
Darren Anstee, NETSCOUT | CUBEConversation, November 2019



From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Dave Vellante.

Dave: Hello everyone and welcome to this CUBE Conversation. Today we're gonna dig into the challenges of defending against distributed denial of service, or DDoS, attacks. We're gonna look at what DDoS attacks are, why they occur, and how defense techniques have evolved over time, and with me to discuss these issues is Darren Anstee. He's the CTO of security at NETSCOUT. Darren, good to see you again. Can you tell me about your role? You're CTO of security, so you've got CTOs specific to the different areas of your business?

Darren: Yeah, so I work within the broader CTO office at NETSCOUT, and we really act as a bridge between customers, engineering teams, our product management and the broader market. We're all about making sure that our strategy aligns with that of our customers, that we're delivering what they need and when they need it, and we're really about thought leadership, so looking at the unique technologies and capabilities that NETSCOUT has and how we can pull those things together to deliver new value propositions, new capabilities that can move our customers' businesses forward, and obviously taking us with them.

Dave: Great, so let's get into it. I mean, everybody hears of DDoS attacks, but specifically, you know, what are they, why do they occur, and what's the motivation behind the bad guys hitting us?

Darren: So a distributed denial of service attack is simply when an attacker is looking to consume some or all of the resources that are assigned to a network service or application so that a genuine user can't get through: so that you can't get to that website, so that your network is full of traffic, so that the firewall is no longer forwarding packets. That's fundamentally what a DDoS attack is all about. In terms of the motivations behind them, they are many and varied. There's a wide, wide range of motivations behind the DDoS activity that we see going on out there today, everything from cybercrime, where people are holding people to ransom, so "I will take your website down unless you pay me, you know, X Bitcoin", from ideological disputes through to nation-state attacks, and then of course you get the, you know, things like students in higher educational establishments targeting online coursework submission and testing systems because they simply, you know, don't want to do the work. Fundamentally, the issue you have around the motivations today is that it's so easy for anyone to get access to fairly sophisticated attack capabilities that anyone can launch an attack for pretty much any reason, and that means that pretty much anyone can be targeted.

Dave: Okay, so you've got to be ready. So are there different types of attacks? I guess so, right? It used to be denial of service, now it's distributed denial of service, but what are the different types of attacks?

Darren: So the three main categories of distributed denial of service attack are what we call volumetric attacks, state exhaustion attacks and application-layer attacks, and you can kind of think of them around the different aspects of our infrastructure, or the infrastructure of an organization, that gets targeted. So volumetric attacks are all about saturating internet connectivity, filling up the pipe, as it were. State exhaustion attacks are all about exhausting the state tables in specific pieces of infrastructure, so if you think about load balancers and firewalls, they maintain state on the traffic that they're forwarding; if you can fill those tables up, they stop doing their job and you can't get through them. And then you have the application-layer attacks, which, as their name would suggest, is simply an attacker targeting a service at the application layer, so for example flooding a website with requests for a download, something like that, so that a genuine user can't get through it.

Dave: Presumably some of those attacks, for the infiltrators, some of them are probably easier, have a lower bar than others. Is that right, or are they pretty much all the same level of sophistication?

Darren: In terms of the attacks themselves, there's big differences in the sophistication of the attack. In terms of launching the attack, it's really easy now. So a lot of the attack tools that are out there today are, you know, fully weaponized, so you click a button, it launches multiple attack vectors at a target; some of them will even rotate those attack vectors to make it harder for you to deal with the attack. And then you have the DDoS-for-hire services that will do all of this for you as effectively a managed service, so there's a whole economy around this stuff.

Dave: So, common challenge in security: very low barriers to entry. How have these attacks changed over time?

