This column is available in a weekly newsletter called IT Best Practices.
It's easier than ever for a malicious actor to launch a DDoS attack against practically any target in the world. Groups like Lizard Squad sell DDoS-as-a-Service for only a few dollars per hour. Some attackers won’t end their attacks until a Bitcoin ransom is paid. Consequently, there are now more attacks on more organizations worldwide than ever before. Akamai recently reported a year-over-year increase of 180% in the number of attacks it saw through its network.
Not only are attacks becoming more frequent, they are getting larger, too. Some recent attacks have exceeded 200 million packets per second (Mpps). An event of this size is sufficient to bring down a tier 1 router, the kind often used by Internet Service Providers (ISPs).
As the nature of DDoS attacks changes, so too must the mitigation techniques used to combat them. Cloud DDoS mitigation provider Nexusguard has recently implemented what it calls a game-changer in this space.
Nexusguard's expertise is in mitigating large and complex DDoS attacks. In 2012 the company developed its own mitigation platform. In addition to protecting end user organizations, Nexusguard works with the broader Internet supply chain. That means partnering with service providers, hosting companies, and content delivery networks to extend Nexusguard's scrubbing infrastructure and technology into their networks through an initiative called "service provider enablement."
Working with these partners complicates matters for Nexusguard because it now needs to make decisions faster than ever. When there is one DDoS attack targeting a single customer, Nexusguard easily applies its mitigation science to quell the attack. But when the company is handling traffic for service providers, there might be hundreds of end customers affected during an attack. That’s a complex task that requires a lot of maneuvering at L3 and L4 on the network side, and L7 on the application side.
When an attack on a service provider happens, even before the mitigation can take place, Nexusguard has to ensure all the traffic can be routed to its scrubbing centers. These decisions have to be made at scale. For example, when an ISP swings a block of IP addresses to Nexusguard, it might be 256 routing decisions that have to be made quickly. Even a team of the best network engineers can't handle this all at once manually, so Nexusguard looked for a solution to help it make intelligent routing decisions automatically. What the company found is a Software Defined Networking (SDN) solution called PoP Manager from Serro Solutions. (See Real business opportunities that are only possible through SDN.)
One of the functions of cloud-based DDoS mitigation is route engineering to send the traffic to a scrubbing center where the actual mitigation takes place. Traditionally smart people make those decisions, but it's too unwieldy when the engineers are under time pressure and handling concurrent attacks, and there are too many peering partners to consider. This is where mistakes happen. But SDN takes much of the human decision-making out of the process for Nexusguard.
There is a baseline interaction between the Nexusguard data processing infrastructure and the Internet. It relies primarily on the Border Gateway Protocol (BGP) to communicate reachability information to service providers. There are mechanisms and control structures within that reachability distribution that allow Nexusguard to signal to a service provider to send a particular customer's data in one direction or another; for example, to the San Francisco PoP, or the Miami PoP, or elsewhere, depending on what's going on. Requesting that behavior from the Internet is only as effective as Nexusguard's ability to make a change, detect what happened, and decide whether something else needs to change. The net result is control over the flow of Nexusguard's customers' data through the cloud data processing infrastructure.
Once that data arrives in a Nexusguard scrubbing center, the mitigation secret sauce kicks in to analyze the traffic and detect the attack packets. Nexusguard's system then notifies the SDN network that something is going on with a particular flow, a precisely defined subset of the packets. What to do with that flow comes down to a business policy.
Based on the details that the Nexusguard attack sensing technology determines, it can feed those parameters to the SDN network. SDN essentially turns those parameters into router instructions and applies them across the entire system. This solves a host of problems all at once -- sensing, parameterizing, and then turning those parameters into configuration changes on routers that influence the global routing table according to which end customers are the targets.
The benefits of this approach are myriad. End customers and ISPs receive faster mitigation of attacks because the complex decision making is now done by machines, not humans. Also, no customer needs to be null-routed in order to preserve service for all other customers of an ISP. Nexusguard saves on operational costs by routing traffic to lower cost network segments. This helps to avoid bandwidth overage charges, and the savings are enough to pay for the entire SDN solution. At the same time, the automated routing can take into account factors such as who the end customer is and what priority that customer's data has and appropriately route a customer's traffic according to policy.
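As an added illustration (not Nexusguard's or Serro Solutions' code), here is a small Python model of the policy step described above: the attack sensor reports attacked prefixes, and a policy routine picks a scrubbing PoP by customer priority and network cost without null-routing anyone. The PoP names come from the article; the capacities, cost ranks, sample flows and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical PoP table: capacities (Mpps) and cost ranks are constructed,
# lower cost_rank means a cheaper network segment to carry the traffic.
POPS = {"San Francisco": {"capacity_mpps": 150, "cost_rank": 1},
        "Miami":         {"capacity_mpps": 100, "cost_rank": 2}}

@dataclass
class Flow:
    prefix: str      # customer prefix the sensor saw attack traffic toward
    priority: int    # business priority of the customer (higher is placed first)
    mpps: int        # attack volume the sensor reported for this prefix

@dataclass
class Decision:
    prefix: str
    pop: str
    overloaded: bool = False   # True when no PoP had headroom (operator alert)

def route_flows(flows, pops=POPS):
    """Turn sensor output into per-prefix routing decisions by policy:
    place highest-priority customers first, send each to the cheapest PoP
    with headroom, and never null-route: if nothing fits, use the least-loaded
    PoP and flag the decision so a human can review it."""
    load = {name: 0 for name in pops}
    decisions = []
    for f in sorted(flows, key=lambda f: (-f.priority, f.prefix)):
        ip_network(f.prefix)  # raises ValueError on a malformed prefix before any route is emitted
        fits = [n for n in pops if load[n] + f.mpps <= pops[n]["capacity_mpps"]]
        if fits:
            name = min(fits, key=lambda n: pops[n]["cost_rank"])
            decisions.append(Decision(f.prefix, name))
        else:
            name = min(pops, key=lambda n: load[n] / pops[n]["capacity_mpps"])
            decisions.append(Decision(f.prefix, name, overloaded=True))
        load[name] += f.mpps
    return decisions

# Constructed sensor output: three customers under attack at the same time.
SAMPLE = [Flow("198.51.100.0/24", 1, 120), Flow("203.0.113.0/24", 5, 90),
          Flow("192.0.2.0/24", 3, 60)]

if __name__ == "__main__":
    for d in route_flows(SAMPLE):
        print(d)
```

The low-priority 120 Mpps flow ends up flagged on Miami rather than dropped, which is the "no customer is null-routed" behavior the article describes.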
This PoP Manager SDN solution bridges the gap between the technical aspects of DDoS mitigation, like identifying attacks and mitigating them, and the business side, which is resource management and business policy. This is something that happens naturally with a knowledgeable engineer who knows both the business side and the underlying technology, but it happens on a human timescale. The SDN solution works on a machine timescale, which offers rapid response, continuous availability, and reliable accuracy. According to Nexusguard, this is a game-changer, and it's the future of cloud-based DDoS mitigation.