Corero says its always-on DDoS defense system automatically safeguards service providers  

Legacy approaches and mitigation techniques don’t seem to be capable of fighting off DDoS attacks. Corero claims it can stop them instantaneously

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

The massive DDoS attack that was aimed in stages at DNS provider Dyn in October 2016 did more than grab headlines. It also served as a wake-up call to companies that provide the global Internet infrastructure, as well as downstream operators and service providers. Many experts fear this attack could prove to be a tipping point in the battle to maintain stability and availability across the Internet.

Research shows the attack originated from an Internet of Things (IoT) botnet that involved an estimated 100,000 devices. Dyn experienced packet flow bursts 40 to 50 times higher than normal, and unverified reports put the magnitude of the attack in the 1.2Tbps range. The attack used multiple vectors and required a variety of techniques to fight off.

While the Dyn attack had significant impacts – many East Coast users were unable to access various marquee brands for several hours – the size and scope of this attack was certainly anomalous by many standards. Most attacks are much smaller, but they occur much more frequently than most people suspect.

“Notwithstanding all of the news about Dyn and the Mirai botnet, the actual size of most DDoS attacks continues to be quite small in terms of the representation of the overall landscape,” says Dave Larson, COO/CTO of Corero Network Security. “93% of all attacks are still less than a gig, and that’s because they are being generated by scanning tools, telemetry tools and automated bots that are trying to do some kind of floor planning to look for vulnerabilities in environments.”

Larson says there is a tremendous amount of DDoS activity that is “under the radar.” Corero provides DDoS mitigation that is always-on, meaning it sees every packet entering a network, so the company sees more attacks on a relative basis than other DDoS solution vendors that don’t operate inline. “We literally see every attack, small and large, and we are able to count them and see how they are all related to each other in context,” says Larson. Corero observes an average of 4.5 attacks per day, per customer.

In the early days of DDoS attacks two decades ago, operators handled an attack with a null route; i.e., a remote trigger blackhole. If they detected something going awry, they would look at the victim – the IP that was targeted – and null route everything associated with the victim. This got the attack traffic off the operator’s network and stopped the collateral damage against other unintended victims. However, it sacrificed the victim in the interest of keeping the rest of the network viable. Unbelievably, this crude technique is still a common way in which service providers deal with attacks today.

A slightly more advanced technique involves routing the attack traffic to a scrubbing center, where it goes to an appliance that is manned by humans who attempt to remove the bad traffic and return the legitimate traffic to the target. This process is resource-intensive and thus expensive. Plus, there’s often a delay in starting up this mitigation tactic once an attack starts.

Corero’s SmartWall Threat Defense approach puts the detection and mitigation appliance at the network or peering edge and is designed to, the company says, provide always-on, instantaneous protection. The mitigation capacity is typically matched to the edge capacity of the network. As an attack comes in, it is detected and removed while good traffic is sent on its way. The company claims that 99% of all mitigations do not require any human activity by either Corero’s or the customer’s SOC analysts.

The solution is modular and scales in 20 gig increments. At this writing, Corero has a variety of customers that have deployed between 100 and 200 gigs of capacity, and there is one customer that has gone to 720Gbps.

Corero supports two types of deployments: physical in-line and virtual in-line. In a physical in-line deployment, the appliance sits just outside a customer’s edge routers, with the goal of removing all attack traffic before it touches any of the infrastructure. This approach works best for operators and service providers that need a maximum of 200G to 400Gbps of capacity.

For customers with bigger needs, such as a regional operator or a larger carrier seeking multiple terabits of capacity, Corero offers a virtual in-line configuration. In this case the appliance sits between an A/B high redundancy pair of routers on the edge and uses virtual route forwarding (VRF) technology in the edge routers. It could be a Cisco ASR, a Juniper MX or an Alcatel Lucent 7950 class device, whereby traffic hairpins out of the router into the array of SmartWall TDS and back, matching the capacity to whatever the maximum expected attack capability is.

Consider a company with 400G or 500Gb in a particular region that doesn’t expect to ever see more than 200Gb of attack. The operator could right size its always-on mitigation capability by setting the default routes so ISP traffic comes into the router, gets fanned out among the array of SmartWall TDS devices, and then returned and sent southbound into the network. This is done without any kind of generic routing encapsulation (GRE) and no route loops. The deployment can grow by adding SmartWall elements to the array if needed.

Corero says this allows it to deliver very high capacity mitigation for about one-fourth the cost of competitors’ solutions, with the ability to add more capacity in increments. What’s more, if any part of the array fails, the system loses a 10 gig component. Traffic routes around the failed unit but keeps going—a critical feature for an in-line appliance.

The instantaneous nature of Corero’s DDoS defense system enables providers to sign up their customers for various SLA service offerings for DDoS always-on clean pipes. Some ISPs use this as a way to generate additional revenue, while others give it away as a competitive advantage. Either way, the end customers see a benefit from never experiencing an outage due to a DDoS attack, even if the provider is being hit many times every day.

Corero aggregates all activity into a feature called SecureWatch Analytics, which is based on an OEM version of Splunk that is included in the solution. This allows customers to visualize and understand the DDoS environment as perceived by the Corero tool in their environment. The operator can generate reports to prove the value of this solution to its own customers.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT