A large US-based ISP discovered during DDoS events that very large-volume attacks sometimes caused regional outages beyond the intended victims, as edge and near-edge equipment was overwhelmed. Existing monitoring and reporting tools focused only on network performance, making detection and forensic investigation of DDoS events extremely difficult and time consuming. Often, expensive truck rolls were ordered to inspect equipment before the problem was fully understood and could be alleviated. The ISP also realized its customers were unable to implement their own DDoS mitigation, due to limitations including manpower, expertise, and cost. The ISP wanted to protect its own infrastructure and reduce costs such as truck rolls, as well as provide a managed DDoS service for its customers.
The ISP saw several needs:
A means of rapid detection to determine the nature and scope of the attack. This prevents unnecessary or duplicate effort when moving to solve the problem, allows for quicker response, and even enables automated orchestration of mitigation.
A way to block attack traffic as rapidly and effectively as possible. This includes blocking traffic at the ISP peering edge using BGP Flowspec, as well as dedicated hardware positioned to remove attack traffic directly at the peering edge, minimizing the potential for collateral damage.
Reporting mechanisms to clearly and distinctly identify the types and volumes of blocked traffic. This helps the ISP rapidly adapt countermeasures to prevent over-blocking of good traffic. It also allows the ISP to report accurately to its commercial DDoS customers on the effectiveness of the overall mitigation strategy, regardless of where and how the bad traffic was blocked.
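The three needs above (detect and scope the attack, push a block to the peering edge with BGP Flowspec, account for what was dropped per vector) can be illustrated end to end on flow records. The following is an added example written for this page; it is not code from NETSCOUT, Arbor Sightline, or the ISP. It aggregates constructed NetFlow-style records per destination, flags a destination whose inbound rate exceeds a multiple of its baseline, names the attack vectors by (protocol, source port), renders a matching Flowspec rule in the `route` syntax of ExaBGP's shipped flow configuration examples (an assumption about that tool, not something the page describes), and reports the bytes each rule would drop. The thresholds, the port-to-vector table, and all traffic figures are constructed assumptions.

```python
"""Volumetric DDoS triage over flow records: detect, scope, build Flowspec rule, report.
Added illustrative example; thresholds, port labels and sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int
    nbytes: int


# Reflection/amplification vectors keyed by the reflector's UDP source port.
# Assumed illustrative subset, not an authoritative list.
VECTORS = {123: "ntp", 53: "dns", 11211: "memcached", 1900: "ssdp", 389: "cldap"}


def vector_label(proto, sport):
    if proto == "udp" and sport in VECTORS:
        return VECTORS[sport]
    return f"{proto}/{sport}"


def detect(flows, window_s, baseline_bps, ratio=5.0, min_share=0.05, default_baseline=1_000_000):
    """Return {dst: {"bps": rate, "vectors": [(label, proto, sport, bytes), ...]}} for every
    destination whose inbound rate exceeds ratio * its baseline (bit/s). Vectors are the
    (proto, source port) signatures carrying at least min_share of that destination's bytes."""
    per_dst = defaultdict(int)
    per_sig = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst] += f.nbytes
        per_sig[f.dst][(f.proto, f.sport)] += f.nbytes
    alerts = {}
    for dst, total in per_dst.items():
        rate = total * 8 / window_s
        if rate <= ratio * baseline_bps.get(dst, default_baseline):
            continue
        sigs = sorted(per_sig[dst].items(), key=lambda kv: kv[1], reverse=True)
        vectors = [(vector_label(p, sp), p, sp, b) for (p, sp), b in sigs if b / total >= min_share]
        alerts[dst] = {"bps": rate, "vectors": vectors}
    return alerts


def flowspec_rule(name, dst, proto, sport, action="discard"):
    """Render one Flowspec 'route' block in ExaBGP's flow configuration syntax (assumed),
    to be placed under a neighbor's flow section: drop traffic from the reflector port
    towards the victim /32, matching on destination, protocol and source port only."""
    return "\n".join([
        f"route {name} {{",
        "   match {",
        f"      destination {dst}/32;",
        f"      protocol {proto};",
        f"      source-port ={sport};",
        "   }",
        "   then {",
        f"      {action};",
        "   }",
        "}",
    ])


def mitigation_report(flows, rules, window_s):
    """Per-vector accounting of what the rules would drop. rules: [(label, dst, proto, sport)].
    Returns {"dropped": {label: bytes}, "dropped_bps": {label: bit/s}, "residual": bytes passed}."""
    dropped = defaultdict(int)
    residual = 0
    for f in flows:
        hit = next((label for label, dst, proto, sport in rules
                    if f.dst == dst and f.proto == proto and f.sport == sport), None)
        if hit is None:
            residual += f.nbytes
        else:
            dropped[hit] += f.nbytes
    return {"dropped": dict(dropped),
            "dropped_bps": {k: v * 8 / window_s for k, v in dropped.items()},
            "residual": residual}


def run_example():
    """Constructed 60-second sample: an NTP+DNS reflection attack on 203.0.113.10 alongside
    legitimate HTTPS traffic to the victim and to an unrelated host 198.51.100.7."""
    window = 60
    flows = []
    # 20 NTP reflectors (UDP source port 123), 50 MB each in the window
    flows += [Flow(f"192.0.2.{i}", "203.0.113.10", "udp", 123, 40000 + i, 50_000_000) for i in range(1, 21)]
    # 10 open DNS resolvers (UDP source port 53), 10 MB each
    flows += [Flow(f"198.51.100.{100 + i}", "203.0.113.10", "udp", 53, 33000 + i, 10_000_000) for i in range(1, 11)]
    # legitimate HTTPS clients of the victim, 100 kB each
    flows += [Flow(f"203.0.113.{200 + i}", "203.0.113.10", "tcp", 50000 + i, 443, 100_000) for i in range(1, 6)]
    # an unrelated host receiving normal traffic
    flows += [Flow(f"203.0.113.{50 + i}", "198.51.100.7", "tcp", 51000 + i, 443, 200_000) for i in range(1, 4)]
    baseline = {"203.0.113.10": 2_000_000, "198.51.100.7": 2_000_000}  # assumed 2 Mbit/s normal inbound

    alerts = detect(flows, window, baseline)
    rules, texts = [], []
    for dst, info in alerts.items():
        for label, proto, sport, _ in info["vectors"]:
            rules.append((label, dst, proto, sport))
            texts.append(flowspec_rule(f"drop-{label}-{dst.replace('.', '-')}", dst, proto, sport))
    return {"alerts": alerts, "rules": texts, "report": mitigation_report(flows, rules, window)}


if __name__ == "__main__":
    result = run_example()
    for dst, info in result["alerts"].items():
        print(f"{dst}: {info['bps'] / 1e6:.1f} Mbit/s inbound; vectors: {[v[0] for v in info['vectors']]}")
    print("\n\n".join(result["rules"]))
    print(result["report"])
```

The rule deliberately matches only on destination, protocol and reflector source port, so the victim's own TCP/443 traffic (and everything towards the unrelated host) stays in the residual column; checking that residual against the pre-attack baseline is the over-blocking check the reporting requirement is about. In practice the baseline would be learned per customer prefix rather than hard-coded, and the report would be split by where the drop happened (Flowspec at the edge versus a scrubbing appliance), which the accounting function's per-rule breakdown is built to support.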
Arbor Sightline provides comprehensive reporting for network utilization and DDoS protection. Combining Arbor Sightline With Sentinel and Arbor Threat Mitigation System (TMS), security operators can detect attacks rapidly, orchestrate mitigation across their networks, and have full visibility into exactly what mitigations are happening, why they are active, and how, with full reporting.
With Arbor Sightline and TMS, the ISP can rapidly detect DDoS attacks and effect mitigation extremely quickly. This reduced operational overhead, lowered time to resolution, and prevented unnecessary and costly responses such as truck rolls. Additionally, Arbor Sightline With Sentinel provides comprehensive reporting across the entire mitigation response, including traffic blocked in the network by BGP Flowspec.
With this combination of comprehensive mitigation and reporting, the ISP also began offering DDoS mitigation to its customers as a supplement to their Internet service. Customers can now have on-demand or always-on protection as part of their overall Internet service and SLA with the ISP. Using Arbor Sightline With Sentinel, the ISP can generate usage reports outlining all aspects of a DDoS mitigation, both the volume and the types of attacks. Customers can now see with full clarity what traffic was dropped, where it was dropped, and why, and the ISP can validate and report on both its own and its customers' usage levels.