A podcast Connecting the Dots, Exposing Threats and Navigating Cybersecurity


Episode 3: DDoS Attacks: The Past, Present & Future of Protecting Against Them


"A lot of these gambling sites, like I said, they're down in Costa Rica. And at the time, I think all of Costa Rica was off a single OC-3, which is 155 megabits per second. So if I sent 200 megs, the entire country was offline..." - Matt Wilson

In episode 3, John and Paige get the uncensored history of DDoS attacks from special guest Matt Wilson, and discuss how to future-proof your web infrastructure against cyber attacks.


Have feedback or a cybersecurity topic you would like us to dig into on this podcast? We would love to hear from you! Drop us a quick note at lockandshield@team.neustar.

Highlights:

  • The inception of DDoS – where did this technology originate and how has it evolved since?
  • The wild world of hacking – Matt breaks down some fascinating stories from the early days of sophisticated hacking.
  • Pathway to Multi-Cloud? How does Neustar adapt its security for cloud platforms?
  • Nation State Attacks – Hacking at the next level, how do government entities get involved in all of this?
  • Future Planning – What does the future look like for UltraDDoS and UltraWAF?

Episode Transcript

John McArthur
Welcome back to the Lock and Shield podcast presented by Neustar. I'm your host John McArthur, Director of Product for Security Intelligence in Neustar's Security Solutions division. With me today is our regular podcast contributor Paige Enoch, who manages Neustar's UltraGeoPoint and UltraReputation data sets. Paige, how are you doing today?

Paige Enoch
I'm great. Thanks, John. There's a heatwave that's happening on the west coast, so it's warm here today, but feels like summer. So, all good.

John McArthur
I was going to say, still no signs of cicadas or Brood X on the West Coast? Nope. Again, yeah. As you said last podcast, very distinctly a Midwest/East Coast issue. Yeah. All right. Well, today's episode is a special one. We're digging deep into the history of cybersecurity, back to the early days of DDoS attacks 25 years ago or so, and how those have evolved to present day. And with us today to dive into this fascinating topic is a special guest, our own Matt Wilson, Senior Director of Application Security here at Neustar. Now Matt has over 20 years' experience in the application and network security space and was there at the beginning when DDoS attacks were first starting to disrupt the internet in the early 2000s. Before we get started, Matt, do you want to give us a quick description of your current role here at Neustar and the products you manage?

Matt Wilson
Yeah, sure. Thanks for having me, guys. Yeah, so I own Neustar's Application Security Suite. So, this is comprised of our denial-of-service protection service, as well as our web application firewall, our bot management solutions, and the API protection suite. So that kind of all encompasses network and application security.

John McArthur
Got it. Got it. I don't know, we were just joking: although you're based on the East Coast, you're currently in Arizona. So just to do a quick cicada check, you're not having issues where you are right now?

Matt Wilson
No, there are no cicadas. I'm outside of Phoenix right now and there are no cicadas right now. Around here, it's just way too hot, first off. But second, the cicadas typically pop out in Phoenix in, like, August, when we start getting more rain, but it's just too hot and too dry right now.

John McArthur
Got it. Got it. Well, I'm sure they miss you on the East Coast, then.

Matt Wilson
Yeah, I'm not sure I miss those. They were like a good freight train outside my house every morning.

John McArthur
There you go. Alright, well, let's get started. And let's just start with the basics. How did you get started in network security?

Matt Wilson
Yeah, so realistically, you know, anyone who kind of owns a network, you are somewhat responsible for network security, right? So, my background is in engineering, on the network engineering side of things. And we got into network security pretty early on in my career. So after college, I went to go work for a big carrier. And in that carrier - carriers, at the time, didn't really care so much about security, it was more just how quickly can I pass bits around, and, you know, all those extra services were kind of the customer's issue. Then I moved into, like, a consulting space, where, you know, now I was that customer. And now we were the ones building these networks for customers. And you had to take into account network security. That kind of migrated into, and I was able to carry forward, that same sort of mentality when I went back into the service provider space. And I realized really early that what was coming next in the early 2000s, from a carrier perspective, is how you could add value, how you could provide a better service to your end customers, was by bundling together not just "here's your internet pipe," but what sort of internet security services could I place on top of it. So, it seemed to be a somewhat natural transition, at least for me, it felt that way.

