Experiencing Pain you can’t Explain?

By Stephen Gates | January 30, 2015

Posted in: Network Security Trends, Hosting Provider DDoS Protection

Last week I attended the Corero annual sales kickoff at our HQ in Hudson, MA. While there, I had the opportunity to spend several days with one of our most seasoned security engineers, David B.  He was discussing his experience regarding a hosting provider who was currently evaluating the Corero SmartWall® Threat Defense System (TDS) as a proof of concept (POC).  David has successfully performed many high-profile POCs with some of the largest hosting providers in North America.  He always tells me the same thing, “Steve, you won’t believe the type and frequency of attacks this provider was under.”

According to David, the hosting provider had two 10 Gbps Internet pipes coming from different upstream ISPs, which delivered raw Internet bandwidth into their hosting center. Although a relatively small hosting provider, they hosted some of the largest websites for many of the companies in their region. They’ve been a successful hosting provider for years. Recently they were experiencing, as David puts it, “pain they could not explain”.

What do I mean by pain? 

Let me clarify.  The hosting provider (mentioned above) had been experiencing unusual latency that could not be explained.  All network-related systems were operating at peak performance but something was slowing down the network.  David discovered that during any 24-hour period they would experience very large spikes of incoming traffic that often were not completely filling their Internet pipes. Downstream systems were being stressed as a result. Their infrastructure simply could not handle the rapid increase of incoming traffic. Ordinary increases and decreases in traffic that follow the sun (people tend to sleep at night) were normal.  But huge spikes in traffic for very short durations were not. They guessed the increases in traffic were due to DDoS attacks but they lacked complete visibility into the attacks themselves. They originally thought all DDoS attacks were designed to fill their victims’ pipes.  However, now they know better.

Corero has unparalleled visibility!

David went on to explain that once he installed the Corero SmartWall TDS coupled with SecureWatch® Analytics, within minutes he knew what was affecting the hosting provider’s network - and their system performance. They were under a regular barrage of DDoS attacks but previously had no way of completely verifying it.

David explained that almost every attack was under 10 Gbps in size, which again did not consume all of the available bandwidth. The attacks were also short in duration. The longest attack in any given 24-hour period was less than 25 minutes long. David mentioned that this activity is standard operating procedure (SOP) for attackers today, and he observes similar attacks across all of the Corero customer base.

What did the attacks look like?

Below are several screenshots David shared with me. These are from the Corero SecureWatch Analytics dashboard powered by Splunk. For example, the screenshot below displays the hosting provider’s Link Utilization from an 8-hour snapshot in time. Normal utilization on both of their 10G pipes is between 1-3 Gbps. However, larger spikes in utilization had all the indications that they were under some sort of DDoS attack. (See 12:00 AM and 8:00 AM below.)

[Screenshot: Link Utilization]


 

Drilling deeper into the activity, Packets per Second (below) also matched the spikes they were experiencing in Link Utilization. Increases in packets per second of this magnitude were surely affecting their downstream infrastructure. Two spikes reached almost 4 million packets per second (PPS). (See 12:00 AM and 8:00 AM below.)

 

[Screenshot: Packets per Second]


 

Upon further investigation, as shown below, notice that the Top Source Port = 1900. Almost all of the attacks this hosting provider was experiencing were utilizing UDP port 1900, which we all know is related to the Simple Service Discovery Protocol (SSDP).

 

 

[Screenshot: Top Source Port]


 

These attacks were actually reflective/amplified DDoS attacks.  Attackers take advantage of the millions of home devices that have the Universal Plug and Play (UPnP) service open to the Internet.   These devices are often being used to amplify SSDP attacks. Back in October of 2014, I wrote a blog about SSDP attacks.  
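As an added example (not from the original post and not Corero's product logic), the signature described above, short packet-rate spikes dominated by UDP source port 1900, can be checked over per-minute flow summaries. The record layout, thresholds and sample traffic are constructed assumptions, and ports 53 and 123 extend the check beyond the SSDP case the post describes.

```python
from collections import defaultdict
from statistics import median

# UDP source ports of services commonly abused as reflectors; 1900 (SSDP) is
# the one the post observed, 53 and 123 are added here as a generalization.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

def per_minute(flows):
    """Aggregate (minute, proto, src_port, packets, bytes) records per minute."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "by_port": defaultdict(int)})
    for minute, proto, src_port, packets, nbytes in flows:
        b = buckets[minute]
        b["packets"] += packets
        b["bytes"] += nbytes
        if proto == "udp":
            b["by_port"][src_port] += packets
    return buckets

def detect_reflection(flows, spike_factor=3.0, min_share=0.5):
    """Return [(minute, service, pps, gbps)] for minutes whose packet count is at
    least spike_factor x the median minute and dominated by one reflector port."""
    buckets = per_minute(flows)
    baseline = median(b["packets"] for b in buckets.values())
    alerts = []
    for minute in sorted(buckets):
        b = buckets[minute]
        if b["packets"] < spike_factor * baseline or not b["by_port"]:
            continue
        port, pkts = max(b["by_port"].items(), key=lambda kv: kv[1])
        if port in REFLECTOR_PORTS and pkts / b["packets"] >= min_share:
            pps = b["packets"] / 60
            gbps = b["bytes"] * 8 / 60 / 1e9
            alerts.append((minute, REFLECTOR_PORTS[port], round(pps), round(gbps, 2)))
    return alerts

def sample_flows():
    """Constructed inbound traffic: ~2 Gbps baseline plus a 2-minute SSDP burst."""
    flows = []
    for m in range(10):
        flows.append((m, "tcp", 51514, 18_000_000, 15_000_000_000))
        flows.append((m, "udp", 53, 600_000, 60_000_000))
    for m in (4, 5):
        flows.append((m, "udp", 1900, 220_000_000, 33_000_000_000))
    return flows

if __name__ == "__main__":
    for alert in detect_reflection(sample_flows()):
        print(alert)
```

Because the baseline is a median, a burst lasting only a few minutes does not raise the threshold it is compared against, which matters for attacks as short as the ones described here.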

Satisfied Customer!

By way of the Corero SecureWatch Analytics, David described how he easily identified the SSDP attacks. As requested by the hosting provider, David placed the Corero SmartWall TDS in blocking mode. The real-time Threat Defense System immediately began to block all SSDP-based attacks the hosting provider was experiencing. David mentioned that the hosting provider was extremely impressed by the technology. Realizing the Corero solution could block all of the DDoS attacks they were experiencing, the hosting provider agreed to purchase the solution.

Corero has Unparalleled Defense!

The Corero Security Operation Center observes DDoS attacks just like the one shown above threatening our hosting provider customers on a daily basis. Contrary to what many may believe, these attacks are not necessarily saturating the hosting providers’ 10 Gbps Internet links. Rather, these attacks are categorized as partial-saturation DDoS attacks, often in the 3-5 Gbps range (per pipe), causing latency, reducing performance and threatening outages throughout the entire hosted environment. These attacks typically last under 30 minutes, not long enough to engage cloud scrubbing services to solve the problem before it’s too late.

The Corero SmartWall TDS transparently blocks DDoS attack traffic before it enters the Hosting environment and stops DDoS attacks instantaneously without incurring false positives.  Hosting Providers that take advantage of the Corero SmartWall TDS are enabled to defeat DDoS attacks in real-time, before their customers are even aware an attack has taken place. The Corero SmartWall TDS delivers superior DDoS attack visibility and reporting and alerts the provider immediately upon attack detection.   With the efficient (¼ wide 1 RU) footprint, low power, low BTU, and unparalleled performance of the SmartWall TDS, Hosting Providers are protecting their business and their customers.

 
