Providing Mitigation Support Against the Toughest Attacks with DFLabs and SolarWinds
The Domain Name System (DNS) is a crucial service for modern communications. Any disruption to the service will result in cascading failures which would paralyze any user or organization. The criticality of this service and the difficulty organizations and incident responders have when responding to an attack creates an Achilles heel, which attackers cannot resist taking advantage of.
The DNS protocol essentially serves as a telephone directory for internet users. This protocol allows users to navigate to sites on the web through domain names without needing to know their corresponding IP addresses. Due to the nature of how this service works, it is often the target of Denial of Service (DoS) attacks which aim to cripple the very service which keeps the world interconnected via the web.
Attacks against the DNS can be very difficult for an organization to mitigate due to how they are typically carried out. The overall goal of an attacker when targeting DNS is to saturate the network by continuously exhausting bandwidth capacity or exhaust server-side assets with invalid or malformed packets, consuming all available resources. These types of attacks come on strong and can make it extremely difficult to contain because the traffic cannot be trusted and appears to be coming from everywhere, leaving analysts scrambling to keep up.
Today, security operations teams are faced with a number of problems and unanswered questions, especially when it comes to tackling this type of attack. Examples include:
How can my organization protect its crucial services against dynamic attacks like Denial of Service (DoS) attacks?
How can we help mitigate an active DoS attack?
How can our security analysts be more effective when combating heavy-hitting attacks such DoS attacks?
The DFLabs and SolarWinds Orion Solution
The DFLabs and SolarWinds solution fuses the powerful monitoring and management abilities of the SolarWinds Orion platform together with the robust automation and orchestration capabilities of DFLabs’ IncMan SOAR solution, to provide organizations with a complete end to end package for securing their infrastructure against hard to defend against attacks, such as Denial of Service.
By providing incident responders with the robust evidence gathered from SolarWinds, organizations can build out workflows based on the evidence received to take action on suspicious traffic before human intervention is needed. Once all criteria is met, analysts are notified of the malicious activity, allowing their talents to only be called upon when absolutely necessary to stop an ongoing attack. This prevents overutilization of security staff and ensures swift action is taken when time is of the essence.
About SolarWinds Orion
The Orion Platform is at the core of the SolarWinds IT Management Portfolio. It provides a stable and scalable architecture that includes data collection, processing, storage, and presentation. The Orion Platform provides common features like network node discovery, dashboards, reporting, alerting, SNMP traps, Syslog, groups, and more that can be leveraged across all products.
Now let’s look at a simple use case in action.
An alert is received for abnormal bandwidth consumption rates from an organization’s SolarWinds Orion deployment. Upon receipt of the alert, IncMan executes the DDoS Mitigation R3 Rapid Response Runbook which searches through the Orion nodes and pulls associated interface traffic for the affected interfaces.
Once the interface information has been received the R3 Rapid Response Runbook comes to its first conditional statement. This statement looks for the average bits per second to be greater than three times the normal bandwidth rate that would be expected for that interface. If the threshold is not breached the Orion alert is cleared, and the Runbook automatically closes. However, if the threshold is breached, the Runbook executes another conditional statement to try and identify the device reporting the increase in traffic.
If the device is a switch, the Runbook automatically disables the affected interface and queries the organization’s SIEM platform for flow and event data. Armed with this information, the Runbook is temporarily paused to allow an analyst to review the event and interface data. If the device is not a switch, the R3 Rapid Response Runbook will not disable any associated interfaces but instead only query the SIEM for flow and event data. The Runbook will then pause to allow an analyst to review the evidence gathered.
Once an analyst has had an opportunity to review all of the incident data they will be given an option to either close the incident out as a false positive or upgrade the incident to a higher priority event. If upgraded they will, acknowledge and notate it in the SolarWinds Orion platform and create a new incident response ticket in the organization’s ticketing system to allow the incident response team to review the incident data and take further action where necessary.
The DFLabs and Solar Winds solution supports incident responders with Denial of Service mitigation strategies by combining the automation and orchestration tools found in DFLabs’ IncMan SOAR platform, with the powerful centralized monitoring and management capabilities provided by the Orion platform. These two solutions when combined provide an extension to the single pane of glass required for monitoring and management of today’s complex IT environments. Armed with the extensive incident evidence provided by SolarWinds, DFLabs IncMan SOAR supplies incident responders with the data necessary to make decisions quickly and to take automated actions to stop an attacker in their tracks.