The Tech Herald

VeriSign launches DDoS monitoring service

by Steve Ragan - Sep 18 2009, 17:00

VeriSign recently announced an addition to the VeriSign Internet Defense Network, a cloud-based Distributed Denial-of-Service (DDoS) attack mitigation service launched earlier this year, which offers monitoring-only capabilities to businesses worried about DDoS attacks on their Internet-based services and infrastructure.

The monitoring-only service can quickly be turned into a mitigation service on demand for a cost. Since it is a part of the VeriSign Internet Defense Network offering, the newest addition is in reality just another layer of network defense. However, as businesses expand to include Internet operations and services, the threat of a massive DDoS attack on their infrastructure is a real one.

"A number of recent high-profile attacks against the United States and South Korean governments and popular social networking sites have moved DDoS up the list of concerns for many CISOs," said Ken Silva, CTO of VeriSign in a statement.

"Customers who attempt to overprovision their bandwidth are lulling themselves into a false sense of security against a real DDoS attack... The addition of a DDoS monitoring-only service will help many companies that depend on online commerce and communication by providing a means of watching for changes in Web site traffic that may indicate an impending attack."

The Tech Herald talked to Mike Denning, Vice President of Enterprise Security, who explained some of the basics surrounding the Internet Defense Network program from VeriSign, as well as why it was created in the first place.

The birth of the VeriSign Internet Defense Network (IDN) program has an interesting back story. It was developed to protect VeriSign, as they have one of the most attacked networks online thanks to their .com and .net operations, Denning explained. From there, once the system was in place, they moved it public, and after a good deal of tweaking, have managed to take DDoS monitoring and mitigation and get it down to a science.

The IDN offering uses VeriSign’s global footprint, as well as solutions from business partners like Arbor Networks, to cover an overlapping layer of protection and remediation against DDoS attacks. For customers using the monitoring-only aspect of the IDN, once suspect traffic is identified, VeriSign engineers contact them to ensure that the traffic is expected.

If the abnormal traffic isn’t expected, then the customer can purchase mitigation services, if they are not already paying for them, and VeriSign will move to stop the attack. Mitigation comes in three layers. The first is off-ramping traffic, where malicious traffic is redirected so it reaches VeriSign first. Off-ramping can come in the form of DNS changes on the customer’s side or BGP announcements.

The second layer is filtering. This is where malicious traffic is scrubbed, after being sent to one of four scrubbing centers VeriSign controls, using a layered approach and progressively enhanced rule sets. The filtering is applied at various layers of the OSI stack, to help mitigate more complex attacks.

Since traffic in a DDoS attack is designed to halt web operations, VeriSign separates legitimate traffic from the malicious traffic and passes only the legitimate traffic on to the customer, which leads to the third layer of mitigation, on-ramping. On-ramping sends the cleaned traffic back to the customer's network using mechanisms such as GRE tunneling or VPN connections.
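As an added illustration (not VeriSign's code and not a documented IDN mechanism), the following shows the kind of baseline check a monitoring-only service could run over per-interval request counts to decide whether traffic has deviated enough to warrant the engineer call described above. The sample counts, window size and thresholds are constructed assumptions; the baseline is frozen while an alert is active so the surge itself does not inflate it.

```python
from collections import deque
import statistics

# Constructed sample: requests per minute for a customer site (hypothetical
# values). Minutes 15-18 carry a sudden surge; minute 19 returns to normal.
SAMPLE_RPM = [1200, 1180, 1250, 1300, 1220, 1190, 1280, 1240, 1210, 1260,
              1230, 1275, 1200, 1190, 1250, 9800, 12500, 15300, 14900, 1220]


def detect_surges(series, window=10, k=4.0, min_ratio=3.0):
    """Flag intervals whose request count exceeds a trailing baseline.

    An interval is flagged when it exceeds BOTH the statistical bound
    (mean + k * stdev of the last `window` clean intervals) and an absolute
    multiple of the clean mean (`min_ratio`), so a very stable baseline with
    a tiny stdev does not fire on ordinary jitter.

    Only unflagged intervals feed the baseline. Without that rule the attack
    traffic would raise the mean and stdev within a few intervals and the
    detector would stop alerting while the surge was still in progress.

    Returns a list of (index, value, clean_mean) tuples.
    """
    clean = deque(maxlen=window)   # trailing window of non-alert samples
    alerts = []
    for i, value in enumerate(series):
        if len(clean) < window:    # warm-up: no baseline yet
            clean.append(value)
            continue
        mean = statistics.fmean(clean)
        stdev = statistics.pstdev(clean)
        threshold = max(mean + k * stdev, mean * min_ratio)
        if value > threshold:
            alerts.append((i, value, mean))
        else:
            clean.append(value)    # baseline advances only on clean intervals
    return alerts


def alert_indices(series, **kwargs):
    """Convenience wrapper returning just the flagged interval positions."""
    return [idx for idx, _, _ in detect_surges(series, **kwargs)]


if __name__ == "__main__":
    for idx, value, mean in detect_surges(SAMPLE_RPM):
        print(f"minute {idx}: {value} req/min vs clean baseline {mean:.0f}")
```

Gradual legitimate growth (a few percent per interval) stays under the ratio bound and is not flagged, which is the distinction between a traffic change worth a phone call and ordinary load growth.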

However, Denning explained that depending on the customer network, the services the customer is using, and other considerations, the mitigation process is different for everyone. Right now, there are a few financial firms and a handful of smaller organizations using the IDN services. Price will vary, Denning said, depending on implementation, but will start at about $24,000 USD. When asked about virtual environments, Denning said that the IDN would complement those as well, due to cost effectiveness and centralized management offerings.

One of the requirements for the IDN is a /24 IP block, or 254 contiguous IP addresses. Not everyone has access to this, so we asked what would happen in that case. As it turns out, VeriSign has an in-house offering for just this scenario called DNS Assurance. We also asked about latency, and based on comments from Denning and IDN documentation, testing data shows the average latency to be about 30-35ms from one U.S. coast to another.
 
"With more businesses being run online these days, criminal motivation and sophistication are at an all-time high. In-the-cloud DDoS defense will protect businesses across all networks, regardless of their architecture," said Richard Stiennon, industry security expert and Chief Research Analyst at IT-Harvest.
 
"Traditional solutions aren't going to be enough as attacks become more and more sophisticated; blocking and tackling in the cloud provides the best mode of defense against Distributed Denial of Service attacks."
