TDC DoS Protection Service Description and Special Terms

Transcription

1 TDC DoS Protection Service Description and Special Terms

2 Table of contents 1 Purpose of this Product-Specific Appendix Service description Attack detection Managed Objects Misuse anomaly detection Attack mitigation Mitigation initiating process TDC Scrubbing Center Ending mitigation Technical service description Value-added services Additional Managed Objects Pre-defined mitigation templates Auto-mitigation Service reporting Pricing Delivery Service limitations Customer responsibilities Service changes and ordering additional services Special terms... 9 Service Description and Special Terms, DK2.6 2 (10)

3 1 Purpose of this Product-Specific Appendix This Product-Specific Appendix includes a service description for the TDC DoS Protection service (hereinafter referred to as the service) supplied by TDC and the special terms of the service. This Product-Specific Appendix is attached to and incorporated into the Delivery Agreement between TDC and the customer. 2 Service description TDC DoS (Denial of Service) Protection service is provided as a network-based service and consists of traffic monitoring, attack detection and mitigation as well as the reporting services. The DoS attack detection takes place by monitoring and analysing the customer s internet traffic at the edge of the TDC internet domain. The mitigation is performed in TDC s core network to eliminate the negative impact of the illegitimate traffic before it reaches the customer s internet access line and site. 2.1 Attack detection Managed Objects The service protects the customer s network resources, which in the system are grouped into Managed Objects (MO). One MO can contain either IP address ranges and/or individual IP addresses covering the network resources. One MO cannot contain both IPv4 and IPv6 network resources. The network resources defined in the same MO must have a similar traffic profile and similar load capacity. The service monitors the traffic and detects traffic anomalies targeted towards each of the customer s IP-addresses defined in the child MOs. An alarm is generated for the relevant MO when a traffic anomaly is detected. One of the MOs, called the Parent Managed Object, should cover all of the customer s network resources that should be protected. The Parent Managed Object should be complemented with more granular child MOs, which are the customer s selected strategic network resources like web or DNS services. The basic service includes one (1) Parent Managed Object and four (4) more specific child MOs. If the customer has one (1) or more child IPv6 MOs, a dedicated IPv6 parent MO is required. In such case the basic service covers two (2) Parent Managed Objects (one IPv4 and one IPv6 parent MO) and three (3) more specific child MOs (divided into IPv4 and IPv6). The configuration of the MOs is agreed between the customer and TDC during the service delivery phase Misuse anomaly detection The service is able to detect traffic anomalies which may cause the protected network resources to be either totally inaccessible or periodically disrupted for legitimate usage. The misuse anomaly detection mechanism measures IP, ICMP, TCP, UDP and total traffic to each of the protected network resources in order to identify protocol anomalies and exceptional traffic peaks. Each MO has pre-set anomaly-specific threshold values. The threshold values are defined in packets or bits per second. The anomaly-specific threshold values are agreed for each MO between TDC and the customer during the service setup phase. The threshold values should be tuned during the operational phase in case false positives occur or the MO traffic profile changes as described in chapter The misuse anomaly detection is able to detect known anomalies used in a specific set of attack methods, including: ICMP Anomaly TCP NULL Flag Anomaly Service Description and Special Terms, DK2.6 3 (10)

4 TCP SYN Flag Anomaly TCP RST Flag Anomaly IP NULL (Proto 0) Anomaly IP Fragmentation Anomaly IP Private Address Space Anomaly DNS (TCP and UDP port 53) Anomaly UDP Misuse Detection Total traffic 2.2 Attack mitigation Mitigation initiating process The service generates an alarm when any of the MO-specific threshold values are exceeded. The alarm is detected by the TDC Network Operation Center (NOC), which contacts the customer for consultation on whether or not the mitigation should be started. In case the customer agrees that mitigation should be started, the NOC creates a service ticket and forwards the ticket to the TDC Security Operations Center (SOC). TDC SOC reroutes the traffic targeting the attacked network resources via the TDC Scrubbing Center and starts analysing the attack. TDC SOC starts a mitigation best suited for the attack characteristics, severity and source. During the mitigation TDC SOC monitors the attack constantly and tunes the mitigation accuracy and granularity in dialog with the customer. When the traffic profile returns to normal level and the attack is assumed to be over, TDC SOC and the customer agree on when to stop the mitigation (see section 2.2.3). In case the customer detects the DoS attack before any of the pre-set service threshold values are exceeded, the customer can contact TDC NOC directly to start the investigation of the suspected attack. In such case TDC NOC creates a service ticket and forwards the service ticket to TDC SOC for analysis and, if necessary, mitigation TDC Scrubbing Center When an attack against one or more of the customer s protected network resources is detected, the traffic to the attacked resources is rerouted via the TDC Scrubbing Center for analysis and, if necessary, mitigation. The target of the mitigation is to block the malicious traffic and forward the legitimate traffic to the network resource. The rerouting affects the traffic targeting the attacked network resource only. The traffic originating from the attacked network resources is routed normally through the TDC internet domain. The scrubber functionality for IPv4 includes advanced mitigation technologies, including: Filtering based on source IP address or country of origin Zombie detection ICMP protection TCP protection UDP protection DNS protection HTTP protection The scrubber functionality for IPv6 includes advanced mitigation technologies, including: Source IP address Black/white list (e.g. tcp / udp / port number) Zombie TCP Syn Payload Service Description and Special Terms, DK2.6 4 (10)

