Sightline Signaling Alert Sharing Drives Cooperative DDoS Mitigation at Internet Scale

By Roland Dobbins and Steinthor Bjarnason

While the trend in all forms of technology — including DDoS attack vectors as well as DDoS defense capabilities — is towards ever-more-complex methodologies, we often find that many of the most significant innovations center around the novel application of well-known principles and processes in a new context. For example, the flow telemetry utilized by Arbor Sightline to detect, classify, and traceback DDoS attacks was initially envisioned by router vendors as a switching methodology. They then realized that the value of the information in the flow cache had intrinsic value of its own, if exported from the routers to collection/analysis systems. 

Although the initial use of flow telemetry was for ISP billing purposes, it soon became clear that it had other potential applications, such as performance measurement, peering analysis, et. al. NETSCOUT Arbor had the key insight that flow telemetry could be leveraged for security purposes, especially as it could scale to the largest networks and provide pervasive network visibility, including real time visibility into DDoS attacks. This was the genesis of Arbor Sightline, which has been the leading DDoS detection and network visibility solution since its introduction in the second half of 2000. 

Since that time, we have pioneered many additional advances in the DDoS defense and network visibility arenas, including operationalizing source-based remotely triggered blackholing (S/RTBH); flowspec-based attack mitigation and traffic diversion; and highly scalable, granular DDoS mitigation via the Arbor TMS intelligent DDoS mitigation system (IDMS); and on-demand auto-mitigations making use of the various mitigation techniques noted above. Cloud signaling between Arbor AED deployed on endpoint networks and Arbor Sightline/TMS deployed on transit provider and/or DDoS mitigation service provider networks brought automatically triggered, on-demand upstream DDoS mitigation capacity to bear when and as needed by endpoint networks.

Sightline Signaling

In Sightline/TMS 9.2, we've expanded the paradigm of cloud signaling with Sightline Signaling; this new functionality allows large, ASP-like enterprises, transit operators, broadband access operators, VPS and hosting/co-location providers, and even dedicated DDoS mitigation service providers which make use of Arbor Sightline to enter into cooperative DDoS mitigation agreements with other Arbor Sightline-powered organizations, and automatically bring to bear additional DDoS mitigation capacity on an ad-hoc basis. This capability allows organizations to enter into mutual, federated DDoS-defense agreements, enabling cooperative mutual DDoS mitigation assistance when it's needed the most. 

A key component of Sightline Signaling is its new alert-sharing capability. This functionality allows a Sightline-enabled organization under attack to select one or more Sightline DDoS alerts and forward them to preconfigured Sightline Signaling DDoS mitigation partners. When a Sightline Signaling message is received by a mitigation partner, all the parameters of the DDoS alert from the requesting organization — attack type, packets-per-second, average packet size, protocol, port numbers, attack sources, attack targets, etc. — are included in the Sightline Signaling message. This in turn allows the receiving Sightline system to determine whether the attack traffic in question is traversing the networks it monitors; if so, a new alert on the receiving system is created, including all the relevant information about the portion of attack traffic observed in the context of the receiving network, such as ingress and egress routers/interfaces. 

Once a new alert has been created on the mitigation partner's Sightline system, all the standard Sightline/TMS mitigation capabilities such as TMS countermeasures, flowspec, and/or S/RTBH are available to inform either a manually triggered mitigation, or a pre-configured auto-mitigation session. Either way, DDoS mitigation assistance can begin almost immediately, with situationally appropriate countermeasure selection, multiple mitigation technology options, and ongoing monitoring of resultant mitigations through the life of the attack.

Applying the Paradigm of Social Media

What we've been doing with Sightline Signaling alerts is essentially to make use of the standard social networking paradigm and apply it in real-time, in a contextually specific manner, to the inter-organizational DDoS mitigation arena. Instead of being forced to rely on out-of-band mechanisms such as conferencing systems, public instant-messaging networks, social media, or even ad-hoc voice communications, all the relevant technical details of a given DDoS attack can be shared automatically between DDoS mitigation partners, eliminating transcription errors, coordination delays, and other communications challenges. By transmitting the detailed parameters of DDoS attack traffic rather than a mere clone of the relevant DDoS alert from the requesting Sightline deployment, we enable the responding deployment to generate a detailed, contextually specific alert which gives the responding organization everything required to successfully participate in cooperative DDoS defense, thereby accelerating response times and ensuring the validity of received requests.

Sightline Signaling enables DDoS defense cooperation in a number of important situations. Most obviously it can be used to enable DDoS defense between internet service providers, allowing for true end-to-end defense coordination and moving toward a world where DDoS attacks are stopped at their source rather than at their destination. But it’s not limited to inter-organizational cooperation. Many network operators struggle with managing multiple independent networks, often acquired through M&A activity or because they are part of a large multi-national company with independent subsidiaries. Sightline Signaling breaks down the defense barriers between networks and enables operators to coordinate defense internally across these different administrative and routing domains much more easily than before. And of course, Sightline Signaling enables faster, more seamless attack mitigation between cloud providers and their customers as part of DDoS managed services. 

Prior to the introduction of Sightline Signaling, attempting to coordinate inter-provider, cooperative mitigation of large-scale, high-impact DDoS attacks could be extremely challenging, fraught with high response latencies, multiple levels of bureaucracy, and the inadvertent miscommunication of vital technical attack criteria during an attack — when every second counts. Sharing Sightline Signaling alerts ensures that all the relevant information can be shared by mitigation partners, swiftly, accurately, and securely. 

Due to the prevalence of Arbor Sightline-powered organizations worldwide, we view Sightline Signaling as a key technology enabling the creation of a global, distributed cooperative DDoS mitigation and suppression federation of unmatched scale, reach, mitigation capacity, and granular mitigation capability. Sightline Signaling is a great example of how to leverage existing communications paradigms in new ways to materially improve the ability of organizations to cooperate effectively in mitigating DDoS attacks on an Internet-wide basis, to the benefit of us all. 

To learn more about Sightline with Sentinel, click here

Dobbins and Bjarnason are ASERT principal engineers.