BROUGHT TO YOU BY DE-CIX

According to a report by Deloitte Global, “Technology, Media and Telecommunications Predictions 2017,” Distributed Denial-of-Service (DDoS) attacks will increase in frequency and scale this year. Deloitte projects there will be one Tbit/s (terabit per second) attack per month, with an attack size of between 1.25 and 1.5 Gbit/s (gigabit per second), on average, and over 10 million attacks in total. Indeed, massive DDoS attacks have been congesting networks and compromising Internet services all over the world in recent months.

Fortunately, progressive network service providers and Internet Exchanges can apply proven countermeasures to fight the scourge of DDoS attacks. First, DDoS attacks can be fought locally when Internet Exchanges utilize blackholing, which allows network operators to drop DDoS traffic destined for an attacked host before it congests the operator’s network. This means that traffic flowing to the target will be dropped so that resources are protected against the increased loads caused by the attack.

However, local blackholing may not always be enough. If a host located in a network connected to an Internet Exchange in New York is attacked, the network can use blackholing in New York to get rid of the DDoS traffic, which is very effective at the Internet Exchange locally. But the nature of a DDoS attack is that attack traffic is sent to the host via several backbones and networks. All too frequently, DDoS traffic crosses thousands of miles to reach the host under attack, congesting existing backbones and Internet infrastructure. This calls for solutions that are more sophisticated, allowing traffic to be dropped as close to the source of the DDoS traffic as possible. 

By using remote blackholing, networks can announce information about their attacked hosts at other global Internet Exchange locations. This information relieves large portions of DDoS traffic already in Europe, for example, before it reaches North or South America via IP transit or peering paths and vice versa. Larger transit ports and increasing network capacity no longer adequately protects networks against massive DDoS attacks. However, eliminating the DDoS traffic prior to having it sent via IP transit or peering paths can drastically reduce the size of an attack, and lessen the operational burden as well as the associated costs.

As companies increasingly rely on cloud service providers for their mission-critical business processes, the networks on the path to these cloud service providers are also vulnerable. To limit the impact of DDoS attacks on cloud traffic, networks can separate cloud traffic from Internet traffic, ensuring that DDoS attacks happening on the Internet do not hit traffic to cloud service providers.

Whichever of the above countermeasures are applied, the ultimate objective is to unburden networks by reducing DDoS attacks to a point where they are much less threatening, thereby ensuring services continue to run smoothly.