BT Global Services
December 2012 (Issue 1)
To support our global customers managing complex systems and network security, BT Assure provides a straightforward and cost effective solution. A focused set of propositions are offered to help expanding organisations address security in the critical areas of their business. BT’s experience in Secure Networking, Business Continuity and Identity & Access Management ensures that our customers stay ahead of threats and vulnerabilities as they open their applications and networks to a wider global audience.
We organise our BT Assure portfolio around simple core ideas, and look for ways to integrate capabilities so our customer’s enjoy the combined benefits of all our expertise. For example, a security assessment from BT Assure will be delivered using both BT Assure and BT Advise capabilities. This combines deep security expertise with expert design and methodology.
A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
This is achieved by a flood of incoming messages to the target system, usually from a network of compromised hosts (botnets), which essentially forces it to shut down, either by overloading the web server, firewall or saturating the communications link, thereby denying service to the system to legitimate users.
We offer Assure Denial of Service Mitigation through Internet Connect UK (formerly BTnet), our ultra-resilient core network and the biggest of its kind in the UK.
Assure Denial of Service Mitigation guards against the three main types of attack:

Misuse attacks against specific web servers – Internet Control Message Protocol
(ICMP), Transmission Core Protocol (TCP) NUL, TCP SYN, TCP RST, IP NULL, IP
Fragment, IP private address space and Domain Name System (DNS) flood attacks.

Profile anomalies – including high-bandwidth threats like User Datagram Protocol (UDP) floods.

Application attacks – including repeated Hypertext Transfer Protocol (HTTP) GET website commands, DNS flood attacks on DNS servers and malformed DNS requests.
•
Over the past few years, the size and frequency of DDoS attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their target’s network infrastructure. The largest attacks, measured in Gbps
(Gigabits per second), have grown from 10Gbps to 100Gbps in 6 years.
Page 1

•
Not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications (e.g., SIP, DNS, HTTP or VoIP) with smaller, more stealth attacks. Over a quarter of DDoS attacks are now Application-
Based.
Individuals and organisations choosing to ‘fight a cause’ online are increasingly using botnets
(some self-electing) to affect an impact on well-known Brand Names. Any organisation with IP based networks, applications or devices are a potential target.
With BT Assure Managed Security Services your customers can get the most powerful network security available from the world’s most trusted network security provider. It’s important that they optimise their operations while staying protected against the ever-changing threats to their network. Addressing the complex challenges and costs of giving their network adequate round the clock protection is a big job.
Our solutions have helped customers reduce their security operating costs by up to 30 per cent, with added freedom coming from the choice of deployment options available: cloud, data centre or in-house hosting.
BT’s DDOS mitigation solutions sit within this portfolio area.
BT is recognised as one of only 3 providers ranked as ‘strong positive’ in Gartner’s Market Scope for Managed Security Services in Europe, 2011. BT is recognised for improved customer feedback in Europe, an extensive security service portfolio and key messages that emphasise simplicity, cost reduction, compliance and asset protection. Our differentiation focuses on security embedded in the network, skilled resources and a global infrastructure. BT’s strengths include:
- A resilient operations infrastructure and BT's responsiveness in incident reporting
- The quality of its internal operational processes (for example, quality assurance)
- The skills of its engineers and the ability to listen, respond and adjust to client requirements.
BT Assure DDoS
The standard service is available on UK networks only and includes the following attributes:

Web based Customer Portal provided

Single Customer Portal user id provided

A single internet service connection is monitored.

BT sets detection parameters based on information on the Data Capture Form

Changes to detection parameters, when the bandwidth or the IP address range of the internet connection changes, will be triggered by an email from the order entry system. (in the same way as for initial provision).
The service offered to customers is purely based on an automatic response by the system when thresholds agreed on installation are exceeded. If the system fails to detect an attack or if it starts an auto-mitigation and the traffic delivered to the customer still results in their service being unavailable to their legitimate customers, then they can seek assistance via the normal Internet
Connect UK (formerly BTnet) Fault reporting process.
Page 2