Paige Enoch
Gotcha. Gotcha. So, in those kind of early days, who were some of the first customers that you were protecting from DDoS attacks?

Matt Wilson
Oh, yeah. So, what ended up happening was, I was back in Phoenix, so that's where I'm from. I was back in Phoenix, and I was running an ISP here. And we were kind of a data center slash ISP, and we provided added services to a bunch of customers. Well, we had a built-in product that was kind of like our, in our company was sort of our sister product, that was a content company. So, we had a lot of bandwidth, which, you know, today people would laugh at, but, you know, at the time, it was 20 to 30 gigs worth of capacity, right. And this capacity was all outbound. So, we were pushing content to the world. So, we had a lot of available capacity inbound. Well, in the DDoS world, that was sort of a natural fit. So, there was a gentleman who had started a DDoS protection company, and his name was Barrett Lyon. And Barrett came to us. And he said, you know, I need inbound bandwidth. And I need a lot of it, right, because, you know, these attacks are taking down carriers, or they were taking down carriers, but they were also taking down some of his clients. And he said, I could use your bandwidth, could I put my gear in your data center, and, you know, we'll fight these attacks, and you know, our customers will be happy. Well, you know, come to find out a lot of those customers were offshore gaming customers, right, these were, you know, Costa Rica, and gambling sites, things like that. And so, it was kind of an interesting time, you know, his service grew beyond that. But, you know, some of these, they weren't what we have today. DDoS is an extremely common problem that kind of spans across all industries, from banking to energy to e-commerce, you name it, and back then it just really wasn't the case. It was, you know, gambling, it was people selling bootleg erectile dysfunction pills. It was you name it; it was a lot of different things.
It was a very different time for this, you know, and that started to change. I mean, it did change in about 2008, when the attackers realized that, you know, geez, it's not just these other sites that have a lot to lose, but banks do, and I can use this for a lot of different reasons. I can use it for anti-competitive reasons, I can launch an attack against somebody just for political reasons, right. So, it's on to nation state attacks. And it really exploded, I would say in about 2008 is when it really kind of went widespread. And the problem just continues to get worse and worse.

John McArthur
Let me ask, in those earlier days, who were generally the major adversaries trying to take down these gambling outfits, or fake pharmaceuticals, and what were they, you know, I'm sure things have changed, techniques have changed. But, you know, how were they launching their DDoS attacks back then?

Matt Wilson
Yeah, so there's some really crazy stories from back in the day, you know, some of the original attacks against the gambling sites were, oddly enough, it was like, these were Russian mafia, you know, organized crime, Eastern European organized crime groups. And, you know, what had happened is, well, there's some rumors about what happened. But really what had happened was, you know, these groups realized that they could launch some attacks fairly easily, the botnets were fairly easy to build, you know, they were doing bots for like spam and things like that anyway. And so, it became really simple as part of some of these operations to, well, I'm not just sending spam, I'm not just, you know, taking over passwords, things like that. I can just send a bunch of traffic at somebody's site from 1000 devices on the internet. And those 1000 devices now can send enough traffic to overload somebody's site. And, you know, a lot of these gambling sites, you know, like I said, they're down in Costa Rica. And at the time, I think all of Costa Rica was off of, like, a single OC-3, which is 155 megabits per second, for people who've never talked SONET before. You have to be somewhat old to know what SONET even is, but, you know, so it's like 155 megs, so if I sent 200 megs the entire country was offline. And that actually happened a few times, you know, and backup was satellite at, like, you know, 10 megabits, I think it's more like 1.5, like a T1 type of capacity. So, you know, the backups didn't really help a whole lot. And the attackers just went after that. And so, you know, you could take down huge swaths of the internet, huge parts of the world, not just the sites, and so, you know, the attackers realized that I could, by doing this, I'd send a threat and just demand $50,000 sent by Western Union. And as part of that you either paid or you got attacked.
And you know, the thing that was really bad is that even if the attack happened, it didn't just affect them, it affected everybody that was hosted down there. You know, everybody was subject to this. And so, it really became a huge problem back in those early days. But it did kind of change over time. I would say one of the big turning points is the early days of Anonymous. Anonymous started attacking the Church of Scientology, right, there was lots of news about this, I'm not really saying anything proprietary or anything. There, they started attacking Anonymous, and, you know, at first, it was telling people in chat boards to just go to their browser and hit refresh a lot, which, you know, was really quite easy to block and kind of rudimentary, it's sort of the equivalent of smashing rocks together for DDoS. But then, you know, the Low Orbit Ion Cannon tool came out. And that, I want to say, didn't really change the game, but it did start to, right; it was a stressor tool. It was an open-source tool that people could use to test their own network. And they just told everybody to go download it and start launching these attacks. You know, I think what people didn't really fully grasp at the time is that all of those attacks were, you know, in the TCP world, they were stateful, which meant that there was no spoofing. We had everybody's IP address. And of course, during that time the FBI comes knocking with a warrant and says, well, you know, these guys have complained, the church has complained, and we want to, you know, we need your logs. And so, we would give them the logs of all these IP addresses that were hitting our clients, that we were blocking and fighting, until we gave them, you know, had to give up everything we had, because we had a warrant. So, you know, I think there were a few arrests around that. Not a lot.
But the part that always cracks me up is that people started calling us, they would literally call us and leave us voicemails, like threatening us, to try to overwhelm our support line and things like that. And so needless to say, some of those voice recordings got sent off as well. But it was definitely a wild time. Very wild time on the internet.

