iWelcome offers a mission critical infrastructure service to its customers.
Its IDaaS platform provides Identity & Access Management (IAM) functionality to manage the access and identity lifecycle of corporate users (employees, customers, partners, consumers). It covers various IAM processes, such as (and not limited to) provisioning services, authentication & federation services, self-service, service desk, user management and auditing & logging services.
iWelcome has taken extensive measures in ensuring business continuity of its IDaaS service in an operational context. One nightmare scenario for any external accessible service remains: the service becomes victim to an intentional external attack aimed to bring down the availability of the service by bombarding the service with massive traffic volumes. This attack type is referred to as a Distributed Denial of Service (DDoS) attack.
iWelcome and its datacenter provider GTT have therefore set up a service to mitigate the impact of DDoS attacks by redirecting malicious traffic before it reaches the IDaaS service.
DDoS attacks are attempts to make a computer or network device unavailable to legitimate users. A common attack method is to bombard an attack target with massive volumes of requests to open a connection.
The target host normally cannot cope with such a large number of session requests and simply stops responding, rendering it useless. The DDoS attack also swamps a customer’s Internet connection, blocking traffic from legitimate sources.
The reasons for DDoS attacks vary, however common motivations are political, competitive, criminal, social activism or even a disgruntled ex-employee. The person who wants to attack a specific individual or organisation (the sponsor) is rarely the same person who actually conducts the DDoS attack. The sponsor typically pays an unrelated attacker to initiate and control the attack.
A common attack method is for an attacker to use thousands of compromised Internet connected computers to form a ‘botnet’ which simultaneously send multiple requests to open a network session with a host or network device owned and operated by the attack target. As the attack grows the traffic generated by the botnet aggregates and begins to swamp the target’s Internet connection and hosts machines, effectively disconnecting them from the Internet.
DDoS attacks are, unfortunately, a fact of life on today’s Internet and the frequency, size and sophistication of attacks is increasing each year. DDoS attacks actually can be simply bought from the Internet.
From an enterprise’s perspective a DDoS attack can render its Internet connection or the targeted host(s) useless quickly, effectively disconnecting them from the Internet. This means an enterprise may have lost its ability to transact ‘online’ and the enterprise site will suffer bad PR by being unavailable.
In the situation of IDaaS, a targeted DDoS on the IDaaS private cloud of the organisation may lead to unavailability of critical functionality for authentication, access and connectivity to applications, effectively prohibiting users to access any of the enterprise’s data or systems.
Note: The impact of a DDoS attack on IDaaS greatly depends on the entire Identity infrastructure of a specific iWelcome customer. Hence each iWelcome customer will need to assess the DDoS risk and impact for its specific situation to determine the width of mitigation measures to be taken. These may reach beyond the mitigation service provided by iWelcome.
DDoS mitigation works by redirecting Internet traffic destined for a customer’s IDaaS environment (Tenant) or the underlying network infrastructure through a number of Threat Management Systems (TMSs). The TMSs analyse the customer’s traffic flow based on peak traffic rates, attack signatures and packet inspection techniques based on protocols, IP addresses, port numbers and other data to identify and drop malicious DDoS attack traffic.
iWelcome’s DDoS Mitigation Service is a service provided by iWelcome and its datacenter provider GTT to effectively mitigate the impact of DDoS attacks. During an attack the customer’s traffic is redirected through the DDoS Mitigation platform, which intelligently identifies and drops malicious attack traffic in the datacenter's core network before it reaches the iWelcome platform where it may cause the most damage.
Historical techniques for dealing with DDoS attacks, such as ‘black hole’ routing, stopped all traffic from reaching the DDoS attack target. Whilst ‘black hole’ routing is effective at protecting a site or data centre it ironically achieves the same result as the DDoS attack because it blocks all traffic, good and bad.
iWelcome’s DDoS Mitigation Service uses Network Collectors and Threat Management Systems located at strategic POPs in iWelcome’s datacenter’s IP backbone, to analyse, identify, and discard malicious DDoS attack traffic before it reaches the iWelcome platform and its customer tenants. By dropping the malicious traffic in this backbone, iWelcome’s Internet connection, IDaaS platform and customer tenant do not become saturated with DDoS attack traffic and remain operational.