So the actual customer journeys would be as follows.
1. Arbor system detects traffic that has exceeded the high threshold to cause an automatic mitigation to occur. a. After 10 minutes of consistently exceeding the high threshold the Threat Mitigation
System (TMS) instigates divert of traffic. b. Diverted traffic flows through the TMS and using the previously agreed Mitigation template attempts to ‘clean’ the traffic. c. i.
Possible outcomes of above process
TMS successfully blocks all ‘bad’ traffic and customer is happy.
1. TMS continues to block traffic until Anomaly that triggered the mitigation has fallen below the thresholds for detection of a low anomaly for a latency period of 10 mins. The TMS then with draws the route and traffic returns to normal path. ii. The Arbor system has triggered the TMS inappropriately (false positive)and the mitigation countermeasures are having an undesired effect on their user experience.
1. Customer would have to call the Internet Connect UK (formerly BTnet) help desk and ask for the Mitigation to be halted.
2.
3.
Fault passed to IPMC they could halt the mitigation if confident in the outcome, else
IPMC call DDoS Team iii. The Arbor system has triggered the TMS from a valid anomaly but fails to provide successful mitigation due to the way that the attack has been crafted.
1. a fault
Customer would have to call the Internet Connect UK (formerly BTnet) fault desk and log
2.
3.
4.
Fault passed to IPMC
IPMC call DDoS Team who work with the customer to fine tune the mitigation.
The mitigation then becomes a manual mitigation and requires manual intervention to be stopped (E.G. does not end when the anomaly that triggered it finishes)
2. The Arbor system identifies the attack but the TMS fails to trigger a mitigation, resulting in the traffic still being delivered to the customer. i. There could be two outcomes to this scenario
1. The IPMC would notice this (Possibly not likely as their main purpose in life is to deal with network failures not these types of customer specific alerts and could always be overlooked)
2. Customer would have to call the Internet Connect UK (formerly BTnet) fault desk and log a fault a. Fault passed to IPMC. b. IPMC investigate possible issue with infrastructure that surrounds the Arbor Detection/
Mitigation capability. c. IPMC exhaust their knowledge and call out DDoS support team.
A post mortem report will be available directly to the customer from the portal for the customer to access.
BT Assure DDOS mitigation service uses sampled “netflow” information from network routers to detect attacks, Parameters being monitored include the:

Level of traffic towards all IP addresses in PPS

Automatic profiling
Page 3

 Misuse o DNS o ICMP in PPS (packet per seconds) o IP Fragment in PPS o IP NULL in PPS o IP Private in PPS o TCP NULL in PPS o TCP RST in PPS o TCP SYN in PPS.
The BT Assure DDOS mitigation solution detects a wide range of undesirable traffic and reduces the load on the web servers through the blocking of attack traffic while allowing valid traffic to pass. “Unauthorised” are hosts that present anomalies around:

Http authentication

Number of Http requests for single objects from a single source

Number of Http requests from a single source to multiple objects.

Http malformed

Time for TCP idle session timeout - (This prevents sessions being maintained if there is no traffic inbound)

TCP syn authentication timeout - (This is an anti-spoofing measure that requires a reset packet to be sent on the first connection of a successful TCP handshake. The connecting device must be able to deal with this initial reset packet and request the connection again. Most browser clients will do this)

DNS Authentication Timeout

DNS Malformed

VOIP SIP Malformed

VOIP SIP source Limiting

Zombie Detection BPS - (This is the number of bits per second that you would not expect a single source to be constantly requesting data from your site.)

Zombie Detection PPS - (This is the number of packets per second that you would not expect a single source to be constantly requesting data from your site.)
The BT Assure solution can provide reports on anomalies detected; firstly BT provides high level attack information
Page 4

Customers can then drill down into this information on attack traffic pattern and the source and destination of the attack.
The BT Assure DDOS mitigation solution passes traffic to TMS (Threat Management System) when under attack, this layer provides an ability to absorb multi gigabits per second of spurious traffic while enabling valid traffic to pass.
BT’s service is designed for maximum efficiency. The sensors are at carefully chosen points in the network; resilient, regularly updated and logs can be captured for forensics. BT’s service delivers the TMS with experienced staff, high quality correlation, and regular updates, customer tuning.
Page 5

Page 6

• 1 one off Installation charge of £1,245.00 for 1 year contract (waived for 3 and 5 year
•
•
•
•
•
•
• terms)
•
1 Annual rental based on Customer Bearer Bandwidth.
1 Managed Object (generic for all applications/IP addresses)
1 Mitigation Template (generic for all applications/IP addresses)
1 Alerting service
1 Weekly Report
1 Automatic mitigation service
1 Portal account read only for alerts
1 Best efforts support if auto mitigation fails to mitigate attack
7
Page 7