As the second-largest telecommunications carrier in Canada, TELUS Corp. needed a more efficient way to track and prevent crippling DoS attacks. Manually logging in to routers and tracking anomalies took too long and was just plain cumbersome.
“We have a number of engineers who would manually try to track down attacks after a customer phoned in to report an attack,” said Leonard Hendricks, TELUS Corp.’s director of marketing.
“Obviously, if you are doing that manually, it’s a very labor-intensive means of doing it. Especially where you have a coast-to-coast network, attacks can be coming from one or many points across your network,” which makes it all the more difficult to isolate and filter them out, Hendricks added.
DoS attacks, in which networks and systems are bombarded with bogus traffic that disrupts legitimate services, are occurring with increasing frequency and virulence. TELUS, which offers data, Internet, voice, and wireless services to millions of customers across Canada, is currently upgrading an OC-48 network to a 10-Gb environment. As part of the overhaul, the enterprise went on the hunt for technology to thwart the DoS threat.
Determining the best solution
After evaluating DoS prevention tools from three different vendors, the telecommunications carrier opted for Arbor Networks’ Peakflow system because it can track high volumes of traffic moving at high speeds without disrupting network performance. The Peakflow DoS product detects abnormal traffic patterns by comparing them against an established baseline of normal network traffic. It then helps IT operators filter out bogus traffic.
TELUS engineers put all three DoS prevention tool candidates through rigorous simulated DoS attacks to gauge how each would hold up during an actual attack. Since Peakflow doesn’t sit in the network—collector devices are placed near routers and pull traffic information from those routers—there’s less chance of the DoS prevention system disrupting the network, Hendricks explained.
TELUS has four collectors deployed across the network core. Multiple Cisco routers feed information into each collector, which then sends information indicating abnormal behavior to Peakflow controllers. The controllers trace the traffic back to its source or port of entry. An IT operator is notified via e-mail, pager, or SNMP alerts and is provided with a traffic profile. The system then recommends steps IT administrators can take either through router filters or firewall rules to stop the anomalous traffic.
No traffic filtering wanted
In choosing the solution, the one thing TELUS didn’t want was a product that would start automatically filtering traffic.
“In our case, because of the network nodes and amount of traffic going around, we felt if we had a system that automatically started [filtering], we would lose control of our network and it may start to do things we didn’t want it to do,” said Hendricks.
For instance, if a customer turned on a new Web site that suddenly generated a spike in traffic, it could look like a DoS attack. Automatic filtering would shut down that traffic in the core of TELUS’ network immediately without asking for authorization.
“We would end up with one rather upset customer,” Hendricks noted. “We just can’t afford to be shutting customers down. If it were an HTTP DoS attack, we would shut an entire customer down if that filter were broad enough. If you’re a customer, that might not be what you want us to do.”
Instead, Peakflow lets an engineer or operations person look at that spike and determine if a customer has a trouble ticket open that indicates there will be a surge in traffic. If they are unsure, they can contact the customer and find out whether or not the customer was expecting a surge in traffic.
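The workflow described above (a per-customer traffic baseline, a threshold that flags abnormal volume, traceback to the ingress routers, and a human check against open trouble tickets before any filter is applied) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Peakflow code and not TELUS' own tooling. All prefixes, router names, volumes and tickets are constructed sample values, and the threshold rule (mean plus three standard deviations, floored at 1.5 times the mean) is an assumption chosen for the example rather than anything the article attributes to Arbor.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# --- Constructed sample data (hypothetical values, not TELUS measurements) ---

# Bytes per second seen towards each customer prefix in past 5-minute intervals.
HISTORY = {
    "203.0.113.0/24":  [4_000, 4_200, 3_900, 4_100, 4_050, 3_950],
    "198.51.100.0/24": [12_000, 11_500, 12_300, 11_900, 12_100, 12_200],
    "192.0.2.0/24":    [7_000, 7_100, 6_900, 7_050, 6_950, 7_000],
}

# Current interval as reported by the collectors: volume, dominant protocol and
# the ingress routers that saw the traffic (the traceback information).
CURRENT = {
    "203.0.113.0/24":  {"bps": 95_000, "proto": "tcp/80", "ingress": ["edge-yvr-1", "edge-yyz-2"]},
    "198.51.100.0/24": {"bps": 12_400, "proto": "mixed",  "ingress": ["edge-yyz-1"]},
    "192.0.2.0/24":    {"bps": 60_000, "proto": "udp/53", "ingress": ["edge-yul-1", "edge-yvr-2", "edge-yyc-1"]},
}

# Open trouble tickets announcing an expected surge (constructed).
TICKETS = [
    {"prefix": "203.0.113.0/24", "note": "customer launching new web site today"},
]


@dataclass
class Finding:
    prefix: str
    bps: int
    baseline_bps: float
    ingress: list
    status: str          # "expected-surge" or "needs-review"
    recommendation: str  # text for the operator; never applied automatically


def build_baseline(history, k=3.0, min_ratio=1.5):
    """Per-prefix threshold: mean + k*sigma, but at least min_ratio * mean so a
    flat history with near-zero variance does not trip on small wobbles.
    (Assumed rule for this example, not the product's algorithm.)"""
    baseline = {}
    for prefix, samples in history.items():
        mu, sigma = mean(samples), pstdev(samples)
        baseline[prefix] = {"mean": mu, "threshold": max(mu + k * sigma, min_ratio * mu)}
    return baseline


def detect_anomalies(current, baseline):
    """Return prefixes whose current volume exceeds their baseline threshold."""
    return [p for p, obs in current.items()
            if p in baseline and obs["bps"] > baseline[p]["threshold"]]


def recommend(prefix, obs):
    """Suggested filter for the operator to review; scoped as narrowly as the
    observed profile allows (protocol + destination), not a blanket block."""
    return (f"candidate ACL: deny {obs['proto']} to {prefix} at "
            f"{', '.join(obs['ingress'])}; confirm with customer before applying")


def triage(current, baseline, tickets):
    """Human-in-the-loop: anomalies covered by a trouble ticket are labelled
    expected; everything else is queued for operator review with a profile."""
    expected = {t["prefix"]: t["note"] for t in tickets}
    findings = []
    for prefix in detect_anomalies(current, baseline):
        obs = current[prefix]
        if prefix in expected:
            status, rec = "expected-surge", f"no action: ticket says '{expected[prefix]}'"
        else:
            status, rec = "needs-review", recommend(prefix, obs)
        findings.append(Finding(prefix, obs["bps"], baseline[prefix]["mean"],
                                obs["ingress"], status, rec))
    return findings


if __name__ == "__main__":
    for f in triage(CURRENT, build_baseline(HISTORY), TICKETS):
        print(f"{f.prefix}: {f.bps} B/s vs baseline {f.baseline_bps:.0f} "
              f"[{f.status}] seen at {', '.join(f.ingress)} -> {f.recommendation}")
```

Run as a script, the example flags two of the three prefixes: the one with an open ticket is labelled an expected surge and gets no recommendation, while the unexplained spike is queued with its ingress routers and a narrowly scoped candidate filter. The point mirrored from the article is that `triage` only produces text for a person to act on; nothing in the script touches a router.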
A proactive approach
Since Peakflow is connected to TELUS’ trouble management system, IT operators can look at problems before customers call.
“Because we now have only one console, it collapses all the information for us in a much more usable format. So engineers don’t have to log in to umpteen routers to figure out where the attack is coming from, both from an IP perspective as well as what POP, what routers. Before, all of that was manually collected,” Hendricks explained.
Additionally, if customer service elects to not cut a trouble ticket on an attack it deems unconfirmed or not serious, IT operators don’t have to guess about the problem. They can simply log in to Peakflow and get a better view of what is happening.
Peakflow tracks the history of an event, so operators know the duration of an attack and its volume level. “Previously we wouldn’t know, so we had no basis for correlating a degradation of service for a customer to an attack,” Hendricks said.
Expanding the solution
Peakflow has been installed in the company’s production environment for three months, and TELUS plans to order four more Peakflow collectors for deployment at the distribution level—the next layer out from the network core.
Hendricks believes that tools like Peakflow, if deployed networkwide, can make a difference in stopping DoS attacks like those that brought down major Web sites two years ago.
“I think it will make a substantial difference just in giving service providers the ability to act quicker,” Hendricks said. “In order to really effectively deal with large-scale attacks, service providers have to be working together....[In] a lot of cases, once it makes it to the Web site of the enterprise, it is a bit too late.”