The issues cyber-security has to tackle on a daily basis are numerous as they are determined by the variety of channels through which harm can be done. The present work deals with the issue of DDoS attacks and builds a case on one of the well-known IT companies to single out the problem, the immediate solutions and preventive practices, and the lessons learned from the experience.
We will write a custom Case Study on Deutsche Telecom Company’s Cyber Security specifically for you
807 certified writers online
Deutsche Telecom (German Telecom) is a communications organization with the headquarters in Bohn. Created on the aftermath of the Deutsche Bundespost privatization two decades ago, it currently has the country’s Government as a direct and indirect stockholder of 31.8%1. A major Internet service provider, the company has experienced organizational structure reshuffles in 2005 and 2008, merging and separating from assorted strategic telecommunications units. By 2012, the company had several subsidiaries abroad and a 50-50% joint venture with a UK-based network operator Orange.
Because the Internet and related communications are a part of the country’s infrastructure, a deterrence of these communications would result in a serious infrastructure distortion and economic damage to both the company and the customers. At Deutsche Telecom, they pride themselves on transparent, customer-oriented policies and try to safeguard the customers’ security by sharing knowledge and research evidence.
DoS and DDoS attacks
As the name implies, a Denial-of-service (DoS) attack is the incident of malicious hackers trying to close access to a web resource2. DoS attacks can be conducted in different ways, the most common of which is overloading the service. The attackers saturate the service with communication requests rendering the system non-responsive to traffic. A more massive attack involves a network of malicious users targeting a bandwidth of services. Such an attack is called a Distributed DoS or DDoS.
Some of the common targets of DDoS attacks are governments, financial establishments, and electronic commerce institutions. They can be carried out for political and ideological purposes, as well competitive damping and expulsion from the market. In the case of Deutsche Telecom, however, the actors of the attack or their purposes were unknown3.
The attack on Deutsche Telecom’s reverse Domain Name System (DNS) commenced on September 3rd, 2012, at about 4 p.m. The DNS was out but the attack was promptly mitigated within an hour and a half. DDoS defense tools were facilitated, and the DNS was functioning again. By 6 p.m., the attackers have already modified the packet structure to override the company’s defense. This is when the DNS went out of function the second time.
The attack was again countered by a reconfigured set of defense tools. The saturation ceased by midnight only to restart on September 5th. This time, the DNS remained in function because the defense tools were still up. The third attack wave happened in the evening the same day, with no damage done to the DNS4.
The BSI (Bundesamt für Sicherheit in der Informationstechnik or Federal Office for Information Security) was informed about the attacks the same day. The company asked BSI for an emergency contact point at a web-hosting provider. It also contacted the Federal Crime Office and issued formal complaints to the Public Prosecution Service the following week. Two weeks after the first attack, the mitigation measures were called back.
The attacker’s or attackers’ motives for the actions remain unknown. No demands to the company were made and no information concerning the actors has been discovered. One of the possible explanations for these events is that the attackers were testing their skill, resources, and tools, that is, the attack for carried out for the sake of itself. Although the source of the DDoS remains unclear, the adversaries must have used the amplification technique.
The technique subsumes short-querying the third-party service DNS with spoofed-source IPs (Deutsche Telecom’s DNS IPs). The queries cause the third-party DNS to shortly send long responses to the IP of the attacked. While the DNS protocol’s amplification factor does not exceed the limit of 100, the size of the queries can be amplified to up to 4000 bytes, which makes it hard to withstand. The fact that the queries often come from legit-looking servers is another factor adding to the gravity of such attacks5.
Because the attackers used the another web host provider’s servers, Deutsche Telecom started the mitigation with abuse messages to the said provider. They were unsuccessful, hence the necessity to redirect the traffic. As stated in the report on the network security, the registered 2012 attacks did not raise the traffic above 60 Gbit/s but Deutsche Telecom possessed enough capacity to withstand the traffic overload6. Deutsche Telecom’s CERT (Computer Emergency Response Team) was briefed on the incident and assisted with analyzing it7. The attack method was revealed despite the fact that the actors remained unknown. The real queries were distinguished from the automated (DDoS) ones and the latter were blocked by the company’s security system.
