DDoS & 5G: The Bigger the Pipe, the Stronger the Threat

Two of the biggest hypes in telecom today are IoT and 5G. Everyone’s talking about them, planning for them, testing them, and even deploying them. IoT is here and 5G is definitely coming, and they are related, because as more and more IoT devices are deployed, and IoT services are offered—especially video-rich services—more and more mobile bandwidth will be required, and 5G promises to meet that demand.

It’s a rosy picture, but there’s a catch—a proverbial fly in the ointment that nobody is discussing—we all know that DDoS is a present and growing threat. In this post, I will make the case that 5G increases the DDoS threat, and, as a result, it requires defenses stronger than today’s traditional strategies can provide. Furthermore, I will present a new solution architecture that provides both a stronger present defense, and it has the added value of being future-proof, as well.

I think we can all agree that DDoS is here and it’s not going away! It seems that every month we hear about a new, record-breaking DDoS attack—and it’s not surprising that many types of DDoS attacks are referred to as floods—there is even one called a Tsunami—because their impact is overwhelming. They inundate and flood network resources, including elements such as firewalls that are intended to ensure network security.

So, DDoS is a threat to everyone with a network presence, but why is it growing both in size and in frequency? One reason is that the explosive proliferation of IoT devices provides hackers with a growing landscape from which to launch these attacks. IoT devices bring great value to their users—remote automated metering, security cameras, smart utility grids and more. However, most IoT devices are essentially stripped-down, single purpose computers with little or no security. They are easily hacked and converted into soldiers in a botnet army, triggering ever-growing floods of DDoS assaults.

A second reason that DDoS attacks keep growing is easy financial gain. DDoS attacks may include ransom demands, or they may be a way to hurt a competitor, either by crippling their business, or by using the attack as a smokescreen to hide the cybertheft of business secrets. In both cases the attacker realizes a profit. A third reason is that hacktivists increasingly see DDoS as an easy way to punish ideological enemies, be they government or corporate, with amplified publicity in parallel to the amplified DDoS traffic flood. And DDoS attacks can be a form of nation-state cyberwarfare, both to harm operational capabilities and as a smokescreen to hide a subsequent theft of state secrets.

One more reason that these attacks keep growing is that although they are technologically sophisticated, the tools required to launch these attacks are widely available and easy to use. As highlighted in the recent takedown of a large international service, for paid DDoS attacks there is a huge industry of DDoS attack tools for hire.

Communication Service Providers (CSPs) are themselves often targets of DDoS attacks but even when they are not the target, their network is the medium and they suffer from excessive traffic that may hamper their ability to provide services to their many customers who are not being targeted at all—the innocent bystanders. The cost of these attacks is high. Kaspersky Lab estimates that the cost to Small-to-Medium-Sized Businesses (SMBs) is greater than $120 K for each attack and to larger enterprises (including CSPs), it can be $1-2 M, or more. The vast majority of CSPs experience DDoS attacks every year, often many times each month.

Costs are of course both direct and indirect—they can include Service Level Agreement (SLA) penalties to impacted enterprise customers, costs incurred by overloaded call centers, efforts to restore or replace impacted infrastructure, additional purchases of new infrastructure and, of course, costs associated with damage to reputation. Trying to prevent customer churn, running promotional campaigns, and offering discounts to win back customers and restore reputation—or to attract new customers—all contribute to the cost of these attacks.

So, what’s all this got to do with 5G? Well, the coming exponential spread of high-speed bandwidth means that in addition to widespread motivation, easily available attack tools, and proliferating IoT attack sources, dramatically bigger attacks will be possible because the “5G highway” will have many more lanes to enable vastly higher rates of traffic—both good and bad. In the words of Brijesh Datta, the CSIO of Reliance Jio, “5G’s bandwidth will easily flood servers…with 5G, every individual would have a
1 Gbps worth of bandwidth, thereby attacks would become more drastic.”

In this environment, more than a third of CSPs’ customers expect the CSPs to protect them from these attacks. They expect security – not just connectivity and CSPs do try to meet this challenge. Traditionally, they have adopted several techniques to combat DDoS but all are limited when it comes to such high-volume attacks.

High-end Solution: Scrubbing Centers

The way scrubbing centers work is that when an incoming attack is identified—usually through periodic sampling of network traffic thresholds and human intervention—all traffic gets diverted to a specialized data center whose function is to inspect every packet, remove attack content, and then send the clean data packets back to the CSP network.

As Frost & Sullivan point out, this solution is quite problematic for the following reasons:

1. Cost: There is a high cost associated with the extra network resources and the human work involved in rerouting so much traffic.
2. Quality: There is a strong likelihood of reduced quality during the attack due to the time it takes to divert, scrub, and return the cleansed traffic flow.
3. Accuracy: In the case of asymmetric traffic—requests and corresponding acknowledgement packets (which often constitute the amplified attack) don’t always travel by the same routes, making it difficult to determine when traffic is legitimate and when it is illegitimate.
4. Evasion: Attackers have adapted to this solution’s sampling rate loophole by employing short term but very large bursts of traffic to evade the sampling mechanism.

Low-end Solution: Inline Systems (originally designed for Enterprise deployment)

These solutions do not resort to sampling traffic as they operate inline, but:

• They were not designed to operate at the scale of CSP traffic
• They do not handle asymmetry for the same reasons as above
• They do not look at outbound traffic—so they do not mitigate outbound attacks
• They cannot help prioritize legitimate, higher priority traffic during attacks

The high-end solutions are too costly for most CSPs and are ultimately of limited efficacy. The low-end solutions are not really suited for CSPs. What is required is a new, cost-effective approach that both meets today’s challenges and can effortlessly scale to handle tomorrow’s larger and unknown attacks, protecting CSP networks and customers, all the time, and on time. This new approach, deployed by Allot, consists of a highly scalable, inline DDoS mitigation system that stops both inbound and outbound volumetric attacks, uses machine learning to detect previously unknown patterns, and is fully integrated with DPI functionality to ensure the quality of legitimate traffic during attacks.

This solution does not require any investment in infrastructure for re-routing traffic to scrubbing centers and, since it is automatic, it does not require heavy supervision. Because it is inline, it is always operational and responds in seconds instead of minutes or tens of minutes—so there is no latency introduced. Because the solution is integrated with Deep Packet Inspection (DPI), its application and user awareness ensures policy-based prioritization of critical traffic, even during the largest attacks. Finally, because it uses machine learning to centrally analyze ratios of inbound and outbound traffic, it detects unfamiliar patterns, which provides future-proof security. And to increase cost-effectiveness, this solution can be deployed as a virtualized cluster to ensure unlimited, elastic scalability and provide wire-speed protection that cannot be overwhelmed. No matter how much data is passing through the sensors, the volume of ratios reaching the controller can always be handled.

DDoS is a real and growing menace. Technological advances such as 5G will yield unforeseen benefits, but will also lead to enhanced threats. CSPs must be proactive to stay ahead of the game.