Is it time to build an “SP Anti-DOS Alliance?”

(Last Updated On: February 11, 2018)

“Is it time to build an ‘SP Anti-DOS Alliance’?” is the first of several blogs. It will be a brain dump of which collaborative actions have and have not been working within the industry.

Last week, I posted a LinkedIn update on the Operator’s Security Toolkit. A long-term colleague, Eddie Chan, pointed out the following on my LinkedIn update about the Operator’s Security Toolkit …

“I think the remote triggered black hole method can be extended to multi-SP’s. So that multiple SP’s establish out-of-band BGP peer can exchange blacklisted IP instantly and block such traffic automatically. In a sense, they form a security perimeter to shield DDoS from entering the SP alliance. When I was in Sprint I toyed that idea in the lab and got it to work technically.”

Eddie pointed out the benefits of an “SP Alliance.” Several Service Providers (SPs) can use these security tools to build a DDOS Shield. This collaborative use of the Operator’s Security Toolkit is one of the intended outcomes when you have all Operators deploying the same flavor of security tools. Imagine a Service Provider whose customer is hit with a DOS attack. That provider uses BGP Destination Based Remote Trigger Black Hole (dRTBH) to push the DOS attack to the edge of their network. They then reach out to their SP peers and ask them to do the same. That collaborative action will push the DOS attack back by another ASN layer. The coordinating SP will then put a call out to the next level, pushing the DOS attack back to the sources used to generate the DOS attack (see illustration). This approach is not only feasible; we know it works today.
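A receiving SP still has to decide which peer-announced blackhole routes to honor. The sketch below is an added example, not from the original post or from any operator's production policy: it accepts a request only when it carries the RFC 7999 BLACKHOLE community, is a host route, and falls inside address space the announcing peer is authorized to originate. The ASNs, prefixes, function names, and the host-route-only policy are assumptions constructed for illustration.

```python
import ipaddress

BLACKHOLE = "65535:666"  # well-known BLACKHOLE community (RFC 7999)

# Constructed sample data: address space each alliance peer may originate.
PEER_PREFIXES = {
    64500: ["198.51.100.0/24"],
    64501: ["203.0.113.0/24", "2001:db8:1::/48"],
}

def evaluate_blackhole(peer_asn, prefix, communities, origin_map=PEER_PREFIXES):
    """Return (accepted, reason) for a blackhole request received from a peer SP."""
    if BLACKHOLE not in communities:
        return False, "missing BLACKHOLE community"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # Assumed local policy: host routes only, so one victim address is
    # dropped rather than a whole customer block.
    if net.prefixlen != net.max_prefixlen:
        return False, "not a host route"
    # The peer may only blackhole destinations inside its own address space;
    # otherwise a peer could null-route someone else's service.
    allowed = [ipaddress.ip_network(p) for p in origin_map.get(peer_asn, [])]
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "outside peer's authorized space"
    return True, "install discard route"

def build_discard_list(updates):
    """Split peer updates into host routes to null-route and rejected requests."""
    accepted, rejected = set(), []
    for peer_asn, prefix, communities in updates:
        ok, reason = evaluate_blackhole(peer_asn, prefix, communities)
        if ok:
            accepted.add(prefix)
        else:
            rejected.append((peer_asn, prefix, reason))
    return sorted(accepted), rejected

# Constructed updates as they might arrive over the out-of-band peering.
SAMPLE_UPDATES = [
    (64500, "198.51.100.7/32", {BLACKHOLE}),
    (64500, "203.0.113.9/32", {BLACKHOLE}),      # belongs to AS64501, not AS64500
    (64501, "203.0.113.0/24", {BLACKHOLE}),      # too broad
    (64501, "2001:db8:1::53/128", {BLACKHOLE}),
    (64501, "203.0.113.9/32", {"64501:100"}),    # no blackhole signal
]

if __name__ == "__main__":
    print(build_discard_list(SAMPLE_UPDATES))
```

RFC 7999 also recommends that the receiver add NO_EXPORT or NO_ADVERTISE to accepted routes so the blackhole stays local to its own AS.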

An anti-DOS SP alliance ‘kinda’ exists today. In fact, Sprint has been part of it since 2002, when the security Trust Group NSP-SEC was created. What many do not realize is that the Internet and Telecommunications require inter-operator collaboration. Phone calls, packets, and Internet connections across the world do not happen by magic. There is no “authority” who governs. The Internet and the Telecommunications world happen through the magic of human collaboration between the Operators. This is no different when there are DOS attacks. The community will band together to collectively work to protect their networks, their businesses, their SLAs, and their customers. This has been a journey that we walk through in the Operator’s Security Toolkit Workshop.

What will it take to create an SP Anti-DOS Alliance?


A functional “anti-DOS alliance” is only feasible if SPs are ready to commit to specific frugal investments. These ‘prudent commitments’ will not require millions of dollars in anti-DOS technology. The commitments will require a change in the SP’s attitude and approach to DOS. It is a move from an “I’m an island on my own” mentality to a model where the SP sees their business, network, and services as part of a global interconnection system. This interconnected system requires security collaboration to push back against the DOS Storm that threatens their business. We can break this “change of attitude” into three actionable changes which will Clear the Path for an SP anti-DOS alliance.


  • Attitude Change #1 – Your NOC, SOC, Security, and Operations Teams are your #1 DOS Defence. Tools don’t stop DOS attacks. People stop DOS attacks. Those people are in your organization. For them to be effective, they need to meet, talk, interact, and build relationships with their peers in other Service Providers (SPs). Contrast the cost of a modern 100G anti-DOS appliance with a travel budget for 5-6 of your key operations people. What you will find is that a travel budget that lets the key people who are the first responders for DOS in your organization go to key meetings and collaborate with their peers will bring more success. The first meetings your operations team will go to will be one of the many “Network Operations Meeting” (NOGs). These are places where your operations team will meet their peers, talk about DOS attacks, compare notes, and then figure out how to work with each other during an attack. This is one of the best “anti-DOS investments” any SP can make.


  • Attitude Change #2 – Help Customers Remediate Malware Infections. Malware infections are one of the core factors which contribute to the ferocity of DOS attacks. The Service Provider currently views these malware infections among their customers as “not our problem.” Yet, when they get hit with a DOS attack, they want to complain to other SPs for not “cleaning up the malware on their networks.” Every Service Provider must be willing to work with their customers who are infected with malware to help get them cleaned up and then help protect them. This approach was codified in several areas of work, notably the U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs).


  • Attitude Change #3 – Focus on the People Behind the Attack. The only sure way to stop a DOS attack is to arrest the people who are behind a DOS attack. People – not machines – launch DOS attacks. Some think that attribution is impossible. DOS attack attribution, trackback, backtrace, and the law enforcement work are hard work. It is NOT IMPOSSIBLE. Read through the work on the DD4BC arrest (see INTERNATIONAL ACTION AGAINST DD4BC CYBERCRIMINAL GROUP). DD4BC happened because investigative teams working in multiple organizations, multiple SPs, and multiple law enforcement organizations adjusted their attitude and focused on collaboration. Peers worked together to collect evidence on who was behind the attacks, then worked with multiple international law enforcement organizations to put handcuffs on the DOS perpetrators. All it took was the right attitude.

We know these three attitude transformations work. The change in attitude is a fundamental element for the few SPs who consistently succeed in fending off DOS attacks. For the rest of the SP community who embrace isolated reaction, there is no indication that they understand or seek to understand how to build DOS resilience. Effective DOS resilience requires SPs to foster an alliance of peers. It is only through collaboration that an SP can effectively protect their business from DOS attacks. That is why it is critical for the attitude transformation to be the foundation for any SP Anti-DOS Alliance. Tools from the Operator’s Security Toolkit are just instruments in a toolbox unless there is the right attitude to collaborate and take action.

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.