Network abuse is on the increase. The latest statistics from Statista report that the United States currently loses more than 525 million USD a year to cybercrime.
Many of these attacks, however, originate inside an ISP’s own network, from compromised subscriber hosts. To improve ISP security and deal with this type of network abuse more efficiently, ISPs need layers of security that include robust threat-intelligence sharing, more advanced detection and response technology, and true integration and automation capabilities.
Why a multi-layered intrusion detection system is needed
Traditional intrusion detection inspects individual packets for suspicious patterns or activities. The massive increase in link speeds and throughput, especially in large networks, makes per-packet inspection on its own impractical at line rate. Today’s attacks generally fall into two categories: Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks, and intrusions that steal data, such as SQL injection or other command-injection attacks. The Ponemon Institute reports that DoS attacks represent 21% of today’s total annualized cost of cybercrime.
DoS/DDoS attacks that target the network layer use a variety of techniques, and ISPs need to defend against all of them, which is why a multi-layered approach is required to keep web applications reachable during an attack. In practice, defending against DoS attacks combines two approaches: on-premises hardware and cloud-based services.
On-premises hardware
Most organizations rely on hardware like:
The problem with on-premises hardware is that it can only act on a DDoS attack after the traffic has already entered your ISP. If the attack volume exceeds your upstream bandwidth, the links saturate before the appliance can filter anything, and the result is an outage for your entire ISP.
Cloud-based services
These services sit outside your ISP and scrub traffic before it reaches your network. There are two main types of cloud-based anti-DoS/DDoS service: DDoS mitigation providers, which route suspicious traffic to a centralized scrubbing location where the malicious traffic is filtered, and website protection services, which use Content Delivery Networks to absorb and inspect malicious traffic across a distributed network of servers.
How to improve the detection and prevention of distributed denial of service (DDoS) attacks
An ISP’s first line of protection should be Network Ingress Filtering (BCP 38, RFC 2827): at every customer-facing edge, drop any packet whose source address is outside the prefix assigned to that customer, so that no packet leaving your ISP carries a source address outside your address range. Spoofed source addresses are what make reflection and amplification attacks possible, and because each drop is tied to a specific interface, the same filter tells you which host inside your network is the offending one, so you can detect and block it.
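The following is an added example, not code from the original article or from Abusix, showing what the BCP 38 check above looks like when applied to individual packets. The interface names, the prefixes delegated to each interface, and the sample packets are all constructed for illustration; the data structure stands in for whatever a real edge router would carry as a per-interface source-address ACL.

```python
"""Source address validation (BCP 38 / RFC 2827) at the customer edge.

Added example, not Abusix code. Interface names, prefixes and the
sample packets below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Hypothetical customer-facing interfaces and the prefixes delegated to each.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/26")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/28"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def is_valid_source(interface, src):
    """True if src lies inside a prefix delegated to that interface.

    ipaddress returns False for a v4 address tested against a v6 network
    (and vice versa), so mixed address families need no special casing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply BCP 38 to (interface, src, dst) tuples.

    Returns (forwarded, dropped, spoofers). `spoofers` counts dropped packets
    per ingress interface, which is exactly what the abuse team needs: the
    interface identifies the subscriber sourcing spoofed traffic."""
    forwarded, dropped = [], []
    spoofers = Counter()
    for iface, src, dst in packets:
        if is_valid_source(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            spoofers[iface] += 1
    return forwarded, dropped, spoofers


# Constructed sample: legitimate packets, then reflection-style spoofing where
# the subscriber on ge-0/0/2 forges a victim's address as the source.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.53"),
    ("ge-0/0/2", "203.0.113.5", "192.0.2.53"),
    ("ge-0/0/2", "192.0.2.99", "192.0.2.53"),            # spoofed: not a customer prefix
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::1"),
    ("ge-0/0/2", "2001:db8:9::10", "2001:db8:ffff::1"),  # spoofed IPv6 source
    ("ge-0/0/9", "198.51.100.7", "192.0.2.1"),           # unknown interface: drop
]

if __name__ == "__main__":
    fwd, drp, who = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for iface, n in who.most_common():
        print(f"  {iface}: {n} spoofed packet(s)")
```

A packet arriving on an interface with no delegated prefix is dropped as well, which is the safe default: an edge port the filter does not know about should not be able to inject traffic with arbitrary sources.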
Your ISP can also implement traffic monitors that alert your network abuse team when a particular subscriber’s link stays congested for more than 10 minutes, an indication that something unusual is going on (a compromised host taking part in a DDoS, for example). Once your network abuse team has the alert, they can take action to mitigate the attack. In front of web servers, many network-level DDoS attacks can be stopped by allowing only TCP traffic to port 80 (HTTP) and port 443 (HTTPS) and dropping all other non-application traffic at the edge. Note that this filter belongs in front of a web farm, not on general subscriber transit, and it does nothing against application-layer HTTP floods that arrive on the allowed ports.
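As an added example (not code from the original article or from Abusix), the sustained-congestion rule above and the web-edge port allow-list, run over constructed data. The subscriber IDs, link rates and per-minute utilisation series are made up, and the 90% utilisation threshold is an assumption; the "more than 10 minutes" window is the article’s own figure.

```python
"""Per-subscriber sustained-congestion alerting and a web-edge port filter.

Added example, not Abusix code. Subscriber IDs, link sizes and the
utilisation samples are constructed; the 90% threshold is an assumption.
"""
from dataclasses import dataclass

CONGESTED = 0.90          # fraction of the subscriber's link rate (assumed)
SUSTAINED_MINUTES = 10    # the article's "more than 10 minutes" rule
WEB_PORTS = {80, 443}     # the only destination ports a web edge needs


@dataclass
class Alert:
    subscriber: str
    start_minute: int
    minutes: int
    peak_mbps: float


def find_sustained_congestion(samples, link_mbps,
                              threshold=CONGESTED, window=SUSTAINED_MINUTES):
    """samples: dict subscriber -> list of per-minute egress Mbps (index = minute).

    Returns one Alert per run in which utilisation stayed at or above
    threshold * link rate for more than `window` consecutive minutes. A short
    burst resets the run, so a speed test or one large download does not
    page the abuse team; exactly `window` minutes is not "more than"."""
    alerts = []
    for sub, series in samples.items():
        limit = threshold * link_mbps[sub]
        run_start, run_len, peak = None, 0, 0.0
        for minute, mbps in enumerate(series + [0.0]):  # sentinel closes the last run
            if mbps >= limit:
                if run_len == 0:
                    run_start, peak = minute, 0.0
                run_len += 1
                peak = max(peak, mbps)
            else:
                if run_len > window:
                    alerts.append(Alert(sub, run_start, run_len, peak))
                run_len = 0
    return alerts


def web_edge_allowed(proto, dst_port):
    """Edge ACL in front of a web farm: permit only TCP to 80/443.

    UDP reflection traffic, ICMP and scans against other ports are dropped
    before they reach the servers. HTTP floods on the allowed ports pass."""
    return proto == "tcp" and dst_port in WEB_PORTS


# Constructed per-minute egress samples (Mbps) for three 100 Mbps subscribers.
SAMPLES = {
    "sub-1001": [12.0] * 8 + [98.0] * 5 + [15.0] * 12,    # 5-minute burst: no alert
    "sub-1002": [20.0] * 3 + [96.5] * 14 + [18.0] * 8,    # 14 minutes high: alert
    "sub-1003": [30.0] * 5 + [92.0] * 10 + [25.0] * 10,   # exactly 10: no alert
}
LINK_MBPS = {"sub-1001": 100.0, "sub-1002": 100.0, "sub-1003": 100.0}

if __name__ == "__main__":
    for a in find_sustained_congestion(SAMPLES, LINK_MBPS):
        print(f"ALERT {a.subscriber}: congested {a.minutes} min "
              f"from minute {a.start_minute}, peak {a.peak_mbps} Mbps")
    for pkt in [("tcp", 443), ("udp", 53), ("tcp", 22), ("icmp", 0)]:
        print(pkt, "allow" if web_edge_allowed(*pkt) else "drop")
```

The monitor works on whatever per-subscriber counters you already export (SNMP interface counters or flow records aggregated per minute); the point of the consecutive-run logic is that the alert fires on sustained saturation, not on peak rate.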
Sharing information to combat network abuse
ISPs are at the mercy of their customers’ worst practices. One way they can improve their defenses is to share cyber-threat information amongst themselves, treating that shared information as a means of achieving specific security objectives. Because of the sensitive nature of this information, sharing should only take place within a trusted group.
All ISPs can benefit from the creation of a community with a common security goal; for example, sharing cloud security-related information such as threats, vulnerabilities, and strategic threat analysis.
The European Network and Information Security Agency (ENISA) notes that valuable information has several dimensions. Such information should:
- Be timely and specific
- Be relevant to the participant’s concerns
- Provide a suitable level of detail, while protecting individual privacy
Creating an integrated, multi-layered security solution
A chain is only as strong as its weakest link. For network abuse teams to function effectively, ISP security needs to consist of an integrated, multi-layered solution made up of anti-virus software, firewalls, tiered access credentials, spam filtering, privacy controls, intrusion detection systems, and abuse handling tools.
While there is no real way to achieve total security against network abuse, a multi-layered security solution will hinder the progress of a threat, giving your network abuse team time to deal with it.
AbuseHQ from Abusix provides ISPs with real-time threat intelligence, illuminating blind spots in your network, identifying network abuse, and forewarning your network abuse team of future threats.
To find out more about how you can proactively protect your ISP from network abuse, download this free eBook from Abusix: