Skip to main content

DDoS security

Everything you need to know about Distributed Denial of Service (DDoS)

What is DDoS?

Distributed Denial of Service or DDoS is malicious traffic that aims to deny access or degrade or stop connectivity for individual users, internet hosts and service provider network infrastructure.

Malicious players have been exploiting IP protocol and systems vulnerabilities for more than a couple of decades now to launch DDoS attacks on their targets: network hosts and systems. Some protocols, such as BGP and Domain Name System (DNS), have gained additional security features to make them more robust. Also, industry-wide initiatives using best practices have been implemented to curb DDoS traffic (BPM-23). However, many hosts still use protocols that rely on open principles set by the internet community a long time ago. Some of them never envisaged malicious exploits that could jeopardize the intended operation of router-based networks. 

What are the different types of DDoS?

Broadly, all DDoS traffic can be categorized into:

-  Amplification and reflection DDoS
-  Flooding DDoS traffic (using IP address spoofing or IP header modification, IPHM)
-  Application DDoS.

Please check out our application note, DDoS Protection for the cloud, 5G and IoT era.

How large is DDoS (danger)?

Over the last couple of years, DDoS attacks have grown significantly in peak values (expressed in Tb/s or Tbps), the absolute volume of traffic (bytes or TB) and frequency.  

These increases are mainly driven by the increased number of insecure internet hosts, network elements and IoT, and access to gigabit-level broadband connectivity.  

We entered the era of terabit-level DDoS attacks in 2016. By the end of 2021, as per our Nokia Deepfield report “DDoS in 2021”, the largest DDoS attacks exceeded 4 Tbps and are rapidly approaching the identified threat potential for attacks over 10-15 Tbps to be launched -  large enough to take down the internet for an entire country!  

Absolute volumes of DDoS traffic are also rising. DDoS attacks have become a daily reality for most networks. In the short period from early February to late May 2020, aggregate DDoS volume levels in the United States rose by more than 40 percent.  

This growth continued into 2021 and 2022 – we have seen anywhere between 100% and 300% growth of aggregate DDOS volumes in service provider networks. 

What is the impact on service provider networks?

Large-scale DDoS attacks can be fatal for network routers and infrastructure, disrupting connectivity and service availability for communication service providers (CSPs), enterprises and consumers. They can lead to losses ranging from thousands to millions of dollars.  

DDoS targets range from individual users to networks belonging to service providers, cloud builders and large digital enterprises.

While most DDoS attacks are a nuisance (e.g., to individual gamers), the bandwidth representing high- bandwidth and high packet intensity volumetric attacks are cause for concern. These attacks can inflict damage on connectivity and service availability and result in damages costing hundreds of thousands or even millions of dollars in production and operational losses. There are also legal costs. And it’s difficult even to put a price on reputational damage.  

Service providers are affected in several ways:

  • Their residential customers experience a degraded quality of experience (gaming, streaming, broadband connectivity)
  • Their corporate customers have degraded service or no service at all, affecting their Service Level Agreements
  • Attacks that are launched from their network on outside targets (outbound DDoS) may affect overall network connectivity (e.g., DDOS causing upstream congestion on the submarine of satellite connections) or may even be criminally liable

Botnet DDoS  

At the core of most DDoS attacks today are botnets. A botnet is a collection of compromised sets of individual devices – your home computers, routers, IP cameras, digital video recorders (DVRs) and even parking meters – end devices commonly called bots or zombies because they have been taken over by hackers. The infected machines are usually triggered and controlled from a command center, a compromised server or a remote computer used by a hacker or cybercriminal.  

Botnet DDoS traffic has exhibited significant growth since mid-2021. In marked contrast to the pre-IoT era, most of the largest DDoS attacks today exclusively leverage large-scale botnets. We see regular daily activity from over 250,000 bots aimed at targets worldwide.  

Attacks today are no longer coming from “outside” but are also generated from within service provider networks – by malicious users or hijacked devices. Botnet DDoS detection is also very challenging as traditional approaches such as thresholds or baselines are no longer effective.

Why is a new approach to DDoS security needed?

The DDoS threats of today and tomorrow demand a whole new way of thinking about DDoS protection. Legacy approaches that rely on hardware-based probes or Deep Packet Inspection (DPI) are no longer effective – they cannot scale beyond a very limited set of customers and systems. With growing traffic volumes, they also cannot scale cost-efficiently. 

Nokia DDoS security solution, centered around Nokia Deepfield Defender, combines big data analytics and programmability of the advanced, latest generations of IP network routers (such as FP4/FP5/FPcx-based Nokia Service Routers or Service Interconnect Routers) to deliver a next-generation DDoS detection and mitigation solution with significant benefits over legacy (appliance-based or DPI-based) approaches: better scalability, improved detection (with lower false positives), more agile and granular, network-based mitigation – and all this with much-improved cost efficiency.

DDoS in 2021

Nokia Deepfield Network Intelligence Report: DDoS activity and trends in 2021

DDOS thumbnail

Ready to talk?

Please complete the form below.

The form is loading, please wait...