MCI offers DoS safety net

MCI last week announced its first service-level agreement that covers response time for denial-of-service attacks directed at its customers.

MCI last week announced its first service-level agreement that covers response time for denial-of-service attacks directed at its customers.

The carrier guarantees its security team will respond to DoS attacks directed at any of its IP customers within 15 minutes of when a user calls MCI and the carrier issues a trouble ticket.

The guarantee covers “how quickly we get our experienced security team engaged with the customer working toward stopping the attack and mitigate [the attack’s] impact on their business,” says Bob Blakely, senior product manager for security services at MCI.

If MCI’s security team does not respond within 15 minutes, the customer is issued a one-day service credit. That translates to a $20 credit for a customer that pays $600 per month for a dedicated T-1 line that supports its Internet access traffic. There is also a maximum of one credit per day.

The guarantee is available immediately at no additional charge to all MCI IP customers, including its dedicated Internet access, IP VPN, Internet Colocation and Web hosting service users.

Although MCI is promising it will respond within 15 minutes, the carrier says it’s typically much quicker than that. MCI responds to all DoS attacks “in about 5 minutes and much of the time much faster,” says Chris Morrow, network security engineer at the carrier.

Within those first minutes MCI’s security team typically “blackholes” the DoS attack traffic. In other words, it redirects the traffic away from the user’s site. Then MCI activates another set of tools that lets the carrier essentially find out where the rogue traffic is coming from and thwart the attack.

MCI has used the same practices and security tools for several months, Blakely says. What’s new is that the carrier now is trying to offer customers peace of mind that any DoS attack will be dealt with swiftly.

The SLA specifically covers DoS attacks that customers bring to the carrier’s attention. MCI, like its main competitors AT&T and Sprint, does not offer a proactive DoS service to customers, although all are promising to develop them.

Proactive DoS tools automatically notify the carrier that there has been a drastic change in traffic heading toward a specific customer, which is a telltale sign of an attack. Carriers would not have to depend on customer notification. Proactive tools pattern changes coming from servers on their network that could be acting as zombies that blindly send out massive amounts of traffic to specific Web sites that are under attack.

All three interexchange carriers say they will have proactive tools available to customers by year-end, but none would provide detailed information.

MCI is the only carrier offering customers an SLA that covers DoS response time, although the guarantee could offer more bite. The clock starts when a user calls MCI and the carrier issues a trouble ticket. The SLA would be more compelling if it wasn’t dependent on user notification and if there was a stronger credit behind non-compliance on MCI’s part.