Darren: So DDoS is nothing new. It's been around for over 20 years, and it has changed significantly over that time period, as you would expect with anything in technology. If you go back 20 years, a DDoS attack of a couple of gigabits a second would be considered very, very large. Last year we obviously saw DDoS attacks break the terabit barrier, so, you know, that's an awful lot of traffic. If we look in a more focused way at what's changed over the last 18 months, I think there's a couple of things that are worth highlighting. Firstly, we've seen the numbers of what we would consider to be mid-sized attacks really grow very quickly over the last 12 months. Mid-sized to us is between 100 and 400 gigabits per second, so we're still talking about very significant traffic volumes that can do a lot of damage, you know, saturate the internet connectivity of pretty much any enterprise out there. Between 2018 and 2019, looking at the two first halves respectively, you're looking at about seven hundred and seventy-six percent growth, so there are literally thousands of these attacks going on out there now in that hundred to four hundred gig band, and that's changing the way that network operators are thinking about dealing with them. Second thing that's changed is in the complexity of attacks. Now, I've already mentioned this a little bit, but there are now a lot of attack tools out there that completely automate the rotation of attack vectors during an attack, so changing the way the attack works periodically, every few minutes or every few seconds, and they do that because it makes it harder to mitigate; it makes it more likely that they'll succeed in their goal. And then the third thing that I suppose has changed is simply the breadth of devices and protocols that are being used to launch attacks. So we all remember in 2016 when Dyn was attacked and we started hearing about IoT and Mirai and things like that, that CCTV and DVR devices were being used there. Since then, a much broader range of device types are being targeted, compromised, subsumed into botnets and used to generate DDoS attacks, and we're also seeing them use a much wider range of protocols within those DDoS attacks. So there's a technique called reflection amplification which has been behind many of the largest DDoS attacks over the last 15 years or so. Traditionally it used a fairly narrow band of protocols; over the last year or so we've seen attackers researching and then weaponizing a new range of protocols, expanding their capability, getting around existing defenses. So there's a lot changing out there.

Dave: So you're talking about mitigation. How do you mitigate, how do you defend against these attacks?

Darren: So that's changing, actually. So if you look at the way that the service provider world used to deal with DDoS, predominantly what you would find is they would be investing in intelligent DDoS mitigation systems such as the Arbor TMS, and they'd be deploying those solutions into their primary peering locations, potentially into centralized data centers, and then when they detected an attack using our Sightline platform, they would identify where it was coming in, they'd identify the target of the attack, and they'd divert the traffic across their network to those TMS locations, inspect the traffic, clean away the bad, forward on the good: protect the customer, protect the infrastructure, protect the service. What's happening now is that the shape of service provider networks is changing. So if we look at the way that content used to be distributed in service providers, they'd pull it in centrally, push it out to their customers. If we look at the way that value-added service infrastructure used to be deployed, it was very similar: they'd deploy it centrally and then serve the customer. All of that is starting to push out to the edge now. Content's coming in in many more locations, nearer to where it's delivered; value-added service infrastructure is being pushed into virtual network functions at the edge of the network, and that means that operators are not engineering the core of their networks in the same way they want to move DDoS attack traffic across their network so that they can then inspect and discard it. They want to be doing things right at the edge, and they want to be doing things at the edge combining together the capabilities of their router and switch infrastructure, which they've already invested in, with the intelligent DDoS mitigation capabilities of something like an Arbor TMS. And they're looking for solutions that really orchestrate those combinations of mitigation mechanisms to deal with attacks as efficiently and effectively as possible, and that's very much where we're going with the Sightline with Sentinel products.

Dave: Okay, and we're gonna get into that. You'd mentioned service providers. Do enterprises do it the same way, and what's different?

Darren: So some enterprises approach it in exactly the same way, so your larger-scale enterprises that have networks that look a bit like those of service providers: very much looking to use their router and switch infrastructure, very much looking for a fully automated, orchestrated attack response that leverages all capabilities within a given network, with full reporting, all of those kinds of things. For other enterprises, hybrid DDoS defense has always been seen as the best practice, which is really this combination of a service provider or cloud-based service to deal with high-volume attacks that would simply saturate connectivity, with an on-prem or virtually on-prem capability that has a much more focused view of that enterprise's traffic, that can look at what's going on around the applications, potentially decrypt traffic for those applications so that you can find those more stealthy, more sophisticated attacks and deal with them very proactively.

Dave: Do you, you know, a lot of times companies don't want to collaborate because they're competitors, but security is somewhat different. Are you finding that service providers, or maybe even large organizations but not financial services, that are, are they collaborating and sharing information?