The DDoS aftermath
If the 2012 DDoS was successful and the company’s server collapsed, it would severely and irreversibly damage both the provider and its customers, including individual users and businesses. The following actions were performed at varying times to either prevent the attacks altogether or lessen their effects.
- The necessity to protect organizations utilizing the provider’s services stipulated the setting of the ICSS IP Transit Security DDoS Defense platform. The platform is capable of detecting and mitigating DoS and DDoS attacks and reduce the effects of traffic “spikes” – seasonal or any other. The platform is constituted by seven threat management systems quartered in Germany and Europe. The service guarantees security as it constantly analyzes the query flows from IPs8.
- Within the ICSS platform, a hotline was established allowing the users to notify the company if they locate an attack.
- The platform has a cloud-based option which uses the redirection technique like the one deployed for the September 2012 attack. With its 2Tbps mitigation capacity, it is perfectly capable to reroute the malicious traffic, clean, and return to the client by GRE.
- As a joint project with BSI and the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM), an online portal Sicherheitstacho.eu was launched in 2013. The portal is basically a dashboard providing a real-time view on cyber-attacks, free for access to everyone interested. The dashboard uses a system of sensors (which also serve as a decoy for unmanned attacks automatically detecting soft spots in assorted networks, sites, and device security)9. The company utilizes the data gathered by these sensors to shield its own system and provide the clients with the updated information10.
Deutsche Telecom seems to have narrowly escaped the irreparable damage the DDoS attack could have caused if it were not for the prompt actions to redirect the query overflow and the fact that the company possessed a high network capacity. Because the company and CERT realize the vulnerability of their clients should such an attack take place again, they have expanded their existing set of tools and techniques for attack mitigation. Some lessons that can be learned from the company’s experience are as follows.
Firstly, when the attack begins, the abuse messages to the web host provider should not be the intermediary step before a mitigation action is started. In this situation, the attackers were covered under the other provider’s infrastructure, which made it more complicated to identify the attack. A company facing a DDoS should start mitigation as it simultaneously tries to contact the other web host provider. If the network capacity is not high enough to withstand the query flow and the server collapses before the mitigation is started, the damage to the infrastructure will be irreversible.
Get your first paper with 15% OFF
Secondly, the redirection technique utilized during the September 2012 attack was further upscaled and applied to protect the company’s clientele. In combination with the sensor scanning, the technique facilitates prompt detection and protection for all parties involved.
Deutsche Telecom could have dealt with the attack more efficiently if the mitigation was started immediately after the attack was identified. When the security of private and corporate users is concerned, sole reliance on the network capacity being higher than the attackers’ cannot be always justified. However, the technique of redirecting the attack has proved useful, especially in tandem with other preventive practices such as the DDoS awareness portal.
“DDoS Defense.” Deutsche Telecom. Web.
“International Case Report On Cyber Security Incidents.” Msb.se. Web.
“Introducing Deutsche Telekom CERT.” Deutsche Telecom. Web.
“Overview of current cyber attacks on DTAG sensors.” Sicherheitstacho.eu. Web.
“Security dashboard shows cyber attacks in real time.” Deutsche Telecom. Web.
Group Information Security. “Security on the Internet: Report on Information and Internet Security.” Deutsche Telecom. Web.
Haughn, Matthew. “DNS amplification attack.” TechTarget. Web.
- “International Case Report On Cyber Security Incidents,” Msb.se. Web.
- “DDoS Defense,” Deutsche Telecom. Web.
- “International Case Report On Cyber Security Incidents,” Msb.se. Web.
- Matthew Haughn, “DNS amplification attack,” TechTarget. 2013. Web.
- Group Information Security, “Security on the Internet: Report on Information and Internet Security,” Deutsche Telecom. 2016. Web.
- “Introducing Deutsche Telekom CERT,” Deutsche Telecom. 2016. Web.
- “DDoS Defense,” Deutsche Telecom. 2016. Web.
- “Overview of current cyber attacks on DTAG sensors,” Sicherheitstacho.eu. 2016. Web.
- “Security dashboard shows cyber attacks in real time,” Deutsche Telecom. 2013. Web.