|
Security matters: Diverting dangerous traffic
July 11, 2007
By Jessica Twentyman
When it comes to dealing with denial of service (DoS) attacks, Adrian Asher is an expert. As head of security at online gaming company BetFair, he has successfully thwarted numerous attempts to bring down the companys website with the vast floods of bogus traffic associated with DoS attacks but the cost of that achievement, he says, has been considerable.
Weve invested huge amounts in security and availability, in everything we need to ensure that uptime for our site is as close to 100 per cent as possible, he says. Weve got multiple levels of firewall, enormous amounts of network bandwidth and numerous highly specialised devices designed to alert us to, and protect us from, denial of service attacks.
Mr Asher also has a huge team of in-house security specialists at his disposal, who spend their working lives analysing internet traffic, identifying deviations from the norm and dealing with them immediately. While he declines to say exactly how many people are in that team, he claims that it is bigger than IT security teams at some of the big banks he has worked at in the past.
Given that BetFairs site handles 5m bets each day and eager gamblers deposit around L2,000 of funds on the site every minute, its enthusiasm for DoS protection is hardly surprising. Any period of downtime would cost the company dearly. But plenty of other organisations do not have the resources in-house to protect themselves so comprehensively, as evidenced in recent months by successful DoS attacks on the London Stock Exchange, the Telegraph newspaper and a host of commercial and government websites in Estonia.
One answer is to engage the services of a specialist DoS mitigation service, such as that provided by Prolexic. Customers that use Prolexics services have all their internet traffic diverted through one of the companys four, heavily fortified data centres worldwide: two in the US (Arizona and Florida), one in London, and one in the Philippines.
At these centres, we monitor and filter traffic flows and remove all threats, including the largest and most destructive DoS attacks known to the internet, before they ever reach the customers network infrastructure, explains Prolexic CEO Darren Rennick.
The traffic thats delivered back to the customer is purified and threat-free and the whole process is transparent to both the customer and its website visitors.
In this way, says Mr Rennick, companies are able to tap into a wealth of expertise and infrastructure dedicated to dealing with DoS attacks that would otherwise be beyond their reach.
There are two ways customers can use services such as that offered by Prolexic. Some opt for an always-on service, where internet traffic is permanently diverted through a services data centre for a monthly subscription charge. Prolexic fees for that start at $7,500 a month, but can be as much as $50,000, depending on the amount of traffic that the customer is asking to have cleansed and the complexity of its computing environment.
Others, naturally, only turn to outside help once they find themselves under attack. These customers would face an emergency response charge to switch the service on, which ranges from $10,000 to $40,000 at Prolexic. They are then tied in to paying the monthly subscription fee for 12 months.
For some companies, however, that option may still be too costly. If thats the case, the best line of defence is to have a really great relationship with your companys ISP [internet service provider], says Jose Nazario, senior security researcher at Arbor Networks.
A specialist in denial of service mitigation products (along with companies including Cisco, Mazu Networks and Radware), Arbor Networks sells to some of the worlds largest companies, but also counts 70 per cent of the worlds ISPs among its customers, enabling them to offer DoS protection and mitigation to their enterprise clients directly.
Have the right phone numbers at hand so you know who to call at the ISP when an attack strikes, or even better, sit down now with its security specialists to discuss how they can help you take preventative measures, he advises.
The DoS services offered by ISPs vary dramatically in maturity, cost, and according to some, effectiveness. But if a company is not able to protect itself from denial of services attacks with its own resources, then it simply has to work with an ISP it feels confident with, says Dr Nazario.
Like a crowd of protesters that clog the entrance to your building, a denial of service attack can descend quite suddenly and without warning. Your priority is to push that crowd back a few blocks down the street, so that legitimate customers can come and go freely.
Thats exactly what your ISP can do for you, it can hold back the bad traffic so that normal business is not impacted. It just makes good business sense to take advantage of that capability, he says.
Copyright The Financial Times Limited 2007
About Prolexic:
Prolexic Technologies provides cutting edge solutions that protect Internet operations from the debilitating service disruptions caused by DDoS attacks. Prolexic's patent-pending Clean Pipe Virtual Transport(R) network offers solutions that keep its clients' Internet-facing infrastructures free of DDoS traffic. Without making major adjustments or multimillion-dollar investments in their existing hardware infrastructures, Prolexic's customers rest assured that their network borders are secure and can thus focus on what is really important: their businesses. More information about Prolexic is available at www.prolexic.com
| |
