For Communications Service Providers (CSPs), relying on legacy solutions to provide what is known as ‘cleanpipe’ service to customers is far from enough. As DDoS attacks continue to evolve as a result of growing internet infrastructure and botnets, they must turn to a scalable, effective solution to protect their network infrastructure and deliver clean traffic to customers.  

Most CSPs understand that the threat of DDoS attacks cannot be neglected. However, some of them remain reluctant to offer DDoS protection as a service to their customers. Some do offer DDoS mitigation as part of their “cleanpipe” service, but the technology behind relies on legacy solutions.

As such, traditional ‘cleanpipe’ services often fall short of customer expectations when a larger or more complex attack takes place. Customers probably still experience a certain amount of downtime and latency issues, and have to wait the upstream service provider to figure out what is going on and troubleshoot the problem.

There are multiple methods behind the traditional ‘cleanpipe’. Most CSPs use one or a combination of them to achieve the best possible mitigation results. The efficacy of these legacy methods depends on the network capacity and security expertise of the CSP, among other things.

Blackhole routing

One easy, fairly straightforward solution to virtually all CSPs is to create a blackhole route and funnel traffic into that null route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network.

Despite its low effectiveness and significant impact on legitimate traffic, this has been (frequently) used by ISPs, for instance, to route the victim’s traffic to a blackhole in order to head off a collateral damage to the CSP network.

Rate limiting

Limiting the number of requests to a server for a specific period of time or specific network-layer protocols such as ICMP and UDP is another simple way of dealing with DDoS attacks. While rate limiting is useful in mitigating simple, predictable network attacks, it alone is insufficient to handle a complex DDoS attack effectively.

Anti-DDoS appliance

For CSPs with larger local bandwidth, it is a common to bring mitigation in-house. Despite the growing popularity of cloud cybersecurity and managed security service providers (MSSPs), there are still vendors offering dedicated hardware for DDoS mitigation, featuring threat tracking and powerful behavioural analysis.

While the CSP can retain complete control and ownership, the downside to it is the high costs of purchase, installation and maintenance, not to mention the extra manpower required to keep the equipment up and running 24x7. Considering these capital and operating expenditures, bringing DDoS mitigation in house may not justify the costs.

In a threat landscape that is constantly changing and evolving, hardware has to be replaced in 3-5 years time. The prohibitive costs of in-house DDoS mitigation, coupled with regular upgrades and innovations, make it very difficult–almost impossible–for CSPs to break even.

And very often, these appliances could become the bottleneck themselves when a large-scale, volumetric attack exceeds the threshold they could handle. In addition, implementing in-house DDoS mitigation requires a significant investment of time and expertise. Often, your staff may have a basic understanding of the general issues surrounding DDoS attacks, but are unable to commit themselves wholeheartedly to monitoring, handling and analysing such attacks.

Caught between a rock and a hard place

Even if the CSP network is sizeable, valuable bandwidth and network resources are not supposed to be consumed by malicious DDoS attacks. Moreover, increased latency and degradation of service are going to ruin the user experience. Clearly, enterprise clients need more DDoS protection, and they are willing to pay for it.

On the other front, not only are CSPs facing competition from peers in the same marketplace, they are also facing increasing competition from cloud-powered over-the-top (OTT) players and global cloud service providers in the broader market. The more competitive landscape results in shrinking fixed-line revenues in their traditional carrier business.

As a result, CSPs need a scalable, effective DDoS protection solution to protect valuable bandwidth from being abused, maintain service availability, minimize collateral damage risks, ensure maximum uptime, and deliver truly “clean” traffic to customers without blackholing. There is a pressing need for them to move up the value chain and transform into an integrated CSP in order to stay competitive down the road.

Turn DDoS pain into gain

In the absence of effective detection and mitigation technology and expertise to identify and eliminate DDoS attacks, the pain is felt throughout your organization. It is natural for customers to seek help from the upstream CSP whenever there is an outage or latency issue. Your network engineers probably would notice something has gone wrong, but they are not trained to handle cyberattacks. The only thing they could do is to blackhole all traffic to the destination IP.

For larger CSPs that can afford an in-house security team, it still takes a considerable amount of time—from minutes to hours—to distinguish DDoS attacks from other problems, so that they could decide what to do next, for example, activate the mitigation device, divert the traffic to a local scrubbing facility, or as a last resort, carry out blackhole routing. This process requires human intervention and easily becomes a window of opportunity for cybercriminals to do more harm before the affected website or network is brought back online.

Rather than a reactive approach, the CSP ought to take a more proactive stance against these kinds of security incidents, particularly DDoS attacks. A scalable, automated DDoS mitigation deployment could prevent the CSP from losing customers and revenue, deliver on the uptime promise, and help protect its reputation. By providing advanced DDoS protection as an integral part cleanpipe or cybersecurity services, you further enhance your revenue potential to security-aware customers.

Transform into an integrated CSP

As a leading managed DDoS mitigation service provider, Nexusguard has built and now owns its detection and mitigation stack from the ground up apart from core network appliances such as routers and switches. This means that each of our scrubbing centers are infinitely scalable both horizontally and vertically. These scrubbing centers are strategically placed around the world in nine countries.  

Nexusguard offers a range of DDoS mitigation solutions for CSPs to address their needs for infrastructure protection and help them move up the value chain in a more competitive marketplace.

Deploying InfraProtect to get the essential protection for the core network is the most cost-effective solution to start with, whereby the CSP can decide if it would like to divert traffic to our scrubbing cloud upon detecting malicious network activity. The objective of InfraProtect is to minimize collateral damage risks and achieve maximum uptime for customers.

For carriers looking to protect not only the core but also their mission-critical customers, we offer our flagship, BGP-based Origin Protection. It is complete with various compelling features including access to a dedicated portal for full traffic visibility and rule-set control. Mitigation can be configured as fully automated using the default mitigation template.

For carriers looking to overhaul the approach they adopt towards security and monetize DDoS mitigation services, our Transformational Alliance Partner (TAP) program provides them with a refreshing approach that combines traditional on-premise with cloud into a highly customizable, scalable and automated service.