This content was paid for and produced by Nokia

Rising DDoS attacks drive a rethink of IP network security

For a small fee, starting at about $50 a month, a DDoS-for-hire “booter” website will offer an impressive menu of options. Hit an enterprise or gaming server or go after a service provider – right down to a specific subscriber. And IP-address spoofing can make that attack appear to originate from legitimate sites.

Now, consider that the volume and frequency of DDoS attacks are growing, particularly with the move to 5G, which introduces more entry points from more locations. With the growth of enterprise and IoT connectivity, smart cities and smart homes, the entry point for a DDoS attack could be a compromised home router.

“The entry point for a DDoS attack could be a compromised home router.”
Andrew Chant, Exponential-e

Consequently, the threat surface has grown frighteningly large. And DDoS attacks have grown in parallel, surpassing the 4 Tb/s level for the first time in December 2021. 

It’s time for IP network security to get a rethink.

The rising threat

“The huge growth in connected devices, from laptops, to smartphones, to the mass of new IoT means there are more and more devices for the ‘bad guys’ to exploit,” says Andrew Chant, Director of Infrastructure at Exponential-e in the UK. 

“Your average home probably has many devices that aren’t up to date with their software and contain known exploits and vulnerabilities that are just sitting there waiting for someone to take over, and when they do that’s another device that is weaponized,” adds Chant. “Therefore, DDoS protection has had to evolve.”

In fact, attacks now come from outside and inside service provider networks and are aimed at internet hosts and servers, customers, users, and network infrastructure. 

“Only a few years ago we would talk about a terabit attack being the exception,” says Rudy Hoebeke, Vice President of Nokia’s IP routing and data centre switching business. “But that was when rogue attacks only spread through the internet.”

Nokia Deepfield, which focuses on big data network analytics and security, recently found that DDoS traffic has more than doubled since the pandemic began. Peak rates are expected to grow from 3 Tb/s to the 15 Tb/s range over the next few years. 

“An attack of that size could take out the internet of a small country,” Hoebeke adds.

Built-in versus bolt-on security

“In the past, DDoS attacks were a relatively small issue, contributing to around 10-15% of peak network traffic,” says Manish Gulyani, who heads Nokia Deepfield. “Problematic traffic was redirected to specialized scrubbing, or traffic cleaning, centres run by security teams.”

But this is changing.

“Today, DDoS attacks are much larger, and DDoS traffic is there all the time, affecting services and connectivity,” Gulyani says. 

Manual, dedicated appliance-based methods just can’t grow in sync with the size and frequency of these attacks, says Gulyani. “The method of backhauling and scrubbing traffic is going to become far too costly to scale. And the impact on latency of transporting traffic back and forth from scrubbing centres won’t be tolerated for many 5G services.”

Hoebeke points to today’s security approach as the sore spot. 

“Much of the problem lies in today’s IP network security models, which are based on bolt-on security appliances,” says Hoebeke. “These appliances add significant complexity and latency to IP networks. They also lack cost-effective scale to provide universal protection for all customers and network elements.”

A major rethink in security

To manage the growing threats of DDoS attacks, communications service providers (CSPs) need to radically change their approach to IP security. 

“There has to be a major rethink in the way that CSPs structure their security organization,” says Gulyani. “Moving forward, network security teams should be integrated with network operations teams to allow for close collaboration.”

Hoebeke agrees. “IP network security needs to stop being an afterthought. It needs to become an integrated, line-rate capability that is designed into, and delivered by, the IP network itself – just like packet forwarding is today.”

Nokia is taking a comprehensive approach, Hoebeke says, implementing security considerations into every layer of routing software and hardware, making sure it can be used effectively at scale. “CSPs have the option to turn on DDoS filtering without having to plan ahead, encrypt engineered flows, or slices, at the flick of a switch – and do all this at massive speeds without introducing latency or impacting performance.”
