In-Line, Always-On DDoS Protection Makes Sense for Service Providers

DDoS is an increasing threat to the reliability and quality of service provider network operations. The chances of a service provider being impacted by malicious traffic scale with several factors, including but not limited to the number and size of connections to Internet Service Providers (transit and peering), the number of customers hosted or connected to the service provider network with public IP addresses, and the nature of the applications and services exposed by the service provider to the Internet at large.

DDoS attacks can be classified into several categories. One of the criteria for classification is the maximum size of the DDoS attack in relation to the aggregate capacity of the service provider's Internet links. If the attack significantly exceeds the aggregate link capacity of the service provider, it is known as a saturating attack. Such attacks are rare and are most frequently mitigated by requesting an upstream blackhole route for the victim destination IP address (dip). If the resource identified by the victim dip is critical to operations and cannot be sacrificed or blackholed, one alternative is to use a cloud scrubbing service for mitigation. In that case the victim traffic is routed to a third-party data center where it is inspected and attempts are made to forward only good traffic to the intended destination. However, the scrubbing approach is a reactive one, and it most often requires human intervention.

In contrast, sub-saturating attacks are orders of magnitude more frequent and, as a result, cause more disruption. In analyzing our customer data, we have found that attackers are continuing to leverage sub-saturating DDoS attacks with increasing frequency, using shorter attack durations to evade legacy cloud DDoS scrubbing solutions, cause network disruptions and, in some cases, distract victims while other malware infiltrates networks and steals customer information and corporate data. As attackers look for new ways to leverage DDoS attacks, they have realized that short-duration sub-saturating attacks are more difficult to defeat, particularly in carrier or service provider network environments that leverage coarse sampling detection techniques and centralized scrubbing centers.
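The following is an added illustration, not Corero code or data, of why a short burst can go unnoticed by coarse, sampled detection while a per-second inline check flags it at onset. The traffic rates, alert threshold, sampling rate and export window are all assumed values, and the model is a deliberate simplification of flow-sampling detection.

```python
"""Constructed comparison: windowed sampled detection vs. inline per-second detection."""

BASELINE_PPS = 50_000      # assumed normal inbound packet rate
THRESHOLD_PPS = 150_000    # assumed alert threshold (3x baseline)
SAMPLE_RATE = 1000         # assumed 1-in-1000 packet sampling
EXPORT_WINDOW_S = 60       # assumed flow export / polling interval


def build_traffic(duration_s, attack_start, attack_len, attack_pps):
    """Return a constructed per-second packet-rate series with one attack burst."""
    return [
        BASELINE_PPS + (attack_pps if attack_start <= t < attack_start + attack_len else 0)
        for t in range(duration_s)
    ]


def inline_detect(traffic):
    """Inline view: every packet is counted, so each second is checked directly.
    Returns the first second over threshold, or None."""
    for t, pps in enumerate(traffic):
        if pps > THRESHOLD_PPS:
            return t
    return None


def sampled_detect(traffic):
    """Sampled view: 1-in-N packets are counted and only the average rate per
    export window is visible. Returns the second at which an alert could fire
    (end of the first window whose estimated average exceeds the threshold)."""
    for start in range(0, len(traffic), EXPORT_WINDOW_S):
        window = traffic[start:start + EXPORT_WINDOW_S]
        sampled = sum(pps // SAMPLE_RATE for pps in window)  # deterministic 1-in-N
        est_avg_pps = sampled * SAMPLE_RATE / len(window)
        if est_avg_pps > THRESHOLD_PPS:
            return start + len(window)
    return None


def compare(attack_len, attack_pps=200_000, attack_start=70, duration_s=300):
    """Run both detectors over the same constructed traffic series."""
    traffic = build_traffic(duration_s, attack_start, attack_len, attack_pps)
    return {"inline": inline_detect(traffic), "sampled": sampled_detect(traffic)}


if __name__ == "__main__":
    for length in (20, 120):
        print(f"{length:>3}s burst -> {compare(length)}")
```

With these assumed numbers, the 20-second burst is averaged below the threshold within its export window and never alerts, while the 120-second burst alerts only when the window closes, 50 seconds after onset.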

Sub-saturating attacks are much better handled by deploying inline, always-on protection in the service provider’s own network. Such protection can detect and mitigate attacks in real time without disrupting the flow of good traffic. The inline nature of this protection also provides unmatched real-time detection and reporting of attacks, delivering valuable insights into the nature of the attack. Corero Network Security offers inline, real-time, automatic DDoS protection solutions with its SmartWall® Threat Defense System (TDS).

The example below is a snapshot report of a large sub-saturation attack (in red) that was automatically mitigated by the Corero SmartWall TDS within a service provider network:

[Figure: sub-saturation DDoS attack report]

DDoS attacks can occur every hour, every day or every week. It is not practical or cost effective to handle these attacks with a swing to a cloud scrubbing service; they must be mitigated locally to maintain availability, performance and latency.

The Corero SmartWall TDS is typically deployed between the provider’s network (the protected network) and the raw Internet (upstream providers). This can be accomplished by a physical deployment in the fiber link or a logical deployment via switching and routing. SmartWall TDS continuously monitors and mitigates inbound network anomalies such as DDoS attacks, removing them from the traffic before it is passed to the provider’s protected network. This real-time admission control is invaluable for increasing the resilience and productivity of the provider’s network.

The Corero solution also offers the opportunity to monetize the DDoS protection by giving the service provider the ability to sell through the incremental protection service to their customers. We have multiple models we can share on how Corero customers generate managed security services revenue from their customers. For more information on this topic, see our recent on-demand webinar, Service Provider Deployment of DDoS Mitigation, which was led by Jeff Wilson, Cybersecurity Research Director and Advisor at Infonetics/IHS.