5 The scrubbing center is physically located in TDC s core network equipment room. The equipment room has been designed for telecommunications equipment, and it complies with high quality standards for information security and availability. The room is also equipped with high capacity, secured telecommunications connections and power supplies Ending mitigation During the mitigation TDC SOC is in close co-operation with the customer, and the status is updated within agreed time slots. When TDC detects that the attack is over, and the traffic profile is back to normal level, TDC SOC will contact the customer and propose ceasing the mitigation. In case the customer acknowledges the cessation, TDC will start the decommissioning of the activated mitigation tasks, and the customer's internet traffic is routed normally again. The customer may be able to modify the infrastructure or configuration in such a way that the attack will no longer have a severe impact on the customer s network resources. In such case the customer may contact the TDC Network Operation Center (NOC) or local TDC customer services to request the cessation of the mitigation. TDC SOC will give its own understanding to the customer, and in case the customer requests the cessation, TDC will start decommissioning the mitigation activities. The mitigation period is considered to have begun when mitigation, agreed between the customer and TDC SOC, is activated in the TDC Scrubbing Center. The mitigation period is considered to be over when, agreed between the customer and TDC SOC, the mitigation is deactivated in the TDC Scrubbing Center. After the mitigation the customer will get a report covering the attack (type, length, impact etc.) and the mitigation, including the mitigation start and stop times and the different technologies used to mitigate the attack. 2.3 Technical service description TDC performs sampled traffic flow monitoring at each of its internet peering connections. These traffic samples are sent to the TDC DoS Protection service where they are automatically analysed and compared to the set MO-specific threshold values. An alarm is generated in case one of the set threshold values is exceeded. While further traffic analysis or mitigation is needed, the traffic targeting the attacked network resource is routed via the TDC Scrubbing Center. The standard dynamic routing protocol is used to off-ramp the wanted traffic to the TDC Scrubbing Center. TDC will select the used scrubbing center case by case based on the scrubbing center s geographical location and available capacity. From the moment of the off-ramp triggering, the traffic is routed via the defined scrubbing center within 30 seconds. After the clean traffic has passed the scrubber, it is on-ramped to follow the normal routing again. During the mitigation phase the malicious traffic is blocked. The granularity of the mitigation can be finetuned during the mitigation as soon as the attack analysis gives more detailed information about the malicious traffic. In addition to scrubbing, black-hole routing can be done in TDC peering routers to complement the attack mitigation. All the service components have a redundant configuration, and they are geographically dispersed in separate TDC equipment rooms. Service Description and Special Terms, DK2.6 5 (10)

6 2.4 Value-added services Additional Managed Objects The basic service includes five (5) Managed Objects. One of these MOs is defined as IPv4 Parent Managed Object, and optionally one of them can be defined as IPv6 Parent Managed Object. Additional MOs are sold in bundles of five (5). A one-off charge (installation charge) and a recurring service charge (monthly charge) are applied to each bundle of five (5) additional Managed Objects. The recurring service charge is applied after the first MO from the additional bundle of five has been delivered and the baseline period has started. This means that the fees are applied although the customer would utilise only one (1) additional MO. The recurring service fee remains the same until all five additional MOs have been brought into use. The one-off charge is applied every time a new MO delivery process is run to add new MOs even though this would happen within the already ordered bundle of five. After the whole bundle of five MOs has been brought into use, a new one-off charge and a new recurring service charge are applied when an additional MO is added to the service. The additional MOs are delivered as described in chapter Pre-defined mitigation templates All customers have their own specific traffic patterns. TDC provides customised mitigation templates based on the customer s specific traffic patterns and needs. The benefit of using customised mitigation templates is that the customers get mitigation filters that are adjusted to their business and traffic pattern, which will allow an improved impact on mitigation as the most effective mitigation technique can be achieved faster than normal, given that TDC has a more detailed knowledge of the service. TDC provides one (1) customised mitigation template per Managed Object. TDC recommends that the template is tested and TDC will allocate two (2) hour within normal operating hours to this purpose. In case of an attack, TDC will contact the customer to get a confirmation that an attack is ongoing and thereafter apply the customised mitigation template agreed and accepted by the customer and start the mitigation process. A one-off charge (installation charge) is applied per five (5) mitigation template Auto-mitigation DDoS attacks may be very different from each other. Some attacks last for a long period of time, while others come and go. For businesses where high availability on the internet is a must, e.g. online shops and betting sites, a fast mitigation response time is vital. Therefore, TDC offers an auto-mitigation process which reduces the attack response and mitigation start time to less than one (1) minute. A prerequisite for auto-mitigation are mitigation templates customised on the basis of the customer-specific traffic patterns. The auto-mitigation process is based on mitigation starting automatically when TDC receives an alarm based on increased traffic levels. The TDC Scrubbing Center then automatically applies the customised mitigation template and mitigation is agreed and accepted by the customer. (If the customer requests a change in the auto mitigation during the attack, normal mitigation fee will apply) A one-off charge (installation charge) and a monthly charge (MRC) are applied per five (5) mitigation templates. 2.5 Service reporting The service includes a monthly service report for the customer. The report covers the traffic profile at MO level and a list of all detected attacks, even low-level attacks which have not triggered an alarm. The Service Description and Special Terms, DK2.6 6 (10)

