Expansion of the Internet Necessitates Network-Based DDoS Defense

Distributed denial of service (DDoS) attacks have been around for roughly 20 years, and they continue to evolve in an attempt to cause more damage while evading DDoS defense solutions. It is a constant cat-and-mouse, “tit-for-tat” game between black hats and white hats. To date, traditional DDoS defense has relied primarily on on-premises scrubbing centers or cloud-based scrubbing services. Although such systems have proven effective enough to prevent widespread carnage on the Internet, they remain complex, costly and time-consuming for network operators. With attacks increasing in frequency, intensity and technical sophistication, traditional DDoS defense has grown more resource-intensive, requiring additional investment in experienced analysts and in the supporting infrastructure needed to detect and mitigate attacks, increasing both CAPEX and OPEX.

A major factor driving the evolution of DDoS defense systems is the continued scaling-up of Internet access, backbone and cloud connections. This expansion at the access and multi-cloud edges will ultimately drive a fundamental shift from the “bolt-on” scrubbing center approach to network-integrated solutions enabled by next-generation networking technologies. Specifically, Corero has found that recent advances in programmable silicon, software-defined networking (SDN) and machine intelligence powered by Big Data analytics are enabling network-based DDoS defense solutions that are dramatically more effective and less costly to implement than traditional solutions.

Leveraging Powerful Silicon and SDN

Powerful ASICs from networking equipment manufacturers and merchant silicon vendors already support flexible methods for filtering packet flows in-line, at the silicon level. Routers built on these ASICs can be reconfigured on the fly with rules that match and drop packets based on data in both packet headers and payloads, so malicious flows can be blocked using criteria that match complex attack-vector signatures. The latest generation of DDoS protection solutions can use standards-based network programmability protocols such as NETCONF (with YANG data models) to distribute these mitigation filtering rules automatically from a centrally located controller to edge routers. The practical limit is the router itself: a rule can only match on the header fields and payload offsets that the ASIC and the vendor's data model actually expose, so the controller has to know which match criteria each edge platform supports before it pushes a rule.

Sampling DPI for DDoS Detection

A key capability of these latest routing ASICs is the ability to export packet header and payload data from a specified offset and for a specified number of bytes. Because the ASICs operate at line rate, packet flows can be sampled continuously, with the raw packet data sent to a central location for comprehensive deep packet inspection. Analysis of sampled packet data has proven highly accurate for identifying malicious DDoS traffic, and sampling overcomes the challenge of backhauling large volumes of traffic. The accuracy does depend on the sampling ratio relative to the attack rate: a volumetric attack of hundreds of thousands of packets per second is still clearly visible at a 1-in-1000 sampling ratio, whereas a low-rate flow yields only a handful of samples per detection window, so rates extrapolated from small sample counts should be treated with caution.

Enabling Defense with Big Data Analytics

Real-time Big Data analytics has proven to be a key enabler for taking DDoS defense to the next level. Big Data analysis engines provide the massively scalable compute and storage capacity required to ingest and process the rapidly growing volume of network telemetry, such as flow metadata and sampled DPI, and turn it into actionable security intelligence. Big Data analytics also provides the foundation for applying machine learning and AI techniques that further speed up and improve the effectiveness of DDoS defense. These techniques are essential for thwarting complex, multi-vector attacks that would otherwise require the intervention of experienced security analysts.

These technology breakthroughs enable automated DDoS protection that consistently achieves detection and mitigation of complex attacks within seconds, not the minutes or hours of legacy solutions. An automated system can detect malicious packet flows, formulate mitigation filtering rules, and reconfigure routers with those rules on the fly, without intervention from security analysts or network operators. Automation of this kind also needs guard rails: a rule generated from a false positive is pushed just as quickly as a good one, so rules should be scoped as tightly as the signature allows (destination prefix, protocol, port and payload match) and withdrawn automatically once the attack subsides.
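The detection-to-mitigation loop described in the last three sections, as an added example that is not Corero's code: it takes sampled packets carrying payload bytes from a fixed offset, extrapolates a per-destination packet rate from the sampling ratio, and emits a NETCONF edit-config that installs a narrowly scoped drop rule for any destination over threshold. The sampled telemetry is constructed, the sampling ratio, window and threshold are assumptions, and the filter rule body uses a hypothetical YANG module (urn:example:ddos-filter); only the rpc, edit-config, target and config envelope is standard NETCONF.

```python
# Added example (not Corero's code): the detection-to-mitigation loop described
# above, run over constructed sampled-packet data. The sampling ratio, window,
# threshold and the "urn:example:ddos-filter" YANG module are all assumptions.
from collections import Counter
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAMPLING_RATE = 1000     # assumed: router exports 1 in every 1000 packets
WINDOW_SECONDS = 10      # assumed: the samples below span a 10 s window
PPS_THRESHOLD = 200_000  # assumed policy: mitigate above 200 kpps to one destination
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # standard NETCONF base namespace
FILTER_NS = "urn:example:ddos-filter"              # hypothetical filter YANG module


@dataclass(frozen=True)
class Sample:
    """One sampled packet: 5-tuple plus the payload bytes the ASIC exported."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """Match protocol and source port plus a byte pattern at a payload offset,
    which is the kind of criterion the ASIC can apply in-line."""
    name: str
    proto: int
    sport: int
    offset: int
    pattern: bytes

    def matches(self, s: Sample) -> bool:
        end = self.offset + len(self.pattern)
        return (s.proto == self.proto and s.sport == self.sport
                and s.payload[self.offset:end] == self.pattern)


# DNS flags live at payload offset 2; 0x8180 = standard response, recursion
# available. Large volumes of such replies arriving unsolicited from UDP/53
# are the profile of a DNS reflection/amplification flood.
DNS_REFLECTION = Signature("dns-reflection", proto=17, sport=53, offset=2, pattern=b"\x81\x80")


def estimate_pps(samples, sig):
    """Packets/second per destination matching sig, extrapolated from the sampling ratio."""
    hits = Counter(s.dst for s in samples if sig.matches(s))
    return {dst: n * SAMPLING_RATE / WINDOW_SECONDS for dst, n in hits.items()}


def mitigation_targets(samples, sig, threshold=PPS_THRESHOLD):
    """Destinations whose extrapolated matching rate exceeds the policy threshold."""
    return sorted(dst for dst, pps in estimate_pps(samples, sig).items() if pps > threshold)


def build_edit_config(dst, sig):
    """NETCONF <edit-config> that installs a drop rule for dst. The rpc/edit-config/
    target/config envelope is standard NETCONF; the rule body is the hypothetical
    model, scoped to a /32 so only traffic to the victim is touched."""
    ET.register_namespace("nc", NC_NS)
    ET.register_namespace("df", FILTER_NS)
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": "1"})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    cfg = ET.SubElement(edit, f"{{{NC_NS}}}config")
    rule = ET.SubElement(ET.SubElement(cfg, f"{{{FILTER_NS}}}ddos-filters"),
                         f"{{{FILTER_NS}}}rule")
    fields = [("name", f"{sig.name}-{dst}"), ("dst", f"{dst}/32"), ("proto", sig.proto),
              ("sport", sig.sport), ("payload-offset", sig.offset),
              ("payload-match", sig.pattern.hex()), ("action", "drop")]
    for tag, value in fields:
        ET.SubElement(rule, f"{{{FILTER_NS}}}{tag}").text = str(value)
    return ET.tostring(rpc, encoding="unicode")


def rule_fields(xml_text):
    """Parse the rule back out of the RPC (what a controller would log before pushing)."""
    rule = ET.fromstring(xml_text).find(f".//{{{FILTER_NS}}}rule")
    return {child.tag.rsplit("}", 1)[1]: child.text for child in rule}


def dns_reply(src, dst):
    """Constructed telemetry: a 12-byte DNS header with flags 0x8180 as the payload."""
    return Sample(src, dst, 17, 53, 41234, b"\x12\x34\x81\x80\x00\x01\x00\x0a\x00\x00\x00\x00")


VICTIM, NORMAL = "203.0.113.10", "203.0.113.20"
SAMPLES = (
    # 3000 samples in 10 s at 1:1000 -> ~300 kpps of reflected DNS at the victim
    [dns_reply(f"198.51.100.{i % 250 + 1}", VICTIM) for i in range(3000)]
    # 5 samples -> ~500 pps: an ordinary resolver answering a normal host
    + [dns_reply("192.0.2.53", NORMAL) for _ in range(5)]
    # TLS records to the same host: wrong protocol, never matches the signature
    + [Sample("192.0.2.7", NORMAL, 6, 443, 51000, b"\x17\x03\x03\x00\x40") for _ in range(20)]
)

if __name__ == "__main__":
    for dst in mitigation_targets(SAMPLES, DNS_REFLECTION):
        print(build_edit_config(dst, DNS_REFLECTION))
```

Running the block prints one edit-config for 203.0.113.10 only: the five legitimate resolver replies to 203.0.113.20 extrapolate to about 500 pps and stay well under the threshold. Two points carry over to a production controller: extrapolation from a handful of samples is noisy, so a minimum sample count belongs alongside the rate threshold, and the rule should carry an expiry (or the controller should delete it once the matching rate falls back) so an edge router is not left with stale filters.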

Many Internet Service Providers are already deploying these enabling technologies as part of their existing Internet routing infrastructure; in the future, many more will need to do so to defend successfully against more powerful, frequent and sophisticated DDoS attacks. To further understand the weaknesses of traditional DDoS defense and the strengths of the latest network-based solutions, download Corero’s whitepaper, “Corero Powers Next Generation DDoS Defense.”

For over a decade, Corero has been providing state-of-the-art, highly effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years. His previous roles include network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.