In a large carrier environment, DDoS attacks have escalated from a nuisance to a sophisticated threat and an expensive problem to solve. Scrubbing DDoS traffic at a centralized location, after attacks have been detected, has become a commonplace approach to reducing the amount of DDoS traffic transiting carrier networks and sent to downstream providers.
DDoS attacks against Corero customers grew by a third in the last quarter, with organizations experiencing an average of 4.5 attacks every day. Most DDoS attacks were once launched by bad actors coding in their bedrooms to carry out protests. Now, DDoS-for-hire botnets allow just about anyone to launch a crippling attack for just a few dozen dollars, with no coding skills required.
According to our research, in the first half of 2015 the vast majority of DDoS attacks experienced by Corero customers were less than 1Gbps in size. More than 95 percent of these attacks lasted 30 minutes or less. As attackers look for new ways to leverage DDoS attacks, they have realized that short-duration, sub-saturating attacks are more difficult to defeat, because they evade traditional cloud-based scrubbing centers.
Typical carrier DDoS deployments involve localized monitoring points for detection of attack traffic, paired with a centralized scrubbing operation. When DDoS attack traffic is detected, both the good and the bad traffic for the particular victim subnet must be transported back to the centralized scrubbing operation, then on-ramped back onto the network at the appropriate point. As the data load on the network and the traffic fluctuations related to ongoing DDoS attacks continue to increase, carriers are tasked with cost-effectively scaling their scrubbing center operations up from 10G to 20G and even 40G to keep pace with network modernizations.
Scrubbing centers are a largely reactive means of managing DDoS attacks and require hands-on analysis by security professionals, which is expensive in both time and resources. By extension, recent advances in automation and proactive DDoS mitigation have the potential to offer service providers a way to optimize both cost and resources. Legacy DDoS prevention systems have generally been costly because of the high volumes of traffic being passed through DDoS scrubbing centers, and they are traditionally intended for large telcos dealing with high-volume traffic flows.
Additionally, legacy DDoS detection mechanisms rely on coarse sampling techniques that can make them less responsive to lower levels of DDoS-generated traffic, meaning some attacks have the potential to go unnoticed for longer periods of time. As networks become more sophisticated and intelligent, it stands to reason that emerging DDoS mitigation techniques have evolved to provide automated threat detection and mitigation, distributed across the network and capable of identifying and managing potential attacks before they cause disruption to the customer.
Providers can now deploy their DDoS mitigation operations at peering or transit points, using technology that is scalable and responsive. These systems are automated, always on, and capable of responding to attacks in real time – reducing headaches for providers everywhere. What’s more, it’s possible to design policies uniquely for customers and ensure that they get only good traffic flowing through their pipes. Providing such a service not only streamlines the operations of providers, giving them increased visibility and making their services reliable, but it has the additional upside of protecting an organization’s reputation, attracting more customers, and enabling a new revenue opportunity.
Carriers can incorporate DDoS mitigation into their service offerings, enabling them to offer differentiated value-added security services. In our study requesting the opinions of enterprise organizations, a staggering 74 percent of survey respondents indicated that they would like to see their ISP provide additional security services to eliminate DDoS traffic from entering their networks. Fifty-two percent indicated that they would even pay for a premium service offering to eliminate the DDoS challenge to their environment.
Carrier customers are clearly indicating that they would like to have extra protection and services dedicated to keeping their pipes clean and defended from DDoS attacks. Proactive carriers have an opportunity to leverage this sentiment and incorporate premium DDoS defense services into their customer contracts, resulting in important new revenue. A provider that can be flexible and responsive to the needs of each unique customer case will be better positioned to cement its position in the market with a view to expansion. Clean pipe services are a revenue-generating opportunity, with the added bonus of improving customer experience and customer relations.
Dave Larson is the COO of Corero Network Security
Edited by Maurice Nagle