Current Filter: >>>>>>

   

Not that we needed reminding, but the recent hack on Carphone Warehouse shows that DDoS attacks are a growing threat for any Internet connected business housing sensitive data such as credit card details and other personally identifiable information (well that narrows the field of impact!).

As businesses put more of their assets into the cloud, mitigating DDoS attacks requires real-time protection at the Internet edge. As such, DDoS is a growth area for Internet service providers (ISPs) given their bandwidth capacity and volume of customers.

This DDoS problem actually provides ISPs with a golden opportunity to provide sophisticated DDoS protection as a service, and this of course opens up a new revenue stream that could also build customer loyalty. By taking advantage of dynamic mitigation bandwidth licensing, providers can scale their mitigation services to meet the demands of the evolving DDoS threat, without breaking the budget. This approach enables providers to extend their mitigation offering further by providing DDoS Defence-as-a-Service offerings to subscribers.

To understand the advantages of dynamic mitigation bandwidth licensing, it's useful to consider how DDoS protection has evolved from the early days of desperation into a more rational and targeted response. This is a key component in any DDoS preparedness plan.

When DDoS first surfaced as a method of cyber-attack, Internet providers responded with unsophisticated techniques such as Blackhole routing. An ISP would advertise a null-route for the victim's IP address, effectively blacklisting them, so that all traffic destined for that address was discarded by upstream peers. Doing this protected other customers using the infrastructure but completely denied service to the intended victim.

The next wave of response was to utilise off-site scrubbing centres by injecting a new route to divert bad traffic to a central location for inspection and mitigation. This rerouting of DDoS flows allowed removal of some enemy traffic and helped to get customers back up and running. Unfortunately, the average time from detection to mitigation in a scrubbing centre environment is 30 minutes, but as the majority of attacks are shorter in duration than this, many attacks still go unchallenged.

In addition, out-of-band scrubbing centres also require human intervention, meaning that costs can escalate rapidly. Furthermore, in this mitigation scenario, detection is performed using coarse sampling techniques that are only sensitive to the largest of attacks and again, a high volume of attacks go undetected and are never passed through to the scrubbing operation, allowing attack traffic to pass to the intended victim.

Given these limitations, it's no wonder that organisations are now looking to their ISPs and carriers for a real-time solution to protect them from the increasing DDoS threat. The time has come to get off the back foot and move to a dynamic, rather than reactive, stance.

The next generation of DDoS mitigation requires a high-performance, in-line, DDoS removal engine that can mitigate attacks in real-time. Because it is always on, this type of automatic attack mitigation provides continuous visibility and forensics. As a result, the time from detection to mitigation of an attack shrinks to almost nothing, because it eliminates the need to manually analyse events and reroute traffic for cleaning.

As ISPs change their approach in dealing with the DDoS threat, pressure mounts to maintain their credibility and protect their customers from avoidable DDoS attacks. If a provider propagates a DDoS attack that results in the loss of a customer's data or effectively shuts their site down, this will harm that service provider's reputation and potentially their revenue as well. ISPs therefore have both a responsibility and an opportunity to offer smart pipes, enhance the user experience, and improve DDoS protection across their infrastructure. NC