How Queensland Sugar fought off a denial of service attack

Queensland Sugar has successfully fought off a denial of service attack with help from Telstra and a new email security appliance.

Queensland Sugar was the recent victim of an apparently unmotivated and extensive denial of service (DOS) attack, but managed to defeat the attack with the use of in-network security and filtering techniques.

The quasi-government body, which manages the marketing for bulk raw sugar, doesn't know what motivated the attack, which appears to have been planned over a considerable period of time.

"We saw some unusual traffic and we rang them," Andy Solterbeck, director of security services, enterprise and government for Telstra, explained during a presentation at the Gartner Security Summit in Sydney. Telstra provides network security services for Queensland Sugar.

While the command and control style traffic was unusual, initially Queensland Sugar said it was unconcerned. However, 10 days later, an attack began in earnest, making the site virtually inaccessible for four-and-a-half days.

"About a day and a half in, they gave us a call," Solterbeck recalled. "We saw a distributed reflected DOS attack. We saw huge amounts of traffic start to hit that web site. And this was not just generic traffic, this was mail traffic."

Telstra fought back against the attack using conventional network profiling techniques, Solterbeck explained. "The basic concept is pretty simple. You profile the network traffic, you look at it and you basically say what is standard traffic. If you get an aberration you either automatically or in agreement with a customer send it to a cleaning centre, take out the extraneous data and then re-present that to a customer environment. The attacks will start, they won't have any effect, and generally they'll stop."

"In this instance, we put a piece of IronPort infrastructure in and redirected all of the traffic onto that particular platform and started cleaning all the mail traffic. Once the attacker saw we were at the point of protecting that infrastructure, the attack stopped."

Why Queensland Sugar was targeted remains unclear. "We still do not know why," Solterbeck said. "We have no clue why they were going at these guys."

However, such events are becoming more common. "We have seen a substantive uptick on DOS attacks," Solterbeck said, noting recent "blackmail" attacks on gambling site operators as another example. "This one was unusual because it was huge and it was against a particular target."

Network protection will increasingly shift away from appliances to network-level protection, Solterbeck suggested. "The problem is that the security market is evolving to such an extent that what we end up with is a hugely complex set of related appliances."

Data cleansing techniques also aren't feasible for individual businesses, he said. "Try and do this with a piece of customer premises equipment on the end of a pipe, and it's impossible -- your pipes are not big enough to handle it."

"What you're going to see from Telstra is a significant move from on-network to what we would consider in-network. The ability to deliver clean pipe services is really where we're concentrating all of our investment right now."

Read more on Security policy and user awareness