Edge Distributed Denial of Service (Edge DDoS) service description

(a) Description of Services: Bell will provide the Network DDoS Security services (“Services”) described herein. The Services are managed security services, providing threat detection and mitigation for distributed denial of service attacks from within Bell’s network. The Services provide for the monitoring, verification, and blocking/filtering of DDoS attacks before they reach Customer’s routers or firewalls.

Edge DDoS: Covers standard volumetric attack vectors

The Services provide the Customer with all of the standard detection and mitigation capabilities along with the reporting as described in the following features of the Services:

1. DDoS Mitigation Process:

   When a Known Attack occurs:

   • An alert is reported and documented
   • Mitigation starts automatically.
   • In the scenario where a volumetric DDoS attack occurs at such volume that it is over the subscribed Bell BID OE internet bandwidth associated with the Service, an alert is raised, reported and documented. Bell operations staff will redirect that traffic to volumetric cleansing facilities within Bell’s core network to assist in volumetric cleansing.

   When an Unknown Attack/Event is suspected:

   • This kind of attack includes a potential threat that either Customer reports to Bell or Bell’s infrastructure identifies as potential threat that requires further investigation.
   • Once validated as malicious, Bell will notify Customer’s “Security” and “IS&C” departments prior to any action being taken by Bell which may include applying a combination of blocking and filtering to either filter attack traffic or block the offending source IP Address in the most efficient manner possible
   • Bell deploys Updates as appropriate and /or takes the required corrective measures.
2. Types of Attack: The types of attacks that will be monitored by Bell include:

   Attack Vectors	Edge DDoS*
   Flood/Volumetric Attacks
   TCP Syn + ACK Floods	✓
   TCP Fragment Floods (packet anomaly)	✓
   TCP Reset Floods	✓
   TCP Stack Resource Floods	✓
   TCP FIN Floods	✓
   UDP flood attacks	✓
   ACK Floods (packet anomaly)	✓
   IGMP Floods (multi-cast attack)	✓
   ICMP flood attacks and reflected attacks (e.g. smurf attack, ping flood)	✓
   Concurrent Connection Attacks	✓
   GRE Floods	✓
   IP fragmentation (e.g. tear drop attack)	✓
   DNS Query Floods / amplification attacks	✓
   RFC Violation Attacks (packet anomaly)	✓
   Memory Allocation Attacks	✓
   SIP Attacks	✓
   UDP Attacks	✓
   Enhanced DNS Protection	✓
   Small Volume Burst Attack Protection	✓
   Behavioral Denial of Service	✓

   * In the case of Edge DDoS, there are volumetric thresholds that must be exceeded before the noted protection is applied. All traffic is sent, as directed, to destination until such threshold has been reached. Only after such volumetric thresholds are reached, will traffic be diverted to scrubbing center to be inspected.

3. 7x24x365 Monitoring: Bell will maintain a staffed and secured security operations environment for the management of security and incident requirements; and management of security appliances is performed through the network operations team(s).
4. Initial Setup and Configuration: During the initial setup and configuration of the DDoS Security Service, Bell will conduct tests on the connection, setup and configuration of the Customer’s traffic routing and DDoS mitigation infrastructure configuration. These tests may include such actions as sending malformed packets or simulated volumetric attack traffic to the Customer’s infrastructure to ensure the appropriate flags and redirections occur within the Bell network necessary for the DDoS Service to be effective. This testing phase will be coordinated with the initial configuration, coinciding with the initial maintenance window required for the initial implementation. These tests are intended to confirm the successful setup and configuration of the Service. While highly unlikely that these tests would result in the Customer’s infrastructure being affected, this could occur, and the Customer understands and accepts the risks this presents.
5. Change Management: Bell will provide a process that allows Customer to request changes to the IP address ranges currently being monitored, changes in bandwidth, options, reporting IDs and notification settings. Fees applicable during Regular Business Hours are reflected in the Fees section of this Service Schedule. Fees for work outside regular business hours will be provided at Bell’s current overtime rates (4 hour minimum) or the rates as reflected in the Fees section of this Service Schedule (whichever is higher). Fees set out in Table 2 will apply.
6. Bell Service Desk/ Single Point of Contact: Customer shall have a 7x24x365 Bell single point of contact for all inquiries or change requests.
7. Soaking Period: Upon successful implementation of the Service, the Customer’s traffic will be directed through the Distributed Denial of Service detection infrastructure. During the first fourteen (14) days, the infrastructure will be learning the typical traffic patterns for the Customer. During this period of time, known as the “soaking period”, the SLOs around threat detection, mitigation, meantime to respond, notify and mitigation are not applicable. The “soaking period” may be extended or abbreviated if mutually agreed upon by the Customer and Bell Canada.
8. Reporting:
9. Monthly reporting: Monthly reporting will be available through Customer access to the Bell Business Self-Serve Portal (BBSSC). Initial login ID’s and passwords will be provided in the DDoS Security welcome package. Log Retention and recovery: Bell retains logs in raw data format as per regulation compliance for 12 months. In order for Bell to retrieve such raw data logs, and provide it to the Customer, the Customer shall be required to provide written request, including legal justification. The Customer can raise such request from BBSSC portal under “Technical Inquiries” with clear justification. Upon receipt of such request, Bell shall validate the requirement and, upon such validation, shall provide necessary log data within 7 business days.

