DDoS attacks against Customers are the top security threat facing service providers today. These attacks, however damaging, also present an opportunity: there are substantial profits available to those service providers able to provide effective mitigation against them. This mitigation is not easy, though, and implementing a profitable DDoS protection service is rife with technical and economic pitfalls.
The Problem with Volumetric DDoS Attacks
DDoS attacks are on the rise. One recent report finds that more than half of all service providers face a staggering 51 attacks each month. And these attacks are getting bigger – the latest attacks have generated sustained traffic in excess of 1 Terabit per second.
Service providers are stuck between a rock and a hard place when it comes to mitigating these attacks. On one hand, traditional service provider safeguards simply do not scale to the size of these modern attacks. On the other hand, third-party scrubbing services, while providing greater (yet centralized) scale, are prohibitively expensive.
It is a tough nut to crack. Service providers are compelled to do something because these attacks can easily bring down all but the largest service providers – and in turn significantly impact their customers.
How to Build Better DDoS Mitigation (While Turning a Profit)
How can a service provider build a DDoS mitigation solution with the scalability their existing defenses lack, without the huge price tag that comes with scrubbing centers? To answer that, let’s examine the problem a little more …
First of all, there are on-premises solutions available that can scale reasonably well. However, they have a major problem: cost. Scaling these solutions comes at significant expense, and since effective coverage requires deployment at every ingress point, the economics simply don’t work … But there is a way to avoid this.
Akamai reports that 95 percent of cyber-attacks are volumetric in nature, meaning they target lower levels of the OSI stack (L3/4). These attacks do not require sophisticated “climb up the stack” DDoS detection. What they really require is a brute-force mitigation tool that can successfully handle massive volumetric DDoS attacks while letting good traffic through unabated.
And that is the key to solving the service provider DDoS protection puzzle. The costs incurred to design and build full-stack mitigation solutions (combining volumetric and application level countermeasures) are extreme, so don’t do it. Rather, decouple the expensive detection technology from the brute-force mitigation hardware by placing a single, powerful detection appliance at the core of your network and installing much less expensive mitigation enforcement appliances at each ingress point. Pound for pound, dollar for dollar, this is the heavy hitting combination.
BGP Flowspec is the Key
BGP Flowspec enables precisely the kind of solution service providers need. The core detection appliance sits and watches for DDoS attacks. When it detects a volumetric attack, it sends the necessary rules to the perimeter mitigation devices. Be aware, though, that the number of rules required may easily be several hundred thousand or more. Routers and firewalls won’t work here: they simply cannot handle that many rules without being brought to their knees, and mitigating an attack that large will substantially degrade their ability to handle their core functions.
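To make the rule push concrete, the Python below is an added example (not code from the original article or from Corsa) that encodes one such mitigation rule as a BGP Flowspec NLRI plus a traffic-rate action of zero, following the RFC 8955 wire format. The victim address, port, AS number 64512 and all function names are constructed for illustration.

```python
import ipaddress
import struct

# RFC 8955 component types
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6

def prefix_component(ctype, cidr):
    """Type, prefix length in bits, then only the significant prefix bytes."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values):
    """Type, then (operator, value) pairs meaning value == v, ORed together."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        size_code = 0 if v < 0x100 else 1   # 1-byte or 2-byte value
        op = 0x01 | (size_code << 4)        # eq bit plus value-length bits
        if i == len(values) - 1:
            op |= 0x80                      # end-of-list bit on the last pair
        out.append(op)
        out += v.to_bytes(1 << size_code, "big")
    return bytes(out)

def flowspec_nlri(components):
    """Components in ascending type order, prefixed with the NLRI length."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate_community(asn, bytes_per_sec):
    """Extended community 0x8006: 2-byte AS, IEEE float rate; 0.0 = discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

def discard_rule(victim_cidr, proto, src_ports, asn=64512):
    """Match traffic to the victim by protocol and source port, then drop it."""
    nlri = flowspec_nlri([
        prefix_component(DST_PREFIX, victim_cidr),
        numeric_component(IP_PROTO, [proto]),
        numeric_component(SRC_PORT, src_ports),
    ])
    return nlri, traffic_rate_community(asn, 0.0)

if __name__ == "__main__":
    # Constructed sample: drop UDP (17) from source port 123 to one victim host.
    nlri, action = discard_rule("198.51.100.7/32", 17, [123])
    print("NLRI  :", nlri.hex(" "))
    print("action:", action.hex(" "))
```

Each rule is only a dozen or so bytes on the wire; the scaling limit described above lies in how many such match entries the enforcement device can hold and apply at line rate.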
A dedicated volumetric DDoS mitigation enforcement device, such as Corsa’s Red Armor, is the perfect solution for perimeter-based volumetric DDoS attack mitigation. It is purpose-built to handle hundreds of thousands of mitigation rules at true 100G line-rate speeds with no throughput degradation (149 Mpps with 64-byte frames).
Similar to using a CDN, the latency reduction enabled by disaggregation provides real-world revenue benefits for your Customers. As is widely reported, 100 milliseconds of latency reduces Amazon’s revenue by at least 1%. Using a traditional scrubbing service, with its redirection and GRE tunnels, can easily add 100 milliseconds or more to traffic flows. This is also an issue for latency-sensitive applications.
This elegant approach to DDoS mitigation – disaggregating the actual mitigation from intelligent (and expensive) detection – leads to vastly better economics when compared to traditional scrubbing centers.
A Corsa Red Armor solution leveraging a smaller in-line application layer mitigation appliance can actually have a lower cap-ex than the annual op-ex of a traditional scrubbing center!
It gets better. Providing this scrubbing center as a service at normal market rates means just three Customers can pay for the equipment investment in one year!
Face the Threat, Take Advantage of the Opportunity
Don’t let the Tier 1 providers take all the profits. Share in the business by benefiting from a simplified, profitable approach to Scrubbing Center architectures. Build your own profitable DDoS protection solution today.