How to make your IP network DDoS-safe, across all users
In 2016, we entered the terabit era of distributed denial-of-service (DDoS) attacks. Today, these network-level threats have grown bigger and hit far more frequently, and now have the potential to peak as high as 10 to 15 Tbps. That’s big enough to take down the internet for an entire country.
5G made this inevitable, in the sense that it introduces more entry points from more locations. IoT alone connects an estimated 13 billion devices. And any one of these – even a compromised home router – can be the way in for a malicious attack.
Networks proved themselves indispensable during COVID-19, and our job is to ensure these networks are truly bulletproof. That’s why we need a new approach to IP network security.
Evolving the IP network security model
Today, we rely on an IP network security model built around security appliances. From firewalls to scrubbers, an industry has developed around IP networks to secure them from attacks. Terabytes of suspect traffic are diverted from peering points to centralized appliances, where the traffic is scrubbed and clean traffic is re-inserted into the network. This is expensive, operationally complex, and adds latency. What is worse, it isn’t possible to scale it to all customers, leaving most customers, other than the very largest, unprotected.
Another issue is encryption, which is critical to ensuring the integrity and confidentiality of data on the user, control and management planes. Network operators must be able to encrypt all these layers, locking down their entire network infrastructure. Unfortunately, even with a solution such as MACsec, which is silicon-based and thus fast, packets must be decrypted at every router hop in IP networks, adding risk and complexity. Alternatively, IPsec provides end-to-end protection but is compute-intensive and adds latency. Neither option supports native encryption for MPLS or segment routing flows and slices, which are becoming the preferred way to engineer networks.
Line-rate security
The only realistic way to address these various issues is for the IP network itself to provide a fully integrated, line-rate capability to secure traffic, no different than packet forwarding. It must be done at both the hardware and software levels. This will lower the cost, make it highly scalable and, finally, provide real security. Want to encrypt a flow or slice? Hit a switch and it’s done. Turn on DDoS filtering at the edge with no additional planning or expense. Performing at line rate, it has zero impact on latency and eliminates complexity.
Deep DDoS protection
If we look, for example, at the Nokia Deepfield big-data DDoS analytics, we can see how this works in practice. Deepfield Defender detects DDoS attacks and maps their distribution, providing a holistic understanding of where attack traffic is coming from. It then optimizes the detection and mitigation capabilities of the network silicon at the heart of Nokia 7750 Service Router (SR) product lines. As a result, the edge of the network becomes a first line of defense for filtering volumetric DDoS traffic. The 7750 SR deals with the bulk of the attack traffic, leaving more expensive scrubbers to focus on more complex but lower volume application-level DDoS attack traffic, while still providing protection for all customers.
One of the ironies of DDoS is the way routers become complicit by forwarding attack traffic. We can save the router from becoming an unwitting accessory using a combination of hardware and software. The FP4 and FP5, Nokia’s industry-leading network processors, provide the hardware horsepower for filtering the traffic at line rate. And they deploy almost instantly thanks to the Nokia Service Router Operating System (SR OS), which coordinates the defensive perimeter. In this way, they can sniff out complex attacks, matching on more than the 5-tuple, with no effect on the performance of other services running on the same chipset. Best of all, you can turn it on whenever and wherever it is required, protecting every data center, every network service, and every customer, for a fraction of the cost of appliance-based approaches.
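As an added illustration of why matching on more than the 5-tuple matters (this is not Nokia’s code, and the post does not specify the Deepfield or FP5 match criteria), the following Python model contrasts a plain 5-tuple ACL with a rule that also considers packet size, run over constructed sample traffic. The UDP/123 source port and the 200-byte threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int        # bytes on the wire
    legit: bool = True # ground-truth label for this constructed sample only


# Constructed sample traffic (not a real capture): one small, legitimate UDP/123
# reply, a burst of large UDP/123 packets from many sources toward one victim
# (the volumetric pattern an edge filter is meant to absorb), and an unrelated
# HTTPS packet that no rule should touch.
SAMPLE: List[Pkt] = (
    [Pkt("203.0.113.5", "198.51.100.10", "udp", 123, 40123, 90)]
    + [Pkt(f"192.0.2.{i}", "198.51.100.20", "udp", 123, 9000 + i, 468, legit=False)
       for i in range(1, 21)]
    + [Pkt("198.51.100.10", "203.0.113.7", "tcp", 51000, 443, 1500)]
)


def five_tuple_rule(p: Pkt) -> bool:
    """Classic ACL: protocol and port only. Drops every UDP/123 packet, good or bad."""
    return p.proto == "udp" and p.sport == 123


def extended_rule(p: Pkt) -> bool:
    """Beyond the 5-tuple: same header match plus a packet-size bound (assumed 200 B),
    so small legitimate replies are forwarded and only the oversized flood is dropped."""
    return p.proto == "udp" and p.sport == 123 and p.length > 200


def apply_filter(pkts: List[Pkt], rule: Callable[[Pkt], bool]) -> Tuple[List[Pkt], List[Pkt]]:
    """Evaluate every packet against rule; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for p in pkts:
        (dropped if rule(p) else forwarded).append(p)
    return forwarded, dropped


def collateral(pkts: List[Pkt], rule: Callable[[Pkt], bool]) -> int:
    """Number of legitimate packets the rule wrongly drops (its collateral damage)."""
    _, dropped = apply_filter(pkts, rule)
    return sum(1 for p in dropped if p.legit)
```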
Improving on MACsec
Our latest network silicon, the FP5, also adds ANYsec, an upgrade to MACsec that provides line-rate encryption, especially for latency-intolerant services. As well as Ethernet and VLAN, ANYsec also provides encryption for MPLS and segment routing. It enables network operators to encrypt individual network slices, switch or route them natively across an IP, MPLS or segment routing network, and decrypt them on network egress. They can turn encryption on whenever and wherever it is required, no matter the network service or underlying network transport being used. It can also be used alongside DDoS protection with no performance impact on any other network functions.
Nokia is taking a comprehensive approach, building security into every layer of routing software and hardware and making sure it can be used effectively at scale. Visit our IP network security website and read more in this Financial Times article.