Cyber Security
Mitigating DDoS attacks with network function virtualization
Published 4 years ago
By GFiuui45fg
Distributed denial of service (DDoS) attacks are more than an inconvenience: they paralyze operations and impose significant direct and indirect costs on those affected. Over 23,000 DDoS attacks are recorded per day, leaving companies to deal with disrupted online services. Recently, New Zealand's Stock Exchange (NZX) was hit by a large DDoS attack on four consecutive days, forcing the market to halt trading and barring many from the market.
While DDoS attacks like the one on NZX do not specifically target communication service providers (CSPs), CSP services become collateral damage as the attack traffic crosses their networks on its way to the victim. Bursts of extreme DDoS traffic can prevent service delivery and drive up infrastructure costs when routers, servers and other network elements fail under the load.
Currently there are two common approaches to DDoS detection and mitigation for CSPs and enterprises alike: inline solutions and scrubbing centers. Scrubbing-center solutions typically sample traffic flows. When an attack is detected, all traffic for the targeted prefix is rerouted to the scrubbing center, where the attack traffic is removed, and the clean traffic is tunneled back into the CSP network over generic routing encapsulation (GRE) or a virtual private network (VPN). The tunnel is needed because the diverted prefix is now advertised from the scrubbing center, so a plain return route would send the clean traffic straight back into the scrubber in a loop. Inline solutions, on the other hand, detect and stop DDoS attacks at the edge of the CSP network regardless of the size or duration of the attack, allowing only clean traffic through. However, either solution must be deployed at every ingress point of the network for complete visibility and protection, which is often expensive.
Network function virtualization (NFV) offers a more cost-effective way to address DDoS, because the virtualized resources it provides for 5G and LTE services are allocated on demand rather than permanently provisioned at every site.
Growing DDoS Attacks
With the large increases in data traffic expected from 5G, new vectors open for cybercriminals to conduct DDoS attacks. The problem is exacerbated by the growing number of IoT devices and their weak security, which gives attackers a far larger pool of devices to compromise and enlist in DDoS attacks. Coupled with the fact that DDoS attacks are easy to launch using for-hire botnets, which can cost as little as 100 dollars per attack, businesses face more frequent and diverse threats than ever before.
The main motivator for deploying these attacks is financial gain. In the case of NZX, for example, the attackers sent a ransom demand that threatened to keep the stock market shut down. Other motives exist too: cybercriminals may simply want to harm a company by slowing its business operations, or use the attack as a distraction while they steal business secrets.
Scrubbing Centers Solutions are a Thing of the Past
As mentioned earlier, the two main approaches to mitigating DDoS traffic are scrubbing centers and inline solutions. Permanently routing all traffic through a scrubbing center is inefficient, so flow telemetry such as Cisco NetFlow is typically used to sample traffic and feed a detector that decides when to divert traffic to the scrubbing center. Enabling that kind of telemetry adds its own overhead on the routers that export it.
Scrubbing centers also have several disadvantages, most of them caused by tunneling the clean, legitimate traffic back into the CSP network. Rerouting adds IP encapsulation overhead to every packet and lowers performance: latency rises and packets that no longer fit the tunnel's MTU get fragmented, which shows up as slow applications, VPN failures, and more. This latency degrades the user experience, especially in data-heavy applications such as video streaming and online gaming. Rerouting also requires the network routers to advertise and propagate new routes (e.g. via BGP or OSPF), which can take two to three minutes during a large attack, when every second is critical. Additionally, third-party solutions are not one hundred percent effective, since they only sample and inspect incoming traffic, not outbound.
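To put numbers on the tunneling overhead described above, here is an added example (not code from the original article) that computes the inner MTU left after GRE-over-IPv4 encapsulation, the TCP MSS a provider should clamp to so that returned traffic never has to be fragmented, and the IPv4 fragments a full-size packet would otherwise be split into. The header sizes are the standard ones (20-byte IPv4 header without options, 4-byte GRE header without optional fields); the 1500-byte outer MTU and the packet sizes are assumptions.

```python
"""Added example (not from the original article): what a GRE return tunnel
costs in MTU, and how a 1500-byte packet fragments if the MSS is not clamped.
Header sizes: IPv4 20 bytes (RFC 791, no options), GRE 4 bytes (RFC 2784,
no optional fields), TCP 20 bytes (no options). Everything else is assumed."""

IPV4_HDR = 20
GRE_HDR = 4      # 8 if the optional GRE key field is present
TCP_HDR = 20


def gre_inner_mtu(outer_mtu=1500, gre_key=False):
    """Largest inner IP packet that still fits in one outer frame."""
    return outer_mtu - IPV4_HDR - GRE_HDR - (4 if gre_key else 0)


def mss_clamp(outer_mtu=1500, gre_key=False):
    """TCP MSS to rewrite into SYNs so no segment ever exceeds the tunnel MTU."""
    return gre_inner_mtu(outer_mtu, gre_key) - IPV4_HDR - TCP_HDR


def ipv4_fragments(total_len, mtu, ihl=IPV4_HDR):
    """Fragment an IPv4 packet of total_len bytes for a link with the given MTU,
    following RFC 791: every fragment carries its own IP header, all but the
    last payload piece is a multiple of 8 bytes, offsets are in 8-byte units
    and the More-Fragments flag is clear only on the last piece.
    Returns a list of (offset_in_8_byte_units, fragment_total_len, more_fragments)."""
    if total_len <= mtu:
        return [(0, total_len, False)]
    chunk = (mtu - ihl) // 8 * 8        # largest payload piece allowed per fragment
    payload = total_len - ihl
    frags, offset = [], 0
    while payload > 0:
        take = min(chunk, payload)
        payload -= take
        frags.append((offset // 8, ihl + take, payload > 0))
        offset += take
    return frags


if __name__ == "__main__":
    print("inner MTU:", gre_inner_mtu(), "MSS clamp:", mss_clamp())
    # A 1500-byte packet returned through a 1476-byte tunnel becomes two fragments,
    # the second carrying only 24 bytes of payload behind a 20-byte header.
    print(ipv4_fragments(1500, gre_inner_mtu()))
```

The second fragment of a full-size packet is mostly header, which is why the page's "slow applications" complaint is real: every such packet costs two outer frames, two lookups and a reassembly at the far end, and any filter that drops fragments on the way back breaks the flow entirely. Clamping the MSS to `mss_clamp()` at the scrubbing edge avoids the problem for TCP; UDP traffic larger than the inner MTU still fragments.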
NFV Offers a Scalable and Efficient Inline DDoS Solution
Inline solutions are more accurate than scrubbing centers because the attack pattern is built from information extracted by deep packet inspection (DPI) of every packet, rather than from aggregate statistics, which only yield coarse patterns and can over-block legitimate users. However, because inline solutions monitor all traffic and stop attacks at the point of detection, they require a greater capital expense than scrubbing centers to guarantee reliability, throughput, capacity and scalability at every point of the network.
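The difference between deciding on sampled aggregate statistics and deciding per packet is easiest to see on concrete traffic. The following is an added example, not code from the original article or from any vendor's product: it builds a constructed one-second packet stream (legitimate clients plus a SYN flood toward one victim), runs a 1-in-N sampled per-destination detector with the coarse "cap traffic to the victim" mitigation a diversion-based scrubber applies, and runs a per-packet inline filter that rate-limits SYNs per source. The RFC 5737 test addresses, the sampling rate, the thresholds and the traffic volumes are all assumptions; the inline rule is one signature only and does not model SYN cookies or challenges, which a flood with a fresh spoofed source per packet would require.

```python
"""Added example, not code from the original article: sampled flow-statistics
detection with per-destination capping (the scrubbing-centre model) versus
per-packet inline inspection, run over a constructed one-second packet stream.
Addresses (RFC 5737 test networks), sampling rate, thresholds and traffic
volumes are all assumptions."""
from collections import Counter
from dataclasses import dataclass
import random

VICTIM = "203.0.113.10"        # assumed victim, TEST-NET-3
LEGIT_PREFIX = "198.51.100."   # assumed legitimate clients, TEST-NET-2
ATTACK_PREFIX = "192.0.2."     # assumed (spoofed) flood sources, TEST-NET-1
SAMPLE_RATE = 1000             # assumed 1-in-N packet sampling on the router
FLOW_PPS_THRESHOLD = 50_000    # assumed per-destination pps that triggers diversion
INLINE_SYN_LIMIT = 20          # assumed SYNs per source per second before rate-limiting


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flags, e.g. "S" (SYN), "A" (ACK), "PA" (PSH+ACK)


def build_traffic(seed=1):
    """Constructed traffic: 200 legitimate three-packet exchanges (SYN, ACK,
    data) plus a 100,000-packet SYN flood from 254 sources, interleaved."""
    rng = random.Random(seed)
    pkts = []
    for i in range(200):
        client = f"{LEGIT_PREFIX}{i % 250 + 1}"
        pkts += [Packet(client, VICTIM, "S"), Packet(client, VICTIM, "A"),
                 Packet(client, VICTIM, "PA")]
    for _ in range(100_000):
        pkts.append(Packet(f"{ATTACK_PREFIX}{rng.randrange(1, 255)}", VICTIM, "S"))
    rng.shuffle(pkts)
    return pkts


def sampled_flow_detector(pkts, rate=SAMPLE_RATE, threshold=FLOW_PPS_THRESHOLD):
    """Scrubbing-centre detection: see only every Nth packet, scale the count
    back up per destination, and divert every destination over the threshold."""
    estimate = Counter()
    for i, p in enumerate(pkts):
        if i % rate == 0:
            estimate[p.dst] += rate
    return {dst for dst, pps in estimate.items() if pps > threshold}


def scrub_by_destination_cap(pkts, diverted, cap=FLOW_PPS_THRESHOLD):
    """Coarse mitigation on a diverted prefix: the aggregate statistic only says
    'too many packets to this destination', so packets beyond `cap` are dropped
    without regard to who sent them, and legitimate clients share in the loss."""
    passed, kept = Counter(), []
    for p in pkts:
        if p.dst in diverted:
            if passed[p.dst] >= cap:
                continue
            passed[p.dst] += 1
        kept.append(p)
    return kept


def inline_filter(pkts, syn_limit=INLINE_SYN_LIMIT):
    """Inline mitigation: every packet is inspected; only pure SYNs from a source
    that has already exceeded syn_limit in the window are dropped. Well-behaved
    sources and all non-SYN packets pass untouched."""
    syns, kept = Counter(), []
    for p in pkts:
        if p.flags == "S":
            syns[p.src] += 1
            if syns[p.src] > syn_limit:
                continue
        kept.append(p)
    return kept


def evaluate(original, kept):
    """Fraction of legitimate packets and of attack packets that were dropped."""
    dropped = Counter(original) - Counter(kept)
    legit = lambda p: p.src.startswith(LEGIT_PREFIX)
    legit_total = sum(1 for p in original if legit(p))
    legit_dropped = sum(n for p, n in dropped.items() if legit(p))
    attack_dropped = sum(dropped.values()) - legit_dropped
    return {"legit_drop_rate": legit_dropped / legit_total,
            "attack_drop_rate": attack_dropped / (len(original) - legit_total)}


def compare(seed=1):
    """Run both models on the same constructed stream and report drop rates."""
    pkts = build_traffic(seed)
    diverted = sampled_flow_detector(pkts)
    return {"diverted": diverted,
            "scrubbing": evaluate(pkts, scrub_by_destination_cap(pkts, diverted)),
            "inline": evaluate(pkts, inline_filter(pkts))}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Both models detect the flood, but the sampled detector only knows that the victim is receiving too much, so the cap it applies throws away roughly half of the legitimate packets along with half of the attack; the inline filter, which sees every packet's source and flags, drops about 95 percent of the flood and no legitimate traffic at all. Tightening the per-source limit or adding a SYN-cookie challenge would close the remaining gap; widening the sampled model's cap would only trade legitimate loss for attack leakage, because it has no per-source information to act on.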
To keep the network protected as 5G drives traffic up, CSPs would in theory have to dedicate enough compute to absorb any attack at every point of presence. That is not economical, but multi-access edge computing (MEC) combined with NFV makes a cost-effective DDoS mitigation possible by avoiding the over-allocation of dedicated infrastructure: capacity is placed where the network actually needs protection instead of being provisioned at every endpoint.
NFV provides a scalable DDoS solution that can be instantiated at exactly the edge location required to meet and mitigate an attack of any size. When inline DDoS detection and mitigation is implemented at the MEC using NFV, attacks are mitigated as close to their source as possible, and the function draws only the resources it needs from the pool shared with the other virtualized edge compute functions. This makes inline DDoS detection and mitigation faster, more accurate and less expensive, and it keeps harmful traffic from getting past the edge into the core of the CSP network.
DDoS attacks may be growing in frequency and easier to conduct for cybercriminals, but with the right resources provided by a cloud native DDoS solution, CSPs and specifically 5G operators can lower TCO without compromising on protection from harmful attacks.