A Leading African Telecom Tests for DDoS Disruptions

A leading mobile network operator in Africa sought reassurance that its defenses were sufficient to mitigate DDoS attacks.

User requests sent to the company’s website are processed by its DNS services. The NETSCOUT Threat Mitigation System (TMS) is the first checkpoint, initially filtering out large-scale volumetric attacks. The traffic is then transferred to Arbor Edge Defense (AED), which looks for application and basic network-level attacks. After AED processing and mitigation, traffic is sent back to TMS for additional filtering of larger or more complex attacks. The traffic, now scrubbed by NETSCOUT’s AED and TMS, is then allowed to reach the company’s firewalls, routers and origin servers.

The Solution

The Red Button team designed DDoS testing that included six attack scenarios, all of which targeted a single company origin server. In order to bypass the company’s Imperva CDN service and test the NETSCOUT defenses, our simulated attacks went straight for the relevant IP address.

The NETSCOUT TMS had an enabled zombie detection feature, intended to identify threats from compromised devices in a botnet. As we did not feel this feature was the most appropriate mitigation measure for all potential threats, our tests included attacks with zombie detection disabled as well.

The Results

Three network attacks were immediately detected and mitigated, but a small-scale ESP Flood was not. While AED identified the excessive traffic, neither AED nor TMS responded to it with mitigation measures.

The two application layer attacks – a GET Flood and a POST Flood – were not mitigated by AED or TMS. As a result, the targeted website experienced increased latency and intermittent downtime of varying severity.

Recommendations

Based on the mixed results, Red Button recommended that the company take the following measures:

  • Improve traffic filtering: To minimize exposure to ESP Floods and narrow the threat landscape, limit requests using ESP, AH or IKE protocols to assets specifically utilizing IPSec. TMS and AED filtering should be updated to deny such traffic to all other destinations.
  • Address rate limit issues: Contact NETSCOUT to clarify why custom-configured rate limit rules did not activate during testing. In addition, enable HTTP request rate limiting in AED and review protection settings in both AED and TMS.
  • Retest origin assets: After applying the configuration changes, test defenses against both application-layer (L7) and tunneling (L3+4) attacks.
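As an added example (not code from the Red Button report or from NETSCOUT), the first recommendation expressed as a policy check: ESP, AH and IKE are accepted only toward the assets that terminate IPsec and denied to every other destination. The asset addresses and sample flows are constructed; the protocol numbers and IKE ports are the standard IANA values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers and IKE ports named by the recommendation (UDP/4500 is NAT-T).
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORTS = {500, 4500}

# Constructed: the only host in the sample estate that terminates IPsec.
IPSEC_ASSETS = [ip_network("203.0.113.10/32")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    packets: int = 1

def is_ipsec_traffic(flow: Flow) -> bool:
    """True for ESP, AH or IKE, the three protocols the recommendation names."""
    if flow.proto in (PROTO_ESP, PROTO_AH):
        return True
    return flow.proto == PROTO_UDP and flow.dport in IKE_PORTS

def decide(flow: Flow) -> str:
    """'allow' or 'deny' under the tightened rule. Traffic that is not
    ESP/AH/IKE is out of scope here and left to the other filters."""
    if not is_ipsec_traffic(flow):
        return "allow"
    dst = ip_address(flow.dst)
    return "allow" if any(dst in net for net in IPSEC_ASSETS) else "deny"

def summarize(flows) -> dict:
    """Packets denied per destination: what to check when replaying an ESP
    flood against the rule before trusting it on the TMS/AED path."""
    denied: dict = {}
    for f in flows:
        if decide(f) == "deny":
            denied[f.dst] = denied.get(f.dst, 0) + f.packets
    return denied

# Constructed sample: an ESP flood and stray IKE at the web origin, a real
# VPN peer talking to the IPsec gateway, and ordinary HTTPS to the origin.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.20", PROTO_ESP, packets=5000),
    Flow("198.51.100.8", "203.0.113.20", PROTO_UDP, 500, 200),
    Flow("198.51.100.9", "203.0.113.10", PROTO_ESP, packets=300),
    Flow("198.51.100.9", "203.0.113.20", PROTO_TCP, 443, 40),
]
```

Calling `summarize(SAMPLE_FLOWS)` returns `{'203.0.113.20': 5200}`: the ESP flood and the IKE packets aimed at the web origin are denied, while the VPN peer's ESP to the IPsec gateway and the HTTPS traffic pass.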

 
