Skip to main content

DDoS attacks are getting bigger and more sophisticated. Is your defense keeping up?


Today's DDoS attacks are becoming and more impactful and sophisticated than ever before. They affect service and cloud providers, critical communications networks, large digital enterprises, governments and private networks. These attacks have a significant network, financial and reputational/trust impact.

In May 2020, Amazon reported the mitigation of a 2.3 Tbps flooding attack. On June 21, Akamai reported an attack at 809 Mpps (418 Gbps) aimed at a bank, which lasted less than 10 minutes, and used a large number of new IP addresses.

While terabit-level DDoS attacks create the most immediate damage – in terms of service availability,  even lower-scale, harder-to-be-detected attacks can have a significant impact, too. DDoS – large or small - could also be a part of a multi-vector attack, aimed to create a diversion from some other malicious activity taking place – that could be even more damaging. During the last few months, we have seen a significant increase in DDoS related activity, as covered in our June blog on the Deepfield network insights in the time of the COVID-19 pandemic.

The rise of DDoS threats and attacks in the era of the cloud, 5G and the Internet of Things (IoT) is, in part, a consequence of the growth of all-IP networks. Today, there are more potentially insecure endpoints (driven in part by IoT), and each of these endpoints has access to more network bandwidth than ever before. Moreover, attacks can now come from both the outside (so-called inbound attacks) and the inside of service providers' networks (outbound attacks). So, your network security perimeter needs to be much larger, too.

Attackers are accessing millions of unsecured IoT devices and creating 'botnets' out of them. A botnet is a collection of remotely controlled devices that can be used to launch massive DDoS attacks. Unsecured workloads in large-capacity data centers can generate terabit-level attacks that can take large parts of network infrastructure out of service and degrade network and cloud services.

Attackers are also using combinations of techniques and vectors to "shape-shift" their attacks, changing the mix and intensity of DDoS attacks over time and across different parts of the network. These evolving attack techniques make it impossible to accurately and quickly detect the sources of DDoS attacks with legacy tools.

A more agile, precise and intelligent approach is required to thwart and minimize the security risks associated with DDoS threats and attacks. But - what exactly?

Decoupling security intelligence from policy enforcement

Legacy approaches to DDoS security have primarily been based on the use of Deep Packet Inspection technology and "bump-in-the-wire" hardware probes which are distributed across the network. To keep up with the latest network threats, these discrete hardware probes must be continuously updated. Besides, they need to perform processing-intensive analytics in real time and act upon it. With traffic volumes growing exponentially, and new threats exploring (and exploiting) the stateful nature of network protocols, legacy approaches lag in efficiency – both in terms of performance and costs.

Many service providers are looking for solutions that are more suitable for the cloud era.

Leveraging big data analytics for security is an excellent foundation for a forward-looking security framework.

Using a big data analytical platform opens the opportunity to "divide and conquer" two essential parts of security: intelligence/control, and policy enforcement. Indeed, we have already seen the separation of control and enforcement functions in the form of Software Defined Networking (SDN) or Control / User Plane Separation (e.g., CUPS and disaggregated BNG).

With the big data analytics approach to security used by Deepfield, security intelligence is decoupled (and centralized) from network-distributed policy enforcement and traffic cleansing. This decoupling allows for better and more cost-efficient scaling; the centralized "security control plane" can focus on context-aware tasks, monitoring real-time traffic patterns all across the network, and detecting new and emerging threats as they develop and evolve.

This decoupling of security analytics and intelligence, control and network enforcement lays the foundation of our insight-driven network automation.

Flow dagram

Expanding your security knowledge with the security context obtained from the internet
(Know your network but know the internet, too)

Deepfield Defender – our big data-based security analytics application, analyzes traffic patterns in real-time, and compares them against configured thresholds and standard ratios to provide fine-grain network behavioral analysis for fast detection and mitigation of DDoS attacks.

However, just looking at the traffic patterns in one's network may not be enough – especially today when most of the traffic flowing in and out of the network internet-related.

For that reason, it is imperative to understand what is taking place on the internet.