Darren: They're starting to. So with the scale of DDoS now, especially in terms of the size of the attacks and the frequency of the attacks, we are starting to see, I suppose, two areas where there's collaboration. Firstly, you're seeing groups of organizations who are looking to offer services in a unified way to a customer outside of their normal reach. So, you know, service provider A has reach in region A, service provider B in region B, C in region C; they're looking to offer a unified service to a customer that has offices in all of those regions, so they need to collaborate in order to offer that unified service. So that's one driver for collaboration. Another one is where you see large service providers who have multiple kind of satellite operating companies, so, you know, you think of some of the big brands that are out there in the service provider world: they have networks in lots of parts of the world, then they have other networks that join those networks together, and they would very much like to share information kind of within that. The challenge has always been, well, there are really two challenges to sharing information to deal with DDoS. Firstly there's a trust challenge: so if I'm going to tell you about a DDoS attack, are you simply going to start doing something with that information that might potentially drop traffic for a customer, that might impact your network in some way? That's one challenge. The second challenge is in visibility: if I tell you about something, how do you tell me what you actually did, how do I find out what actually happened, how do I tell my customer that I might be defending what happened overall? So one of the things that we're doing in Sightline is we're building in a new smart signaling mechanism where our customers will be able to cooperate with each other: they'll be able to share information safely between one another, and they'll be able to get feedback from one another on what actually happened, what traffic was forwarded, what traffic was dropped.

Dave: That's critical, because you've mentioned the first challenge is you've got the balance of, okay, business disruption versus protecting, and the second is, hey, something's going wrong, I don't really know what it is, well, that's not really very helpful. Well, let's get more into the Arbor platform and talk about how you guys are helping solve this problem.

Darren: Okay, so Sightline, the Arbor Sightline platform, has been the market-leading DDoS detection and mitigation solution for network operators for well over the last decade. Obviously we were acquired by NETSCOUT back in 2015, and what we've really been looking at is how we can integrate the two sets of technologies to deliver a real step change in capability to the market, and that's really what we're doing with the Sightline with Sentinel product. Sightline with Sentinel integrates NETSCOUT and Arbor technology. So Arbor has traditionally provided our customers, our Sightline customers, with visibility of what's happening across their networks at layer 3 and 4, so very much a network focus. NETSCOUT has Smart Data technology. Smart Data technology is effectively about acquiring packet data in pretty much any environment, whether we're talking physical, virtual, container, public or private cloud, and turning those packets into metadata, into what we call smart data. What we're doing in Sightline with Sentinel is combining packet and flow data together, so you can think of it as kind of like colorizing a black and white photo. So if you think about the picture we used to have in Sightline as being black and white, we add this Smart Data, suddenly we've colorized it. When you look at that picture you can see more, you can engage with it more, you understand more about what was going on. We're moving our visibility from the network layer up to the service layer, and that will allow our customers to optimize the way that they deliver content across their networks. It will allow them to understand what kinds of services their customers are accessing across their network so that they can optimize their value-added service portfolios, drive additional revenue. They'll be able to detect a broader range of threats, things like botnet monitoring, that kind of thing, and they'll also be able to report on distributed denial of service attacks in a very different way. If you look at the way in which much of the reporting that happens out there today is designed, it's very much network layer: how many bits are forwarded, how many packets are dropped. When you're trying to explain to an end customer the value of the service that you offer, that's a bit kind of vague. What they want to know is how did my service perform, how is my service protected, and by bringing in that service layer visibility we can do that. And that whole smarter visibility engine will drive a new intelligent automation engine which will really look at any attack and then provide a fully automated, orchestrated attack response using all of the capabilities within a given network, even outside a given network, using the smarter signaling mechanism, whilst delivering a full suite of reporting on what's going on, so that you're relying on the solution to deal with the attack for you to some degree, but you're also being told exactly what's happening, why it's happening and where it's happening.

Dave: And your secret sauce is this the way in which you handle the metadata, what you call smart data, is that right?

Darren: Our secret sauce really is in, I think it's in a couple of different areas. So with Sightline with Sentinel, the smart data is really a key one. I think the other key one is our experience in the DDoS space, so we understand how our customers are looking to use their router and switch infrastructure, we understand the nature of the attacks that are going on out there, we have a unique set of visibility into the attack landscape through the NETSCOUT ATLAS platform. When you combine all of those things together, we can look at a given network and we can understand, for this attack at this second, this is the best way of dealing with that attack using these different mechanisms. If the attack changes, we alter our strategy, and building that intelligent automation needs that smarter visibility. So all of those different bits of our secret sauce really come together in Sentinel.

Dave: So is that really your differentiator from, you know, your key competitors, that you've got the experience, you've got obviously the tech? Anything else you'd add to that?

