
An unprecedented increase in distributed-denial-of-service (DDoS) attacks in recent years has resulted in lost revenue and productivity, increased ransomware costs, and impacted service-level agreements (SLAs) for network operators.

According to Zayo Group’s annual DDoS Insights Report, attacks are accelerating rapidly, with a 314% increase in overall attacks from the first half of 2022 to the first half of 2023—surging by 1,300% in some industries. The report also notes “there are approximately 23,000 DDoS attacks every day globally” and “DDoS attacks can be costly to any business, but unprotected businesses experience an average cost of $200K per attack.” At the same time, increasing bandwidth requirements and millions of new internet-connected devices have further driven the need to address DDoS attacks more efficiently.

To address the growing problem of DDoS attacks, in 2022 we launched the industry’s first true on-box DDoS solution, Cisco Secure DDoS Edge Protection, with IOS XR 7.7.1 on our Cisco Network Convergence System 540 Series routers (NCS 540 Series). The first phase of the solution addressed threats from mobile endpoints such as IoT devices and mobile phones, helping customers detect and mitigate DDoS attacks on cell-site routers without the need for a centralized DDoS detection agent or a scrubbing center.

We are now extending this DDoS solution beyond mobility to all IP traffic types, starting with IOS XR 7.11.1 on our Cisco Network Convergence System 5500 (NCS 5500) and 5700 (NCS 5700) Series routers. This expanded solution will enable additional use cases for peering edge, broadband, aggregation, and core network deployments.

Challenges with traditional DDoS solutions

A traditional DDoS solution includes a centralized DDoS detection agent (physical or virtual form factor) deployed outside of the router. It also has a DDoS mitigation engine that typically pushes a Border Gateway Protocol (BGP) FlowSpec rule to divert the traffic to a scrubbing center, or pushes a Remotely Triggered Black Hole (RTBH) rule to drop it.

Figure 1. Traditional DDoS deployment architecture

In this architecture, the edge routers that face the attack traffic export NetFlow data or mirrored flows (after sampling) to a centralized location outside the routers, where the attacks are detected. Mitigation requires network operators to deploy large-scale scrubbing centers on-premises or to subscribe to a cloud scrubbing provider. As a result, customers can incur substantial operational costs that grow as the scale and frequency of DDoS attacks increase.

With Cisco Secure DDoS Edge Protection, the external detection agent is no longer needed (see Figure 2). Since IOS XR supports an application hosting infrastructure to run Docker containers on the routers, the centralized detection agent is moved onto the router itself. Because the agent runs as a Docker container on the router, there is no need to export flow data outside of the router for attack detection.

Figure 2. New solution to an old problem

Providing the mitigation functionality within the container eliminates the need for dedicated scrubbing centers and reduces the scrubbing capacity needed in a network. The mitigation does not involve pushing a BGP FlowSpec rule; instead, a simple API callback to the edge router efficiently blocks the attack traffic.
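To make the two steps concrete, here is an added example (written for this page; it is not Cisco's code, and the Secure DDoS Edge Protection API is not documented in this post). It models the detection step that either a NetFlow collector or an on-box detection container performs over sampled flow records, and the mitigation step that hands a FlowSpec-style match/action rule to a caller-supplied `push` callback, standing in for the API callback to the edge router described above. The sampling rate, the packets-per-second threshold, the rule layout, the `push` signature, and the flow records themselves are all constructed for the example.

```python
"""Sampled-flow DDoS detection with a mitigation-rule callback (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One sampled flow record, in the spirit of a NetFlow export (constructed)."""
    src: str
    dst: str
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP
    dport: int
    packets: int   # packets counted in the *sampled* record
    bytes: int


SAMPLING_RATE = 1000   # assumed 1:N packet sampling on the export (hypothetical)
WINDOW_SECONDS = 10    # assumed length of the observation window (hypothetical)


def aggregate_by_destination(records):
    """Sum packets per (dst, proto, dport), scaled back up by the sampling rate.

    Sampled counts are estimates of the real volume; the scaling makes the
    threshold below comparable to a line-rate packets-per-second figure.
    """
    totals = defaultdict(int)
    for r in records:
        totals[(r.dst, r.proto, r.dport)] += r.packets * SAMPLING_RATE
    return totals


def detect_attacks(records, pps_threshold):
    """Return [((dst, proto, dport), estimated_pps), ...] above the threshold."""
    found = []
    for key, pkts in aggregate_by_destination(records).items():
        pps = pkts / WINDOW_SECONDS
        if pps > pps_threshold:
            found.append((key, pps))
    return found


def build_mitigation_rule(dst, proto, dport, action="discard"):
    """Describe the block as a FlowSpec-style match/action pair (hypothetical layout)."""
    return {
        "match": {"destination": f"{dst}/32", "protocol": proto, "destination-port": dport},
        "action": action,
    }


def mitigate(records, pps_threshold, push):
    """Detect attacks and hand one rule per attacked service to the push callback.

    `push` stands in for the API callback to the edge router; it is the only
    place where the rule leaves this module, so it is easy to audit or log.
    """
    rules = []
    for (dst, proto, dport), _pps in detect_attacks(records, pps_threshold):
        rule = build_mitigation_rule(dst, proto, dport)
        push(rule)
        rules.append(rule)
    return rules


def constructed_sample():
    """Constructed input: a UDP flood to one host plus a little legitimate HTTPS traffic."""
    flood = [FlowRecord(f"192.0.2.{i}", "198.51.100.10", 17, 53, 40, 40 * 1200)
             for i in range(1, 51)]
    legit = [FlowRecord(f"203.0.113.{i}", "203.0.113.50", 6, 443, 2, 2 * 600)
             for i in range(1, 6)]
    return flood + legit


if __name__ == "__main__":
    # Flood: 50 records * 40 sampled packets * 1000 / 10 s = 200,000 pps.
    # Legitimate: 5 records * 2 * 1000 / 10 s = 1,000 pps, below the threshold.
    pushed = []
    for rule in mitigate(constructed_sample(), pps_threshold=50_000, push=pushed.append):
        print("pushed mitigation rule:", rule)
```

The threshold is a fixed number here; in practice it would be derived from a per-destination baseline, and the `push` side would also need to expire rules once the traffic subsides. Both are omitted to keep the detection-then-callback flow readable.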

The solution further simplifies the network with a single off-box controller to:

  1. Orchestrate the containers across thousands of routers.
  2. Handle the entire lifecycle management of the containers.
  3. Provide a dashboard to operators on traffic stats, active attacks, history of attacks, etc.
  4. Push the mitigation rules to the routers through the container, either automatically or manually by the operators (only if the manual option is selected).

The controller can run on any general-purpose compute platform, and the entire solution can also be deployed in air-gapped networks. The solution is now supported on all variants of the NCS 5500 and NCS 5700 platforms, and support for non-mobile use cases is being extended to the NCS 540 Series platforms.

Improving protection as security threats grow

As the threat landscape grows and evolves, the advanced capabilities of Cisco Secure DDoS Edge Protection can enable a range of positive outcomes for our customers, including:

  • Reduction in TCO—With reduced or no external scrubbing centers required, network operators can save on equipment and operational costs.
  • Sustainability goals alignment—The reduced need to power and cool scrubbing centers can in turn help reduce energy consumption for operators.
  • Customer satisfaction—With faster attack detection integrated on the routers, the overall latency with combined detection and mitigation is drastically reduced. Improved response time helps network operators meet tighter SLAs with their customers, even under active attack situations.
  • Defense in depth—With the edge routers acting as the first line of defense, the overall architecture aligns with the defense-in-depth philosophy of security architectures. The solution results in additional ROI from the existing routers already deployed in the network.
  • Investment protection—The solution can coexist with existing DDoS deployments, which provides investment protection for existing deployments. Customers can gradually phase out the traditional solutions over time.
  • Fewer dependencies—With the API-based mitigation to block the attacks, there is no longer a dependency on BGP FlowSpec for mitigation.




Authors

Rakesh Kandula

Technical Marketing Engineer

Mass Scale Infrastructure Group (MIG)