(a) Termination Fees: In the event the Customer terminates this Service Schedule prior to the expiry of the Initial Service Term or then current Service Renewal Term, the Customer shall pay to Bell all Fees, Taxes and Late Payment Charges due for the Terminated Service up to the date of termination. Customer shall also pay to Bell (i) 100% of the reasonable out-of-pocket expenses that Bell incurs or will incur in connection with its contractual arrangements with the Bell Providers, and (ii) an amount equal to 50% of the remaining monthly Fees for the Terminated Service that would have been payable to the end of the Service Term (collectively, the “Termination Fees”), plus Taxes on the Termination Fees. The Termination Fees are reasonable estimate of Bell’s liquidated damages and represent consideration for the Services and are not a penalty. In the event that a payment to be received by Bell for Termination Fees would be deemed by the applicable tax legislation to include an amount of GST/HST and/or QST or other Tax, the amount of Termination Fees payable by the Customer shall be grossed up by an amount equal to the amount of GST/HST, QST and other Taxes that would be deemed to be included in such payment

(b) Authorized Users: Customer shall designate Authorized Users, and only such Authorized Users may use the Services. If an Authorized User is not an employee of Customer, Customer shall execute and maintain agreements with such person(s) to bind them to the confidentiality and use restrictions contained in this Service Schedule and the Agreement.

(c) Restrictions on Use: Customer shall not directly or indirectly (i) use the Services for the benefit of any third party; (ii) use the Services or any information in or from the Services to create any database, software or service that is similar to or competes with the Services; or (iii) copy, distribute, modify, create derivative works of or translate any data or materials, including the Services and software, provided by Bell or any Bell Provider pursuant to this Service Schedule. This Service Schedule does not convey to Customer any ownership rights in the Services, any information or materials provided by Bell or any Bell Provider pursuant to this Service Schedule, or any intellectual property rights in the Services, which shall remain with Bell and any Bell Provider.

(d) Passwords: Customer shall be responsible for maintaining the security of the passwords assigned and created and shall be responsible for requesting any password changes or Updates. Passwords will not automatically be updated. Bell assumes no liability or responsibility whatsoever for Customer passwords, including misuse and security thereof. Bell shall be entitled to rely upon any directions received though a valid Customer password.

(e) Disclaimer: The Bell DDoS Service, as described in this Service Schedule, provides mitigation services, providing threat detection and mitigation for distributed denial of service attacks from within Bell’s network and may cause disruptions to Customer’s network by blocking and dropping any traffic associated to IP addresses identified as part of a DDoS attack. Customer accepts the risk of experiencing a DDoS disruption of service affecting the operation of Customer’s network in the event that traffic is blocked or dropped from the source IP address. Bell hereby expressly disclaims, and Customer expressly acknowledges, that Bell shall have no liability for any claims, damages or losses hereunder, for any cause whatsoever and regardless of the form of action, arising from traffic blocked or dropped from the IP source address and from any disruption to the operation of Customer’s network that may result therefrom.

(f) Bell will make reasonable commercial efforts in performing the Services hereunder, including but not limited to the Bell DDoS Service. Customer expressly acknowledges, that Bell shall have no liability for any claims, damages or losses hereunder, for any cause whatsoever and regardless of the form of action, arising from any attack that is not mitigated by this Service.

