Last year we witnessed multiple high-profile distributed denial of service (DDoS) attacks on Internet-based organizations that leveraged thousands of compromised Internet of Things (IoT) devices to generate terabit-scale attack traffic. The first major DDoS attack of 2017 occurred in January against multiple UK banks, which affected access to online services (check balances and transactions) at Lloyds, Halifax and Bank of Scotland. To defend organizations against massive and sophisticated cyber-attacks, Big Switch recently introduced BigSecure – a next-generation terabit-scale cyber-defense architecture – in collaboration with security providers such as A10 Networks.
The BigSecure + A10 solution consists of Big Switch’s Big Monitoring Fabric (Big Mon) with A10’s Thunder Threat Protection System (TPS) and vThunder TPS to enable automated, scale-out cyber-defense. As described in the diagram below, the joint solution leverages Big Mon’s SDN controller and high-performance open networking switches to mitigate amplified attacks in the network. Additionally, the integrated system filters volumetric and protocol attacks by dynamically redirecting traffic to an A10 vThunder TPS cluster deployed on commodity x86 servers.
Big Switch and A10 demonstrated the joint solution at Networking Field Day 14 to protect a DNS service from Mirai-style DDoS attacks, as depicted in the diagram below:
- Big Monitoring Fabric (inline) is placed at the Internet edge, receiving attack traffic
- Big Mon’s Ethernet switch replicates DNS traffic and sends it to A10’s Thunder TPS out-of-band to detect the presence of attacks
- Upon detection of a DDoS attack, the A10 Thunder TPS programmatically communicates the attack’s parameters via Big Mon’s RESTful API
- The Big Mon Controller redirects DNS traffic to A10’s vThunder TPS for scrubbing
- Clean traffic is then sent to the DNS service infrastructure
This entire interaction takes 2-3 seconds, serving as a proof-point for enabling dynamic cyber-defense through multi-system programmability. Additionally, as attack bandwidth increases, the Big Mon Controller can load balance traffic across a vThunder TPS cluster – thus enabling elastic mitigation that can handle terabit-scale attacks.
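The control loop described above, modeled in Python as an added example; it is not code from Big Switch or A10 and does not use the Big Mon REST API. The class and function names, the per-second query threshold and the hash-based spreading across scrubbers are all assumptions made for illustration.

```python
# Toy model of the detect -> signal -> redirect loop. All names are hypothetical.
import hashlib
from collections import Counter

DNS_PORT = 53
QPS_THRESHOLD = 1000   # assumed detection threshold (queries per second per service)

class FabricController:
    """Stands in for the SDN controller: holds redirect rules and the scrubber pool."""
    def __init__(self, scrubbers):
        self.scrubbers = list(scrubbers)
        self.redirects = set()           # (dst_ip, dst_port) pairs under mitigation

    def mitigate(self, dst_ip, dst_port):
        """What the detector's API call asks for: steer this service to scrubbing."""
        self.redirects.add((dst_ip, dst_port))

    def next_hop(self, pkt):
        if (pkt["dst"], pkt["dport"]) not in self.redirects:
            return "direct"              # normal path, no scrubbing
        # Hash the source so one client's packets always reach the same scrubber.
        digest = hashlib.sha256(pkt["src"].encode()).digest()
        return self.scrubbers[int.from_bytes(digest[:4], "big") % len(self.scrubbers)]

def detect(mirrored, controller, threshold=QPS_THRESHOLD):
    """Out-of-band detector: counts mirrored DNS queries per destination within one
    one-second window and signals the controller for each service over threshold."""
    counts = Counter((p["dst"], p["dport"]) for p in mirrored if p["dport"] == DNS_PORT)
    flagged = [service for service, n in counts.items() if n > threshold]
    for dst_ip, dst_port in flagged:
        controller.mitigate(dst_ip, dst_port)
    return flagged

def run_demo():
    # Constructed sample: 5000 DNS queries in one second, plus one HTTPS packet.
    flood = [{"src": f"198.51.100.{i % 250}", "dst": "192.0.2.53", "dport": 53}
             for i in range(5000)]
    web = {"src": "203.0.113.7", "dst": "192.0.2.80", "dport": 443}
    ctl = FabricController(["scrubber-1", "scrubber-2", "scrubber-3"])
    before = ctl.next_hop(flood[0])                  # path before detection
    flagged = detect(flood + [web], ctl)             # detector signals controller
    spread = Counter(ctl.next_hop(p) for p in flood) # per-scrubber packet counts
    return before, flagged, spread, ctl.next_hop(web)

if __name__ == "__main__":
    print(run_demo())
```

Only the flagged DNS service is redirected; unrelated traffic keeps its normal path, and adding entries to the scrubber list spreads the same flood over more instances.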
Video Demo: The video demonstration of the BigSecure + A10 TPS/vThunder solution is available here: https://vimeo.com/200275212
Intent-Based Security: This ability to deliver multi-vendor, multi-system automation is a unique value that SDN brings to address the speed challenges in security. What is needed is intent-based security, where security teams spend their precious time on security architectures, security policies, and assessing and experimenting with new security technologies. We need to let machines do the mundane, low-value, tedious tasks for which they are best suited. With SDN combined with security tool programmability, we finally have the opportunity to implement software-defined security (SDSec) and have security intent drive automated security interactions system-wide.
RSA Conference: We will be discussing the BigSecure + Thunder TPS/vThunder solution at the RSA Conference next week in our respective booths, so please stop by to learn more.
- Big Switch Networks: North Hall booth #4508
- A10 Networks: South Hall booth #533
Prashant Gandhi, VP and Chief Product Officer
Rich Groves, Principal Architect, A10 Networks