Rethinking DDoS Security for the Era of Cloud and 5G

PinIt
DDoS

The enormous capacity offered by 5G and cloud offer unprecedented opportunities for DDoS attacks. What you need to be considering.

Our way of life, the global economy and public safety increasingly depend on interconnected digital systems. Communication networks play a crucial role in enabling humans and machines to interact instantaneously, intuitively and securely. The cloud has become an indispensable application resource and content repository, with massive amounts of compute and storage capacity hosted in countless interconnected data centers all over the world.

The stage is set for the next evolution phase with 5G communication technology as the key enabler for a digital transformation that is rearchitecting communication infrastructures, revolutionizing industries, shaping our digital society and powering smart cities. 5G clearly represents an enormous potential for new applications, experiences, and business opportunities, but it also exposes us to new threats.

The enormous capacity, connectivity and new low latency services enabled by 5G offer unprecedented opportunities for cybercriminals to launch large-scale Distributed Denial of Service (DDoS) attacks on valuable online assets and vulnerable infrastructure. The costs for businesses already average over USD 100,000 per hour, with over 80% of enterprises experiencing at least one attack per year. The potential consequences for industries are far greater as

See also: Cloud computing driving uptake in manufacturing IoT

DDoS attacks can harm productivity and sabotage automated manufacturing processes by slowing down latency sensitive control applications and severing connections with the cloud. DDoS attacks on public utilities and smart city infrastructure can cause severe damage and endanger public safety by disrupting time-critical fail-safe mechanisms and essential, mission-critical services.

When communication service providers allow their networks to propagate volumetric DDoS attacks it may damage their reputation, impact their ability to acquire and retain customers and jeopardize peering relations with other networks.

It is therefore essential to protect the network, its users and their valuable payload against these cyber-attacks, but most networks lack the inherent capabilities to do so efficiently. The internet we have today is founded on the basic tenets of unfettered access, the “end to end principle”, and a “don’t be evil” moral code and the routers powering the internet emphasized connectivity, capacity and cost per bit over security and assurance.

While perfect for binge-watching Netflix, most routers are simple forwarding devices that have limited visibility and control over the traffic flowing through them. They’re built to deliver data packets, and what’s inside is not their concern. This opens the door for abuse and cybercriminals don’t make it easy to distinguish between legitimate traffic and DDoS packets by setting an “evil bit” in the packet header.

There are “evil bytes” or bit patterns in the IP payload itself that can identify DDoS packets, but this requires deep packet inspection (DPI) techniques that are typically only supported in specialized security appliances such as firewalls. However, the capacity of these appliances is orders of magnitude lower and their cost per bit orders of magnitude higher than routers, which makes it cost prohibitive to protect more than a very small portion of all network traffic.

When a network element or a connected user experiences a DDoS attack, the common practice is to selectively redirect contaminated user traffic to scrubbing centers that are equipped with a large stack of security appliances to cleanse any DDoS traffic.

When it rains, it floods

This conventional DDoS protection approach works to a degree, in the same way, an umbrella protects a single person against the rain. But volumetric DDoS attacks are the cyber equivalent of Category 4 and 5 hurricanes, flooding websites with terabit level traffic surges that can cause internet brownouts and widespread service outages. And unlike hurricanes, volumetric DDoS attacks are man-made disasters.

They range from random acts of vandalism and racketeering to meticulously planned acts of industrial sabotage or cyber warfare designed to inflict maximum damage. Attacks can apply a variety and combination of attack methods and launch from anywhere on the internet, from locally infected users or compromised servers in a cloud data center.

They’ll strike at peak hours when the damage potential is highest and network resources and operational personnel are already stressed. It takes considerable skill and effort to discover the latest security vulnerabilities, design attack tools, and marshal botnets, but all it takes to order a volumetric DDoS attack is forking over a few bitcoins and punching in a URL or IP address.

See also: 5 tips to keep from getting trapped in the cloud

Moore’s Law in combination with 5G access speeds will make it possible to launch terabit-level DDoS attacks with far fewer hijacked devices than the estimated 100,000 devices it took the Mirai botnet just a few years ago. As DDoS attacks increase in frequency and magnitude it becomes increasingly cumbersome, cost prohibitive and time consuming to address DDoS security threats with conventional methods that rely on manual intervention and redirecting contaminated traffic to scrubbing centers for analysis and cleansing.