Paige Enoch
Wow, that does sound wild. And so, if we think about ransomware, now, we know that it's the latest and biggest threat to enterprises. But during that time, can we think about cyber criminals threatening to kind of enact a DDoS attack as a precursor to ransomware?

Matt Wilson
Oh, you know, yeah, I mean, I think you certainly would, right? Because there's a lot of reasons why people are launching any sort of attack, right, whether it's DDoS, or ransomware, or anything. And, you know, in those days, it was a lot of what we used to call script kiddies, right, it was kind of, you know, people that simply wanted to do something to prove that they could do it, right. I'm going to take down, you know, somebody's Minecraft server, Doom server, because, you know, the guy beat me. Or, you know, it could be anti-competitive. We had a lot of cases where somebody hired an attacker to attack a competitor, and to take them offline, you know, and they would do this during kind of peak periods, or during kind of heavy times where normally business would be big, like during that Black Friday kind of sales, or in the gambling world, it was during, like, the Super Bowl or Grand National racing, if you're in Europe, sort of thing. And so, it was a lot of anti-competitive. Well, I think what you've seen is a lot of this has kind of migrated to, well, not only can I disrupt, and I can send extortion letters, I can also get money, there's a lot of value in this data that I can gather. So, you know, by launching any sort of attack, I can grab the data, I can keep the data, I can sell it, I can leak it, you know, and I think as we've seen, this problem just continues and continues and continues, and there is no end in sight for any of it. Right? And I think one of the sad things is it becomes somewhat passé at this point, hasn't it? Where now it's just, you know, the news of yet another company getting hacked, or yet another company, you know, having ransomware and being taken offline, that just almost seems like par for the course. It's another piece of news that you just kind of go, "Oh, yeah, my password was stolen again.
Okay, you know, time to get a new credit card," right.

John McArthur
Hey there, I wanted to take a quick break from the podcast to bring up this interesting DDoS fact. Did you know the first DDoS attacks occurred over 20 years ago? From technologyreview.com: July 22, 1999, is an ominous date in the history of computing. On that day, a computer at the University of Minnesota (go Gophers!) suddenly came under attack from a network of 114 other computers infected with a malicious script called Trinoo. Trinoo consisted of a network of compromised machines involving masters and daemons, allowing an attacker to send denial-of-service instructions to a few masters, which then forwarded instructions to the hundreds of daemons to commence a UDP flood against the target IP address. This code caused the infected computers to send superfluous data packets to the university, overwhelming its computer and preventing it from handling legitimate requests. The attack knocked out the university computer system for over two days. What interesting cybersecurity stories do you want to share? Reach out to us at Lock and Shield at team dot Neustar. That's L O C K A N D S H I E L D at team dot Neustar. Now back to the podcast.

John McArthur
Let me ask you, because it sounds like there's been an evolution in some of the techniques and sophistication. You mentioned the Low Orbit Ion Cannon; I remember that back in those days. But is it harder or easier today to defend against DDoS attacks? Because I'd imagine, you know, obviously, the sophistication of the tools used to prevent or stop these attacks has improved as well. So, has it gotten easier? Or is it still a game of cat and mouse, catching up with the criminals and their advances as well?

Matt Wilson
Yeah, I mean, I think you see corollaries in this across, you know, all crime, right, where the attacker will start, and then the instant that the defender puts something up, the attackers will kind of change a vector, and they'll find a new way around something, and they'll find a different way to do it. So, I mean, I think the cat and mouse game 100% continues, right, every single time. We get, like, you know, there'll be an attack that will come in, it can be devastating for, you know, a short period of time, if it's something brand new. But then the problem is that the tried and true methods still work. Right? So, both on the offense and the defense, the scale has gotten bigger. So, at the same time, it's a weird answer, because I think while the tools have gotten more commonplace to launch attacks, right, you can go and rent botnets for a few dollars a day type of thing, you know, for a bunch of these botnets. And it's really easy to do this, you know, and they're just online stressor tools, is what they're kind of considered. So, they're very easy to go get. There's a lot more devices on the internet than there ever was before. So, it's easier to scale attacks, it's easier to really throw a lot of traffic at somebody, or even if it's not a lot of traffic, a lot of connections at somebody, so that can be almost even more damaging. And so, you know, I can send a lot of really, really small packet sizes, and that can be problematic. So, with the explosion of, like, IoT, the explosion of the internet simply growing, places that didn't have good internet connectivity, mobile now is so much more ubiquitous. While, yeah, our techniques and things that we do have advanced, the size of our networks has advanced, our tools that are available to us have advanced, the attackers are continuing to advance as well. So, it's very much an arms race.
And you know, like I said, I think that you see corollaries to that all the time, you know, if someone really wants to get into your house, you know, the first time they can just walk up, unlock the door. So you lock the door, and then the next time they smash the windows, so you put in an alarm, and then the next time you have the alarm, they figure out how to get around your alarm, and, you know, then you get a dog, and then they just figure out they can, you know, throw something at your dog, a sleeping pill at your dog, and now they can get in just fine. Right? I mean, it's just like this nonstop, over and over and over again. You know?

Paige Enoch
So, we've talked a lot about DDoS attacks becoming much bigger and much more prevalent. Could you speak to the evolution of WAF?

