Cyber-security startup Netography emerged from stealth on Feb. 7 with a new technology approach to help organizations defend against the risk of distributed denial-of-service (DDoS) attacks.
DDoS attacks typically involve large volumes of attack bandwidth that overwhelm services, rendering them unavailable. Defending against DDoS is, however, about more than simply having more bandwidth available than an attacker. Netography’s approach brings together threat intelligence with a deep understand of network flow protocol data to help organizations identify potential threats and then implement the right types of Access Control Lists (ACLs) to limit risk.
“The secret sauce of DDoS defense companies in general is all based on how well you can see the telemetry of your network and how well you can manage that information,” Barrett Lyon, CEO of Netography, told eWEEK.
Lyon is no stranger to the world of DDoS companies, having founded several of them. In 2003, Lyon founded Prolexic, which Akamai acquired for $370 million in 2013. He went on to found defense.Net, as a DDoS mitigation in the cloud vendor, which summarily was acquired by F5 Networks in 2014.
How Netography Works
Modern networking infrastructure broadly makes use of multiple protocols, including sFlow and netflow, among others, that provide packet flow visibility. Lyon noted that the flow protocols largely were initially used just for bandwidth management.
“We got into it [flow] and we realized you could actually find all this security stuff too—maybe not all of it, but a good 80 to 90 percent of what will hit your routers and switches, we can see by reconstruction through flow,” Lyon explained. “There’s a whole variety of security things that we’ve written algorithms to detect from the flow data.”
Lyon said Netography works as a service, where organizations are able to get a comprehensive view of what is going on within their network. Beyond just visibility, Netography also makes use of the BGP Flowspec. He explained that with Flowspec, Netography is able to stream ACLs in real time into a remote network or switch to automatically help set up network policies that can be used to block DDoS risks.
“So if you have our service enabled, you export your flow to us, we analyze it, we figure out what’s going wrong and then we tell your switch or router what to do,” Lyon said. “We turn those devices into security devices before even it hits the firewall infrastructure or anything like that, which is then reducing the load on the rest of the network.”
Reflection Attacks
Among the most commonly used techniques by DDoS attackers is the use of amplification and reflection, which increases the bandwidth for an attack. With an amplification/reflection attack, hackers take advantage of misconfigured services on different servers to amplify attack volume. Often, the sources of the amplification are not aware that they are part of an attack and simply blocking a given address outright might not necessarily be the best option.
“We detect there’s that attack happening, we tell you where it’s headed to and try to extract an ACL that would give you some meaningful results,” Lyon said. “So the ACL in that case wouldn’t necessarily be IP addresses; it would probably be the UDP port that’s being used for the amplification attack.”
Dan Murphy, co-founder and CTO of Netography, said one of the core strengths of flowspec is that it can get to the right level of granularity for policy.
“Flowspec is more of a scalpel versus a sledgehammer, which makes it really powerful,” Murphy said.
Traffic Scrubbing
One of the techniques used by some DDoS vendors, including Prolexic, is an approach known as scrubbing, where traffic is “cleaned” prior to it being received by an enterprise router. Lyon emphasized that what Netography is doing is very different and, in his view, many modern enterprise networks are often very large and don’t need scrubbers.
“If you can put your own infrastructure that you have to work, you don’t necessarily need a Prolexic anymore,” Lyon said.
Lyon noted that in his experience some of the largest DDoS attacks on record, including one that surpassed 1 terabit per second of attack bandwidth, were able to be mitigated with a single ACL policy. Netography also makes use of threat data intelligence to enrich the flow data that is collected. The threat data is used to help create the network controls that can help to minimize the impact of a DDoS attack.
While Netography is now officially emerging from stealth, Lyon said he expects general availability of the service will come in mid-March. One of the other key innovations that Netography will have with general availability is a support center offering that is enabled via Slack messaging.
“We’ve actually created a synthetic command line interface where you and your employees or cohorts can join the same Slack channel and run commands against our service and be able to see the same exact charts and graphs and data,” Lyon said. “It enables collaborative work around security events, DDoS attacks or network problems.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.