Sean Newman, director, Corero Network Security

The sheer size and scale of ISP and web hosting network infrastructure, combined with their huge customer bases, presents an incredibly attractive attack surface for hackers. Their multiple entry points and significant aggregate bandwidth act as a conduit for damaging and disruptive DDoS attacks. As DDoS attacks have evolved from simple volumetric attacks on a single target to the terabit-scale attacks of today, which threaten to disrupt our collective internet availability, how has the service provider response evolved? Faced with devastating botnet-driven DDoS attacks, based on code that is now available to all, can service providers and our wider internet backbone withstand the pressure?

Service providers have long carried the burden of defending their customers against DDoS attacks. In the early days of attacks (c.2000), the primary goal was simply to protect their own networks, which was usually achieved by adopting less sophisticated techniques such as blackhole routing. A provider would effectively blacklist the IP address of the DDoS victim, so that all traffic destined for that IP was discarded by upstream peers. Doing this protected other customers using the infrastructure. However, it also had the unfortunate side-effect of fulfilling the hacker's wishes by denying service to the victim for the duration of the attack.

The next development in service providers' response to DDoS threats was the introduction of scrubbing techniques. When an operator observed a large spike, instead of injecting a null-route they began to inject a new route. By implementing this new route, operators could redirect all traffic through an appliance that inspected it and attempted to remove the DDoS attack traffic, forwarding only the legitimate user flows. While a significant step forward, this approach typically suffers from delays, in the order of minutes, due to traffic re-routing and human intervention, allowing modern attacks to do most, if not all, of their damage before mitigation engages.

Fast forward to today and we find vast improvements to the DDoS mitigation technologies and techniques available to operators. High-performance, automatic DDoS removal engines can mitigate attacks in real time, and provide continuous visibility and forensics into any incursions on a network. The time from detection to mitigation of an attack has shrunk to almost nothing, because the need to manually analyse events and re-route traffic for cleaning has been virtually eliminated. This is highly significant because, alongside these developments, we have also seen a significant evolution of the DDoS attack methods used by hackers, with the sophistication and range of attacks in use today being virtually unrecognisable from the simple saturating attacks of the past.
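The three generations just described, as a toy simulation. This is an added example, not code from the article or from Corero; the link capacity, packet rates, detection threshold and delays are constructed assumptions chosen only to make the trade-offs visible. Detection is the same in all three cases (a per-destination rate over a one-second window); what differs is the action taken and how long it takes to engage and to lift.

```python
"""Toy simulation of three generations of provider-side DDoS mitigation:
blackhole routing, scrubbing behind a re-route, and inline automatic
mitigation. Added example; not Corero's code. Every number below (link
capacity, rates, delays) is a constructed assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LINK_CAPACITY_PPS = 1_000        # victim's access link (assumed)
LEGIT_PPS = 50                   # legitimate traffic towards the victim (assumed)
ATTACK_PPS = 20_000              # flood rate during the attack window (assumed)
DETECT_THRESHOLD_PPS = 500       # per-destination rate that trips the detector (assumed)


@dataclass
class Outcome:
    strategy: str
    legit_offered: int = 0       # legitimate packets that wanted to reach the victim
    legit_delivered: int = 0     # ... and actually arrived
    attack_delivered: int = 0    # flood packets that reached the victim
    engaged_at: Optional[int] = None   # second at which mitigation first took effect


def offered_traffic(t: int, attack_start: int, attack_end: int) -> Tuple[int, int]:
    """Per-second offered load towards the victim: (legit_pps, attack_pps)."""
    attacking = attack_start <= t < attack_end
    return LEGIT_PPS, (ATTACK_PPS if attacking else 0)


def simulate(strategy: str, delay_s: int, duration: int = 600,
             attack_start: int = 60, attack_end: int = 360) -> Outcome:
    """Run one mitigation strategy over a synthetic attack.

    strategy: "blackhole" (null-route the victim), "scrub" (divert through a
              scrubbing appliance) or "inline" (automatic per-packet removal).
    delay_s:  seconds between the detector firing and the action taking effect;
              the same lag applies to lifting the action once the flood subsides.
    """
    out = Outcome(strategy)
    detected_at: Optional[int] = None
    last_over: Optional[int] = None
    for t in range(duration):
        legit, attack = offered_traffic(t, attack_start, attack_end)
        out.legit_offered += legit
        total = legit + attack
        # Detection is identical for all three strategies: per-destination
        # rate over a one-second window. Only the response and its delay differ.
        if total > DETECT_THRESHOLD_PPS:
            last_over = t
            if detected_at is None:
                detected_at = t
        engaged = (detected_at is not None
                   and detected_at + delay_s <= t <= last_over + delay_s)
        if engaged and out.engaged_at is None:
            out.engaged_at = t
        if engaged and strategy == "blackhole":
            # Null route: upstream discards everything for the victim prefix,
            # legitimate flows included (the attacker's goal, delivered by the ISP).
            continue
        if engaged and strategy in ("scrub", "inline"):
            # Attack flows removed, legitimate flows forwarded unchanged.
            attack, total = 0, legit
        # Access-link saturation: when offered load exceeds capacity, packets
        # are dropped in proportion, so most legitimate traffic is lost too.
        share = min(1.0, LINK_CAPACITY_PPS / total) if total else 1.0
        out.legit_delivered += int(legit * share)
        out.attack_delivered += int(attack * share)
    return out


def compare() -> Dict[str, Outcome]:
    """Human-in-the-loop delays (minutes) versus an automatic engine (about 1 s)."""
    return {
        "blackhole": simulate("blackhole", delay_s=120),
        "scrub": simulate("scrub", delay_s=180),
        "inline": simulate("inline", delay_s=1),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        pct = 100 * o.legit_delivered / o.legit_offered
        print(f"{name:9s} engaged at {o.engaged_at:>4}s  legit delivered {pct:5.1f}%  "
              f"attack packets delivered {o.attack_delivered}")
```

Running the script shows the shape of the argument rather than any real-world figure: the null-route stops the flood but delivers none of the victim's legitimate traffic while it is in place; scrubbing restores legitimate traffic, but only after the re-route delay, during which the saturated access link drops almost everything; the automatic engine engages within a second and the victim barely notices. Swap in your own operator's measured delays and link sizes to see where your network sits.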

The sheer scale of the latest wave of Internet of Things-driven botnet attacks demonstrates the vital role of service providers in defending against DDoS attacks. Considering how botnets work – effectively acting like a giant cloud computer, launching their assault and then disappearing without leaving enough information for victims to trace their origins – the only robust defence involves protection well before attacks reach the users' networks. As a result, providers are increasingly being tasked with the goal of maintaining global Internet availability in the face of the ever-evolving DDoS threat.

And the pressure for providers to step up their game isn't just coming from customers, but from governments. The head of Britain's new National Cyber Security Centre caused uproar in the press recently by suggesting that UK ISPs could restrict DDoS attacks across their networks by rewriting internet standards around spoofing. While the success of such a strategy is still being debated, the announcement should indicate to the service provider community the possibility of regulatory pressure being introduced in the future, if changes are not achieved voluntarily. And, in the long run, that could be in everyone's best interests. After all, there is a valuable business benefit for ISPs in positioning themselves as leading the charge against DDoS attacks, both in protecting their own infrastructure and in enabling them to offer more comprehensive solutions to their customers as a paid-for managed service.

As businesses put more of their assets into the cloud, effectively mitigating DDoS attacks requires real-time protection at the internet edge. In addition, ISPs are moving towards a more expansive network architecture, distributed to provide services targeted at specific subscribers. This gives ISPs a golden opportunity to provide sophisticated DDoS protection to their customers as a service – opening up a potential new revenue stream as well as building customer loyalty. By offering dynamic mitigation bandwidth licensing to their customers, service providers can scale the solution to meet their customers' needs – giving them an extra incentive to buy the services and take advantage of the efficiency savings and protection on offer. As a result, service providers will likely find themselves at an important crossroads during the next year, with the opportunity to modernise their networks with automatic, always-on DDoS mitigation systems – or else battle a complex regulatory environment and risk a shrinking customer base.

Contributed by Sean Newman, director, Corero Network Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.