The just-announced Fingerprint Sharing Alliance, a consortium of ISPs and telecommunications providers, should make it easier to share detailed data on attacks without delay.
"This is very empowering to any service provider because it facilitates a community for providers to get at the source of attack traffic and minimize the impact it has on everyone's networks and services," Dave Harcourt, head of network security for U.K. service provider British Telecom Wholesale, said in a statement.
Currently, experts say, such information is shared, but only through a manual and tedious process that, multiplied across the number of potential victims, quickly becomes unwieldy.
"We share everything ad hoc," said Rob Rigby, director of MCI Security Services. "But now this will allow those
The consortium, all users of Arbor Networks' Peakflow SP [Service Provider] platform, comprises MCI, Asia Netcom, British Telecom, Deutsche Telekom, ITC DeltaCom, ThePlanet, Verizon Dominicana, Rackspace and many other service providers from around the world. Arbor has a significant base of customers in the infrastructure security market, according to the company. Its Peakflow SP is used by all the Tier 1 service providers in the United States and the majority of global Tier 1 service providers and ISPs.
How it works
- 1. Using Arbor Networks' Peakflow SP, Service Provider A detects and mitigates a DDoS attack.
- 2. Service provider A securely sends the attack "fingerprint" to the relevant upstream providers affected by the attack.
- 3. After securely receiving the fingerprint, the information is used by the upstream ISP to trace back, analyze and mitigate the attack, thereby identifying and removing the infected hosts as close to the source [the Internet-based ingress point] as possible.
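The three steps above, as an added illustration that is not part of the original article and does not use Arbor's actual Peakflow SP fingerprint format (which the article does not describe). The fingerprint fields, the pre-shared key, and the flow records are all constructed for the example: Provider A describes the attack traffic it mitigated, authenticates the description with an HMAC so the upstream can trust it, and the upstream verifies it and matches it against its own flow records to find the ingress interfaces and source prefixes the attack is entering from.

```python
"""Hypothetical DDoS attack-fingerprint exchange between two providers.

Constructed example only; the field names, keying and matching rules are
assumptions, not the Peakflow SP format or protocol.
"""
import hashlib
import hmac
import ipaddress
import json
from collections import defaultdict

# Pre-shared key between Provider A and its upstream (constructed).
SHARED_KEY = b"example-psk-provider-a-to-upstream"

# Upstream provider's flow records (constructed). The first three rows are
# the 1400-byte UDP/53 flood; the last two are ordinary traffic that must
# not be swept up by the fingerprint.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp", "dport": 53,
     "len": 1400, "ingress_if": "ge-0/0/1", "pkts": 50000},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "proto": "udp", "dport": 53,
     "len": 1400, "ingress_if": "ge-0/0/1", "pkts": 42000},
    {"src": "192.0.2.20", "dst": "203.0.113.10", "proto": "udp", "dport": 53,
     "len": 1350, "ingress_if": "ge-0/0/3", "pkts": 8000},
    {"src": "192.0.2.44", "dst": "203.0.113.10", "proto": "tcp", "dport": 443,
     "len": 60, "ingress_if": "ge-0/0/3", "pkts": 300},
    {"src": "198.51.100.7", "dst": "203.0.113.99", "proto": "udp", "dport": 53,
     "len": 80, "ingress_if": "ge-0/0/1", "pkts": 100},
]


def build_fingerprint(target, proto, dst_port, pkt_len_range):
    """Step 1 (Provider A): describe the mitigated attack in terms an
    upstream can filter on: victim, protocol, destination port, packet size."""
    lo, hi = pkt_len_range
    return {"target": target, "proto": proto, "dst_port": dst_port,
            "pkt_len": [lo, hi]}


def _canonical(fp):
    # Stable serialization so both sides compute the HMAC over the same bytes.
    return json.dumps(fp, sort_keys=True, separators=(",", ":")).encode()


def sign(fp, key=SHARED_KEY):
    """Step 2 (Provider A): authenticate the fingerprint before sending it."""
    tag = hmac.new(key, _canonical(fp), hashlib.sha256).hexdigest()
    return {"fingerprint": fp, "hmac": tag}


def verify(msg, key=SHARED_KEY):
    """Step 3 (upstream): refuse fingerprints that were not sent by a peer
    holding the shared key, or that were altered in transit."""
    expected = hmac.new(key, _canonical(msg["fingerprint"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["hmac"])


def matches(flow, fp):
    """True if a flow record looks like the described attack traffic."""
    lo, hi = fp["pkt_len"]
    return (flow["dst"] == fp["target"] and flow["proto"] == fp["proto"]
            and flow["dport"] == fp["dst_port"] and lo <= flow["len"] <= hi)


def trace_back(flows, fp):
    """Step 3 (upstream): attribute matching packets to the ingress
    interface and /24 source prefix they arrived from, so the attack can be
    filtered as close to its entry point as possible."""
    by_ingress = defaultdict(int)
    by_source = defaultdict(int)
    for flow in flows:
        if matches(flow, fp):
            by_ingress[flow["ingress_if"]] += flow["pkts"]
            prefix = ipaddress.ip_network(f"{flow['src']}/24", strict=False)
            by_source[str(prefix)] += flow["pkts"]
    return dict(by_ingress), dict(by_source)


if __name__ == "__main__":
    msg = sign(build_fingerprint("203.0.113.10", "udp", 53, (1200, 1500)))
    if verify(msg):
        ingress, sources = trace_back(SAMPLE_FLOWS, msg["fingerprint"])
        print("attack packets by ingress interface:", ingress)
        print("attack packets by source prefix:", sources)
```

The HMAC stands in for whatever transport security the providers actually use; the point it makes is that an unauthenticated fingerprint is itself an attack vector, since a forged one would let a third party have an upstream filter legitimate traffic to a victim of its choosing.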
Benefits for enterprises, and the Internet, as well
"For mission-critical networks and the enterprise, the main benefit is having clean network pipes," said Farnam Jahanian, founder and chief scientist at Arbor Networks, a Lexington, Mass., network security provider. "If the enterprise is the source of the attack, the service provider can trace it back and tell the company which hosts are infected. If the enterprise is the victim of an attack, the service provider will be able [to] quickly mitigate the attack while communicating with the network operators who are sending the attack traffic, stopping the attack faster and closer to the source."
A standard around the corner?
"Everyone has to agree on a common form for sharing information, and that's time consuming," said Chris Morrow, a senior network consulting engineer at MCI. "We'd like to see the IETF standard RID [Real-time Inter-network Defense] come into play. A standard protocol would be a lot easier to use."
Arbor's Jahanian said the company plans to work with the standards bodies to provide the data format Arbor is implementing.
According to IETF documentation, the RID proposal would trace
"Arbor has 90% of the carrier market," said James Slaby, a senior security solutions and services analyst at The Yankee Group in Boston. "I'd be surprised to see many of its competitors jump on the bandwagon before it becomes a standard."
"It's not a panacea," Slaby added. "It doesn't mean the end of worms and denial-of-service attacks -- it's another brick in the wall and depends on carrier participation."
Added John Pescatore, vice president of Internet security at Gartner Inc.: "I think it is a great idea. If the major ISPs and anti-DDoS vendors supported a standard format and protocol for fast sharing of DDoS attack fingerprints, it should make it easier to stop these attacks further up the food chain. So, it is a great first step - but we need to see the ISPs cooperate and make some progress with this kind of thing. To date, they haven't moved very fast."