The internet has evolved from a best-effort IP network for email and browsing to a network at the center of a digital revolution in the way we live, work and play. Every sector – from industry and commerce to entertainment and energy – now relies on IP networks for connectivity, and everyone expects real-time responsiveness, secure connectivity and 100 percent reliability in exchange for their fees.

Webscale companies often operate interconnection points for traffic, and securing these midway points is essential: the economic and political fallout from man-in-the-middle attacks and data breaches at such points is escalating.

Enterprises embracing digitalization are concerned about loss of revenue and reputation while governments are concerned about the growing disruption of critical infrastructure and services, seemingly by nefarious state players.

DDoS is becoming the fastest growing category of traffic – faster even than gaming or video. New devices, including billions of internet of things (IoT) devices and high-bandwidth servers, are hijacked and used together with reflection, amplification and carpet-bombing techniques to launch increasingly sophisticated attacks that degrade service quality and availability. New short-burst DDoS attack vectors cause disruptions that are far harder to identify and mitigate than earlier attacks.

In the past, peering routers were forced to send all traffic suspected of carrying volumetric or application-level DDoS attacks to centralized scrubbing centers stacked with DDoS mitigation appliances. Security analysts did their best to clean suspicious traffic through manual analysis, but this came at considerable cost in DDoS appliance licenses and backhaul bandwidth. Manual analysis was also prone to false positives and false negatives.

Further exacerbating the threat landscape, network and service functions are being disaggregated, distributed and deployed wherever they need to go to optimize capacity, latency, reliability and service experience. This open, disaggregated and distributed design introduces many new surfaces that attackers can exploit.

The evolution of IP network security

The solution to these challenges lies in harnessing the IP network infrastructure and having it play a larger role in protecting the network, its services and therefore the customers’ service experience. To provide the scalability and functionality required to protect large, mission-critical networks, IP network security must become like packet forwarding: a high-performance, highly scalable function of the network of IP routers. Security must be built into the DNA of each layer of the IP network.

The IP silicon of a router must be designed to sustain bursty or constant bit-rate attacks without service disruption. It must deliver the filtering speed, precision and scale required to act as a highly precise DDoS attack sensor and mitigation device, and it must provide built-in encryption to protect all the data that flows through it. And it must do all of this at line rate, without impacting the performance of any service running on the same chipset.

The network operating system (NOS) of the IP router must be purpose built to be secure and robust, and must work with the IP silicon to mitigate attacks that attempt to consume its resources, hijack its processes or sabotage its control plane.

A big-data security analytics component that combines broad end-to-end situational intelligence with multidimensional analytics can also be deployed to help automate the network's response to attacks and minimize their impact on the network.

Built-in silicon-based security

Router-based IP network silicon designed for security must be able to distinguish and control good and bad traffic with great precision while minimizing collateral damage. It must be able to see the hijacked servers and IoT devices responsible for an attack and stop or limit traffic from those sources without impacting any other traffic sharing the same link or tunnel.

To accomplish this task requires monitoring and controlling tens of thousands of sources, which in turn requires tens of thousands of filters and queues that can be set up without impacting performance, even when links are fully saturated.

A new breed of silicon-based encryption

Webscale companies can help ensure the confidentiality and integrity of all dataflows traversing their networks through network-level encryption. Existing techniques, however, fall short of one or more of the requirements below. The next-generation encryption technology optimized for Webscale environments should provide:

  • Low latency: To support time sensitive applications and services
  • Simple, low cost: To enable mass-scale deployment
  • Flexible: To support all network protocols
  • Highly secure: Based on stringent 256-bit encryption standards
  • Multi-protocol: Extended from Ethernet and VLANs to include native encryption across MPLS, segment routing and other transport encapsulations.

To provide the latency, performance and universal network coverage required, this encryption approach must be implemented in silicon. With this silicon-based approach, best-of-breed network technology is fused with best-of-breed encryption to make secure networking (just like packet forwarding) a high-performance, universal capability of the network itself.

A self defending network operating system

A router's network operating system (NOS) should play a big role in securing the network. Hardware filters on the line card identify and discard traffic from untrusted peers and packets already identified as part of an ongoing attack. Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) packets, which are commonly used in attacks, are monitored; whenever their rate crosses a dynamic threshold, they are rate limited or marked for discard as appropriate.

By the time packets leave the line card and enter the control processor, much of the attack traffic has already been rate limited or discarded. Once in the control processor complex, further defences remove packets that are malformed or violate their protocol and would otherwise interfere with control-plane logic.

Traffic is then isolated into thousands of virtual interfaces and queues that the CPU services in a scheduled fashion. This isolation ensures that misbehaving sources can never block well-behaved ones and that the control complex cannot be overwhelmed.
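The staged control-plane defence described above, as an added Python simulation (not vendor code and not code from the page): it models line-card filters for untrusted peers and already-blocklisted sources, a per-source token-bucket threshold for ARP/ICMP that escalates persistent offenders down to the hardware filter, a malformed-packet check in the control processor, and per-source queues that the CPU drains round-robin. Packet fields, rates, queue depths, CPU budget and addresses are constructed assumptions chosen to make the outcome visible; a real router performs stages 1 and 2 in the forwarding ASIC.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet model (an assumption for this simulation)."""
    src: str            # source address or peer identity
    proto: str          # "arp", "icmp", "bgp", ...
    length: int         # bytes on the wire
    valid: bool = True  # False models a malformed or protocol-violating packet


class TokenBucket:
    """Rate limiter: refills `rate` tokens per second, holds at most `burst`."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlaneGuard:
    PEER_PROTOS = {"bgp", "ospf", "isis", "ldp"}   # only accepted from configured peers

    def __init__(self, trusted_peers, arp_icmp_rate=10.0, arp_icmp_burst=20,
                 blocklist_after=100, queue_depth=50, cpu_budget_per_tick=40):
        self.trusted_peers = set(trusted_peers)
        self.blocklist = set()                  # sources pushed down to the hardware filter
        self.rate, self.burst = arp_icmp_rate, arp_icmp_burst
        self.blocklist_after = blocklist_after  # rate-limit drops before a source is blocklisted
        self.buckets = {}                       # (src, proto) -> TokenBucket
        self.offences = defaultdict(int)        # src -> rate-limit drops so far
        self.queues = defaultdict(deque)        # src -> virtual queue toward the CPU
        self.queue_depth = queue_depth
        self.cpu_budget = cpu_budget_per_tick   # packets the CPU accepts per scheduling tick
        self.drops = defaultdict(int)           # reason -> count
        self.served = defaultdict(int)          # src -> packets handed to the control plane

    def _drop(self, reason: str) -> str:
        self.drops[reason] += 1
        return reason

    def ingest(self, pkt: Packet, now: float) -> str:
        # Stage 1: line-card hardware filters (cheapest checks first)
        if pkt.src in self.blocklist:
            return self._drop("hw_filter_blocklist")
        if pkt.proto in self.PEER_PROTOS and pkt.src not in self.trusted_peers:
            return self._drop("untrusted_peer")
        # Stage 2: per-source threshold on ARP/ICMP; persistent offenders move to stage 1
        if pkt.proto in ("arp", "icmp"):
            bucket = self.buckets.setdefault((pkt.src, pkt.proto), TokenBucket(self.rate, self.burst))
            if not bucket.allow(now):
                self.offences[pkt.src] += 1
                if self.offences[pkt.src] >= self.blocklist_after:
                    self.blocklist.add(pkt.src)
                return self._drop("rate_limit")
        # Stage 3: control processor rejects malformed / protocol-violating packets
        if not pkt.valid:
            return self._drop("malformed")
        # Stage 4: per-source queue; an overflow only affects the offending source
        queue = self.queues[pkt.src]
        if len(queue) >= self.queue_depth:
            return self._drop("queue_full")
        queue.append(pkt)
        return "queued"

    def schedule(self) -> dict:
        """One CPU tick: one packet from each non-empty queue per round until the budget is spent."""
        served, budget = defaultdict(int), self.cpu_budget
        while budget > 0:
            active = [src for src, q in self.queues.items() if q]
            if not active:
                break
            for src in active:
                if budget == 0:
                    break
                self.queues[src].popleft()
                served[src] += 1
                self.served[src] += 1
                budget -= 1
        return dict(served)


def run_demo() -> dict:
    """Constructed scenario: an ICMP flood, a trusted BGP peer, a chatty ARP host, an unknown BGP speaker."""
    guard = ControlPlaneGuard(trusted_peers={"192.0.2.1"})
    attacker, peer, host, stranger = "203.0.113.9", "192.0.2.1", "192.0.2.50", "198.51.100.7"
    now = 0.0   # everything arrives in the same instant, so the buckets never refill
    for _ in range(500):
        guard.ingest(Packet(attacker, "icmp", 64), now)
    for _ in range(5):
        guard.ingest(Packet(peer, "bgp", 120), now)
    guard.ingest(Packet(peer, "bgp", 120, valid=False), now)   # one malformed BGP message
    for _ in range(30):
        guard.ingest(Packet(host, "arp", 42), now)
    for _ in range(3):
        guard.ingest(Packet(stranger, "bgp", 120), now)       # BGP from a non-configured peer
    first_tick = guard.schedule()
    while any(guard.queues.values()):
        guard.schedule()
    return {"first_tick": first_tick, "served": dict(guard.served), "drops": dict(guard.drops)}


if __name__ == "__main__":
    print(run_demo())
```

Of the attacker's 500 ICMP packets only the 20-packet burst ever reaches a queue; 100 more are rate limited and the remaining 380 are discarded by the hardware filter once the source has been blocklisted. The trusted peer's five valid BGP messages are all served in the first tick even though the attacker's queue is four times longer, which is the isolation property the text describes.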

Big data analytics

Big data analytics tools can be combined with real-time insight from the network itself to provide an effective response to DDoS attacks as they increase in scale, sophistication, and frequency.

By processing advanced telemetry from the network together with deep knowledge of internet traffic, operators gain a real-time, precise picture of what is flowing through the network, from which policies can be created to identify and mitigate the volumetric attacks that make up almost all DDoS traffic.

This new breed of network-based identification/mitigation is far more cost-effective and scalable for eliminating volumetric DDoS compared to appliance-based scrubbing center models, allowing Webscale networks to provide volumetric DDoS protection for all customers, not just a small number of the most demanding customers.
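The network-based identification/mitigation loop described above, together with the per-source filtering the silicon section calls for, as an added Python example (not the page's code and not any vendor's product logic): it aggregates constructed NetFlow/IPFIX-style records per destination prefix, flags a prefix whose inbound rate exceeds a threshold, identifies the (protocol, source-port) signatures that dominate it, and emits FlowSpec-like rules plus a per-source police list. Addresses, volumes, the threshold and the rule format are assumptions. Aggregating per /24 rather than per host is what catches the carpet-bombing pattern mentioned earlier, where every individual host stays under the threshold.

```python
import ipaddress
from collections import defaultdict

WINDOW_S = 10   # seconds covered by one export window (assumption)


def flow(src, dst, proto, sport, dport, nbytes, packets):
    """One NetFlow/IPFIX-style record toward a protected prefix (constructed shape)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "bytes": nbytes, "packets": packets}


def build_sample_flows():
    """Constructed window: DNS and NTP reflectors spray every host in 192.0.2.0/24, plus normal traffic."""
    flows = []
    for r in ("203.0.113.11", "203.0.113.12", "203.0.113.13",
              "203.0.113.14", "203.0.113.15", "203.0.113.16"):
        for j in range(8):
            flows.append(flow(r, f"192.0.2.{10 + j}", "udp", 53, 40000 + j, 400_000, 320))
    for r in ("203.0.113.101", "203.0.113.102", "203.0.113.103"):
        for j in range(8):
            flows.append(flow(r, f"192.0.2.{10 + j}", "udp", 123, 41000 + j, 300_000, 640))
    for i, c in enumerate(("203.0.113.200", "203.0.113.201", "203.0.113.202")):
        flows.append(flow(c, "192.0.2.10", "tcp", 51000 + i, 443, 50_000, 60))    # real web clients
    flows.append(flow("203.0.113.210", "198.51.100.30", "tcp", 52000, 443, 100_000, 90))  # other prefix
    return flows


def aggregate(flows, prefix_len):
    """Sum bytes/packets per destination prefix and per (proto, source port) signature, tracking sources."""
    agg = {}
    for f in flows:
        prefix = str(ipaddress.ip_network(f"{f['dst']}/{prefix_len}", strict=False))
        a = agg.setdefault(prefix, {"bytes": 0, "packets": 0, "sigs": {}})
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        s = a["sigs"].setdefault((f["proto"], f["sport"]),
                                 {"bytes": 0, "packets": 0, "sources": defaultdict(int)})
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
        s["sources"][f["src"]] += f["bytes"]
    return agg


def detect(flows, threshold_bps, prefix_len=24, min_share=0.10, window_s=WINDOW_S):
    """One alert per prefix whose inbound rate exceeds threshold_bps, with the signatures that dominate it."""
    alerts = []
    for prefix, a in aggregate(flows, prefix_len).items():
        bps = a["bytes"] * 8 / window_s
        if bps <= threshold_bps:
            continue
        sigs = []
        for (proto, sport), s in a["sigs"].items():
            share = s["bytes"] / a["bytes"]
            if share < min_share:
                continue    # the long tail (e.g. genuine client traffic) is left alone
            top = sorted(s["sources"].items(), key=lambda kv: (-kv[1], kv[0]))[:3]
            sigs.append({"proto": proto, "sport": sport, "share": round(share, 3),
                         "avg_pkt_bytes": s["bytes"] / s["packets"], "top_sources": top})
        sigs.sort(key=lambda x: -x["share"])
        alerts.append({"prefix": prefix, "bps": bps, "signatures": sigs})
    return alerts


def mitigation_rules(alert, threshold_bps):
    """Turn an alert into FlowSpec-like rules (format is an assumption): police each amplification
    signature toward the prefix and name the individual sources to filter in hardware."""
    rules = []
    for sig in alert["signatures"]:
        rules.append({
            "match": {"dst": alert["prefix"], "proto": sig["proto"], "sport": sig["sport"]},
            "action": "rate-limit",
            "rate_bps": int(threshold_bps * 0.1),   # leave room for legitimate replies on that port
            "police_sources": [src for src, _ in sig["top_sources"]],
        })
    return rules


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-host alerts:", detect(flows, 10_000_000, prefix_len=32))   # empty: each host is under threshold
    for alert in detect(flows, 10_000_000, prefix_len=24):
        print(alert["prefix"], f"{alert['bps'] / 1e6:.1f} Mbps")
        for rule in mitigation_rules(alert, 10_000_000):
            print("  ", rule)
```

With a 10 Mbps threshold, per-host aggregation reports nothing (the busiest host sees about 2.8 Mbps), while per-/24 aggregation reports 192.0.2.0/24 at 21.2 Mbps with DNS (UDP source port 53, roughly 1250-byte packets) and NTP (UDP source port 123) as the two signatures, each of which becomes a rate-limit rule and a list of reflector sources to filter per source. The genuine TCP/443 clients fall below the share cut-off and are untouched, which is the "minimize collateral damage" requirement from the silicon section.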

Conclusion

With IP networks playing an increasingly important role in our daily lives, attacks against them will continue to grow in scale, sophistication, and frequency. Both network performance and the confidentiality/integrity of data that flows through them are being targeted.

To earn customer trust, Webscale networks must be able to demonstrate they can proactively avoid these attacks, or at minimum, quickly identify and eradicate them.

Success entails a fundamental shift in how Webscale companies protect their IP networks. It requires moving away from overlay security solutions to security capabilities built into the network infrastructure itself.