To get a better understanding of security-related aspects of the internet, we built Deepfield Secure Genome - a Nokia proprietary, security-related data feed. Using our own cloud-based infrastructure, we continuously probe and track billions of IPv4 and IPv6 addresses on the internet, map them to DNS names and employ advanced ML rules to further tag the addresses into security-related types and categories.

The resulting Secure Genome data feed is made available to our customers and their Deepfield deployments in real-time - in the form of continuous, daily updates.

Secure Genome provides a holistic security-related perspective of all internet applications and services and allows service providers to have a complete, real-time view of internet security.

It is a part of our more extensive Deepfield Genome data set, which also includes Cloud Genome.


Combining the insight from your network with the detailed security context obtained from the internet, we minimize both false positives and false negatives and deliver an umatched accuracy of DDoS detection.

Towards the self-defending network

Network security can also take advantage of the increased processing and forwarding capabilities of modern network elements – network routers.

With the latest generation of routing silicon, such as our the powerful, 3 Tbps Nokia FP4 network processor, routers have enough processing power to – in addition to their 'basic' routing and forwarding roles - perform advanced functions such as streaming telemetry and, in the case of Nokia Service Routers, additional, sophisticated security-related functions such as payload inspection. In other words, they have become the source of additional security-related intelligence that can be passed to the centralized 'security control plane.'

Routers are ideally suited to perform the role of network security enforcement points. Once a threat is detected, by the centralized security analytics/intelligence part, routers can be instructed in real-time (using NETCONF or Flowspec) to remove malicious traffic altogether or neutralize network attacks by diverting or rate-limiting the offending traffic.

With our insight-driven approach to network security, we have integrated Deepfield Defender and Network Firewall in a full security solution with Service Routers – to establish a secure, closed-loop automation mode. Effectively, we are turning the routers into a robust security perimeter - whether at the peering, access, or datacenter edge - which defends the network against the most impactful, volumetric DDoS attacks.

Genome diagram

Here, Deepfield Defender and Network Firewall represent the centralized security' intelligence and control'. Defender monitors traffic flows and network protocols used for DDoS attacks in real-time and benchmarks traffic volumes and query/response ratios against baseline values when no attacks are taking place.

Using NETCONF and BGP Flowspec, Deepfield Network Firewall can automatically install temporary or permanent Layer 3/Layer 4 ACL filters on routers. Routers can then surgically remove the most impactful and damaging DDoS traffic and deliver the most efficient protection against volumetric DDoS attacks or large-scale state exhaustion attacks (e.g., TCP SYN/ACK attacks).

network diagram

Our approach stops the most massive DDoS attacks – both inbound and outbound – while allowing existing/legacy scrubbing centers or other inline mitigation devices - to focus on lower-volume L4-L7 level filtering and protection (e.g., web application firewalls and load balancers).


Big-data analytics is an excellent foundation for an effective, future-ready and comprehensive multi-layer security framework that can protect against all types of attacks—from both inside and outside of the network.

With its real-time, end-to-end security intelligence, Deepfield understands the difference between normal network behavior and network traffic anomalies such as DDoS attacks. Combining detailed network insights from the network with the broader security context from the internet (from our Secure Genome), we can detect security-related anomalies with improved accuracy and agility.

Lastly, though closed-loop integration with the latest generation of routers such as Nokia Service Routers, we can create a superior defense against the most damaging volumetric DDoS attacks and a path to security automation.

Learn more about Nokia Deepfield DDoS solutions by clicking here.

For more detail about the Deepfield portfolio of network intelligence, analytics and security applications, please visit our web pages.

Share your thoughts on this topic by joining the Twitter discussion with @nokia or @nokianetworks using #5G #spectrum #covid19 #LTE #fiber #broadband

Alex Pavlovic

About Alex Pavlovic

A telecommunications engineer by training, Alex is Nokia Deepfield global marketing lead and a firm believer in cutting-edge technologies like 5G and big data-driven networking. To disconnect and recharge, Alex follows the lead of his whippets Ziggy and Kokko, practices the art of Tsundoku, and keeps the valves of his tube audio gear warm with jazz.

Article tags