Protecting networks at scale is hard. If every provider had only a few 1G links, the existing solutions might indeed be sufficient for another few years. But 1G connections are not the norm these days. Providers are packed with 10G and 100G links, most of them with dual connections for redundancy. Network security for high-volume networks is failing, and security professionals need to delve deeper into their approach to 100 Gbps DDoS protection. Protecting at Terabit scale requires a shift in focus that covers many angles.
This series of blog posts digs into the inadequacies of current security architectures for 100 Gbps DDoS protection. Existing solutions fall dramatically short in many areas: rigid ASICs, unscalable NPUs, too much state, and inflexible multi-vendor, multi-vintage deployments. Each of these exposes valuable company assets to malicious attack. If you decide not to optimize every aspect of the security solution, you will be left with suboptimal layers and a number of elephants in the room, including combined modes and architectural limits. We can’t afford to operate this way, especially when the largest managed services are dropping.
Examine all sides
For an accurate analysis, security enforcement should be considered from many perspectives. The core requirement for adequate protection is to look at all sides of the issue. Nothing should be left out.
The feature set and device functionality are the key areas, but architectural options and ease of integration into the current design are just as important. Cultural change is often overlooked. Centralized versus distributed security design is the art of the engineer, and the topic is surely debatable, but you shouldn’t be cornered into one architecture solely on the basis of price. Many established networking practices still apply here, for example availability zones and failure domains.
Operator ownership of the security solution is necessary. As network security teams learn from the threats and attacks they face, they must be able to build their own mitigation solution. Appliances typically send the message “we do good stuff,” but don’t really enumerate what they can and cannot protect against, leaving teams afraid to remove the appliance yet never quite sure how protected they are.
These areas work side by side, and each one is as relevant as the other. There is no point focusing on low price when all the functionality is bundled into an all-in-one device that is impossible to scale, troubleshoot and distribute inline. If you don’t spread your focus evenly, your entire mitigation solution will lag and be unable to cope with today’s volume of DDoS traffic.
Watch out for Lagging Solutions
Traditional mitigation techniques such as Remotely Triggered Black Hole (RTBH) and Access Control Lists (ACLs) are useful in themselves. The drawbacks surface when they are expected to run efficiently on current networking/routing gear.
Combined with traditional routing gear, these techniques are inflexible and unable to adapt to the fast-moving landscape of powerful attacks; they become ineffective and cannot evolve. Many existing mitigation techniques are technically sound, but once combined with traditional gear they lag as a concept.
The solution you buy today must have a planned roadmap of features to deal with future attacks, especially as link bandwidth increases. The challenge we face is that 100G links are the norm these days, and it’s easy to max out a 100G link with a volumetric attack. It’s hard to find a scrubbing solution that mitigates attacks on 100G links at reasonable Mpps rates. Traditional appliances are not a cost-effective solution, and the business usually concludes that it’s too expensive to protect against DDoS at this scale.
Many existing solutions have insufficient performance against the escalating intensity of attacks. The sheer grid of attack sources, combined with the maze of attack types, is turning up the heat on security professionals.
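To make the Mpps point above concrete, here is an added example (not from the original post) that computes the packet budget of a 100G link and what share of a small-packet flood a scrubber can actually inspect. The 30 Mpps device rating is a constructed figure for a hypothetical appliance, not a real product; the 20-byte per-packet wire overhead is standard Ethernet preamble plus inter-frame gap.

```python
import math

# Ethernet framing overhead per packet on the wire: 7-byte preamble + 1-byte
# start-of-frame delimiter + 12-byte inter-frame gap. It sits outside the
# frame length but still consumes link capacity.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64     # smallest legal Ethernet frame (incl. FCS)
MAX_FRAME_BYTES = 1518   # largest standard (non-jumbo) frame (incl. FCS)


def line_rate_pps(link_gbps: float, frame_bytes: int) -> float:
    """Packets per second needed to saturate the link with frames of one size."""
    bits_per_packet = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / bits_per_packet


def scrubbable_fraction(link_gbps: float, frame_bytes: int, device_mpps: float) -> float:
    """Share (0..1) of a full-rate flood at this frame size that a device rated
    at device_mpps can inspect; the remainder is forwarded or dropped blind."""
    needed = line_rate_pps(link_gbps, frame_bytes)
    return min(1.0, device_mpps * 1e6 / needed)


def min_frame_for_line_rate(link_gbps: float, device_mpps: float) -> int:
    """Smallest frame size (bytes) at which the device still keeps up with line rate.
    Solves link_bps / ((frame + overhead) * 8) <= device_pps for frame."""
    frame = link_gbps * 1e9 / (device_mpps * 1e6 * 8) - WIRE_OVERHEAD_BYTES
    return max(MIN_FRAME_BYTES, math.ceil(frame))


def capacity_report(link_gbps: float, device_mpps: float) -> list:
    """Rows of (frame size, Mpps at line rate, fraction the device can handle)."""
    rows = []
    for size in (MIN_FRAME_BYTES, 128, 512, MAX_FRAME_BYTES):
        rows.append((size, line_rate_pps(link_gbps, size) / 1e6,
                     scrubbable_fraction(link_gbps, size, device_mpps)))
    return rows


if __name__ == "__main__":
    # Constructed figures: a 100G link and a hypothetical scrubber whose datasheet
    # says "100 Gbps" but which only sustains 30 Mpps.
    LINK, DEVICE = 100.0, 30.0
    for size, mpps, frac in capacity_report(LINK, DEVICE):
        print(f"{size:5d} B frames: {mpps:7.1f} Mpps at line rate, "
              f"device covers {frac:6.1%}")
    print(f"device keeps up with line rate only for frames >= "
          f"{min_frame_for_line_rate(LINK, DEVICE)} B")
```

A "100 Gbps" rating only holds at large frame sizes; against a 64-byte flood the hypothetical device inspects about a fifth of the link, which is the gap the post is warning about.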
Why do existing solutions have so many drawbacks? For a start, they usually base their platforms on some of the following features:
1. Rigid ASICs.
2. Packet parsing limitations.
3. Flaky uRPF (unicast Reverse Path Forwarding).
4. Unscalable NPUs.
5. Too much state.
6. Multi-vendor, multi-vintage deployments.
7. Combined security and mission modes.
8. Architectural limits.
We will dig into these 8 deficiencies in the next post and highlight areas you should be wary of when re-architecting your network security for 100 Gbps DDoS protection. Think you have something to add to this list? It wouldn’t be a surprise as we struggle to put 100 Gbps DDoS protection in place.