OVH NEWS | THE LATEST ON IT INNOVATIONS AND TRENDS











10/01/2014

Report written by Vivien Lemaire


Why Should Internet Infrastructure Providers Offer Anti-DDoS For All


As the first line of defense against cybercriminals, Internet infrastructure providers naturally face enormous cyber threats. To better respond to the dramatic rise in Distributed Denial of Service (DDoS) attacks and protect their customers and end-users, they must provide, by default, an innovative and efficient anti-DDoS protection service.



Jérôme Arnaud, VP Operations America at OVH.com


According to security firm Arbor Networks, nearly half (46.5%) of DDoS attacks are now larger than 1 Gbps, an increase of 13.5% from 2012. The technique is simple but particularly devastating: flood a target infrastructure or service with more requests than it can handle until it overloads and crashes the servers.
Despite the increasing threat, more than 70% of companies admitted to not having any DDoS protection in place. The gap between these extremely serious risks and the lack of protection is just mind-boggling. The problem is not that decision makers refuse to face such threats; rather, because security is rarely their core competency, they do not necessarily have the right tools to detect such attacks.
For this crucial reason, at OVH.com we think Internet infrastructure providers need to step up and take responsibility for the fight against such attacks by deploying a massive and efficient protection service that is available, by default, in all of their service offerings.



To fight against the increase in DDoS attacks, Internet infrastructure providers must reinforce their protection


The cybercrime landscape has changed considerably since 2011. Back then, groups of cyber-offenders were taking control of IRC servers to build botnets (networks of compromised servers) or were taking down websites to reroute visitors, for the benefit of unscrupulous competitors.
Later on, the Anonymous hacktivist network demonstrated that it was actually easy to take down a website, and people started to learn how to create DDoS attacks. These attacks became so common that traditional protection services, which block certain types of network traffic based on the source and/or destination IP address, became insufficient to stop them all.
To keep up with this new threat landscape, the entire security perimeter needs a revamp: a mitigation system must be put in place to identify and clean up illegitimate network traffic in the case of an attack. Indeed, experience has shown that it's actually more efficient to protect oneself than to run after the attacker: blocking a ginormous attack is the best guarantee that s/he will eventually give up and never return.



A mitigation solution to protect against DDoS


A typical anti-DDoS protection service, or mitigation, should take place in 3 phases. In the first phase, traffic is analyzed by dedicated security appliances, like Arbor's Peakflow, and then compared to DDoS attack signatures. If the number of packets per second is suspect, the attack should be absorbed out of the ISP network, using a VAC (short for vacuum).
This digital vacuum is actually an infrastructure made of high-end network equipment (Cisco network pre-firewalls and firewalls, Tilera and Arbor solutions), capable of guarding against illegitimate traffic. Ideally, VACs should be located in 3 different geographical areas in the world to better absorb cyber attacks, leveraging what should be the ISP's strength: a worldwide fiber optic network with enough available capacity, and an aggregate Internet backbone interconnection bandwidth of several terabits per second.
In addition, the democratization of anti-DDoS protection will help prevent collateral damage that impacts not only the victim of the attack but also, inside the same datacenter where its data is stored, the neighboring servers, sub-networks or a router.
While this will increase the cost of the overall infrastructure and its operations, the fairest solution for the ISPs and the users is to share the additional financial burden of this entirely new DDoS infrastructure among all their customers.
This is a smart decision that gives anti-DDoS protection to all: seamlessly built into the infrastructure, leveraging the best technologies available on the market today and available, by default, to everyone.

Because this new class of DDoS attacks is so damaging, Internet infrastructure providers must step up and provide a secure and efficient first line of defense to all their customers. Security should never be an option, now more than ever.