Attacks can be detected by:
- The customer
- iWelcome’s datacenter
If the customer detects an attack it will contact iWelcome via iWelcome’s support center using the methods and communication protocols for raising a P1 incident. iWelcome will execute a swift triage and enables the DDoS mitigation service if required.
If iWelcome or iWelcome’s datacenter detect a volumetric attack, iWelcome will contact the customer’s designated authorized person for calamity incidents to advise that an attack is occurring and confirm that it is acceptable to enable DDoS Mitigation. This procedure will be followed unless:
- upon discretion of iWelcome the intensity of the attack cannot wait for approval
- threatens more iWelcome customers
- the entire IDaaS Platform
Principally DDoS Mitigation will only be enabled with customer consent, ensuring that mitigation is not activated and traffic is not re-directed due to non-malicious activity known to the customer (however not reported as per SLA to iWelcome), such as a special event that causes a large increase in traffic or network testing.
The DDoS Mitigation service is enabled within 60 minutes. Once enabled a customer's traffic is redirected through the TMSs in the IP backbone.
When DDoS Mitigation has been enabled, the traffic is redirected through the IP backbone of iWelcome’s datacenter, so that it flows through the DDoS Mitigation Platform. The traffic flow is analysed using complex filters to detect network layer anomalies that could be associated with a high bandwidth ‘flood’ attack or with ‘cloaked’ application layer attacks. Once detected the malicious traffic is discarded by the TMS in the IP backbone - where there is plenty of bandwidth - without interrupting the flow of legitimate traffic destined for a customer’s environment.
iWelcome’s datacenter and iWelcome will continuously monitor the attack and execute processes to further increase protection levels as required. This may include (upstream) black holing and filtering at the edge.
If at any point there is a risk that iWelcome’s own network or its datacenter’s network could be compromised, iWelcome reserves the right to shut down the customers environment or connection there to until it is safe to reconnect the customer. This action could be undertaken whilst other measures are implemented (e.g. enabling black holing).
Once the attack has stopped, iWelcome will contact the customer to confirm that their mitigation service can be set to ‘unprotect’. From this point the customer’s traffic will return to its normal routing path.
Throughout the enablement of the service iWelcome’s support center will manage the attack and align with the customer.
Post-attack reports will be shared with the customer and will provide the customer with a per attack summary and attack statistics, including:
- GeoIP data (country, region, cities, etc.)
- IP packet information (header, ports, etc.)
- Top talkers (internal, external, etc.)
The service has a service level agreement and credits payable on non-performance as per the regular service SLA as agreed with the customer.
Key features of iWelcome’s DDoS Mitigation Service are as follows:
The DDoS protection service is built on upon tried and tested equipment and software from Arbor Networks who are the global leader in DDoS attack protection services.
iWelcome’s extensive application monitoring, iWelcome’s datacenter or the customer can detect and trigger the DDoS service; DDoS mitigation can be activated instantly, however full enablement and effect of the service takes a maximum of 60 minutes.
The service is embedded into the network of iWelcome’s datacenter and is designed to discriminate between legitimate and malicious traffic. It will identify and surgically discard DDoS attack traffic before it reaches the customer environment therewith minimizing interruption of the flow of legitimate traffic.
The service is predicated on the requirements of enterprises.
Key benefits of iWelcome’s DDoS Mitigation Service are as follows:
Customer’s IDaaS Services remain operational even when being attacked, maximising the availability of IAM functionality.
iWelcome’s DDoS Mitigation discards malicious traffic within the IP backbone of its datacenter before it reaches the customer environment where it would do the most harm.
The DDoS mitigation service provides customers with a key service that positively contributes to a customer’s business continuity planning (BCP) process.
Affordable insurance against the threat of DDoS attacks.
Integrated with the IDaaS offering, all of which is 24x7x365 managed by iWelcome’s operations & support center, providing customers with a single point of contact, management and accountability.
iWelcome’s DDoS Mitigation leverages the massive next generation pan European IP backbone of iWelcome’s datacenter, which has the scale to effectively respond and protect against DDoS attacks.
iWelcome’s DDoS Mitigation Service is priced as a simple monthly recurring fee with no hidden usage based charges.