Unless you run Amazon or Alibaba or a global Internet hosting operation it is unlikely that you would have heard of NSFOCUS. But since 2000 it has focused on helping to secure the Internet via vulnerability analysis, threat understanding, DDoS prevention and security intelligence.
And its security labs have, as its research and testing base, access to the huge Chinese threat intelligence market with more than 400 million endpoints.
iTWire interviewed Attley Ng, NSFOCUS senior vice-president, and one of its Australian users and ardent advocate, James Braunegg, director of Micron21, Australian’s first tier four data centre, and in his words, “the best data centre in Australia.” The latter gave the writer some exclusive insights into DDoS attacks – read “Anatomy of a DDoS attack” later in this article.
Ng said, “The launch of NSFOCUS into Australia is a natural extension of our progress across Asia Pacific. Australia has a mature information technology market, with a rich depth of IT expertise that includes cyber security professionals, yet corporates and governments are still falling prey to cyber-attacks. In the aftermath of the massive cyber attacks the world witnessed last year, organisations in Australia and worldwide can no longer rely solely on threat intelligence feeds to alert them to risks.”
Stephen Balicki, managing director, Aquion, said: “Our partnership with NSFOCUS presents us with exceptional opportunities, as their comprehensive solutions deliver a real edge in the data security arena. These will appeal to channel partners and reinforce our AqSEC business unit which helps customers to monitor, manage and secure all elements of enterprise infrastructure using the best technologies.”
The NSFOCUS suite of Threat Intelligence solutions includes:
- NSFOCUS Threat Intelligence (NTI) Portal: Allows users to gain additional insight into various threats and threat actors via research, data collection, and analysis of crowdsourced information. NSFOCUS customers can drill deeper into detail on threats, upload malware samples for analysis, and monitor/track IP addresses with automatic notifications.
- Threat Analysis Alerts and Reports: NSFOCUS provides timely analysis on threat trends, campaigns and actors, in addition to critical vulnerabilities identified. Via weekly blogs, emergency alerts, and regularly released reports, customers are updated with the latest threat information available.
- Actionable Data Feeds: Delivered by strategically located NSFOCUS Cloud Centers, these feeds provide information across four crucial risk areas:
- IP Reputation: A list of IP addresses that have earned a negative reputation through involvement in suspicious activity, including phishing, botnets, APTs, DDoS attacks and more.
- Malicious Web/URL: A domain reputation list that includes malicious websites that are the source of exploit kits, malware, and phishing attacks.
- Command & Control: A set of IP addresses that are known to control botnet armies used to take services offline. This feed is used to prevent organisations’ own resources from unknowingly participating in cyber-attacks, mitigate ransomware, as well as conserving network resources.
- Malware Hashes: A set of MD5 file hashes that can be used to identify malware in email or file transfers, as well as stored data.
Anatomy of a DDoS attack
Braunegg is a serial entrepreneur and has a Masters in Medicine, Immunology, and Pathology. He has a great story in taking the family printing business located about 45km to the east of the Melbourne CBD, to Australia’s first tier four data centre. (iTWire has an article about that here). Data centres are classified by tiers – one being the lowest and four being the highest.
He cites the ISP, iiNet experiencing DDoS (distributed denial of service) attacks in 2015 that took them down for days. Micron21 and its NSFOCUS solution (then the only NSFOCUS install in Australia) fixed the issue in hours. Needless to say, Micron21 provides DDoS protection to some top end business, retail, banking, automotive, health and government names.
“But any Micron21 client gets that protection automatically as part of its hosting – we just need to allocate the additional resources to scale up for the big attacks. Shame that the census was not using us,” he wryly smiled. The remainder of this segment is in his words.
Large brands are constantly under attack – be it DDoS or persistent threats looking for a weakness to compromise.
We looked at how the larger players were managing DDoS and it seemed to come back to NSFOCUS and Black Lotus solution providing a traffic scrubbing technology for deep packet inspection in real time to identify good and bad packets and reject the latter.
But it wasn’t that simple – DDoS attacks were predominately originating from overseas and coming down the submarine pipes to Australia so the extra traffic was hurting everyone. We ended up installing DDoS scrubbing facilities (and these are not cheap $500-800K) in four global POPS (points of presence) to stop the traffic before it gets here – to clean it as close to the source as possible. Less than 5% of DDoS attacks originate from Australia.
DDoS traffic comes about 30% from the US, 30% from EU (including Russia), and 30% from South East Asia – of that 60% comes from China.
Typically, ISPs have said to DDoS victims that the solution was to throw more capacity at their ports – great for the ISP but it really does not solve the issue.
DDoS is not really all about bored script kiddies or hijacking home routers and IP cameras into a botnet. This is the very low-end stuff more designed to cause a small inconvenience. These use free kits to create very short-lived attacks – perhaps up to 1Gbps for a few minutes. Yes, any device attached to the Internet with communication capabilities can be compromised if you don’t protect them.
DDoS has become monetised and you can employ dark organisations to take down company X. Often the DDoS attack is by a competitor – what pain can I cause to create financial burden? These are the 1+Gbps attacks that are sustained over a long period and these attacks are not cheap.
I repeat any well-known brand experiences these types of attacks all the time and in Australia you need a balanced approach using overseas scrubbing, not more capacity and bigger servers, to minimise the impact.
On the capacity issue, he said that most Australian e-commerce sites had between 30-50Mbps connections and that went up to 200Mbps to handle things like the Black Friday online sales.