The size, frequency and complexity of Distributed Denial of Service (DDoS) attacks are increasing. According to figures from Arbor’s ATLAS network, in the Middle East, by the end of 2013, the average attack size was 2.8 Gbps, higher than the global average of 2.3 Gbps. Because of this, security and availability are now among the top requirements of IT departments in businesses across the region. Unfortunately, when it comes to today’s range of sophisticated DDoS attacks, traditional security products, such as firewalls or intrusion prevention systems, are proving to be inadequate.
Enterprises in the Middle East are now more concerned about this than ever before, and regional Internet Service Providers (ISPs) can help them combat these threats while simultaneously creating lucrative new revenue streams. DDoS attacks that impact the availability of services represent a significant opportunity for ISPs. In the face of the ever-present challenge of retaining existing customers while attracting new ones, offering more high-value services such as managed security could even prove to be a competitive advantage.
The market demand for managed security services is real and growing. Moreover, the managed security and security monitoring services segment will continue to yield the highest percentage of total revenue in the Managed Security Services Provider (MSSP) market. Service providers have some inherent advantages that enable them to capitalize on this demand because they own the ‘pipes’ that transmit data across the Internet. This makes ISPs uniquely positioned to deliver a comprehensive solution that can combat the three primary types of DDoS attacks.
The Three Types of DDoS Attacks
‘Volumetric’ DDoS attacks are usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. Because of the high-bandwidth and distributed nature of these attacks, the congestion is likely to occur upstream in the provider’s network and therefore cannot be stopped at the enterprise or data-center edge.
In addition, ‘application-layer’ DDoS attacks compromise the business viability of service provider customers. These attacks target specific services and consume lower bandwidth. These newer application-layer DDoS attacks threaten a myriad of services ranging from Web commerce and DNS services to email and online banking. And they are becoming far more frequent than ever before. In Arbor’s Annual Worldwide Infrastructure Security Report, nearly 90% of survey respondents admitted to having experienced application-layer attacks.
The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and customers will be looking for solutions.
An increasing threat these days in the region is the targeting of stateful devices. Because firewall and IPS devices are “stateful” inline solutions that must track every connection passing through them, they are themselves vulnerable to DDoS attacks and often become the targets. Firewall and IPS devices will continue to choke even during moderate DDoS attacks and can be the first points of failure during an attack.
Why ISPs are ideally positioned to respond
The best place to stop volumetric DDoS attacks is in the ISP cloud via network-based DDoS protection, because saturation happens upstream and can only be remediated in the provider’s cloud. On the other hand, the best place to perform application-layer DDoS detection is in the data center itself, because the attack can only be detected and quickly mitigated at the data center edge. Only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a Customer Premises Equipment (CPE) based service component to stop application-layer DDoS attacks. This approach presents a distinct competitive advantage.
There are cost efficiencies at work, too. Today with ISPs already supplying managed firewalls, Secure Socket Layer virtual private networks (SSL VPNs), intrusion detection systems (IDS), intrusion prevention systems (IPS) and other security measures, adding an incremental managed DDoS protection service can be relatively straightforward and cost-efficient.
Providers hoping to add a comprehensive DDoS mitigation service to their offerings must ensure that the solution they implement supports the following:
- Both in-line and, more importantly, out-of-band deployment to avoid being a single point of failure on the network.
- True ‘distributed’ DoS (DDoS) attack detection, which requires broad visibility into the network, not just from a single network perspective, and the ability to analyze traffic from different parts of the network.
- Attack detection using multiple techniques such as statistical anomaly detection; customizable threshold alerts; and fingerprints of known or emerging threats that are based on Internet-wide intelligence.
- Mitigation that can easily scale to handle attacks of all sizes, ranging from low-end (e.g., 1 Gbps of mitigation, deployed in the data center) to high-end (e.g., 40 Gbps of mitigation, deployed in the ISP network).
The solution must also feature managed security service enablers. These include application programming interfaces (APIs) for integration with existing systems; the ability to launch a customer portal easily; provisioning templates; fault tolerance; and redundancy.
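To make the detection requirements above concrete, here is an added example (not Arbor’s code or any product’s logic) that applies the three listed techniques, a statistical baseline, a fixed threshold alert and a known-pattern fingerprint, to constructed per-second traffic summaries and labels each as the volumetric or application-layer attack type described earlier. The link capacity, z-score limit and fingerprint string are assumptions.

```python
from statistics import mean, pstdev

# Constructed per-second summaries for one protected web service:
# (bits/s, HTTP requests/s, dominant User-Agent). Values are made up.
QUIET_WINDOW = [
    (80_000_000, 400, "Mozilla/5.0"),
    (90_000_000, 420, "Mozilla/5.0"),
    (85_000_000, 390, "Mozilla/5.0"),
    (95_000_000, 410, "Mozilla/5.0"),
    (88_000_000, 405, "Mozilla/5.0"),
]
LINK_BPS = 1_000_000_000   # assumed 1 Gbps customer uplink
Z_LIMIT = 3.0              # sigmas above the learned baseline that count as anomalous
# Assumed fingerprint of a known scripted flood client (placeholder value).
FINGERPRINTS = {"python-requests/2.x": "scripted-client"}


def learn_baseline(window):
    """Mean and standard deviation of bits/s and requests/s over a quiet window."""
    bps = [w[0] for w in window]
    rps = [w[1] for w in window]
    return (mean(bps), pstdev(bps) or 1.0, mean(rps), pstdev(rps) or 1.0)


def classify(sample, base):
    """Return (verdict, technique) for one per-second summary."""
    bps, rps, agent = sample
    bps_mean, bps_sd, rps_mean, rps_sd = base
    z_bps = (bps - bps_mean) / bps_sd
    z_rps = (rps - rps_mean) / rps_sd
    # Threshold alert: uplink saturating, so only upstream (ISP) mitigation helps.
    if bps >= 0.8 * LINK_BPS:
        return ("volumetric", "threshold")
    # Fingerprint: a known attack client is flagged regardless of volume.
    if agent in FINGERPRINTS:
        return ("application-layer", "fingerprint")
    # Statistical anomaly in bandwidth: a flood building up before saturation.
    if z_bps > Z_LIMIT:
        return ("volumetric", "anomaly")
    # Request rate far above baseline at near-normal bandwidth: application-layer.
    if z_rps > Z_LIMIT:
        return ("application-layer", "anomaly")
    return ("normal", "baseline")


BASELINE = learn_baseline(QUIET_WINDOW)

if __name__ == "__main__":
    for s in [(92_000_000, 415, "Mozilla/5.0"),
              (850_000_000, 410, "Mozilla/5.0"),
              (95_000_000, 4_000, "Mozilla/5.0")]:
        print(s[:2], classify(s, BASELINE))
```

The verdict also tells an operator where mitigation belongs: a volumetric verdict is acted on in the provider network, an application-layer one at the data center edge.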
DDoS attacks are continuing to rise and both public and private data centers are prime targets. Today’s data center operators are seeking solutions to this pressing problem. ISPs in the Middle East have a unique opportunity to respond by offering valuable network- and edge-based services that protect their customers’ data centers against DDoS attacks and drive incremental revenue.
Author: Mahmoud Samy, Regional Director, Middle East, Russia, CIS at Arbor Networks