7 report is sent via to the named customer contacts within seven (7) working days after end of month. TDC also submits a separate report on all performed customer-specific mitigation activities to the customer within five (5) working days after the cessation of the mitigation. 2.6 Pricing A one-off charge (installation charge) and a recurring service charge (monthly charge) are applied to the TDC DoS Protection service s monitoring and detection part. The recurring charge is applied after the first MO from the bundle of five (5) has been implemented, as mitigation is possible from this time although the baseline period has not been completed. Invoicing of the service will start when the initial setup of the customer is finished (ready for mitigation service RMS) or no later than two (2) weeks after TDC s request for IP addresses (see timeline below in section 2.7). In addition a separate one-off charge is applied to each mitigation case. The mitigation fee is applied per day, and the daily fee depends on the mitigation duration of the attack. In case the mitigation lasts twenty four (24) hours or less, a daily fee is applied. In case the mitigation takes more than twenty four (24) hours, a lower mitigation fee for the following days is applied. In cases where the customer will discuss the attack with the TDC SOC but not start a mitigation of the attack. TDC will invoice the customer a one-off charge per 30 min. at senior consultant rate. Unless otherwise agreed in writing, the TDC list prices are applied to the service fees. The charging of mitigation starts when a mitigation, agreed between the customer and TDC SOC, is activated in the TDC Scrubbing Center. The mitigation period is considered to be over when, agreed between the customer and TDC SOC, the mitigation is deactivated in the TDC Scrubbing Center. 2.7 Delivery As indicated on the timeline below, setup of the service consists of two phases: 1) Service delivery. TDC SOC contacts ( ) the customer in order to get information regarding which IP addresses to protect. The customer has the responsibility to provide TDC SOC with this IP address information. TDC SOC will do the initial definition of the customer s IP addresses in the TDC centralised monitoring system. The service delivery will finish with a documentation sent to the customer of the setup of the MOs. 2) Baseline. A baseline period starts after the service delivery. During the baseline period MOspecific service characteristics and traffic patterns are collected. After an approximately two (2)- week baseline period, a technical meeting (conference call) is held between TDC SOC and the customer. At the technical meeting the customer is responsible for providing TDC SOC with a. Information about the maximum load that the network resources can handle b. An overview of the customer s infrastructure (firewall, load balancer, etc.). TDC SOC requires this information in order to define the MO-specific threshold values for actual alarm detection. The time for the technical meeting is agreed during the service delivery phase. The baseline period ends with a setup fine-tuning period, where TDC SOC in cooperation with the customer can adjust the MO configuration and threshold values. In the baseline period the service is not fully configured, which means that traffic to protected network resources is not proactively monitored, but mitigation of DoS attacks can be done if the customer calls TDC NOC. After the baseline period the service is in full-blown operation and is able to detect and mitigate DoS attacks. The time needed by TDC SOC for the basic configuration is one (1) week. The baseline period is five (5) weeks, two (2) weeks for traffic analysis, one (1) week for threshold configuration and two (2) weeks for setup fine-tuning. Service Description and Special Terms, DK2.6 7 (10)