Matt Wilson
Yeah, absolutely. You know, so kind of along the same lines as what we were just talking about, with this continuing evolution and this arms race, well, one of the ways in which attackers have evolved over the years is they've started going deeper and deeper into the application. And so, you know, while this has always happened, we've always had attacks against whether it was, you know, DNS as an application or HTTP as an application. You know, a lot of these attacks kind of continued to be volumetric of sorts, right? So, I could still send an HTTP request, I can just send a lot. Well, you know, as software has gotten more and more complex, as websites and the capabilities of websites have gotten more and more complex, or just more things have gone online, there's more opportunities to take advantage of the vulnerabilities in all of this software that exists. And that's kind of where things like WAF and bot management have come into play, where, you know, kind of the next evolution from DDoS was heavily going into the WAF space, which is that web application firewall, which kind of was taking the concept of what you used to do with, literally, firewalls, but firewalls weren't really well suited for this, right? Because firewalls are more about protecting, like, your individual desktop and your LAN than they were necessarily your internet-facing capabilities. So, like your web servers, or mail servers, things like that. And so, what really evolved was this idea of the web application firewall, which goes deeper into the HTTP/HTTPS stack to do more enforcement to protect the application. And what's kind of interesting about it is, these aren't things that are volumetric, this isn't a volumetric kind of attack.
And these are literally one or two packets, type of attack, that, you know, you don't need huge amounts of traffic in order to take advantage of a vulnerability in some software, you just need to be able to get to it from anywhere on the internet. And so that's why WAFs kind of evolved, to sit in front of things. And, you know, like, there's the classic cases of things like SQL injection, or cross-site scripting, which, you know, kind of everybody's heard about forever. And there's kind of perfectly legitimate use cases around this. But there's also nefarious use cases. And so often this is kind of the thing that WAFs have evolved to take advantage of. And then, you know, the second you did that, now, at the same time the attackers have continued to evolve, they still use DDoS, they still use WAF, or add kind of application attacks in your kind of traditional OWASP Top 10 type of attacks. And now they've started looking at more sort of human-like behavior. So, things like account takeover, you've started to look at things like credential stuffing, kind of testing accounts, you've started to look at things like, you know, website scanning, or, you know, scraping, ripping content off to reuse it with other sites and kind of aggregate sites. And a lot of those things will fall under, like, the bot management side. So, the idea is that, you know, a browser, or an incoming connection, can look extremely realistic in that world. So, there's a bunch of techniques that you use to try to decipher out the stuff that is more human-like versus not-human-like, what is a bot on the internet attacking. And so that bot, it doesn't really matter. Like, you know, we can use a lot of our normal techniques if it's volumetric. But for a lot of these bots, it's more one or two connection type of things.
But they're doing things in a certain way, with certain patterns and certain, you know, grammar or things like that, in a way that doesn't look human-like. And so, bot management is about detecting the behavior of the inbound connections, not just protecting the site itself. And that's really the evolution that you see, where this is going.

John McArthur
So Matt, let me ask you, because you talked a bunch about network security and DDoS, and application security and the WAF. We know over the last decade, or decade and a half, there's been a major transition of enterprises, companies moving their infrastructure from being on premises to being in the cloud, hosting in the cloud. How has that impacted network and application security from your standpoint?

Matt Wilson
Yes, I mean, what that's really done is it's somewhat de-emphasized the network side of it, right. So, what you've been able to do, and this is the whole purpose of going to the cloud, is, I no longer have to maintain the hardware infrastructure, right? I no longer have to maintain the network, I can basically take the network piece, and I kind of push the onus of that off to my cloud provider. And so, like, in this case, you know, while DDoS is still a problem, you're kind of pushing the onus of protecting this to that cloud provider, who now has huge networks with tons of compute to be able to handle connections. Now, the downside of this is that with all that compute, they've got the ability to do kind of scale groups and things like that, and auto scale your site to be able to handle the amount of inbound traffic. There's still a DDoS component to that, right, because I can scale up automatically to fight a DDoS, or to handle more inbound connections, whether they're legitimate or not. But, you know, in the end, you're going to pay for that, right, you're paying for that scale. And so, while there are some DDoS components in there, and you can buy some DDoS services in each individual cloud, what you don't really know in a lot of this is kind of the capabilities of what that can do to protect your site. Then the same thing goes on the WAF side, where you're kind of protecting your application, and you're protecting your application firewall. With an application firewall, you don't know what the capabilities are. And now increasingly, I think something like 70% of our customer base is either multi-cloud or on their path to multi-cloud. Right. And I heard this from a customer in a webinar I did the other week; he made the comment that, like, yeah, we were collecting clouds like they're Pokémon.
And it's really hard on the security side of things, because now I've got, you know, these X number of cloud environments, and cloud native sounds really, really interesting. Because, you know, you can add it on, it can be fairly cheap. But what I don't have is consistency of policy across all of it. And, you know, even if they do block some stuff, I don't really have any assurances about that block; I have to, like, manually take that block from one and put it into another. So, this is where, from our perspective, what we've done is a lot of the capabilities that we've had for a long time, while we've always been able to protect the network side of things, a lot of the capabilities that we've had also protect the cloud environment. And so, the customer can really kind of seamlessly take this. And it's a really good story to tell when somebody is in the middle of cloud transitions, where you have this on premises, and we want to protect the network of your data center there. And as you're migrating to cloud environments, to be able to add those into that same service and have, like, a seamless interface, a seamless experience, and a consistency of the policies that you're putting in place across that entire spectrum. And so, it's been interesting, you know, to kind of tell that same story as you migrate. But there's a lot of power behind it, right? Because it is this idea of, we tried to make it simple. And then by the nature of what we do, we're simplifying that transition for the customers, while still allowing them to stay secure.

John McArthur
Hey, there, are you looking for a web application firewall to protect your most critical online applications? Neustar's UltraWAF provides a powerful, yet easy-to-manage tool for protecting your web assets from today's application attacks. Through our intuitive and easy-to-use API, or through our comprehensive APIs, you can apply a seamless level of security policies across your entire web infrastructure, regardless of whether it's located in a public cloud, private cloud, private data center, or spread across them all. Backed by Neustar's UltraDDoS Protect platform, we will ensure your applications are Always On, Ultra Secure. To learn more, please visit home dot Neustar and navigate to the Security Solutions section. Now back to the podcast.

Paige Enoch
So, we've talked about some of the kind of historical adversaries or who the adversaries were in the early days, but who are the current adversaries now?

Matt Wilson
Yeah, so what we've started to see are more and more nation state type of attacks. So, you know, on the government side of things, I mean, just going back, even, I guess, maybe 10 years ago now, when the country of Georgia was invaded, not too long ago, back in 2013, when Ukraine was invaded. Actually, that's not right. It was in 2013. Whenever Ukraine was invaded, you know, when Ukraine was invaded, we saw attacks and cyber-attacks that happened around the same time. So, you know, we've seen that as a prevalent way, because again, it is a great way just to disrupt networks. And across the board, I always equate it to, like, somebody is trying to pick your pocket. If my goal is, whether I'm a nation state, or I'm hired to hack a company, or I simply want to hack a company because I want to steal all the passwords and all the data to sell it, or embarrass them, or whatever the case may be, DDoS is a really good way to get people's attention, right? If I can send a terabit per second attack at your network, that is attention grabbing, that gets ELT members on board, your executives are all on the phone, everybody's talking about how your entire network's down, or at least, like, the public facing sites are down. Meanwhile, the attacker could have found that one part of your network that they could take advantage of. And they're able to come in from a vulnerability perspective. And now they're in there, they're stealing your passwords or stealing everything, but you're paying attention to the big, ugly attack. And that's, you know, this is why people buy DDoS services like ours, right. It's to offload that and let the professionals handle that with a big network; it's not going to take you down, it's not something that's going to be a problem. And you can focus on actually protecting your internal network. And then we can take over the WAF side of things. So, we can do those level protections as well.
We can protect against the bots. So, what you're still going to have, and there's always going to be that case, people have always had a need to protect their internal networks, looking for data exfil, things like that.

John McArthur
So Matt, you've talked a bit about, you know, how the Neustar solution helps its customers, can you dig into that a bit? How does Neustar's UltraDDoS Protect solution fit into the security ecosystem, and who are the target customers?

Matt Wilson
Yeah, so we are more of a mid-size, mid to large enterprise, we can really service anybody, but we really do target our service as an enterprise-level service. And so, you know, with that we provide a gamut of services, from that network protection, you know, having a 12-terabit network that is 100% dedicated to fighting these attacks. And that attack doesn't matter whether it is a DDoS attack that is large, and we've got some of the largest out there, we get large attacks about every couple of weeks at this point, all the way down to very, very small attacks. And, like I said, even the targeted attacks that fall into, like, the WAF and bot management space, to be able to protect against these types of things. So, our service really runs the gamut of being able to protect across that. And what's really interesting is that we do this through one network that can protect the entire customer. And we do it through one interface. So, there's not multiple networks here, this network isn't shared with other services that might also be high value. So, if there's ever a large DDoS attack, you may not be 100% certain what you're getting; this is what we do, this is all we do, right? So, you know, as part of that we give you that seamless experience where, you know, you can see all of your DDoS attacks, you can see all of your application attacks, all through the same interface, whether that's API or web, or you want us to webhook this out to your SIEM, whatever it is you're looking for, you know, our service has these capabilities built to do this. And the great thing is it's 100% managed, and backed by our SOC, which is a 24x7 SOC; these are the experts that you get, you're not kind of calling someone who has to call somebody else and forward on tickets or anything like that. When you open a ticket, you call our SOC, you are getting the experts that are the ones doing the fighting of these attacks.
So, it's a little unique in that perspective, you know, we really strive to provide a high-quality service that is pretty easy to work with, and effective at blocking attacks. And so, our customer base really runs the entire spectrum, as you can imagine, while we do have a lot of those kind of traditional, you know, even some of the more established gambling sites, you know, poker, things like that, those all still exist, that's all still a problem. So, our customer base really runs the spectrum, right. So, we have some of the largest banks in the world on our platform that we provide services for, you know, a lot of financial services on top of not just public banks, but, you know, financial services, energy companies, e-commerce companies, and media. And so, we're able to do a lot of the kind of the largest companies in these spaces that we provide services to, and we protect all of them. Doesn't really matter whether you're big or you're small. You know, we're able to protect all of these customers.

