Canadian carrier adds DoS defense

Canada's Telus has become the first known carrier to make a major commitment to deploying equipment that will protect its Internet backbone and customers from a range of denial-of-service attacks.

Canada's second-largest carrier, Telus is deploying Arbor Networks' DoS product - Peakflow DoS - which fights off a variety of DoS attacks, including distributed DoS attacks in which IP floods directed from hundreds of sources by a single attacker can quickly overwhelm servers and routers. Arbor Networks competes against Mazu Networks, which specializes in distributed DoS network defense.

Telus' step to combat these threats is winning approval from industry analysts.

"Hopefully, this will provoke the other service providers to step up to the [distributed DoS] problem" says IDC analyst Allan Carey. "This is definitely a competitive differentiator for Telus."

Large-scale DoS attacks cause conspicuous network outages from time to time, such as the attack a few weeks ago that left MSNBC.com unavailable for hours. While there's industrywide debate about whether to filter out attack traffic near the Web site or farther "upstream" in the ISP's network, Carey says that will become clearer after more real-world experience is gained.

"It's probably apt to use the analogy to antivirus protection: Deploy protection at both the gateway and the host level, wherever you can," Carey says, adding that customers want to see ISPs improve their defense on DoS.

Telus has initially deployed Arbor's Peakflow DoS equipment on multiple OC-3 links at four major hubs on its Internet backbone. The Arbor anti-DoS equipment will detect and analyze traffic traveling through high-speed Cisco routers, says Leonard Hendricks, director of marketing at Telus. These hubs in British Columbia, Alberta and Ontario can collect data from across larger Canadian cities to recommend appropriate action should a DoS attack be detected. Until now, Telus engineers were forced to do this type of "analysis manually, Hendricks says.

"A denial-of-service attack can be difficult to nail down," Hendricks says. "In the past, we had a reactive approach."

A customer might phone for help in fending off what was suspected of being a DoS attack on a Web site, and Telus engineers would look at the routers and try to block it. In the case of such attacks, "it could take some time to find out if it's an attack or just a hardware failure," Hendricks says.

In the few months since Telus deployed the Arbor equipment, the carrier has gotten a better picture of what's happening in terms of the DoS threat.

"We discovered we can see a lot more attacks than we had been able to in the past," Hendricks says.

Although Arbor's Peakflow DoS, which works by analyzing traffic through routers, can be configured to automatically take action against a perceived attack by blocking traffic streams, Telus prefers that any blocking "be done by humans," Hendricks says. "The big fear is that an automated system could block out legitimate traffic."

Telus initially is deploying the anti-DoS equipment to protect its core backbone, and in the next few months will be deploying additional Arbor gear at the edge of customer networks and in its Web-hosting centers. The project is costing Telus less than $2 million, according to Hendricks.

Telus sells services to Canadian ISPs that are likely to be attracted to the carrier's ability to analyze DoS attacks more efficiently, Hendricks says.

Telus has no plans to market DoS protection as a value-added service. That topic has gotten a lot of discussion from ISPs in the U.S., although none have made a public commitment to purchase antidistributed DoS gear.