Vaccinate Your Network to Prevent the Spread of DDoS Attacks

Vaccinate Your Network to Prevent the Spread of DDoS Attacks

Randy Levensalor
Principal Architect, Future Infrastructure Group, Office of the CTO

Oct 2, 2019

CableLabs has developed a method to mitigate Distributed Denial of Service (DDoS) attacks at the source, before they become a problem. By blocking these devices at the source, service providers can help customers identify and fix compromised devices on their network.

DDoS Is a Growing Threat

DDoS attacks and other cyberattacks cost operators billions of dollars, and the impact of these attacks continues to grow in size and scale, with some exceeding 1 Tbps. The number of Internet of Things (IoT) devices also continues to grow rapidly, many have poor security, and upstream bandwidth is ever increasing; this perfect storm has led to exponential increases in IoT attacks, by over 600 percent between 2016 and 2017 alone. With an estimated increase in the number of IoT devices from 5 billion in 2016 to more than 20 billion in 2020, we can expect the number of attacks to continue this upward trend.

As applications and services are moved to the cloud and the reliance on connected devices grows, the impact of DDoS attacks can continue to worsen.

Vaccinate Your Network to Prevent the Spread of DDoS Attacks

Enabled by the Programmable Data Plane

Don’t despair! New technology brings new solutions. Instead of mitigating a DDoS attack at the target, where it’s at full strength, we can stop the attack at the source. With the use of P4, a programing language designed for managing traffic on the network, the functionality of switches and routers can be updated to provide capabilities that aren’t available in current switches. By coupling P4 programs with ASICs built to run these programs at high speed, we can do this without sacrificing network performance.

As service providers update their networks with customizable switches and edge compute capabilities, they can roll out these new features with a software update.

Comparison Against Traditional DDoS Mitigation Solutions

Feature Transparent Security Typical DDoS solution
Mitigates ingress traffic X X
Mitigates egress traffic X
Deployed at network peering points X X
Deployed at hub/head end X
Deployed at customer premises X
Requires specialized hardware X
Mitigates with white box switches X
Works with customer gateways X
Identifies attacking device X
Time to mitigate attack Seconds Minutes
Packet header sample rate 100% < 0.1%

Transparent Security can mitigate ingress and egress traffic at every point in the network, from the customer premises to the core of the network. To mitigate ingress attacks, typical DDoS mitigation solutions are deployed only at the edge of the network. This means that they don’t protect the network from internal DDoS attacks and can allow their networks to be weaponized.

Transparent Security runs on white box switches and software at the gateway. This provides a wide variety of vendor options and is compatible with open standards, such as P4. Typical solutions frequently rely on the purchase of specialized hardware called scrubbers. It isn’t feasible to deploy these at the customer premises. Finally, Transparent Security can look at the header for every egress packet to quickly identify attacks originating on the service providers network. Typical solutions sample only 1 in 5,000 packets.

Just the Beginning

Transparent Security is just the beginning, and one of many solutions that can be deployed to improve broadband services. Through the programmable data plane, network management will become vastly smarter, and new services will benefit, from Micronets to firewall and managed router as a service.

Join the Project

CableLabs is engaging members and vendors to define the interfaces between the transparent security components. This should create an interoperable solution with a broad vendor ecosystem. The SDNC-Dashboard, AE-SDNC, SDNC-Switch and Switch-AE interfaces in the diagram below have been identified for the initial iteration. Section 6 of the white paper describes these interfaces in detail.

Vaccinate Your Network to Prevent the Spread of DDoS Attacks

The Transparent Security architecture and interface definitions will expand over time to support additional use cases. These interfaces leverage existing industry standards when possible.

You can see see related projects here. You can find out more information on 10G and security here.

Read Our White Paper