
Let’s add layers of DDoS protection to your IP routers


If you are familiar with the seven-layer OSI model, you know that the two layers most pertinent to IP network operators are layer 3 (network) and layer 4 (transport). However, when it comes to distributed denial-of-service (DDoS) threats, you also need to consider layer 7 (application), which is often the primary target of DDoS attacks.

The conventional wisdom of the past 20 years has been to rely on specialized DDoS scrubbing appliances––in addition to other stateful security devices such as firewalls or intrusion detection and prevention systems––to inspect individual packets and flows and decide whether they are malicious.

While this approach has served us well, it's not always the optimal response for today’s networks. The shift towards encrypted internet traffic (privacy protection is a good thing!) leaves payload inspection with little to look at, and continued traffic growth means that inspecting every packet is becoming less effective and harder to scale economically.

So, what if I told you that we can actually use routers to mitigate against a large portion of layer 7 DDoS attacks today? I can already hear people saying, “But…routers are all about layer 3!”

The reality is that the vast majority of today’s L7 DDoS attacks originate from botnets over the Transmission Control Protocol (TCP). An HTTP request can only be sent over a TCP connection that has completed the three-way handshake, so the source addresses of application-layer traffic cannot be spoofed: the attacking host must really be reachable at that address to receive the server’s SYN-ACK. (A bare SYN flood can still use spoofed sources, so a source list should be built from established connections, not from SYN-only traffic.) This means that if we can bring botnet awareness to the network, we can block the sources using L3/L4 access control lists (ACLs) on the routers instead of classifying every flow by what its packets look like.

What I just described is at the core of Deepfield Defender, our software application for DDoS detection and mitigation. Deepfield works by making sense of what routers in the network “see” by correlating traffic telemetry data from them with Deepfield Secure Genome®, our security map of the internet. It then “tells” the routers what to block when there is an active DDoS attack. In other words, Defender operates like the brains of the network by sensing what is happening and driving a response to protect the network and the services riding on it.
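To make the idea concrete, here is an added example (not Deepfield code, and not the Secure Genome feed format) of the correlation step in a few dozen lines of Python: per-source flow telemetry is matched against a list of known botnet and proxy prefixes, only established TCP connections toward the victim are counted (so a spoofed SYN flood cannot poison the list), known-bad sources are collapsed to their feed prefix so that one filter entry covers many bots, and the result is ranked and cut to a filter budget. The prefixes, flow records, field layout and ACL text format are all constructed for the example; the real syntax is whatever your router uses.

```python
"""Added example (not Deepfield's code): turn flow telemetry plus a
threat-intel prefix list into a ranked, aggregated L3 blocklist that
fits a router's filter budget.

Assumptions, all constructed for this example:
  - a flow record is (src, dst, proto, dst_port, tcp_flags, packets),
    roughly what an IPFIX/NetFlow exporter would give you per source
  - BAD_PREFIXES stands in for a feed of known botnet / proxy ranges;
    all addresses are RFC 5737 documentation space
  - the victim is a TCP/443 service, so only TCP flows to it count
  - ACL_BUDGET is the number of filter entries we are willing to spend
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed (stand-in for a real botnet/proxy map).
BAD_PREFIXES = [ip_network(p) for p in (
    "203.0.113.0/24",    # constructed: "botnet" range
    "198.51.100.0/25",   # constructed: "residential proxy egress" range
)]

# Constructed telemetry: (src, dst, proto, dst_port, tcp_flags, packets)
FLOWS = [
    ("203.0.113.7",    "192.0.2.10", "tcp", 443, "SA",  5000),
    ("203.0.113.9",    "192.0.2.10", "tcp", 443, "SAP", 4200),
    ("203.0.113.40",   "192.0.2.10", "tcp", 443, "SA",  3900),
    ("198.51.100.12",  "192.0.2.10", "tcp", 443, "SAP", 2500),
    ("198.51.100.200", "192.0.2.10", "tcp", 443, "SA",  2400),  # not in feed
    ("192.0.2.55",     "192.0.2.10", "tcp", 443, "SAP",  120),  # ordinary client
    ("192.0.2.99",     "192.0.2.10", "tcp", 443, "S",   9000),  # SYN flood, spoofable
    ("203.0.113.7",    "192.0.2.10", "udp",  53, "",      10),  # not the vector
]

ACL_BUDGET = 2


def classify(src):
    """Return the feed prefix covering src, or None if it is unknown."""
    addr = ip_address(src)
    for net in BAD_PREFIXES:
        if addr in net:
            return net
    return None


def build_blocklist(flows, victim, port, budget, min_pkts=1000):
    """Rank block candidates for one victim service.

    Only flows whose TCP flags show an ACK (handshake completed) are
    counted, so spoofed SYN-only sources never reach the ACL. Known-bad
    sources are aggregated to their feed prefix; unknown heavy hitters
    above min_pkts are added as host routes. Returns at most `budget`
    (network, packets) pairs, heaviest first.
    """
    by_entry = Counter()
    for src, dst, proto, dport, flags, pkts in flows:
        if dst != victim or proto != "tcp" or dport != port:
            continue
        if "A" not in flags:          # no ACK seen: could be spoofed
            continue
        net = classify(src)
        if net is not None:
            by_entry[net] += pkts
        elif pkts >= min_pkts:
            by_entry[ip_network(src)] += pkts
    ranked = sorted(by_entry.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return ranked[:budget]


def render_acl(entries, port=443):
    """Vendor-neutral filter text; replace with your router's syntax."""
    return [
        f"entry {i}: deny tcp from {net} to any dst-port {port}   # {pkts} pkts"
        for i, (net, pkts) in enumerate(entries, start=10)
    ]


if __name__ == "__main__":
    for line in render_acl(build_blocklist(FLOWS, "192.0.2.10", 443, ACL_BUDGET)):
        print(line)
```

With the constructed input, the /24 from the feed absorbs three bots into one entry and outranks everything else, the spoofed SYN flood source never appears, and the 120-packet client is left alone. In a real deployment the feed and the telemetry are the hard parts; the filter push itself is the easy, cheap step the routers already know how to do.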


Let me give you a concrete, recent example from one of our customer deployments in Europe. Earlier this year, this service provider was getting attacked by a hacktivist group using a web DDoS attack vector (crafted HTTPS POST requests through residential proxies). The attacks were causing significant service disruptions to its subscribers.

The provider’s initial response was to use its existing DDoS scrubber to implement a “geo-block” and only allow traffic from within the country where it operates. This approach can work to some extent, but it usually comes with a high false-positive rate, since legitimate users outside the country (roaming subscribers, for instance) are cut off along with the attackers. It also leaves a high false-negative rate, because botnet and proxy traffic can originate from within the country, too.

This service provider had recently added Deepfield Defender to its layered security approach (again, layers!), so it engaged the Nokia Deepfield Emergency Response Team (ERT) to help. Once we got the attack details, we developed a strategy that was far more effective and accurate and could be implemented quickly.

We created new detection and mitigation rules based on specific botnet and proxy sources to block malicious traffic directly on the peering edge using the customer’s existing routers. Even better, we did it through a quick Deepfield Secure Genome feed update. There was absolutely no need for updates or intervention on the local Deepfield deployment or the routers. If you’re interested in this example, I share more details in this video.

There is so much more that we can do with advanced routers like FP5-based Nokia Service Routers, thanks to their filter scale and programmability. You, too, can use your existing network investment to fight DDoS attacks more effectively and cost-efficiently from the network to application layer.

Let’s add those upper layers of DDoS protection to your routers today!

Jérôme Meyer

About Jérôme Meyer

In addition to being a Security Researcher at Nokia Deepfield and helping with the development of the Deepfield network security and analytics portfolio, Jérôme has been on the central board for EQUAL! — the Nokia LGBT+ Employee Resource Group — since 2009.
He graduated with a Master’s degree from the Institut National des Sciences Appliquées in Lyon, France.

