Is your DDos Mitigation Strategy Terabit-Proof?

Written by

A cloud-based approach to DDoS protection is central to the security strategies of many organizations. As DDoS attacks become much larger, frequent and more sophisticated, we need a new approach to mitigate them.

Record-breaking terabit DDoS attacks 
In February 2018, GitHub was hit by a record-breaking DDoS attack that peaked at 1.3 terabits per second. This record was short lived, because just five days later, NETSCOUT Arbor confirmed an unnamed service provider suffered a 1.7 terabit per second attack. Fortunately, its defenses proved strong enough to prevent any outages. 

The increasing number of terabit-level DDoS attacks stem from hackers that hijack thousands of poorly protected or unprotected IoT devices, including home routers, video cameras, smart TVs, and many others. These devices can be compromised en masse by a botnet that coordinate an attack to flood a company with bogus traffic to make their website and servers unavailable. 

In a recent report, Nokia found that 78% of total detected activity is due to IoT botnets, while an Akamai study showed that 99% of all DDoS attacks targeted the network infrastructure. Volumetric DDoS attacks that swamp network resources are the most potent and protecting against them is top of mind for most executives and recognized at board level. 

The need for a new approach to DDoS mitigation
CIOs and CISOs tasked with protecting their companies against DDoS attacks are rightly worried about the potential impact on revenues and reputations, as well as the cost to repair and recover.

Recognizing they cannot protect against all attacks, CIOs and CISOs want to understand and reduce the risk of attacks and mitigate against them quickly when they happen. Unfortunately, both the processes and tools commonly used today may not be up to the task because of the increasing size, frequency and sophistication of DDoS attacks. 

Most are not capable of reacting in real-time to high-volume attacks, giving attackers more time to cause disruption. Many rely on backhauling infected traffic to centralized or cloud-based scrubbing centers, adding to the cost to mitigate and impacting latency-sensitive traffic. 

Pulling the plug on out-dated DDoS mitigation
With DDoS threats becoming more sophisticated and relentless, we need a more cost-effective approach that provides three key capabilities:

  • Analytics with intelligence to monitor and recognize sophisticated attacks 
  • In-line packet filtering with massive scale at the network perimeter to protect against multi-terabit attacks in real-time  
  • 360-degree symmetric protection against external attacks from the internet and internal attacks from hijacked devices

This approach requires analytics applied not just to network information, but to context information gathered from cloud servers and IoT devices. This provides a more robust way to identify sophisticated attacks and their sources. It also distinguishes between unexpected but legitimate traffic bursts and harmful DDoS attacks.

Protecting against terabit-level attacks quickly and cost-effectively requires a distributed rather than a centralized approach - one that makes the IP network part of the solution to act as the first line of defence against attacks. 

Combining enhanced analytics and intelligence with massive packet filtering capacity provides an in-line approach that can be scaled to protect each interface at the network edge. 

It also avoids the cost of backhauling terabit-levels of infected traffic to centralized or cloud-based scrubbing centers and reduces the need for application level security appliances. The cost savings can be dramatic – up to 85% at current peak DDoS levels compared to centralized DDoS scrubbing – making this approach much more cost-efficient and future proof.

Leveraging cloud genome and custom silicon
Cloud genome analyzes billions of endpoints and determines how traffic from these sources flows through the internet to reach a company’s network. It ingests dozens of data sources to provide a real-time view of what’s happening. When combined with a company’s own network and enterprise analytics, it tracks traffic through their network and how it reaches end users.

With this information, CIOs and CISOs have intelligence that spans their network and servers as well as cloud and IoT traffic. For the first time, they can identify the potential sources of volumetric DDoS attack, so they can understand and reduce the threat risk.

To mitigate against terabit-level DDoS attacks quickly and efficiently when they occur requires routers with custom network processors. This enables in-line, line rate packet filtering at each interface that connects to the internet.

It provides scalable terabit DDoS mitigation that is robust and efficient, and filters threats in real-time when and where they occur – right at the edge of the network.  

The combination of analytics with intelligence and packet filtering on a massive scale gives CIOs and CISOs the visibility to detect and understand threat risks proactively. This improves the ability to shut down threats before they impact their network and servers, and most crucially, their customers and business reputation. 

What’s hot on Infosecurity Magazine?