The New IP is the next evolution for carrier networks, allowing Internet providers to move from a fixed infrastructure to a more elastic, automated and distributed environment driven by SDN. Moving to an all-IP network and leveraging enhancements such as SDN/NFV and virtualization will invariably lead to broader revenue service opportunities and faster service delivery capabilities.
However, this evolution opens carriers to a more complex range of security threats, including DDoS, as their environment becomes more distributed and server- and application-centric. In fact, DDoS protection must be a proactive strategy, architected at the outset, and not considered an afterthought. As with any threat to the Internet-connected business, converged, mobile or wireline carriers have the opportunity to capitalize on the DDoS challenge and can better position themselves to offer a more robust set of subscriber-focused security service offerings with DDoS protection-as-a-service.
The DDoS threat in a carrier environment
In a large carrier environment, DDoS attacks have escalated from a nuisance to a sophisticated threat and an expensive problem to solve. Many equate DDoS with only a volumetric attack vector. This is not surprising, as these high bandwidth-consuming attacks are easier to identify. There has been an emerging trend where attackers have implemented more adaptive multi-vector methods to profile the nature of the target network’s security defenses, and subsequently selected a second or third attack designed to circumvent an organization’s layered protection strategy. While volumetric attacks remain the most common DDoS attack type targeting CSPs, combination or adaptive attacks are emerging as a new threat vector.
These attacks are too short to be re-directed to a scrubbing center and appear as noise on a typical CSP/mobile backbone network. Unfortunately, once they hit the networks, these attacks result in collateral damage, overall network congestion and the need to backhaul "dirty traffic" to out-of-band scrubbing centers to eliminate attack traffic.
The evolution of the DDoS landscape can be detrimental in a carrier network, both as a cyber security problem and as an availability issue that threatens the carrier's own network and those of its downstream customers.
Evolution of cyberthreat protection
As carriers move toward a more distributed architecture by deploying security services closer to the subscriber for protection and monetization, fragile and costly centralized scrubbing operations are becoming obsolete, while localized in-line DDoS mitigation operations are becoming the solution of choice for many. An in-line solution, deployed at the appropriate peering points or other network ingress locations, can cost-effectively scale DDoS mitigation operations at a fraction of the cost, with a significantly reduced footprint -- ideal for modern and distributed network architectures. By reducing the overall operational footprint, automating a significant amount of the DDoS mitigation process and eliminating the attack as close to the entry point as possible, carriers are further enabled to provide real-time DDoS protection and take advantage of comprehensive and continuous visibility into network activity.
The opportunity for protection and differentiation
For carriers, the DDoS threat landscape presents a golden opportunity to modernize DDoS protection and gain a new revenue stream in the process, specifically by taking advantage of real-time DDoS mitigation through emerging and proven deployment models that are completely changing the economics of DDoS services, such as dedicated in-line deployment of appliance-based DDoS mitigation at peering and transit points.
Alternatively, if an out-of-band mitigation strategy remains the preferred approach, these solutions can finally be deployed as a flexible scrubbing center operation with similarly improved economy and scale. This allows carriers to tailor precise DDoS protection for their customers as a welcome extension of their current service offerings. This is a significant revenue-generating opportunity, which improves the carrier’s overall competitive value proposition and provides an opportunity to offer differentiated value-add security services.
As the mindset of how to deal with DDoS mitigation in a carrier environment continues to catch up with modern technology, I recommend keeping these three key points in mind when choosing the appropriate DDoS mitigation strategy for your business and enabling DDoS defense-as-a-service offerings:
- Deploy your DDoS mitigation in-line. If you have out-of-band devices in place to scrub traffic, quickly deploy in-line threat mitigation equipment that can inspect, analyze and respond to DDoS threats automatically and in real time.
- Eliminate the delays between the time traditional monitoring devices detect a threat and generate an alert and the time an operator is able to respond, reducing initial attack impact from hours to seconds by deploying appliances that both monitor and mitigate DDoS threats instantaneously, as they occur.
- Take advantage of the enormous opportunity to not only increase protection for customers, but to defend the carrier-owned infrastructure and assets, and also roll out profitable and effective DDoS protection services, thus boosting customer loyalty and gaining new revenue streams.
— Dave Larson is Chief Operating Officer at Corero Network Security. Special to The New IP