Grégory Degueldre has worked as a Network Architect at Belnet since 2016. Before that, he worked for several years in the Defence Department, where he was involved in the roll-out of the new WAN/LAN network. Given the nature of the Defence Department's operations, IT network security was a crucial part of this.
With his background and interest in IT security, it was natural to involve him in the implementation of the first anti-DDoS solution when he joined Belnet. As administrator of the service, he faced a significant number of DDoS attacks targeting research and educational institutions as well as federal government agencies. Over the years, he has developed extensive expertise in this area, including regular contact with various anti-DDoS solution providers.
Grégory, you will soon start implementing Advanced DDoS Security, the new anti-DDoS solution from Belnet. Can you broadly describe the process that preceded this?
Belnet's old anti-DDoS solution had gradually reached its capacity limit and we could not protect any more customers. So Belnet had to look for a new solution and decided to start with a market analysis. We contacted the most reputable solution providers for the ISP sector. However, all identified solutions worked very differently from each other, which made comparison difficult. Belnet therefore decided to launch a specific public procurement procedure: the competitive dialogue.
This procedure enabled the selection of potential partners who could meet the minimum requirements. The chosen solutions then had to be validated independently of their operation, by means of a long list of technical requirements relating to functionality and capacity. The validation of the proposed solutions was completed both on paper, using the technical sheets for the various elements, and in a test lab. Every functionality or possibility had to be demonstrated. Only those candidates who proposed a solution that met all the requirements were invited to submit a bid. Ultimately, the contract was awarded based on price and the SLAs offered.
What was the deciding factor in your choice of the new solution?
Belnet follows public procurement laws and is not allowed to make subjective choices. The intent was to objectively identify Belnet's needs for the next 4 years. This required a vision. Here, technical specifications, features and capacity served as minimum requirements. In the end, I can say that Belnet is satisfied with both the award and the process followed. The process allowed us to learn quite a bit about the different mitigation approaches.
Can you explain how Advanced DDoS Security specifically works?
Incoming network traffic is continuously monitored. During an attack, the volume of traffic to a destination or the proportion of certain types of packets will look different than under normal circumstances. The system detects that anomaly and thus the attack and notifies the management system - the brains of the solution. That system then decides to reroute traffic destined for the target of the attack to a scrubbing center and sends an alert to the client under attack. The scrubbing center ensures that legitimate traffic is distinguished from malicious traffic. Only legitimate traffic is forwarded to the real destination. Malicious traffic is blocked and removed.
The techniques used in doing so depend on the attack and can be used separately or together to achieve meticulous purging of incoming traffic. If the attack becomes very sizeable, the solution will implement an initial filter on the routers connected to our remote Internet connections. This allows Belnet to fend off attacks up to its own external capacity. Only if this external capacity is compromised will traffic on its way to the target be diverted to the Cloud Scrubbing Center. At that point, the attack traffic no longer reaches the Belnet network. In fact, traffic to the target is cleaned up before it is routed to its real destination.
Once the attack is over, the protection remains active for a while in case the attack resumes. Eventually, if everything remains normal, security is disabled. An incident report is generated and sent to the target customer. This report provides details about the attack, such as the target, the most active sources, the vectors used and the number of packets that were filtered.
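The detect, reroute, hold and release cycle just described, as an added toy model (not Belnet's or the vendor's code): it learns a baseline from clean intervals, flags a destination whose volume or protocol mix deviates from it, picks the mitigation layer by attack size, and keeps protection on for a few quiet intervals before releasing it. The capacities, thresholds and traffic samples are constructed assumptions.

```python
"""Added toy model of the detect / reroute / hold / release cycle from the interview.
Constructed data only; not Belnet's or the vendor's code."""
from dataclasses import dataclass

@dataclass
class Sample:
    mbps: float       # traffic volume towards one destination in this interval
    udp_share: float  # fraction of packets that are UDP (a crude protocol mix)

def learn_baseline(clean):
    """Average of clean intervals: the benchmark the detector compares against."""
    n = len(clean)
    return Sample(sum(s.mbps for s in clean) / n, sum(s.udp_share for s in clean) / n)

def is_anomaly(s, base, vol_factor=3.0, share_delta=0.3):
    """Volume or protocol mix looks different from normal (assumed thresholds)."""
    return s.mbps > base.mbps * vol_factor or abs(s.udp_share - base.udp_share) > share_delta

def mitigation_tier(s, scrub_mbps, external_mbps):
    """Layer chosen by attack size: local scrubbing, edge filters, then cloud."""
    if s.mbps <= scrub_mbps:
        return "scrubbing_center"
    if s.mbps <= external_mbps:
        return "edge_filter"
    return "cloud_scrubbing"

def run(samples, base, hold=3, scrub_mbps=2000, external_mbps=10000):
    """Returns (interval, action) events; protection stays on for `hold`
    clean intervals after the last anomaly before it is released."""
    events, active, quiet = [], False, 0
    for i, s in enumerate(samples):
        if is_anomaly(s, base):
            if not active:
                events.append((i, "alert_customer"))
            active, quiet = True, 0
            events.append((i, mitigation_tier(s, scrub_mbps, external_mbps)))
        elif active:
            quiet += 1
            if quiet == hold:
                active = False
                events.append((i, "protection_disabled"))
    return events

# Constructed traffic: five clean intervals to learn from, then an attack that
# grows past the external capacity, then three quiet intervals.
CLEAN = [Sample(100, 0.2), Sample(120, 0.25), Sample(90, 0.18), Sample(110, 0.22), Sample(80, 0.15)]
BASE = learn_baseline(CLEAN)
TRAFFIC = CLEAN + [Sample(500, 0.9), Sample(15000, 0.95), Sample(100, 0.2), Sample(95, 0.21), Sample(105, 0.19)]
EVENTS = run(TRAFFIC, BASE)
```

Without the learned baseline the detector has nothing to compare against, which is the point the interview makes about protection not being fully effective the moment it is switched on.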
What are the main benefits for the customer? What additional benefits does the new service offer over the previous one?
- The new solution is no longer permanently in traffic flow. This significantly reduces the chance of false positives or dropping legitimate packets. Moreover, bugs or maintenance of the solution no longer affect the client, since the solution is only used during attacks.
- Although being outside the normal traffic flow results in a longer mitigation time, it also allows all Belnet customers to be protected with a smaller infrastructure. Not all clients are attacked at the same time. Thus, Belnet is not limited in the number of customers to be protected, either in terms of capacity or internal resources.
- Mitigation capacity is now much greater both on the Belnet network and by relying on the Cloud Scrubbing Center.
- The number of mitigation techniques available is much greater. Mitigation is smarter compared to simple volume limits. It is now possible to identify botnet members or compare the characteristics of attack packets with legitimate traffic (behavioural analysis).
- The new solution consists of several layers of protection: intelligent scrubbing devices, filters at the edge of the Belnet network for more volumetric attacks and the Cloud Scrubbing Center for very large-scale attacks.
- From now on, when a customer is attacked, they will be notified immediately once mitigation is implemented.
What are the main reasons customers choose DDoS protection?
Working without an Internet connection has become unthinkable these days. More and more organisations are using applications that run in the cloud. Consequently, during a DDoS attack, the entire organisation and all its employees will be unable to work, or at least their activities will be severely affected. These issues are also often accompanied by press reports that sound like a demonstration of powerlessness and give a poor image in terms of reliability.
However, solutions to protect against DDoS attacks are often considered expensive and useless, especially by those who have not yet fallen victim to them. This is true with all insurance policies. The story changes completely, however, when a customer is attacked at a critical time. Then protection implementation always becomes a priority. Even if the activation of protection is technically possible in a very short time, it must be understood that the mitigation measures will not be 100% functional. Indeed, the solution must learn what is legitimate in order to build a benchmark to better identify what is malicious. Otherwise, the solution is robbed of its mechanisms and you run the risk of it being less effective and letting through a little too much malicious traffic or, worse, stopping legitimate traffic.