Over the first half of the year, one of the largest telecommunications and service providers in Southeast Asia was experiencing 3 to 5 volumetric DDoS attacks per month. These attacks saturated many of its connections to other ISPs as well as its overseas links to PoPs in other Southeast Asian countries. The assault impacted the entire internet service but was focused primarily on the mobile infrastructure, including the NAT IPs. Many customers were affected, and the issues were escalated through management all the way to the C-suite. The organization was starting to see customer churn due to the availability problems and began to look for a solution.
The operations team worked diligently to solve the problem. As a temporary fix, the provider tried to work with upstream providers to blackhole the malicious traffic. Unfortunately, technical limitations in the network and the nature of the attack made this approach difficult to put in place. The effort took a great deal of time, which hurt the customers' experience and the internal teams' KPIs.
For organizations that have no other means of blocking an attack, blackholing is a widely available option, but it cannot distinguish good traffic from bad. Sophisticated attacks use varied source IP addresses and attack vectors, which further limits the effectiveness of blackholing as a mitigation option. Because blackhole routing drops good and bad traffic indiscriminately, the attacker has essentially accomplished their goal of disrupting traffic to the target network or service. Blackhole routing can still be useful when the target of the attack is an inconsequential part of a larger network. When critical services are in jeopardy, a more surgical mitigation option is needed.
The organization itself is a long-time user of Arbor Sightline and TMS equipment, but these could not prevent the upstream links from becoming overwhelmed. BGP blackhole and Flowspec filtering, applied in cooperation with the upstream providers, were used to tamp down some of the attack traffic. This improved the situation, but some collateral damage was still being seen.
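As an added illustration of the trade-off described above (not part of the original case study), the following simulation compares a remotely triggered blackhole against a Flowspec-style multi-field rule over constructed flow records. The victim prefix, the reflection-style attack vector (UDP source port 123) and the sample flows are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    nbytes: int
    attack: bool    # ground truth, known only inside this simulation


# Constructed data: a victim NAT pool in a documentation range, plus reflection-style
# attack flows (UDP sport 123) from varied sources mixed with legitimate subscriber traffic.
VICTIM = ip_network("203.0.113.0/24")
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "udp", 123, 40000, 900_000, True),
    Flow("198.51.100.9", "203.0.113.10", "udp", 123, 40001, 880_000, True),
    Flow("192.0.2.44", "203.0.113.12", "udp", 123, 40500, 910_000, True),
    Flow("192.0.2.45", "203.0.113.12", "tcp", 443, 51000, 12_000, False),
    Flow("192.0.2.80", "203.0.113.10", "tcp", 443, 51001, 8_000, False),
    Flow("198.51.100.3", "203.0.113.11", "udp", 53, 41000, 500, False),
    Flow("192.0.2.99", "203.0.113.200", "udp", 123, 40600, 900_000, True),
    Flow("192.0.2.5", "198.51.100.250", "tcp", 80, 52000, 4_000, False),  # not toward the victim
]


def rtbh(flow):
    """Remotely triggered blackhole: drop everything destined to the victim prefix."""
    return ip_address(flow.dst) in VICTIM


def flowspec(dst_prefix, proto, sport):
    """Flowspec-style rule matching destination prefix AND protocol AND source port."""
    net = ip_network(dst_prefix)

    def drop(flow):
        return ip_address(flow.dst) in net and flow.proto == proto and flow.sport == sport
    return drop


def evaluate(flows, policy):
    """Return (fraction of attack bytes dropped, fraction of legitimate bytes dropped)."""
    atk = sum(f.nbytes for f in flows if f.attack)
    leg = sum(f.nbytes for f in flows if not f.attack)
    atk_dropped = sum(f.nbytes for f in flows if f.attack and policy(f))
    leg_dropped = sum(f.nbytes for f in flows if not f.attack and policy(f))
    return atk_dropped / atk, leg_dropped / leg


if __name__ == "__main__":
    for name, policy in [("RTBH", rtbh), ("Flowspec", flowspec("203.0.113.0/24", "udp", 123))]:
        dropped_attack, dropped_legit = evaluate(SAMPLE_FLOWS, policy)
        print(f"{name}: attack dropped {dropped_attack:.0%}, legitimate dropped {dropped_legit:.0%}")
```

On this sample both policies remove all attack bytes, but the blackhole also discards most of the legitimate traffic bound for the victim prefix, which is the collateral damage the case study describes.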
NETSCOUT recommended a layered defense consisting of the local Sightline and TMS deployment together with Arbor Cloud.
This hybrid solution provides granular visibility and attack mitigation for local traffic, while also handling the attacks that threaten to overwhelm the capacity of the peering links. With Arbor Cloud integrated with Sightline and TMS as a layered defense strategy, the provider can now mitigate attacks of any size and can confidently offer clean-pipe managed services to its enterprise customers.