Arbor White Paper
Securing Data Centers: A Unique Opportunity for ISPs
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and service
provider networks, including the vast majority of the world’s
Internet service providers and many of the largest enterprise
networks in use today. Arbor’s proven network security and
management solutions help grow and protect customer
networks, businesses and brands. Through its unparalleled,
privileged relationships with worldwide service providers
and global network operators, Arbor provides unequalled
insight into and perspective on Internet security and traffic
trends via the ATLAS® Active Threat Level Analysis System.
Representing a unique collaborative effort with 230+
network operators across the globe, ATLAS enables the
sharing of real-time security, traffic and routing information
that informs numerous business decisions.
Arbor White Paper: Securing Data Centers: A Unique Opportunity for ISPs
The Growing Managed Security Services Market
For today’s enterprises, any downtime in their
Internet data center (IDC) operations can
dramatically impact the bottom line. So it
is no surprise that the increasing scale and
frequency of distributed denial of service
(DDoS) attacks are now having a much
greater impact on the business continuity
and profitability of these companies. What’s
more, while DDoS attacks may have been
driven by noneconomic reasons in the past,
they now have major monetary drivers
including extortion, competitive advantage
and corporate revenge.
DDoS threats that impact the availability of services represent
a significant opportunity for Internet service providers (ISPs).
Enterprises and their IDC operators are more concerned about
DDoS than ever before, and ISPs can help them combat these
threats. This white paper explores the security challenges
affecting today’s enterprises and IDC operators, and examines
how ISPs are in a unique position to respond by delivering
revenue-generating, managed DDoS protection services.
The managed security service provider (MSSP) market is
expected to grow to around $4 billion by 2016 in North
America alone, according to Frost & Sullivan. Moreover, the
managed security and security monitoring services segment
will continue to yield the highest percentage of total revenue
in the MSSP market.
“Although budget cutbacks have resulted from the economic
slowdown, companies are continuing to implement measures
to upgrade security,” says Frost & Sullivan Research Analyst
Martha Vazquez. “Outsourcing security to an MSSP will free up
time for organizations to focus on core business processes.”
Enterprises will spend more on network-based security services
from ISPs as they become more comfortable with ISPs providing these services. Many factors—such as better support, more
mature options, improved service control and faster services—
will increase this comfort level. Today, the majority of MSSP
customers purchase managed security services that are based
on customer premise equipment (CPE). Consequently, customers
might have fewer concerns about purchasing a network-based
security service if it also includes a CPE-based component.
The Evolving DDoS Threat
The market demand for managed security services is real and growing. Service providers have
some inherent advantages that enable them to capitalize on this demand because they own
the pipes that transmit data across the Internet. This makes ISPs uniquely well-positioned
to deliver a comprehensive solution that can combat the two primary types of DDoS attacks.
First, they can stop “volumetric” DDoS attacks. These are usually
generated by Internet bots or compromised PCs that are
grouped together in large-scale botnets. Examples include
DDoS attacks against UK-based online betting sites [1] where the
hackers extorted the betting firms, and the politically motivated
DDoS attacks against the Georgian government [2]. They are
generally high-bandwidth attacks and originate from a large
number of bots that are geographically distributed. Because of
the high-bandwidth and distributed nature of these attacks, the
congestion might occur upstream in the provider’s network and
cannot be stopped at the enterprise or data-center edge.
In addition, a new type of DDoS attack has emerged that
threatens the business viability of service provider customers.
Two days before Christmas in 2009, last-minute shoppers could
not access some of the world’s most popular Internet shopping
sites including Amazon, Expedia and Walmart. A targeted DDoS
attack against UltraDNS [3], a leading provider of domain name
system (DNS) services, took these major retail sites offline. The
attack could have dramatically affected the Christmas shopping
season and the profitability of these retailers if UltraDNS had
not been able to detect and stop the attack very quickly.
This attack revealed the potential impact of DDoS to online
commerce. More importantly, it revealed a new type of
“application-layer” DDoS attack that targets specific services
and consumes lower bandwidth. These new application-layer
DDoS attacks threaten a myriad of services ranging from Web
commerce and DNS services to email and online banking.
Enterprise customers are very concerned with the availability
of critical services running in their data centers. At the same
time, attackers view these Internet-facing data centers as new
prime targets and are launching DDoS attacks to wreak havoc
on these companies. The convergence of volumetric and
application-layer DDoS attacks poses a significant threat to
online services, and customers will be looking for solutions.
[Figure: DDoS driven by financial motivations. A paid attacker directs a botnet across the Internet at targets inside an Internet data center (behind a load balancer); attack traffic arrives mixed with legitimate traffic, with a $ impact at each target.]
[1] news.bbc.co.uk/2/hi/technology/4169223.stm
[2] www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack
[3] www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html
Only ISPs Can Provide the Comprehensive Solution
to Protect Data Centers from DDoS
ISPs can gain a unique advantage by
providing a layered network- and edge-based
managed solution to combat both volumetric
and application-layer DDoS attacks. The best
place to stop volumetric DDoS attacks is
in the ISP cloud (via network-based DDoS
protection) because the saturation happens
upstream and can only be remediated in the
provider’s cloud.
The best place to perform application-layer DDoS detection is
in the data center itself: these attacks use little bandwidth and look
like ordinary client requests at the network layer, so they can only be
told apart from legitimate traffic, and quickly stopped, at the data-center
edge where the application and its sessions are visible. Only ISPs can
provide both a network-based service component to stop
volumetric DDoS attacks and a CPE-based service component
to stop application-layer DDoS attacks—representing a distinct
competitive advantage.
There are cost efficiencies at work, too. When an ISP is
already supplying a managed firewall, Secure Socket Layer
virtual private network (SSL VPN), intrusion detection system
(IDS), intrusion prevention system (IPS) and other security
measures, adding an incremental managed DDoS protection
service can be relatively straightforward and cost-efficient.
[Figure: Multiple layers of defense required for comprehensive DDoS protection. Large DDoS attacks are diverted to an ISP cleaning center inside the ISP network; the data center behind it keeps its own firewall, load balancer and IDS/IPS, with application-layer defenses at the data-center edge in front of the target applications and services.]
Why Traditional Security Products Fail to Address
the Evolving DDoS Threat
Firewalls, IPS and other products are
key elements of your customers’ security
strategy, but these solutions are designed
to provide security functions that are
fundamentally different from dedicated
DDoS detection and mitigation products.
For example, firewalls are essentially policy enforcement
points that are usually deployed at the network or data-center
perimeter. Their role is to establish and enforce the rules that
govern what traffic is allowed in and out of a data center as
defined by ports, protocols and destinations.
Internet-facing data centers are open to Web traffic (TCP
port 80/443) and other services such as video, voice and file
transfer. DDoS attacks target the very services that firewalls
have to allow through, so there is no inherent DDoS protection
in the firewall layer.
In fact, because firewalls keep a state-table entry for every
session established between a client on the Internet and the
corresponding server in the data center, a flood of connection attempts
that are never completed fills that table, and the firewalls themselves
are commonly the targets of DDoS attacks. What’s more, they
are potentially the single point of failure that disables the data
center during large-scale DDoS attacks. In these cases, it is best
to provide DDoS protection in the ISP network or “cloud” before
the attack reaches the data center, since by that time it is too late.
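As an added illustration (not code from the white paper or from Arbor), the following Python model shows the failure mode described above: a stateful firewall whose session table is filled by one-shot spoofed SYNs until a legitimate client can no longer connect, and, going one step beyond the text, what an upstream check that admits only sources which retransmit their SYN does to the same flood. The addresses, table size, idle timeout, packet rate and the SYN-retransmission technique itself are assumptions, not details from the page.

```python
# Added illustration (not Arbor code): a toy model of a stateful firewall
# whose session table is filled by one-shot spoofed SYNs, and of a stateless
# SYN-retransmission check applied upstream. Addresses, table size, timeout
# and packet rates are constructed assumptions.
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str   # "S" = SYN, "A" = ACK
    t: float     # arrival time in seconds


class StatefulFirewall:
    """Allows TCP/80 inbound by policy, but keeps one table entry per
    (src, dst, dport) session. Entries are freed only by idle timeout, and
    the table has a fixed capacity as in real hardware: once it is full,
    every new session, legitimate or not, is dropped."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.table = OrderedDict()          # session key -> last seen time
        self.dropped_new_sessions = 0

    def _expire(self, now):
        # Front of the OrderedDict is the least recently seen session.
        while self.table:
            key, last_seen = next(iter(self.table.items()))
            if now - last_seen <= self.idle_timeout:
                break
            self.table.popitem(last=False)

    def forward(self, pkt):
        self._expire(pkt.t)
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            self.table[key] = pkt.t
            self.table.move_to_end(key)
            return True
        if len(self.table) >= self.capacity:
            self.dropped_new_sessions += 1
            return False
        self.table[key] = pkt.t
        return True


class SynAuthScrubber:
    """Upstream check that keeps no per-session state the attacker can grow.
    A source's first SYN is dropped; only a source that retransmits its SYN
    (as every real TCP stack does after about a second) is admitted. A
    spoofed one-shot bot SYN never comes back, so it never reaches the
    firewall. This is a common scrubbing technique assumed here, not one
    the white paper describes."""

    def __init__(self):
        self.seen_syn = set()        # a small per-source flag, not a session
        self.authenticated = set()

    def allow(self, pkt):
        if pkt.src in self.authenticated:
            return True
        if pkt.flags == "S" and pkt.src in self.seen_syn:
            self.authenticated.add(pkt.src)
            return True
        if pkt.flags == "S":
            self.seen_syn.add(pkt.src)
        return False


def run_scenario(capacity=10_000, bots=20_000, scrubbed=False):
    vip = "203.0.113.10"                 # constructed web front-end address
    fw = StatefulFirewall(capacity=capacity, idle_timeout=30.0)
    scrub = SynAuthScrubber() if scrubbed else None
    # Constructed flood: one spoofed SYN per bot at 1,000 pps, never completed.
    flood = [Packet(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                    vip, 80, "S", i / 1000.0) for i in range(bots)]
    t0 = bots / 1000.0
    # Constructed legitimate client: SYN, retransmitted SYN after 1 s, then ACK.
    legit = [Packet("192.0.2.7", vip, 80, "S", t0),
             Packet("192.0.2.7", vip, 80, "S", t0 + 1.0),
             Packet("192.0.2.7", vip, 80, "A", t0 + 1.2)]

    def deliver(pkt):
        if scrub is not None and not scrub.allow(pkt):
            return False
        return fw.forward(pkt)

    bot_sessions = sum(deliver(p) for p in flood)
    legit_result = [deliver(p) for p in legit]
    return {
        "state_entries": len(fw.table),
        "bot_sessions_admitted": bot_sessions,
        "new_sessions_dropped": fw.dropped_new_sessions,
        "legit_client_connected": legit_result[1] and legit_result[2],
    }


if __name__ == "__main__":
    print("firewall alone:     ", run_scenario())
    print("with upstream check:", run_scenario(scrubbed=True))
```

With the firewall alone, 20,000 one-shot SYNs fill a 10,000-entry table in ten seconds and the legitimate client's SYN, its retransmission and its ACK are all dropped as "new sessions" for as long as the idle timeout keeps the bogus entries alive. With the upstream check in the path, no bot SYN reaches the firewall, its table holds a single entry, and the real client connects on its retransmitted SYN.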
[Figure: Firewalls can actually be the targets of DDoS attacks. A botnet on the ISP/Internet side sends attack traffic mixed with legitimate traffic toward the data center; the links into the data center congest and the firewall itself fails.]
[Figure: IPS devices are not designed to stop DDoS attacks. The same layout, with the in-line IPS at the data-center edge as the device that fails under the flood.]
IPS/IDS devices are also not designed or positioned to protect
against denial of service attacks. They are designed to
inspect packets and block exploits and network-based malware through
signature matching. Much DDoS attack traffic, however, is
protocol-conformant and matches no signature. Because IPS devices
are deployed in-line (an IDS on a tap or SPAN port sees traffic but
cannot block it) and suffer from the same resource and
memory exhaustion problems that plague firewalls, they are
also a potential single point of failure on the network and
add latency. In these cases, the detection and
removal of DDoS attack traffic is best done in the ISP’s
network, either before it reaches the data-center edge or
by off-ramping the malicious traffic to a scrubbing center.
Some firewalls and IDS/IPS products offer DDoS detection
using techniques such as statistical anomaly detection or
malformed protocol detection. But since firewalls and IDS/IPS
products conduct anomaly detection on a per point basis, they
have a very myopic view of the network. The very nature of a
“distributed” denial of service attack means that the attack traffic
is coming from different sources. Therefore, the solution must
be able to recognize this behavior and stop the traffic as close
to the sources as possible. This is another reason why the
distributed detection and mitigation of DDoS attacks are best
done in the ISP network.
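The following Python sketch is an added illustration, not Arbor code, of the "myopic view" argument above: flow records from six constructed peering routers are first judged one router at a time against a fixed local threshold (what a firewall or IPS at a single point can do), then aggregated per destination across all routers and compared with that destination's baseline together with the count of distinct sources. The router names, addresses, rates, baseline and thresholds are all constructed assumptions.

```python
# Added illustration (not Arbor code): why per-device detection misses a
# distributed attack that network-wide flow analysis catches. The flow
# records, router names, addresses and thresholds are all constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    exporter: str    # router that exported the record
    src: str
    dst: str
    dport: int
    bytes: int
    interval: int    # seconds covered by the record


VIP = "203.0.113.10"                                   # constructed target
ROUTERS = ("peer-r1", "peer-r2", "peer-r3", "peer-r4", "peer-r5", "peer-r6")
INTERVAL = 60                                          # seconds


def build_sample_flows(attack=True):
    """Six peering routers each carry 5 legitimate clients at 10 Mbps to the
    VIP (300 Mbps total, the normal baseline). The attack adds 402 bots at
    1 Mbps each, spread round-robin over the routers: about 67 Mbps more per
    router, but 402 Mbps more in aggregate."""
    flows = []
    for ri, router in enumerate(ROUTERS):
        for c in range(5):
            flows.append(Flow(router, f"198.51.100.{ri * 5 + c}", VIP, 443,
                              75_000_000, INTERVAL))        # 10 Mbps each
    if attack:
        for b in range(402):
            router = ROUTERS[b % len(ROUTERS)]
            flows.append(Flow(router, f"10.{b // 256}.{b % 256}.1", VIP, 443,
                              7_500_000, INTERVAL))         # 1 Mbps each
    return flows


def bps(flows):
    return sum(f.bytes * 8 / f.interval for f in flows)


def point_alerts(flows, threshold_bps):
    """What a firewall or IPS at one vantage point can decide: it sees only
    the flows that pass through its own router and compares them with a
    fixed local threshold."""
    by_exporter = defaultdict(list)
    for f in flows:
        by_exporter[f.exporter].append(f)
    return {r: bps(fl) > threshold_bps for r, fl in by_exporter.items()}


def network_alert(flows, dst, baseline_bps, ratio=2.0, min_sources=100):
    """Network-wide view: aggregate every exporter's flows toward one
    destination, compare with that destination's baseline, and require many
    distinct sources before calling it distributed. The per-ingress split
    tells the operator at which edge to apply mitigation."""
    to_dst = [f for f in flows if f.dst == dst]
    total = bps(to_dst)
    sources = {f.src for f in to_dst}
    per_ingress = {}
    for f in to_dst:
        per_ingress[f.exporter] = per_ingress.get(f.exporter, 0) + f.bytes * 8 / f.interval
    volume_anomaly = total > ratio * baseline_bps
    distributed = len(sources) >= min_sources
    return {
        "alert": volume_anomaly and distributed,
        "volume_anomaly": volume_anomaly,
        "total_bps": total,
        "distinct_sources": len(sources),
        "per_ingress_bps": per_ingress,
    }


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-router alarms (200 Mbps each):", point_alerts(flows, 200e6))
    print("network-wide:", network_alert(flows, VIP, baseline_bps=300e6))
```

Each router carries 117 Mbps of the 702 Mbps aimed at the VIP, under a 200 Mbps local alarm, so no per-point alert fires. The aggregate is 2.3 times the 300 Mbps baseline and comes from 432 distinct sources, so the network-wide check fires, and the per-ingress split shows that the traffic should be dropped at all six peering routers rather than at the data-center edge.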
Peakflow ® SP: The Platform for Comprehensive
Managed DDoS Services
A complete DDoS protection solution must support the following:
• Both in-line and, more importantly, out-of-band deployment
to avoid being a single point of failure on the network.
• True “distributed” DoS (DDoS) attack detection, which
requires broad visibility into the network (not just from a
single network perspective) and the ability to analyze traffic
from different parts of the network.
• Attack detection using multiple techniques such as statistical
anomaly detection; customizable threshold alerts; and
fingerprints of known or emerging threats that are based
on Internet-wide intelligence.
• Mitigation that can easily scale to handle attacks of all sizes,
ranging from low-end (e.g., 1 Gbps of mitigation, deployed
in the data center) to high-end (e.g., 40 Gbps of mitigation,
deployed in the ISP network).
The Peakflow SP solution (“Peakflow SP”) is a complete platform that service providers can use to develop comprehensive
managed DDoS services for customers. Today, the majority of
the world’s leading ISPs rely on Peakflow SP for the network-wide visibility and security they need to proactively fend off
malicious threats, thwart DDoS attacks and strengthen the
quality of their service. Increasingly, these ISPs are leveraging
their investment in Peakflow SP to deliver profitable, new,
in-cloud managed services.
The solution must also feature managed security service
enablers. These include application programming interfaces
(APIs) for integration with existing systems; the ability to
launch a customer portal easily; provisioning templates; fault
tolerance; and redundancy. Lastly, the solution must be proven
and backed by a company that is a known industry expert in
Internet-based DDoS threats.
[Figure: Peakflow SP Architecture. Network tiers shown: Peering/Transit Edge, Backbone, Regional Mitigation Center, Customer/Hosting Edge, Managed Service Customers. Components placed on them: Peakflow SP Collector Platform (CP) 5500 at the peering/transit edge and in the backbone; Peakflow SP Business Intelligence (BI); Peakflow SP Threat Management System (TMS) 1200/2500/3x00/4x00 in the regional mitigation center; Peakflow SP TMS 1200/2500 and Peakflow SP Portal Interface (PI) at the customer/hosting edge; Peakflow SP Flow Sensor (FS) toward the managed service customers; a central console for visibility and threat management.]
Peakflow SP Architecture
Consists of five types of appliances: 1) Peakflow SP Collector Platform (CP)
appliances in the peering edge or backbone; 2) Peakflow SP Flow Sensor
(FS) appliances in the customer aggregation edge; 3) Peakflow SP Business
Intelligence (BI) appliances to increase scalability and add redundancy for
managing critical objects; 4) Peakflow SP Portal Interface (PI) appliances
to increase the scale, redundancy and profitability of Arbor-based managed
services; and 5) Peakflow SP Threat Management System (TMS) appliances
deployed in any part of the network to surgically mitigate network threats.
Peakflow SP TMS deployment (mitigation performance in Gbps versus deployment size)

Model     Mitigation capacity                              Form factor and ports
TMS 1200  1.5 Gbps                                         1U, 4 x 1 GigE ports
TMS 2500  2.5 Gbps                                         2U, 6 x 1 GigE ports, NEBS certified
TMS 3050  5 Gbps (software upgrade to 10 Gbps)             3U, 2 x 10 GigE ports + 10 x 1 GigE ports
TMS 3110  10 Gbps                                          3U, 2 x 10 GigE ports + 10 x 1 GigE ports
TMS 4000  10/20/30/40 Gbps (1 to 4 x APM, 10 Gbps each)    6U, 8 x 10 GigE ports

The smaller models suit a small provider, a dedicated customer or small POPs;
the larger models suit a large provider, a regional scrubbing center or large POPs.
Peakflow SP meets the key requirements of a comprehensive
DDoS solution by providing:
• Ability to stop both volumetric and application-layer
DDoS attacks: Peakflow SP provides the tools to diagnose
and stop both high-bandwidth DDoS attacks and
targeted application-layer DDoS attacks.
• Multiple deployment options: Peakflow SP can be
deployed out-of-band where attack traffic is diverted to
the TMS appliances. The solution can also be deployed
in-line or passively.
• True “distributed” DoS attack detection: Peakflow SP
offers true distributed anomaly detection rather than simple
point-based detection.
• Managed service enablers: Peakflow SP offers a full range
of enablers that help ISPs launch network-based service
offerings to their customers.
• Multiple methods of threat detection and mitigation:
Peakflow SP provides multiple attack detection techniques.
These range from statistical anomaly detection and
threshold-based flood detection to fingerprint-based
detection based on the global intelligence in Arbor’s
Threat Level Analysis System (ATLAS®) [4].
• Industry expertise backed by a market leader: Arbor
Networks is a leading provider of security and network
management solutions for global business networks, including
more than 70 percent of the world’s ISPs and many of the
largest enterprise networks in use today.
• Scalability to handle all-size threats: Peakflow SP can
detect threats of all sizes by leveraging flow technology in
existing network infrastructure equipment. The solution can also
stop any-size threat by supporting an array of Peakflow Threat
Management System (“TMS”) appliances that provide surgical
mitigation ranging from 1 Gbps to 40 Gbps (see above).
[4] atlas.arbornetworks.com
Conclusion
DDoS attacks are continuing to rise
and both public and private data centers
are prime targets. Today’s data center
operators are seeking solutions to this
pressing problem.
ISPs have a unique opportunity to respond by offering
valuable network- and edge-based services that protect their
customers’ data centers against DDoS attacks and drive
incremental revenue. Peakflow SP is a proven platform that
enables ISPs to develop unique managed DDoS protection
services and help solve this growing threat.
For more information about the Peakflow SP
solution, visit the Arbor Networks Web site
at www.arbornetworks.com/peakflowsp or
contact an Arbor Networks representative
at www.arbornetworks.com/contact.
Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
Europe
T +44 207 127 8147
Asia Pacific
T +65 6299 0695
www.arbornetworks.com
©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
WP/SDC/EN/0612