Paige Enoch
Thanks, Matt. That's a great overview. So same question for UltraWAF, where does it fit in the security ecosystem? And who are the target customers?

Matt Wilson
Yeah, so I think the customers there are fairly similar, right? I think, you know, anyone who has a website, you're running services, and whether you're small or large, you have one of the great things that a WAF can do for you on top of protecting your website: you have these vulnerabilities sitting behind the scenes. You know, while we can protect a lot of those, you know, new vulnerabilities are popping up all the time. So, one of the things that we offer, and this tends to be really, really valuable to small companies, but, you know, even for large companies, is this: you have these really large, complicated systems with, you know, lots of web servers, lots of applications running, and going in and patching for that latest CVE on any one of these things can be problematic, right? Because when you're doing patching, inevitably, there's a lot of follow-on issues, right? So, I can patch for one thing, and never mind that patch, I'll create four or five other issues that now I have to deal with. And that's whether that's because of versioning, or prerequisites and requirements, you name it. So, what our WAF lets you do is define the CVE, and if it's something that can be blocked in the network, we can do that virtual patching in the network for you. And so, you know, this is why a lot of the small businesses like this, because, well, you know, as part of being PCI compliant, if I take credit cards, these are things where, you know, a great case is Magento, right? Magento being one of the shopping cart platforms, Magento 1.0 is about to become deprecated. Anyone who has 1.0 is no longer going to be PCI compliant. And when you're out of compliance, there's a financial cost to this. 
So being able to come in and, as sort of a stop gap, be able to block a lot of the vulnerabilities that exist in these things. Or PHP is another case: there's a lot of people using really old versions of PHP, for a variety of reasons, and even large companies are doing this. But going back in and completely overhauling all of your platforms, your entire application, to fit this isn't always the most feasible way to deal with the problem. So being able to do some virtual patching to fill that gap is a huge use case behind using something like our WAF. So, it really fits into this where what we see is a lot of the DDoS will sometimes sit with the network guys, right? It's your network team. They're the ones who handle the DDoS connection, because that's at the network layer. The WAF stuff will often be either with the content folks, the folks that run the websites, or, you know, it's with the application teams, basically. And so, in some cases, it's all in one, and, you know, the same group is doing everything within the company. But so, our product really works across both of those sets of groups and solves both sets of groups' problems. We can handle your network security, as well as that application, and protecting that application from, you know, a gamut of attacks, as well as what you might consider protecting against the natural progression of software: as things become deprecated and you have to redevelop for it, you can use things like virtual patching to buy yourself time to do that patching. Because it's not always easy to do it right away.

John McArthur
Now, Matt, let me ask you, and I know you're aware of this. Both Paige and I are very much involved and closely tied to Neustar's UltraGeoPoint product. So, let me ask you, how does something like UltraGeoPoint enhance the UltraDDoS Protect and UltraWAF offerings?