These limitations make scrubbing centers themselves vulnerable to DDoS attacks by randomly attacking multiple targets or entire subnets, thereby forcing to redirect far more traffic than can be handled. Moreover, an increasing set of 5G applications such as industrial automation, virtual and augmented reality, haptic or tactile internet applications and mission-critical services require reliable, low-latency connectivity.

The added transmission delays caused by redirecting their traffic to an off-line scrubbing center would immediately complete the DDoS attack and break these applications. These are all issues that can’t be solved by bigger, better or more security appliances, but require a rethink of the entire security architecture.

Rethinking the umbrella

The era of cloud, 5G and the Internet of Things requires a far more scalable, robust, and cost-effective approach that makes the IP network an integral part of the security solution and a first line of defense against volumetric DDoS attacks, as opposed to addressing security gaps with point-solutions:

  • Distributed, in-line DDoS filtering at the network perimeter, as opposed to centralized, off-line solutions based on scrubbing appliances
  • Line-rate DDoS filtering with deterministic performance, as opposed to incurring additional round trip time delays by redirecting traffic
  • Full protection coverage of all connected users and traffic, as opposed to limited coverage and protecting only select high-value targets
  • 360° symmetric protection of the entire network perimeter, as opposed to asymmetric solutions focused only on the peering edge
  • Proactive and reactive DDoS protection and mitigation, as opposed to solely relying on reactive countermeasures on attack detection
  • Automated DDoS attack detection, analysis, and mitigation, as opposed to relying on manual intervention to stop attacks in progress

 

BylineImage_v2_nologo

Figure 1: Rethinking DDoS security by making the network part of the solution

A conceptual view of the DDoS target architecture is shown in Figure 1. This architecture leverages the latest developments in programmable routing silicon, AI and machine learning to establish a smart network fabric that can cost-effectively monitor data flows and scrub volumetric DDoS traffic in-line at the network perimeter, while significantly reducing the cost and time required to detect and mitigate these attacks through automation.

Recent breakthroughs in programmable routing silicon overcome the limitations of conventional router ASICs by leveraging massive parallel processing capacity to deliver terabit-level forwarding capacity in combination with stateless packet inspection capabilities that extend well beyond 5-tuple IP header fields into the actual data payload.

Border routers at the peering edge and gateway routers at provider edge and data center edge that are equipped with such silicon can cost-effectively and surgically mitigate volumetric DDoS attacks without the aid of dedicated security appliances. Besides being far more cost effective than conventional solutions based on scrubbing centers, in-line DDoS filtering capabilities at line rate allow extending coverage to protect all connected users and traffic, while ensuring that DDoS countermeasures do not break latency-sensitive applications.

Using the latest developments in cloud-based analytics, AI and machine learning enables closed-loop automation of DDoS detection, identification, mitigation and efficacy monitoring. Upon initial detection of a potential DDoS attack based on analyzing streaming telemetry data, packet samples from suspicious flows are collected and AI and machine learning techniques are applied to detect invariants that correspond with known or likely DDoS signatures. Once matching DDoS signatures are identified, corresponding DDoS filters are programmed on the routers to mitigate the attack and monitor the efficacy of the countermeasures. A final step is to record the DDoS signature and its countermeasures in a global library that can be automatically shared with the wider operator community.

Forecast and advisory

It will take some time to shift the current mindset in this new direction, but the technology foundation is there, and some urgency is warranted because 5G deployments are already taking off in the US and several other markets. We believe that this next generation architecture can elegantly coexist with existing security practices in a layered DDoS security model in which IP edge routers at the network perimeter become the first line of defence against DDoS attacks. This approach allows offloading of volumetric traffic from security appliances in scrubbing centers and redeploy them in data centers as the second line of defense against state exhaustion and application-layer DDoS attacks on service endpoints.

Arnold Jansen

About Arnold Jansen

Arnold is responsible for promoting products and solutions for the IP/optical networks group at Nokia. Arnold has held a number of roles in research and innovation, sales, product management, and marketing during his 25 years in the telecommunications industry. He holds a Bachelor degree in Computer Science from the Rotterdam University of Applied Sciences.

Leave a Reply

Your email address will not be published. Required fields are marked *