Johan Balijon, Head of Global Services at Orange Business Services, Russia and the CIS, kindly agreed to answer questions from Anti-Malware.ru. This interview is part of the "Faces of the Industry" series of articles.
Let's talk about the basics. What is a "DDoS attack" from Orange Business Services' point of view?
DDoS is a distributed denial-of-service attack coming from a large number of computers. Typically, traffic is sent to the victim from computers infected with malicious software (botnets). The victim can be a website or an online service. As a result of the attack, users cannot reach or use it. The problem is that it is not possible to insulate oneself from the attacks entirely, but special methods can reduce their impact on the functionality of the resource and filter out spurious traffic.
How has the understanding of DDoS attacks evolved in the last few years?
Unfortunately, the frequency and power of DDoS attacks increase every day. Attacks on a scale of gigabytes per second are no surprise. A large number of DDoS attacks affect NTP (Network Time Protocol, a protocol for synchronizing the internal clock). Somewhere around 7-8% of all NTP servers are still using older versions of software that make them vulnerable. This back door is used by cybercriminals. When it is closed, there will surely be another shortly thereafter, and then another. This process is endless.
What are the most popular types of malicious attacks?
Usually attacks are carried out at layers 3 or 4 of the OSI model (the network and transport layers, respectively). Attacks at layer 7 (the application layer) are rare, but are gradually gaining popularity.
What are the sources of DDoS attacks, and are there any trends?
The sources of attacks are infected computer devices connected to botnets. Android-based mobile devices, which are part of botnets, have also become sources of DDoS attacks. Sometimes the attacks come from botnets comprised of infected servers.
Most of the attacks are still coming from the U.S., but recently attacks from China have started to gradually gain momentum. Asia's economy is booming, and we think that in the near future China will be the first country on the list of DDoS attack sources. This is because there is a large number of computers with outdated Windows XP that are often pirated and which do not have security updates installed. Thus, these computers will inevitably become part of various botnets.
Which companies are most prone to DDoS attacks? Who is at risk?
DDoS attacks may target all companies that have resources on the Internet. Financial institutions' online banking sites, social networks, online media and, for some reason, travel agency sites are very popular with cybercriminals.
Some time ago, our site was also attacked. We simply did not know who to call or what to do. It was very troublesome.
A great example! Your site discloses information which is detrimental to attackers. Most likely, that's why you became their target. One well-known blogger, Krebs, has often undergone DDoS attacks, and has written in great detail in his blog about how they are organized.
What are the reasons for attacks? What motivates attackers?
The motives for DDoS attacks can be very different. Attackers disrupt sites so that they cease to function, to halt the sale of products and so that owners stop making money. These attacks may be the work of unscrupulous competitors.
Some people simply may not like certain websites. The easiest way to get rid of unwanted information is to make it inaccessible to ordinary users by using DDoS attacks.
Can you give us some examples of DDoS attacks from your experience in Russia?
Since we are discussing security, we cannot disclose confidential information about clients. But I can say that in recent months the number of attacks on Russian companies has grown, predominantly in the financial sector. Some of them were over 40 Gb/s.
Perhaps in the future their number will decline, but this will only happen if they discover other ways to attack those who are the victims of hackers.
Are there ways to protect against such powerful attacks?
Today, botnets contain such a large number of computers from which to conduct attacks that we, like other vendors, can only minimize the damage. It simply is impossible to completely stop such attacks. We manage to keep the websites and their services functioning, even during the attack. While we are trying to stop it, users can connect to the site via an alternative communication channel.
How well do companies in Russia understand the threat of DDoS attacks, and are they interested in taking protective measures?
The situation with security services is similar to the work of insurance companies. They only turn to us after something bad has happened. We cannot say that this characteristic is only true of Russian companies. We are seeing the same thing in Europe. When there is a DDoS attack, they come running to us and ask where they have to sign to make it all stop. Most website owners think that this problem simply won’t concern them.
Could it be worth positioning your services as a kind of insurance against DDoS?
Good idea! For many, it’s worth thinking about insurance against potential damage. If decisions are made ahead of time, they will protect against attacks; this will ensure the continuous operation of your company and help avoid financial and reputational losses.
How do you assess the potential of the Russian market for protection from DDoS?
If we are speaking of customers, the potential is immense. Many companies have not yet experienced DDoS attacks. Business vulnerability increases with dependence on online services. It is one thing when you sell products through a network of retail stores (physical outlets), quite another when the majority of your sales are online. If the site does not work for a few hours, it can survive, but if the attack lasts a few days, then it may be time to start talking about the risk of bankruptcy. More and more Russian companies are beginning to work on the net, and therefore the demand for our services grows proportionally.
Let’s talk a little about your company. We know Orange primarily as a telecommunications company. Why did you decide to engage in information security?
We started as a telecommunications company, but our main objective is to provide services related to the World Wide Web. We provide not only communication channels for our customers, but also managed services for local area networks and IP telephony. Additionally, we can provide various services for clients using our resources, for example, Microsoft Exchange, as well as providing access to cloud storage. Security becomes a key component of these types of services.
Thus, part of our service portfolio consists of outsourcing services (note: under the SaaS model) via proxy server management and protection against malware and DDoS. The client chooses what s/he needs. We provide a full range of services for some very large companies in Russia and around the world, in a variety of industries, including the financial and manufacturing sectors. The information security services in our portfolio are also part of our business strategy at Orange.
We are constantly conducting research on what our clients would like to receive and try to take it into account in Orange's development strategy. Our industry is rapidly changing and evolving. What seemed completely new yesterday looks quite commonplace today, and will be obsolete tomorrow. Several years ago we noticed that the number of DDoS attacks was starting to grow rapidly, and therefore we considered security technologies that we could offer to clients.
What do you call your service for protection against DDoS attacks?
Our service is called Internet Umbrella.
Is it possible, with your help, to investigate DDoS attacks and find out what happened?
Cybercriminals are taking many steps to prevent getting caught, and they are very successful. Of course, we can view the network packets, but the IP addresses in these packets are always fake (note: from infected botnet devices); all those involved are working behind the scenes. Finding the perpetrator and sponsor of attacks is virtually impossible.
There were cases of enormous traffic from one subnet with a single IP address. It was not all malicious, and a portion came from ordinary users. It would seem possible to block this address and the problem would be solved, but then you’d restrict access for a number of legitimate users. I don't think it can be considered a solution.
Sometimes, however, we can identify the real initiator of the attack and grab a botnet, but the perpetrators and sponsors still remain hidden. Not long ago, Microsoft seized control of several large botnets and liquidated them. Unfortunately, it only helps for a while, because new botnets continue to appear and vulnerable systems will always be around.
I understand that the service is provided with the equipment from a well-known vendor. Why don't clients just purchase the equipment for themselves? What value does Orange Business Services add?
Here, it is a question of choice: whether to outsource the services or do it all on your own. When your car breaks down, you take it to be repaired by a specialist, because the people working there know how to do it quickly and efficiently. You can buy software and hardware to protect against DDoS, but to make it work you need good experts with relevant expertise. Orange employs experts of this kind. They know our service very well and protect customers' resources 24/7.
And there is a technical aspect. Imagine that your Internet access is 100 Mb/s. You install the software and hardware that you’ve purchased, and at some point someone starts to attack you. Even if you filter out spurious traffic, and it does not disrupt your internal network or server, the channel will still be clogged. As a result, legitimate users will still have great difficulty in gaining access to your resources. Internet Umbrella uses a network with a very large bandwidth that is not that easily choked. Therefore traffic is filtered on our side to minimize the impact of DDoS attacks on ordinary users.
What is more advantageous when purchasing protection against DDoS: subscribing to a service or buying software and hardware?
You can purchase a subscription to our service for three years for the price of a good hardware-software complex. If you plan to use this complex for a longer term, it would be better to buy, but then you will have to hire several professionals who will monitor the protection to make sure it is working correctly. One will not be enough, since he/she cannot independently provide round-the-clock protection. Of course, modern means of countering DDoS can operate in automatic mode, but sophisticated attacks require the intervention of professionals who will prioritize their response. This is the fundamental difference in the approaches. The last thing you need to consider is the damage from a possible attack. What will blockage of Internet resources for one, two, or three days cost the company? How will it affect its reputation? What will the financial loss be? Here, we go back to the issue of insurance and evaluate how much we need good quality protection.
We understand that a subscription to a DDoS protection service is not necessarily the cheapest option, but it ensures that protection is provided by experts who are constantly monitoring the situation and, if necessary, will take the required measures. If you do it yourself, it is possible that you will only learn about the onset of an attack several hours after it begins. Here, your corrective action will resemble firefighters who come to a call and try to extinguish roaring flames.
What are the benefits of your services in comparison with your competitors, for example, Akamai, Prolexic, or Kaspersky Lab?
We have a protection service and our own infrastructure and channel. We act as a sort of "one stop service". It is much easier for the customer, in organizational and technical terms, to have one contract, one service provider, and a single source for technical support.
What are your plans for the development of your DDoS protection services in the near future?
Maintain a high standard of service. On the one hand, we need to care about the performance of our platform, while on the other hand, the security system and the people who are working with it are also very important. We must always know what to do if a new type of attack occurs. Therefore, we also closely follow the latest trends in the field of information security.
Interview conducted by Alexander Panasenko.