Optimizing Carrier DDoS Mitigation Scenarios - Part 2 - Peering Point Deployment

By Stephen Gates | August 18, 2015

Posted in: Network Security Trends, ISP DDoS Protection

In an in-line peering point DDoS protection deployment scenario, SmartWall® Network Threat Defense Appliances (NTD) are deployed on each of the Service Providers’ peering points to their upstream Internet bandwidth providers. This ensures always-on DDoS attack mitigation services while benefiting from the highest levels of performance and security. Not only will Service Providers be capable of defending their downstream customers; in this scenario the entire downstream infrastructure will be protected as well. The Service Provider in this case can easily eliminate all downstream collateral damage that may occur as the result of a DDoS attack. Their customers are protected, their infrastructure is protected, and their Services Layer is protected as well.

An in-line solution, deployed at the appropriate peering points, can cost-effectively scale DDoS mitigation operations from 10G up to 20G and even 40G at a fraction of the cost of other solutions, with a significantly reduced footprint – ideal for a modern and distributed network architecture. By automating a significant amount of the DDoS mitigation process and eliminating the attack as close to the entry point as possible, Service Providers reduce their overall operational footprint, are further enabled to provide real-time DDoS protection, and can take advantage of comprehensive and continuous visibility into network activity. Enhanced visibility allows Service Providers to easily identify what kind of traffic (good or bad) is coming from a specific link. As a byproduct, this supports future capacity and application planning, delivering more efficient and cost-effective network redesigns and an enhanced subscriber experience. Below is a conceptual view of a Peer Point Deployment.

[Figure: Peer Point Deployment]

Benefits of Peer Point Deployment over other Scrubbing Approaches

For organizations looking to implement DDoS protection, there are unfortunately several issues with the existing scrubbing center approach, starting with the fact that scrubbing centers filter bad traffic only coarsely. As such, they don’t provide the granular remediation required to be truly effective against more sophisticated threats that are geared to avoid detection.

Existing out-of-band scrubbing centers also require human intervention, so the costs associated with this approach are substantial; switching to the scrubbing center in each instance of a sub-saturation, short-duration DDoS attack will break the bank. And, as a particularly problematic point, this tactic adds latency to the remediation process. One of the biggest issues with the status quo is the fact that the average time that it takes from detection to mitigation in a scrubbing center is 30 minutes. Even the best-equipped organizations can’t get that time below 15 minutes; and those without big-company resources can take days to complete their mitigation efforts. In an always-on world where downtime is a problem, this can have serious consequences. Further, traditional scrubbing does not always address multilayer attacks.
