Issue: Europe I 2016
Topic: DDoS impact on mobile networks – Radio congestion
Title: VP, Product Management
Organisation: Corero Network Security
Bipin Mistry, Vice President, Product Management, Corero Network Security
Mistry brings more than 26 years of industry experience in the enterprise and telecommunications industries to his role with Corero. Most recently, Mistry served as Chief Architect, Mobility, for Juniper Networks. In this role, he worked with CSNs globally to help define their service and security needs in a rapidly evolving mobile environment. Previously, Mistry drove the Service Provider architecture and strategy for Cisco Systems, and ran the Voice over IP (VoIP) line for 3Com. He holds a number of patents, including one in API structure and interfaces specifically tied to mobile monetization.
To ensure customer reliability, experience and security, CSPs and mobile carriers will need to protect their most valuable asset from congestion and downtime as a result of multi-vector, short-duration DDoS attacks.
The evolution of DDoS defence tactics
DDoS attacks against Corero customers grew by a third in the last quarter, with organizations experiencing an average of 4.5 attacks every day. This may sound like a meteoric rise, but it is hardly surprising given the proliferation of cheap and easy-to-launch attack tools. While most DDoS attacks were once launched by bad actors coding in their bedrooms to carry out protests – now, DDoS-for-hire botnets allow just about anyone to launch a crippling attack for just a few dozen dollars – with no coding skills required.
In many cases these attacks are merely a smokescreen, designed not to deny service but to distract attention from the real motive – usually data theft and network infiltration. According to our mid-year report, in the first half of 2015 the vast majority of DDoS attacks experienced by Corero customers were less than 1 Gbps. Additionally, more than 95 percent of these attacks lasted 30 minutes or less. As attackers look for new ways to leverage DDoS attacks, they have realized that short-duration, sub-saturating attacks are more difficult to defeat, because they evade traditional cloud-based scrubbing centres.
Most Communications Service Providers (CSPs) and mobile carriers have deployed some form of DDoS scrubbing complex in their network to clean large, long-duration DDoS attacks. A scrubbing centre approach will not effectively mitigate the current DDoS threat, because these attacks are too short in duration and too small in volume to be redirected to a scrubbing centre; they simply appear as noise on a typical CSP/mobile backbone network.
As mobile networks carry on increasing in capacity and performance, CSPs and mobile carriers now offer transport services which utilize the high-speed radio network (LTE RAN) as backup to their fixed connection or, as in the case of some European mobile carriers, as a medium for increased capacity. A simple low-level Destination IP (DIP) spray attack against these environments will result in radio congestion, collateral damage and impact to subscriber experience. It can also have the detrimental effect of reducing overall cell phone battery life. Even before these attacks hit the radio network they have the ability to impact the mobile services complex, affecting hosted critical services such as Deep Packet Inspection (DPI) firewalls and Carrier Grade Network Address Translation (CGNAT). If any of these services are negatively impacted, internet connectivity, resource usage/reporting, customer billing and so on can be quite significantly affected.
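The destination-IP spray described above is detectable precisely because of the shape that makes it damaging: many subscriber addresses each receiving only a trickle of inbound traffic, so no single destination ever trips a per-host rate threshold while hundreds of idle handsets are nevertheless woken up. The following Python is an added example, not Corero's code or any product's logic. It runs a per-prefix, per-window detector over constructed inbound flow records; the 100.64.0.0/16 subscriber pool, the addresses, the thresholds and the traffic volumes are all assumed for the illustration.

```python
"""Detecting a low-rate destination-IP (DIP) spray against a subscriber pool.

Added example (not Corero's code). The signature looked for is the
aggregate, not any single flow: within one window, an unusually large
number of distinct subscriber addresses each received only a few hundred
bytes of inbound traffic. All addresses and volumes below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical subscriber pool behind CGNAT (prefix chosen for the example).
SUBSCRIBER_POOLS = [ip_network("100.64.0.0/16")]


def pool_for(dst):
    """Return the subscriber pool containing dst, or None if it is not one."""
    addr = ip_address(dst)
    for pool in SUBSCRIBER_POOLS:
        if addr in pool:
            return pool
    return None


def detect_dip_spray(flows, window=60, max_bytes_per_dst=2000, min_low_volume_dsts=200):
    """Flag (pool, window) pairs in which many distinct subscriber addresses
    each received only a trickle of inbound traffic.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip, bytes) inbound
    records, as an in-line sensor or unsampled flow export would produce.
    Thresholds are assumptions; tune them to the pool size and radio capacity.
    """
    # (pool, window_start) -> {dst_ip: total inbound bytes}
    per_dst = defaultdict(lambda: defaultdict(int))
    for ts, _src, dst, nbytes in flows:
        pool = pool_for(dst)
        if pool is None:
            continue
        bucket = (ts // window) * window
        per_dst[(pool, bucket)][dst] += nbytes

    alerts = []
    for (pool, bucket), counts in sorted(per_dst.items(), key=lambda kv: kv[0][1]):
        # Destinations that saw only a trickle: legitimate sessions are far larger.
        low = [d for d, b in counts.items() if b <= max_bytes_per_dst]
        if len(low) >= min_low_volume_dsts:
            alerts.append({
                "pool": str(pool),
                "window_start": bucket,
                "distinct_low_volume_dsts": len(low),
                "distinct_dsts": len(counts),
                "spray_bytes": sum(counts[d] for d in low),
            })
    return alerts


def build_sample_flows(with_spray=True):
    """Constructed inbound flow records for one 60 s window.

    Background: 50 active subscribers each pulling about 50 kB.
    Spray: 500 otherwise idle subscribers each receiving a single 200-byte
    packet from one external source, about 13 kbit/s in total, which is
    invisible as volume yet sets up a radio bearer on every one of them.
    """
    flows = []
    for i in range(50):
        flows.append((1020 + i, "203.0.113.10", f"100.64.1.{i + 1}", 50_000))
    if with_spray:
        for i in range(500):
            third, fourth = 10 + i // 250, 1 + i % 250
            flows.append((1020 + i % 60, "198.51.100.77", f"100.64.{third}.{fourth}", 200))
    return flows


if __name__ == "__main__":
    for alert in detect_dip_spray(build_sample_flows()):
        print(alert)
```

The background sessions are excluded from the count because each carries far more than the per-destination ceiling; the spray alone supplies 500 low-volume destinations in the window, which is why a per-destination rate limit would never have fired while a distinct-destination count does.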
How CSPs and mobile carriers can do more to eliminate the DDoS challenge
As businesses put more of their assets into the cloud, effectively mitigating DDoS attacks requires real-time protection at the Internet edge. As such, effective DDoS visibility and mitigation is a must-have for converged and mobile carriers.
We also believe that a hardened DDoS defence solution is the first step a CSP/Mobile carrier must consider before rolling out NFV services. Commercial and open-source hypervisor technology is enabling the new NFV economic model to emerge, but this same technology is tremendously susceptible to DDoS – a hardened edge with respect to DDoS will be essential to ensure that this new service model is not compromised by DDoS attacks.
Real-time DDoS mitigation tools which work at the entry point of the network interconnect
In order to keep up with the shifting and progressive range of threats, appropriate solutions need to be always-on and instantly reactive. It’s clear they also need to be adaptable and scalable so that defences can be quickly and affordably updated to respond to the future evolution of DDoS threats – whatever that may entail.
The most effective method of fulfilling these aims is to utilise in-line DDoS mitigation, coupled with industry disruptive, economically viable bandwidth licensing. With this technique, an in-line DDoS mitigation engine is employed but the operator only pays for the bandwidth of attacks actually mitigated. The benefit of this approach is that it delivers full edge protection for locations in the network that are most affected by DDoS, at a fraction of the cost of traditional scrubbing centre solutions. The desirability of these tools is due to the fact that they can be constantly on, with no need for human intervention, and they provide non-stop threat visibility, attack mitigation and DDoS forensics.
Another aspect of effective DDoS mitigation is security event reporting. One of the Achilles' heels of traditional DDoS scrubbing centre solutions is that they rely on coarse sampling of flows at the edge of the network in order to determine whether an attack is taking place. DDoS attackers are well aware of the shortcomings of this approach and have modified many of their techniques to ride under the radar, below the detection threshold, in order to evade ever being redirected to a scrubbing centre. Your security posture will only be as good as your ability to visualize the security events in your environment, and a solution that relies on coarse sampling will be unable to even detect, let alone act on, the vast majority of the modern DDoS attack landscape. A robust modern DDoS solution will provide both instantaneous visibility into DDoS events and long-term trend analysis to identify adaptations in the DDoS landscape and deliver corresponding proactive detection and mitigation techniques.
Real-time responses are possible with new, high-performance, in-line DDoS defence solutions. DDoS attacks generally have a bell-shaped barrage of traffic. This is to throw off sample-based anomaly detectors – however it plays into the hands of DDoS mitigation solutions that utilize modern data analytics platforms that are optimized for detecting that a DDoS attack is underway before the system has reached a critical threshold. This is something that is simply not possible with legacy scrubbing-centre approaches.
A real business opportunity
Effective DDoS defence can be deployed either as an on-site solution or provided as a premium defence-as-a-service offering from an upstream Internet provider. Carriers are in a unique position to effectively eliminate the impact of DDoS attacks against their customers by surgically removing the attack traffic transiting their networks. In a recent survey, we asked enterprise IT teams about the role that ISPs should play in defending against DDoS attacks. Around 75 per cent of respondents indicated that they would like their ISP to provide additional security services to eliminate DDoS traffic from entering their network, and more than half would be prepared to pay for this type of premium service.
It’s clear that we are seeing only the tip of the iceberg in terms of size and sophistication of the DDoS attack landscape. So, what’s needed is a modern, fully integrated solution that can address the threat today and tomorrow, in real time—a solution that must be matched to the size of the threat. For carriers, this is an enormous opportunity to not only empower themselves to defend their own networks, but to also roll out DDoS protection services to their own customers, thus boosting customer loyalty and gaining new revenue streams.