(g) Confidentiality: The methods and techniques by which Bell performs the Services are Confidential Information of Bell, and if any of such Confidential Information comes into the possession or knowledge of Customer by any means, Customer agrees to treat such Confidential Information accordingly. This Service Schedule does not convey to Customer any ownership rights in the Services, any information or materials provided by Bell or any Bell Provider pursuant to this Service Schedule, or any intellectual property rights in the Services, which shall remain with Bell and any Bell Provider.

“ASN”

means Autonomous System Number.

“Authorized Users”

means individuals identified by Customer as having the authority to make change requests or receive notifications regarding service disruptions.

“BID OE”

means Business Internet Dedicated (BID) service Optical Ethernet provided by Bell

“BIS”

means Business Internet Service provided by Bell

“DDoS”

means distributed denial of service.

“Known Attacks”

are DDoS attacks that the infrastructure put in place within the Bell network can determine in an automated fashion that the traffic is in fact attack traffic

“Unknown Attacks”

are DDoS attacks that the infrastructure put in place within the Bell network cannot immediately confirm are in fact attack traffic, but either the Bell infrastructure has raised an alarm as to the potential for the traffic to be attack traffic, or the customer has contacted Bell through help desk or self service functions within the Bell business portal to inquire about the existence of potential attack traffic.

“In the Bell Cloud” or “In the Cloud”

means a collection of devices that are part of Bell’s infrastructure providing communication between international networks and associated Internet access to customers. This collection of devices includes security appliances used by the DDoS protection service.

“Internet”

means a shared global network of routers linked by various transport technologies connecting millions of computers using the TCP/IP protocol suite.

“IP Addresses”

means an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

“IT Assets”

means information technology systems used to perform a business operation or hosts a business application.

“Non-Regular Business Hours”

means all hours that are not Regular Business Hours.

"MTTN" - Mean Time to Notify

- "Time to Notify" refers to the time elapsed between Bell detecting an incident and notifying the Customer of it. “Mean Time to Notify” is the average “Time to Notify” in a calendar month. MTTN is a baseline service level that Bell will always offer for any managed service with monitoring and event management. MTTN does not apply to reactive incident tickets, where Customer reports an incident.

"MTTRespond" - Mean Time to Respond

- Time to Respond is determined by the elapsed time between an alert being raised within the MS-SOC, or a help desk security incident ticket being created, and the time analysis begins on a suspected attack. MTTRespond is averaged over a single calendar month for all applicable Bell Measured Security Incident Tickets. In this timeframe, ticket get assigned to an agent to perform Incident enrichment and investigation tasks. Ticket status changed to "Containment" until attack is being mitigated and no further manual action is needed. SLO Clock stops under "Containment" status.

"MTTResolve" - Mean Time to Resolve (MTTR)

- means the time elapsed between incident identification and incident resolution, if the incident is resolved remotely. “Mean Time to Resolve” is the average “Time to Resolve” in a calendar month. Count of all "In Progress" status time for the same ticket until closure.

“Premium Standup”

Additional setup fees are applicable when the Customer wishes to expedite the turnup (in term of a reduction in the duration between contract signing and system turnup) and/or wishes the implementation to occur outside of regular business hours (i.e. outside of the 08:00 to 17:00pm E.S.T. window).

“Security Incident”

means the detection of a possible distributed denial of service attack directed at the ‘Customer

“Regular Business Hours”

means 08:00-17:00 Eastern Time Monday to Friday. Bell-observed holidays and weekends are considered to be outside of “Regular Business Hours”.

“Services”

means the Managed Proactive Threat Mitigation Services, including, the General MPTM Services and the Managed DDoS Protection Service.

“SLA”

– Service Level Agreement.

“SLO”

– Service Level Objectives

“SPOC”

means Single Point of Contact and is the designated contact person within Customer’s organization that Bell Canada interfaces with in providing support to Customer.

“Turn-Up”

means the tasks associated with connection and commencement of Services following installation and configuration of devices.

“Updates”

means a release of Software or framework which consists of minor correctional, bugs, fixes and enhancements without substantial added functionality or features and which is generally denoted in the revision number by a change to the number is to the right of the first decimal point (e.g. a change from 2.0 to 2.1).

Incident Report