Matt Wilson
Yeah, so in our portal, we've been developing it to fit the concept of analyze, investigate, and action. And so, as part of the analysis, and as part of the investigate, we allow customers, if you see an IP address in our platform, and it's an inbound IP, and you're not really sure what it's doing, we give you the ability to click, and you can see, you know, this enhancement of the data. You can basically click on it and look it over, and you can get all the IP geo information about that. We're also doing, well, it's also the IPI side of things, right? So you're able to see all the information that we have about that IP address, or some of it. Do you know if it's all? I don't think it's all, but we allow our customers to see a lot of the information about those IP addresses that are coming into their network. We also do things like geo blocking, so that, you know, customers can select, and they can say, you know, I don't want traffic, particularly at the WAF level. You can say, I don't want to see traffic that is from beyond, you know, the US, for instance. And so, we leverage a lot of the IP geo stuff in order to help fence that, and anything that comes in from outside gets blocked, or rate limited, or whatever it might be, whatever the customer is looking to do. And so we can do that, and can identify this, so that, you know, if a customer is, you know, only from the US, and they suddenly see huge, massive spikes coming from outside the US, it's a very effective mitigation technique just to drop that traffic. And, you know, not to mention, especially in the financial services world, you have a lot of customers who simply say, I can't operate outside the US, I have no interest in that. So just drop it, drop that traffic, because our customers should not be coming from there. We're only in the US. And so, you know, we do a lot of things like that. 
And that's kind of how a lot of our products start to work together in order to enhance the analysis and the investigate elements of this. And then, based on those, action, and block and do something on that. So that's kind of where we really tie these things together. You know, we're looking forward to continuing to do more and more as we go forward.

Paige Enoch
Cool. So, what's next? What are the future plans for Neustar's UltraDDoS Protect and UltraWAF?

Matt Wilson
Yeah, I mean, you know, in this world, it's a lot about adding capacity, both in terms of just sheer network capacity, you know, keeping up with the largest-sized attacks. You know, we're at 12 terabits per second, but we're nowhere near the largest size of attacks. But it is kind of continuing, right? Like, you want to always add more, and you want to keep going there, as well as adding new regions, new areas in which we can service. So, you're going to be seeing that from us over the coming, you know, month, year, things like that. We're going to continue to grow this network. And I talked a bit about the bot management and the API protection. So, bot management, we're releasing kind of our first version of that now, in like the next month, that's going to be going public. We're going to be getting into more of the heuristic style. So, this is more looking at the behavior of that inbound connection to your site: do they look like they're acting like a human? Do they look like they're acting like a bot? We're adding those kinds of capabilities a little bit later in the year, as well. And then I think probably early next year, we're going to be fine-tuning our API protections. And so, API, it's like a lot of things where we can protect APIs today, right? So, we can use our WAF, we can use our DDoS, and we can protect these APIs. Where it gets interesting is being able to dive deeper into the structure of the API, and being able to have the protections be aware of what type of API it is: is it JSON, is it XML? What is it? And then being able to protect individual fields, whether that's for content or length, or, you know, am I seeing too many entries, and somebody is trying to brute force a connection, as well as protecting, you know, credentials for the API. 
So, if somebody is coming in, and they're, you know, abusing the same API key over and over and over again, but from a bunch of different IP addresses, you can start to protect against those kinds of things. So sometimes it's just a misconfiguration. Sometimes it's malicious. So, we have the ability to help our customers through that. And a lot of that, like I said, a lot of that exists today; some of the awareness of what the structure is, that's something that's coming a little later.

John McArthur
All right, well, thanks for sharing. It's interesting to hear the future roadmap, future features coming down the line. Unfortunately, with that, we've come to the end of our podcast. So Matt, many thanks for joining us today and sharing these fascinating experiences you've had in the cybersecurity space, a lot of interesting stories and insights there, so thank you for joining.

Matt Wilson
Yeah, well, thank you guys for having me. It's been fun. It's always fun to go back and reminisce.

John McArthur
Now, certainly, those are, again, interesting as we think back to the early days of the internet and the initial disruptions we've had from DDoS attacks. And let me say thanks, as always, to Paige Enoch for joining me today and helping to produce our podcast.

Paige Enoch
Yeah. Thanks, John. And thanks, Matt. That was really fascinating, and I definitely learned a lot. Thanks for having me, guys.

John McArthur
And for listeners, thanks again for checking into the Lock and Shield podcast. We'll be talking to you soon.
