Nexusguard’s research findings reveal that communications service providers (CSPs) are increasingly abused by perpetrators as a tunnel to direct DDoS attacks to their downstream networks. This new breed of attacks are carried out in a stealthy way that they can easily bypass detection. Faced with evolving DDoS attack patterns and tactics that are more difficult to detect and mitigate, service providers are presented with a dilemma. Should they just pass on the attack traffic, knowingly or unknowingly, to the victim customer?

Some service providers are inclined to charge how much bandwidth the customer consumes on the ground that they are not obligated to filter inbound traffic. In case traffic swells dramatically and threatens to congest the CSP network, the only thing they could and would do is to blackhole all traffic to the targeted IP to stop any collateral damage to its other customers. To counter a potentially short-lived attack of, say, ten minutes, the “blackhole period” could last 24 hours and sometimes even longer. It is an irony but it is true to say that the service provider sometimes aids the denial-of-service mission by shutting down the victim website with blackhole routing.

Some others acknowledged the potential of cybersecurity market and downstream revenue streams by adding DDoS attack mitigation to their “cleanpipe” services. From the customer’s perspective, can cleanpipe really deliver clean traffic? Odds are that traditional cleanpipe services are not an automated, effective solution. Customers probably still experience a certain amount of downtime and latency issues and have to wait for the upstream service provider to figure out what is going on and troubleshoot the problem.

Why traditional “cleanpipe” provides limited value

That’s largely because the DDoS mitigation technology behind is limited to the pipe level, without the ability to carry out deep packet inspection and mitigate more complex L7 attacks that target specific applications.

From blackholing to rate limiting as well as IDS/firewall, service providers use one or a combination of them to achieve the best possible mitigation results. That said, the efficacy of these legacy methods depends on the network capacity and security expertise of the service provider, among other things. It also comes as a little surprise that the service provider has no or little research capabilities and access to threat intelligence to address zero-day vulnerabilities.

Caught between a rock and a hard place

Even if the network is sizeable, valuable bandwidth and network resources are not meant to be consumed by malicious traffic. Moreover, increased latency and degraded service are going to ruin the user experience. Obviously, enterprises need more DDoS protection.

On the other front, not only are CSPs facing competition from peers in the same marketplace, but they are also facing increasing competition from cloud-powered over the top (OTT) players and global cloud service providers in the broader market. The more competitive landscape results in shrinking fixed-line revenues in their traditional carrier business.

As a result, CSPs also need a scalable, effective DDoS protection solution to protect valuable Internet bandwidth from being abused, maintain service availability, minimize collateral damage risks, ensure maximum uptime, and deliver truly “clean” traffic to their customers without blackholing. There is a pressing need for them to move up the value chain and transform into an integrated CSP in order to stay competitive down the road.

In the absence of effective detection and mitigation technology and expertise to identify and eliminate DDoS attacks, the pain is felt throughout the organization. It is natural for customers to seek help from the upstream CSP whenever there is an outage or latency issue. Your network engineers probably notice something has gone wrong, but they are not trained to handle cyberattacks. The only thing they could do is to blackhole all traffic to the destination IP.

For larger CSPs that can afford an in-house security team, it still takes a considerable amount of time--from minutes to hours--to distinguish DDoS attacks from other problems, so that they could decide what to do next, for example, activate the mitigation device, divert the traffic to a local scrubbing facility, or as a last resort, carry out blackhole routing. This process requires human intervention and easily becomes a window of opportunity for cybercriminals to do more harm before the affected website or network is brought back online.

How Nexusguard turns your DDoS pain into gain

Rather than a reactive approach, the CSP ought to take a more proactive stance against these kinds of security incidents, particularly DDoS attacks. A scalable, automated DDoS mitigation deployment could prevent you from losing customers and revenue, deliver on the uptime pledge, and help protect your business’s reputation.

By providing advanced DDoS protection as an integral part of your cleanpipe or cybersecurity services, you further enhance your revenue potential to security-aware customers. Nexusguard offers a range of solutions for CSPs to address their needs for infrastructure protection:

Deploy InfraProtect t o get the essential protection for the core network. It is a cost-effective solution to start with, whereby the CSP can decide if it would like to divert traffic to Nexusguard scrubbing cloud upon detecting malicious activity. The objective is to minimize collateral damage risks and achieve maximum uptime for customers.

To protect not only the core but also your mission-critical customers, we offer our flagship, BGP-based Origin Protection. It is complete with various compelling features including access to a dedicated portal for full traffic visibility and rule-set control. Mitigation can be configured as fully automated using the default mitigation template.

Talk to our cybersecurity expert to learn more about Nexusguard’s full suite of DDoS mitigation technology-enabled solutions and partnership opportunities.