8 In case the customer provides TDC SOC with the required IP address information within two (2) days after they have received the Welcome mail, the service setup time will be seven (7) weeks. Product ordered Welcome mail sent to customer IP address info received Ready for Mitigation Service (RMS) Invocing starting Technical meeting concerning threshold values Ready for Full-blown Operation (RFO) Basic configuration Traffic analysis Threshold configuration Setup fine tuning Service delivery Baseline Service setup Full-blown operation 2.8 Service limitations TDC performs attack detection and mitigation only for the customer s agreed network resources which are predefined in the service and grouped into Managed Objects. During the baseline period the service is not able to detect attacks targeted at the network resources. When a new MO is added, the service is still able to detect and mitigate attacks targeted at the existing network resources. When an existing MO is modified in such a way that the expected traffic pattern will change, a new baseline period is applied to the modified MO. TDC is able to detect and mitigate only the malicious traffic that is routed via the TDC internet domain. The capacity of the legitimate traffic passed through the TDC Scrubbing Center must not exceed the capacity of the customer internet access capacity provided by TDC. The TDC DoS Protection service does not remove the need for other security infrastructure services such as firewall and/or intrusion detection. As part of the service TDC, may need to limit the customer s network routing advertisement. The service causes extra delay to the internet traffic when traffic is routed via the TDC Scrubbing Center. However, this is done only when attack analysis and mitigation are activated and concerns only the traffic arriving from the internet towards the customer s network resources under attack. The service is only able to monitor the traffic originating outside of the TDC internet domain. The service is only able to detect and mitigate the attacks originating outside of the TDC internet domain. All network resources defined in the same MO have common threshold values. The service may not be able to detect attacks on all the MO s network resources equally in case their traffic profiles differ remarkably. 2.9 Customer responsibilities All customers are responsible for their own information security, including connections to the internet, internal network, hosts and applications. The customer is also responsible for ensuring that the service definitions follow the company s information security policy and are in accordance with the purpose of use intended for external connections. Service Description and Special Terms, DK2.6 8 (10)

9 The customer is responsible for informing TDC about which network resources to protect and providing the relevant information about these network resources to set-up threshold values. The customer is responsible for informing TDC about expected seasonal traffic volume growth and peaks to avoid so-called false positive alarms. For the sake of clarity, it is stated that all customer-approved mitigation cases, including a false positive case, will be charged in accordance with chapter 2.6. The customer is responsible for following the traffic volume trends and to propose adapting the threshold values to the changed internet traffic volume. The customer is responsible for notifying TDC of any changes to the network configuration or IP addresses that might influence the configuration of MOs and threshold values. The customer is responsible for nominating a designated person or entity who TDC will contact in the service delivery phase to discuss the protected MO s service characteristics. The customer is responsible for nominating the designated persons or entities who TDC will contact in case of attack detection. This contact information is kept in TDC NOC, and the customer is responsible for updating the contact information by contacting TDC SOC Service changes and ordering additional services A delivery contract is signed between the customer and TDC for the service changes and additional service orders having an impact on the monthly recurring service charge. Changes and additional services are delivered according to the TDC delivery process and invoiced according to the TDC DoS Protection service price list. The customer is eligible to place one (1) threshold value change order once in a calendar month free of charge. The monthly threshold value change order can cover several threshold value changes. More threshold value change orders are invoiced according to the TDC DoS Protection service price list. When the customer orders a new MO or a change to an existing MO which requires a new baseline period, the change is invoiced according to the TDC DoS Protection service price list. 3 Special terms TDC has the right, granted by the customer, to take samples and analyse the customer s internet traffic using the automated computer applications and also to filter the agreed predetermined traffic characterised as malicious by the service. The service may also filter legitimate traffic. TDC does not grant the flawless function of the service and is not liable for possible communication delays, harm, failures or damage caused by the service for legitimate traffic, including the cases known as false positives. The mitigation may increase the delay of the customer s internet traffic during the mitigation. TDC is not liable for such delay. TDC is not liable for damage to the customer that is directly or indirectly related to the malicious traffic targeted at the customer s network, hosts or internet services. TDC is also not liable to the customer to clarify the origin of the malicious traffic. TDC is not liable for damage or costs caused by the direct or indirect errors in software applications or hardware used in the service. The service is connected and shares information with the equipment manufacturer s centralised database. The database is intended for internet threat analysis within the internet community. The database offers Service Description and Special Terms, DK2.6 9 (10)

10 new up-to-date attack fingerprints for the TDC DoS Protection service. The database does not screen, store or share personal sensitive information. The customer s internet access service level may be degraded due to the TDC DoS Protection. The customer is not entitled to compensation if TDC fails to meet the internet access Service Availability levels due to DoS/DDoS attacks or countermeasures. The TDC DoS Protection service routes traffic to TDC Scrubbing Centers unencrypted. While routed via scrubbing centers the traffic may cross the borders of the independent states within the TDC internet domain. Each independent state follows telecommunications traffic in their area in different ways, and the traffic may end up in the knowledge of different states authorities. Service Description and Special Terms, DK (10)