Darren: I think the other thing that we've got is the people. So we've got a lot of research kind of capability in the DDoS space, so we are delivering a lot of intelligence into our products as well now. It's not just about what you detect locally anymore, and we look at the way that the attack landscape is changing. I mentioned that attackers are researching and weaponizing new protocols; you know, we're learning about that as it happens by looking at our honeypots, by looking at our sinkholes, by looking at our ATLAS data. We're pushing that information down into Sightline with Sentinel as well, so that our customers are best prepared to deal with what's facing them.

Dave: When you talk to customers, can you kind of summarize for our audience the key business challenges? You talked about some of the technical ones; there may be some others that you can mention, but try to get to that business impact.

Darren: Yeah, so on the business side of it there's a few different things. So a lot of it comes down to operational cost and complexity, and also obviously the cost of deploying infrastructure, and both of those things are changing because of the way that networks are changing and business models are changing. On the operational side, everyone is looking for their solutions to be more intelligent and more automated, but they don't want them simply to be a black box. If it's a black box, it either works or it doesn't, and if it doesn't, you've got big problems, especially if you've got service level agreements and things tied to services. So intelligent automation to reduce operational overhead is key, and we're very focused on that. Second thing is around deployment of capability into networks. So I mentioned that the traditional DDoS mitigation kind of strategy was to deploy intelligent DDoS mitigation capability into key peering locations and centralized data centers. As we push things out towards the edge, our customers are looking for those capabilities to be deployed more flexibly; they're looking for them to be deployed on common off-the-shelf hardware; they're looking for different kinds of software licensing models, which again is something that we've already addressed, to kind of allow our customers to move in that direction. And then the third thing, I think, is really half opportunity and half business challenge, and that's that when you look at service providers today, they're very, very focused on how they can generate additional revenue. So they're looking very much at how they can take a service that maybe they've offered in the past to their top hundred customers and offer it to their top thousand or five thousand customers. Part of that is intelligent automation, part of that is getting the visibility, but part of that again is partnering with an organization like NETSCOUT that can really help them to do that. And so it's kind of part challenge, part opportunity there, but that's again something we're very focused on.

Dave: I want to come back and double down on the point about automation. Seems to me the unique thing, one of the unique things about security, is this huge skills gap, and people complain about that all the time. A lot of infrastructure businesses, you know, automation means that you can take people and put them on, you know, different tasks, more strategic, and I'm sure that's true also in security, but there's, because of that skills gap, automation is the only way to solve these problems, right? I mean, you can't just keep throwing people at the problem because you don't have the skilled people, and you can't take that brute force approach. Does that make sense to you?

Darren: It's scale and speed when it comes to distributed denial of service. So given the attack vectors are changing very rapidly now, because the tools support that, you've got two choices as an operator. You either have somebody focused on watching what the attack is doing and changing your mitigation strategy dynamically, or you invest in a solution that has more intelligent automation, more intelligent analytics, better visibility of what's going on, and that's Sightline with Sentinel, fundamentally. The other key thing is the scale aspect, which is, if you're looking to drive value-added services to a broader addressable market, you can't really do that, you know, by simply hiring more and more people, because the services don't cost in. So that's where the intelligent automation comes in. It's about scaling the capability that operators already have, and most of them have a lot of, you know, very clever, very good people in the security space. You know, it's about scaling the capability they already have to drive that additional revenue, to drive the additional value.

Dave: So if I had to boil it down, the business is obviously lower cost, it's, you mentioned scale, more effective mitigation, which, yeah, which, you know, lowers your risk, and then for the service providers it's monetization as well.

Darren: Yeah, and the more effective mitigation is a key one as well, so, you know, leveraging that router and switch infrastructure to deal with the bulk of attacks so that you can then use the intelligent DDoS mitigation capability, the Arbor TMS, to deal with the more sophisticated components, combining those two things together.

Dave: All right, we'll give you the final word, Darren. You know, takeaways and, you know, any key point that you want to drive home.

Darren: Yeah, I mean, Sightline has been a market-leading product for a number of years now. What we're really doing in NETSCOUT is investing in that. We're pulling together the different technologies that we have available within the business to deliver a real step change in capability to our customer base, so that they can have a fully automated and orchestrated attack response capability that allows them to defend themselves better and allows them to drive a new range of value-added services.

Dave: Well, Darren, thanks for coming on. You guys are doing great work. Really appreciate your insights.

Darren: Thanks, Dave.

Dave: You're welcome, and thank you for watching, everybody. This is Dave Vellante. We'll see you next time.

Published Date : Nov 14 2019

