Scaling protection, not costs: Rethinking DDoS mitigation for the botnet era
Statistics are never taken as seriously as when they apply directly to us. Sometimes, not even then – even when we look at security-related stats.
Are we scared by DDoS stats?
When we talk about the incredible rise of Distributed Denial of Service (DDoS) traffic, which now outpaces the growth of any other type of traffic, fueled by the spread of IoT (much of it insecure) and multi-hundred-megabit (and even multi-gigabit) connectivity, and point to the rising potential for multi-terabit attacks, is anyone scared?
When we note that over 40% of all security incidents are DDoS-related (see Verizon Data Breach Investigations Report 2023) or that over a million botnet-controlled devices today generate over 40% of all DDoS attack traffic (see Nokia Threat Intelligence Report 2023), what does this mean and how does this affect service providers and network operators?
The answer may be simpler than expected. You must stay a few steps ahead of malicious parties and criminals. Using decades-old gigabit-scale DDoS security technology to address AI-driven botnets capable of launching DDoS attacks at a terabit scale is *not* the way forward.
Network-based DDoS security: A new generation of DDoS security for a new generation of threats
A new generation of network security threats requires a new approach to detecting and neutralizing them, so that they affect network services and customers as little as possible. The new approach to network security must address all key security considerations, scalability, performance and cost, without sacrificing one for the sake of the others.
Let's take scalability, for example. Adding security capabilities to the network through overlays (equipment and management) results in a never-ending game of upgrades and field replacements.
Understanding that the only thing scaling at the traffic-scale level is the network itself, we have been proponents of network-based security, where advanced and sophisticated network elements, namely routers (such as Nokia Service Routers or Service Interconnect Routers, powered by FP4, FP5 or FPcx processing technology), are used to surgically and at scale remove all DDoS traffic at the network edge. This security-by-design approach enabled us to get closer to the ideal of a self-defending network, where automated DDoS defense becomes an intrinsic network capability, not an add-on feature.
And, thanks to the great processing capabilities of FP4/FP5/FPcx network processors, there was no sacrifice – deterministic performance with multi-terabit scale was ensured under all network conditions.
Also, this approach was 65%-85% more cost-effective than traditional scrubbing center approaches.
Expanding network-based DDoS security beyond routers
But, unfortunately, things are rarely that simple. Using advanced network routers with built-in security features is not always possible.
There are cases where older routers deployed in the network do not have enough processing power to take on additional security-related tasks. And there are many cases where the organization or mode of operation of networking and security teams drives the requirement for dedicated security enforcement elements, which also need to be under the ownership and control of security teams.
Such networks are not out of luck: the network-based security concept can be extended through a dedicated DDoS mitigation platform built with the same goals in mind (bringing the best of the networking and security worlds together) on a platform powered by the latest generation of highly capable network processors, satisfying the same multi-terabit scale, deterministic performance and lower cost objectives.
To this end, we are introducing a dedicated platform for DDoS mitigation, the Nokia 7750 Defender Mitigation System (DMS), in addition to network-based security delivered by IP routers. With this expansion, our DDoS security solution (based on Deepfield Defender) provides even more flexibility for deployment, allowing service providers to offer the highest levels of DDoS protection to their customers and equip their security teams with the latest technology to fight against new and future DDoS threats.
This deployment flexibility allows network security to expand from peering edge to all types of network edges and neutralize DDoS threats from outside (inbound DDoS) and inside (outbound DDoS) with maximum efficiency and minimal impact on the network and services.
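The inbound/outbound distinction above decides where at the network edge a mitigation filter belongs: inbound floods are dropped at the peering edge before they cross the core, outbound floods from compromised hosts are dropped at the customer or access edge. The following Python program is an added example (it is not Nokia's code and not part of Deepfield Defender or the 7750 DMS) that illustrates this classification over constructed flow records. The operator prefix, the packet-rate threshold, the observation window and the filter description format are all assumptions made for the example.

```python
"""Direction-aware volumetric DDoS detection over flow records (added example)."""
import ipaddress
from collections import defaultdict

# Hypothetical operator address space (assumption, not from the post).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical threshold: aggregate packets per second toward one
# (destination, protocol, port) tuple within the observation window.
PPS_THRESHOLD = 100_000
WINDOW_SECONDS = 10


def is_ours(ip: str) -> bool:
    """True if the address lies inside one of the operator's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def direction(src: str, dst: str) -> str:
    """Classify a flow relative to the operator's network."""
    src_ours, dst_ours = is_ours(src), is_ours(dst)
    if dst_ours and not src_ours:
        return "inbound"
    if src_ours and not dst_ours:
        return "outbound"
    if src_ours and dst_ours:
        return "internal"
    return "transit"


def build_sample_flows():
    """Constructed flow records: (src, dst, proto, dport, packets in window)."""
    flows = []
    # Inbound flood: 50 external sources toward one customer DNS server.
    for i in range(50):
        flows.append((f"198.51.100.{i + 1}", "203.0.113.10", "udp", 53, 40_000))
    # Outbound flood: 20 compromised hosts inside our prefix toward one external target.
    for i in range(20):
        flows.append((f"203.0.113.{100 + i}", "192.0.2.7", "tcp", 443, 100_000))
    # Legitimate background traffic that must not trigger an alert.
    flows.append(("198.51.100.200", "203.0.113.20", "tcp", 443, 1_200))
    flows.append(("203.0.113.21", "192.0.2.30", "tcp", 80, 900))
    return flows


def detect(flows, threshold=PPS_THRESHOLD, window=WINDOW_SECONDS):
    """Aggregate packets per (dst, proto, dport); alert on rates above threshold."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, dport, count in flows:
        key = (dst, proto, dport)
        packets[key] += count
        sources[key].add(src)

    alerts = []
    for (dst, proto, dport), total in packets.items():
        pps = total / window
        if pps < threshold:
            continue
        srcs = sources[(dst, proto, dport)]
        # Direction is judged from where the sources sit relative to the target.
        dirs = {direction(s, dst) for s in srcs}
        label = next(iter(dirs)) if len(dirs) == 1 else "mixed"
        alerts.append({
            "dst": dst, "proto": proto, "dport": dport,
            "pps": pps, "sources": len(srcs), "direction": label,
        })
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)


def edge_filter(alert):
    """Describe the edge where a mitigation filter belongs (illustrative text, not a vendor syntax)."""
    edge = {
        "inbound": "peering edge (drop before traffic crosses the core)",
        "outbound": "customer/access edge (drop on the source side)",
    }.get(alert["direction"], "all edges")
    return {
        "apply_at": edge,
        "match": f"{alert['proto']} dst {alert['dst']}/32 dport {alert['dport']}",
        "action": "rate-limit or drop",
    }


if __name__ == "__main__":
    for a in detect(build_sample_flows()):
        print(a)
        print("  ->", edge_filter(a))
```

On the constructed records both floods reach 200,000 packets per second (2,000,000 packets over the 10-second window) while the background flows stay at a few hundred, so exactly two alerts are produced, one placed at the peering edge and one at the access edge.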
Today's state-of-the-art technology can also help pack the needed capacity, along with performance and cost, in a compact form factor that would address other important requirements such as power consumption and sustainability.
But to get there, we must abandon the 20-year-old technology and approaches that served us well but, alas, are choking under the new types of threats, bringing the cost of security through the roof.
We must take the security-related stats seriously, too. They are a sign of the times, telling us that we need better security solutions for these times, and for the future.