Since launching our cloud-based flow traffic analyzer, we’ve seen a lot of interesting takes and strategies on how to employ the DOSarrest Traffic Analyzer(DTA) from our customers. Whether Netops/Secops is focusing on an enterprise network or a multi-tenant hosting provider, DTA has been used to identify and monitor these security threats to their respective network operations:
1) DDoS Attacks – a cyberattack strategy, we here at DOSarrest are all too familiar with, Netops teams for the various enterprises and hosting companies are increasingly finding themselves reacting to an attack, where time is of the essence to identify and mitigate before it causes primary and collateral damage. The attacker realizes they don’t need anything too sophisticated to cause damage and flood the servers and network infrastructure with volumetric and/or protocol style attacks.
Many of the companies we have been working with have implemented multiple IDS platforms in strategic spots in their networks for quick identification and triggering of their DDoS mitigation solutions (cloud or on premise hardware). The problem with this strategy has been the monitoring, management and maintenance of these platforms, where they find it cumbersome to implement and integrate into their operations, details and alerts are either obtuse or incomplete.
With DTA and few simple command lines on their multiple routers, switches and firewalls, customers can get an immediate data overview, as flow data from a wide and disparate set of network devices is centralized into the DTA, and graphically enriched to provide detailed, searchable data with alert capability.
2) DNS Infrastructure – popular for the criticality and high degree of dependency upon an organizational DNS infrastructure, SecOPS must be vigilant for attacks on this critical asset. Whether it be a targeted attack on the Recursive cachers (which could kill access for thousands of users for an ISP), or the Authoritative DNS servers which would kill any lookups for however many domains it is hosting, an attack on DNS systems can have widespread effects. DNS systems can further be exploited to be part of an attack, and not just be a target. DNS reflection attacks, where attackers spoof the IP address of their real attack target and send queries that instruct the DNS server to recursively query many DNS servers or to send large responses to the victim. As a result, a company’s DNS servers can help drown a 3rd party victim’s network with their DNS traffic
With DTA, you can identify and isolate your, or your hosting customer DNS infrastructure, and set up monitors to quickly alert when it’s a target or is being used to attack another network.
3) Web Application Attacks – An attack vector that is increasing exponentially every year, web application attacks like SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF), try to break into applications and steal data for profit. Attackers can also target vulnerable web servers (where major CMS platforms have a major exploit on a quarterly basis) and install malicious code for various nefarious purposes.
In identifying where your critical web applications reside in your network, you can use DTA to monitor and alert on abnormal traffic patterns to and from your web applications.
4) File Servers & Data Exfiltration – Invariably organizations and hosting providers have systems/servers that contain extremely sensitive information (eg. Credit Card holder information) and thus is highly coveted by cyber criminals. These bad actors will attempt to copy, transfer or retrieve this data from these systems.
With DTA you have the ability to identify these sensitive systems and create a profile on what can be considered normal traffic based on source and destinations IP’s & ports, traffic levels and packet per second, and create alerts based on these profiles.
5) Zombie Servers and Malicious Software – Whether you run a 5 server stack, or 5000 server datacenter, there will be a point and time where a system will be ‘decommissioned’ but still spinning and on the wire, and are quite often forgotten till the next audit, whenever that is. These systems are often exploited by cyber criminals who install their own software suites for exploiting external entities or your other internal systems. And when they are exploited, their activities can go unnoticed for extended periods of time while they wreak havoc.
With DTA you can quickly identify when these rogue systems come to life and properly decommission before they do untold damage.
While these are some of the major themes we are seeing our customers use DTA to address, the situations are myriad and provides us ample ideas as we continue to develop this relatively new and exciting cloud product.
The beauty of this cloud-based service is, it’s so flexible our customers are actually able to request a graphical metric they want to see and we can create it for them and other customers in a few hours.
Jag Bains
CTO, DOSarrest Internet Security
