The Oracle Internet Intelligence team monitors and reports on important issues that affect the security and performance of the global Internet.
I sat down with Dave Allen, Vice President of Market Strategy for Oracle Internet Intelligence, to find out how these efforts help enterprises -- including Oracle itself -- better understand the threats to critical Internet-facing assets. Allen explained why these insights are so valuable.
Can you tell me more about Oracle's Internet Intelligence program?
Dave Allen: When we think about the Internet, we think about the underlying structure of the Internet, such as how the Internet is routed, how information passes across the Internet, and the various paths this information takes. We use our corpus of almost 20 years of data to better understand deviations and anomalies that impact enterprises.
They impact enterprises because more and more computing workloads are being done in Internet-facing environments. Major corporations have a significant amount of IP space and a significant number of things in Internet-facing environments. Monitoring and understanding deviations about how those assets are reached, how they make themselves available to the public Internet, and how that changes and evolves over time is becoming increasingly important.
When it comes to Internet-facing assets, we think about how specific assets have been attributed to various entities or groups of entities over time. Let's consider a large technology company like Oracle, for example. Oracle has a vast number of IP addresses, which can be connected to various things. It could be web servers. It could be Oracle Cloud Infrastructure. It could be some legacy equipment and maybe some Internet of Things devices. All of these things make up Oracle as it presents itself to the Internet. When we think of attribution, we think of that.
You can also think about things that are not specific to companies or corporations, but something broader. For example, what are all of the assets in a specific country? What aspects of a particular pipeline are making themselves available, and what can we understand about those assets?
We also pay quite a bit of attention to the paths that information takes. We have a very large corpus of Border Gateway Protocol (BGP) routing data that tells us how the Internet is routed from the perspective of more than 400 telecoms globally. Additionally, we have a large corpus of domain name system (DNS) data. That DNS data includes both the authoritative side, which comes from the Oracle Dyn DNS network, and a vast recursive DNS network that enables us to understand what the things are that are being looked up on the Internet. On top of that, we collect hundreds of millions of traceroutes daily from more than 300 points of presence globally.
What types of insights are available to enterprises?
Allen: One of the things that many of the largest enterprises want is for us to alert them on anomalous behavior impacting their IP space as it's routed on the global Internet. For example, suppose that Oracle typically receives traffic in its Redwood Shores data center from two or three paths, which come through the state of California. If those pathways suddenly change, it could mean that someone else broadcast themselves to the rest of the Internet as Oracle through BGP, or that there are some other anomalous behaviors happening at the routing layer of the Internet. We would alert Oracle to that anomalous behavior and provide context as to what the suspicious behavior may entail.
In what ways can you help the public sector?
Allen: Both BGP and DNS have had very recent high-level security events which were observed broadly and affected large swaths of the public domain in various parts of the world. Many public sector agencies are tasked with understanding and taking some role to mitigate these types of attacks. But in many cases what we've observed both domestically and internationally is that many public sector agencies are flying blind when it comes to understanding the Internet. All of these agencies have important assets which are Internet-facing. For public sector agencies tasked with some level of oversight over those things, an understanding of how these things relate to the Internet is becoming ever more important. Given the global nature of our insights, we can help public sector actors in a large number of countries.
Can you talk more about the attacks you mentioned?
Allen: There have been two high-profile incidents that occurred recently. One involved a cloud company and the other involved a major payment provider. In both cases, we observed attacks at the BGP layer of the Internet that were launched by attackers who wanted to gain access to authoritative DNS services. That's in contrast to a BGP hijack directly at the origin server.
In these cases, the attackers attacked the BGP of the third-party DNS service, gained control of those DNS credentials, and altered the DNS. The initial BGP attack only persisted for a matter of minutes. But they altered the DNS in a way that ultimately had a long-lasting impact, because the DNS records were poisoned. Those poisoned records were maintained because the attackers also extended the time-to-live of those DNS records for days. In both cases, the victims were likely unaware of the underlying compromise for an extended period of time, even though the BGP compromise occurred for only a short period of time.
How does Oracle Internet Intelligence work with the rest of the Internet community?
Allen: Because the Internet is fundamentally a collaboration, we have to work with partners in the Internet community. It's not something that any one company can purport to influence on its own. It has to be done as part of the community. With that in mind, we recently announced a partnership with the Internet Society. Additionally, we've launched internetintel.oracle.com, where we make much of our data publicly available. We also use the site to alert the public and Internet community about disruptions or Internet degradations which are occurring anywhere around the globe.
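As an added example (not Oracle Internet Intelligence's code; the ASNs, prefixes, vantage-point names and DNS names are constructed placeholders), the following script sketches the two baseline-versus-current checks the interview describes: a prefix that is suddenly reached via an origin or upstream AS not seen in the baseline, and a DNS record whose answer changed and whose TTL was raised so the changed answer stays cached long after the routing event ends.

```python
from collections import defaultdict

def route_baseline(observations):
    """Baseline per prefix: origin ASNs and direct upstream ASNs seen from all
    vantage points. observations: (vantage, prefix, as_path), origin AS last."""
    base = defaultdict(lambda: {"origins": set(), "upstreams": set()})
    for _vantage, prefix, as_path in observations:
        base[prefix]["origins"].add(as_path[-1])
        if len(as_path) > 1:
            base[prefix]["upstreams"].add(as_path[-2])
    return base

def route_anomalies(baseline, current, min_vantages=2):
    """Alerts (prefix, kind, asn, vantage_count) where the origin AS or the
    direct upstream differs from the baseline; a deviation seen by fewer than
    min_vantages vantage points is treated as noise and dropped."""
    seen = defaultdict(set)  # (prefix, kind, asn) -> vantages reporting it
    for vantage, prefix, as_path in current:
        known = baseline.get(prefix)
        if known is None or as_path[-1] not in known["origins"]:
            seen[(prefix, "new_origin", as_path[-1])].add(vantage)
        elif len(as_path) > 1 and as_path[-2] not in known["upstreams"]:
            seen[(prefix, "new_upstream", as_path[-2])].add(vantage)
    return sorted((p, k, a, len(v)) for (p, k, a), v in seen.items()
                  if len(v) >= min_vantages)

def dns_anomalies(baseline, current):
    """Alerts for records whose answer changed and, separately, whose TTL grew:
    a long TTL keeps a poisoned answer cached after the change is reverted."""
    alerts = []
    for name, (answer, ttl) in current.items():
        base_answer, base_ttl = baseline.get(name, (None, None))
        if answer != base_answer:
            alerts.append((name, "answer_changed", base_answer, answer))
        if base_ttl is not None and ttl > base_ttl:
            alerts.append((name, "ttl_increased", base_ttl, ttl))
    return alerts

# Constructed sample data: ASNs, prefixes and names are placeholders, not real.
BASELINE_ROUTES = [("v1", "203.0.113.0/24", [64500, 64510, 64520]),
                   ("v2", "203.0.113.0/24", [64501, 64510, 64520]),
                   ("v3", "203.0.113.0/24", [64502, 64511, 64520])]
CURRENT_ROUTES = [("v1", "203.0.113.0/24", [64500, 64530, 64599]),  # foreign origin
                  ("v2", "203.0.113.0/24", [64501, 64530, 64599]),
                  ("v3", "203.0.113.0/24", [64502, 64511, 64520])]  # still normal
BASELINE_DNS = {"api.example.test": ("203.0.113.10", 300)}
CURRENT_DNS = {"api.example.test": ("198.51.100.7", 86400)}
```

Running `route_anomalies(route_baseline(BASELINE_ROUTES), CURRENT_ROUTES)` reports the prefix announced from the foreign origin as seen by two vantage points, and `dns_anomalies(BASELINE_DNS, CURRENT_DNS)` reports both the changed answer and the TTL jump from 300 seconds to a day.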