DDoS assaults are more than an inconvenience; they halt activities and result in substantial direct and indirect expenses for those that are impacted. Every day, over 23,000 DDoS attacks are registered, leaving businesses with disrupted online services. New Zealand’s Stock Exchange (NZX) was recently struck by a massive DDoS assault for four days in a row, resulting in a stock market shutdown that prevented several people from trading.
Though DDoS attacks like the one in New Zealand don’t directly target communication service providers (CSPs), CSP systems become collateral damage when attacks move through their networks on the way to their intended victims. By causing failures of routers, servers, and other network components, bursts of excessive DDoS traffic can prevent service delivery and also result in high infrastructure costs.
For both CSPs and businesses, there are currently two traditional approaches to DDoS identification and mitigation: inline solutions and scrubbing centres. In scrubbing centre solutions, the traffic flows are usually sampled. All traffic is rerouted to locations where the attack traffic is removed, and the clean traffic is routed back into the CSP network via a virtual private network (VPN) or generic routing encapsulation (GRE) tunnel, which prevents routing loops. Inline implementations, on the other hand, identify and stop DDoS attacks at the CSP network’s edge, regardless of their scale or length, allowing only clean traffic to enter. However, for maximum coverage and security, these methods must be applied at every point in the network, which results in high costs.
Using network functions virtualization to mitigate DDoS attacks
Fortunately, network functions virtualization (NFV), with its demand-based use of virtualized infrastructure for 5G and LTE networks, is a game-changer that is more cost-effective at tackling DDoS.
With massive changes in data traffic anticipated from 5G, cybercriminals will have new vectors to launch DDoS assaults. This problem is exacerbated by the rising number of IoT devices and their weak cybersecurity protections, which give cybercriminals a larger pool of devices to compromise and use for triggering DDoS attacks. Businesses are seeing more frequent and complex threats than ever before, thanks to the ease with which DDoS attacks can be launched using for-hire DDoS botnets for as little as $100 per assault.
The primary motivation for launching these attacks is monetary benefit. NZX, for example, was issued a ransom demand that threatened to close down the stock exchange. Other motivations exist, though. Cybercriminals may simply wish to cause damage to a corporation by slowing down operations, or to create distractions in order to capture trade secrets.
Scrubbing centres and inline solutions are the two primary methods of mitigating DDoS traffic, as previously discussed. Because they must route all traffic, scrubbing centres may be unreliable. As a result, network analysis tools like Cisco NetFlow are often used to sample traffic and submit it to a scrubbing centre for attack detection. Enabling these kinds of network monitoring processes, on the other hand, adds to the overhead.
Scrubbing centres have a number of drawbacks, mostly related to the method of tunnelling clean, legitimate traffic back through the CSP network. Rerouting traffic adds IP overhead, which can reduce efficiency through higher bandwidth use and packet fragmentation, and that in turn can lead to sluggish applications, VPN crashes, and other issues. The user experience suffers as a result of this latency, particularly in data-intensive applications like video streaming and online gaming. During a major assault, rerouting often requires network routers to publish and propagate new routes (e.g. BGP/OSPF), which may take two or three minutes. Furthermore, third-party implementations are ineffective since they only sample and audit incoming traffic, not outbound traffic.
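The tunnelling overhead described above can be quantified. The following is an added example, not part of the original article: it assumes a basic 4-byte GRE header, a 20-byte outer IPv4 header, a 1500-byte path MTU, fragmentation of the outer packet when it does not fit, and a constructed packet-size mix.

```python
IPV4_HDR = 20   # outer IPv4 header without options
GRE_HDR = 4     # basic GRE header, no key/sequence/checksum fields

def gre_cost(inner_len, path_mtu=1500):
    """Return (packets_on_wire, bytes_on_wire) for one inner IP packet
    carried in GRE over a path with the given MTU, with the outer packet
    fragmented when it does not fit."""
    payload = GRE_HDR + inner_len                  # outer IPv4 payload
    per_frag = (path_mtu - IPV4_HDR) // 8 * 8      # fragment data is 8-byte aligned
    frags = -(-payload // per_frag)                # ceiling division
    return frags, payload + frags * IPV4_HDR

def max_inner_without_fragmentation(path_mtu=1500):
    """Largest inner packet that still fits in one outer packet."""
    return path_mtu - IPV4_HDR - GRE_HDR

def tunnel_overhead(mix, path_mtu=1500):
    """mix: {inner_len: packet_count}. Returns (packet ratio, byte ratio)
    of tunnelled traffic relative to the original traffic."""
    in_pkts = sum(mix.values())
    in_bytes = sum(size * n for size, n in mix.items())
    out_pkts = sum(gre_cost(size, path_mtu)[0] * n for size, n in mix.items())
    out_bytes = sum(gre_cost(size, path_mtu)[1] * n for size, n in mix.items())
    return out_pkts / in_pkts, out_bytes / in_bytes

# Constructed mix for a video-heavy flow: mostly full-size packets.
SAMPLE_MIX = {1500: 800, 576: 100, 64: 100}

if __name__ == "__main__":
    print("1500-byte packet:", gre_cost(1500))
    print("largest unfragmented inner packet:", max_inner_without_fragmentation())
    print("packet ratio, byte ratio:", tunnel_overhead(SAMPLE_MIX))
```

The byte overhead is small, but every full-size packet becomes two packets on the return path, which is where the extra forwarding load and reassembly latency come from.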
Inline solutions are more effective than scrubbing centres since the attack pattern is generated from details derived from deep packet inspection (DPI) rather than from aggregate statistics, which may result in over-blocking legitimate users. Inline technologies, on the other hand, need a higher capital investment than scrubbing centres since they track all traffic and stop attacks at the point of identification, and must provide security, throughput, power, and scalability at every point of the network.
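The over-blocking argument can be made concrete with a simplified model. This is an added example, not code from the article or from any product: the traffic is constructed, the thresholds are arbitrary, and the per-packet rule keys only on protocol and source port, whereas a real DPI engine would also inspect payloads.

```python
from collections import Counter

VICTIM = "203.0.113.10"   # documentation address, constructed

def build_traffic():
    """Constructed sample: (src, dst, proto, sport, dport, length, is_attack)."""
    pkts = []
    for i in range(900):   # reflected UDP flood: source port 53, large payloads
        pkts.append((f"198.51.100.{i % 200}", VICTIM, "udp", 53,
                     40000 + i % 50, 1400, True))
    for i in range(100):   # legitimate HTTPS clients of the same victim
        pkts.append((f"192.0.2.{i}", VICTIM, "tcp", 50000 + i, 443, 600, False))
    return pkts

def aggregate_rule(pkts, sample_every=10, byte_threshold=500_000):
    """Sampled flow statistics only expose per-destination volume."""
    est = Counter()
    for p in pkts[::sample_every]:
        est[p[1]] += p[5] * sample_every      # scale the sample up to an estimate
    hot = {dst for dst, nbytes in est.items() if nbytes > byte_threshold}
    return lambda p: p[1] in hot              # coarse rule: drop by destination

def dpi_rule(pkts, share=0.5):
    """Inspecting every packet lets the rule key on what the flood has in common."""
    feats = Counter((p[2], p[3]) for p in pkts)        # (protocol, source port)
    (proto, sport), count = feats.most_common(1)[0]
    if count / len(pkts) < share:             # no dominant pattern: drop nothing
        return lambda p: False
    return lambda p: (p[2], p[3]) == (proto, sport)

def score(rule, pkts):
    """Return (attack packets dropped, legitimate packets dropped)."""
    dropped = [p for p in pkts if rule(p)]
    return sum(p[6] for p in dropped), sum(not p[6] for p in dropped)

if __name__ == "__main__":
    traffic = build_traffic()
    print("aggregate:", score(aggregate_rule(traffic), traffic))
    print("per-packet:", score(dpi_rule(traffic), traffic))
```

Both rules stop the flood, but the volume-based rule also drops every legitimate client of the victim, while the pattern-based rule drops none of them.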
CSPs will potentially need to devote computing power to tackle every attack from any angle to help secure the network against 5G’s projected data traffic boost. Although this is not cost-effective, multi-access edge computing (MEC) and network functions virtualization (NFV) will enable a cost-effective DDoS mitigation approach by preventing the over-allocation of dedicated resources. This is because, rather than protecting every endpoint, these strategies define the areas of the network that need special security.
NFV offers a modular DDoS approach that can be implemented at the exact edge position needed to reach and mitigate any attack frequency. When inline DDoS identification and mitigation is applied at the MEC using NFV, attacks can be mitigated as near to the threat source as necessary. This architecture uses only shared resources, which are shared by a variety of virtualized edge compute functions. This renders inline DDoS identification and mitigation quicker, more reliable, and less wasteful, while still preventing dangerous traffic from reaching the CSP network’s core.
DDoS attacks are becoming more common and simpler for cybercriminals to carry out, but with the right services offered by a cloud-native DDoS solution, CSPs, especially 5G operators, can reduce TCO without sacrificing protection against harmful attacks.