Time for CSPs to turn DDoS pain into gain

This article is part of our Opinions section.

Communication Service Providers (CSPs) such as internet providers, hosting providers and data centres compete in a challenging market. Demand for connectivity is constantly growing, particularly for businesses investing in data-hungry technology like AI. It’s tough to stay competitive with other providers, as well as profitable while trying to meet the demand for increased bandwidth and reliable service.

Against this backdrop, DDoS threats often go undetected, either slowing down the network or affecting customers downstream. CSPs are well aware of the threat, but it’s one spinning plate among many, and yet another cost to balance. 

But it doesn’t have to be a cost centre. CSPs can turn this pain into financial gain. If they’re going to do that, they have to start thinking of themselves not just as a connectivity provider, but as a managed security service provider as well, whose service package bundles in DDoS-Protection-As-A-Service by default.

The current DDoS threat to CSPs

To understand why DDoS protection has to be bundled in, we have to understand how detrimental DDoS attacks really are to customers. The assumption often goes that these attacks are harmless because they lack financial incentive, but this doesn’t make them any less damaging to the reputation of CSPs in the minds of customers.

CSPs are tempting targets for DDoS attacks because of their large attack surfaces and the already high level of traffic on their networks. But the threat landscape is constantly changing. Attacks are consistently getting larger, requiring more resources to mitigate or defend against them regardless of the target or the exact attack method.

Increasing attack sizes is an especially big problem with volumetric attacks, which aim to crash the network with traffic spikes. This type of attack is only getting more complicated with the risk of hijacked IoT devices or attackers combining it with other tactics like reflection and amplification. In the former, attackers spoof IP addresses to trick servers into flooding the victim network. With the latter, small queries can quickly snowball into huge amounts of attack traffic.

All this means attackers invest only a fraction of the resources into an attack compared to the significant effort CSPs must expend to deal with and mitigate the impact. It’s an uphill battle, but losing it results in downtime and loss of service, which can be the death knell of CSPs.      

But that’s not all. ‘Carpet bombing’ is another major threat to CSPs and one that’s very different in motive compared to volumetric attacks. This means you can’t mitigate them with the same methods. Instead of targeting a single IP address or section of the CSP network, bits and pieces attacks spread out, sending small amounts of traffic to lots of targets across the network. The aim here is not to cause outages or downtime but to ‘clog’ the network with fake traffic, slowing down performance and weakening the CSP. This approach also makes it far harder to detect and therefore mitigate the attack, as distinguishing the legitimate traffic from the illegitimate is much harder.  

Current mitigation methods not up to scratch

Because attackers often use networks to tunnel junk traffic to downstream customers, CSPs are actually well-positioned to stop and block network attacks. The problem is current mitigation methods often used by these organisations either leave a lot to be desired or are quite expensive for the CSP to run and maintain. Prevention methods you often see are:

Blackholing – This is where a CSP identifies an ongoing DDoS attack to a single IP address or part of the network and stops all traffic going to that address. This obviously kills the attack instantly but also throws the baby out with the bathwater. Because you also sacrifice the legitimate traffic with this method, you’re essentially creating a self-inflicted denial of service – giving the attacker exactly what they want. 

Rate Limiting – This is a less-reactive, more measured version of blackholing, where the CSP self-throttles the IP by limiting the amount of traffic the network can handle at any time. Crucially, this isn’t just during an attack, but all the time. While this often prevents a network from being overwhelmed, it also restricts legitimate traffic, meaning limited performance. This method is a double-edged sword. If a customer sees a spike in legitimate traffic it will limit traffic. It’s also poorly equipped to deal with data-hungry applications like AI.   

Firewalls and IDS – Systems to detect and block network-based attacks like firewalls and IDS (Intrusion Detection System) are better methods of protection, but still fallible. These systems often require a ‘learning mode’ to monitor traffic to establish baselines for normal traffic levels to detect anomalies like DDoS attacks. While these can be effective in some scenarios, the risk of false positives is quite high, harming legitimate traffic and their learning time means they often can’t detect zero-day attacks. They are also quite vulnerable to volumetric attacks (one of the main risks for CSPs) as these tools can quickly become bottlenecks in their own right. 

Anti-DDoS appliances – Out of traditional methods, hardware-based solutions like anti-DDoS appliances are the most effective at filtering out malicious traffic. However, without a way for CSPs to monetise DDoS prevention, they can be how expensive to set up and maintain. The other challenge with these is they aren’t particularly scalable so they might struggle to handle increasing volume on a network or respond to changing DDoS tactics. 

The bottom line? Current mitigation methods just don’t cut it against today’s sophisticated DDoS threats. CSPs need more advanced, scalable solutions to protect their networks and customers.

Going all-in

If CSPs are going to expand into managed security services, they need better and more scalable DDoS mitigation for themselves and, by extension, their end customers. The best way forward here is a hybrid approach with on-premise hardware (the more scalable and out-of-the-box the better) and a cloud component like a DDoS mitigation network. This provides the most robust protection as well as the option to offload traffic to the cloud provider when needed.  

Using a hybrid cloud model offers several advantages. One is simply its raw effectiveness. Cloud services are naturally scalable and thus better suited to handling larger attacks that traditional methods might struggle with. Also, they can expand alongside the CSP much more easily than pure- hardware-based solutions.

It also means CSPs can outsource DDoS prevention to specialist experts compared to self-configured firewalls or rate-limiting. This is why SaaS models exist in the first place, freeing up internal resources to focus on the core business and DDoS is a niche that in-house teams rarely have the expertise for. 

But ultimately, it comes down to profitability. Cybersecurity is ‘easy’ if you have endless money to throw at the problem, but that’s not how businesses operate. It needs to make financial sense and that’s where CSPs investing in scalable DDoS prevention have an ace in the hole. By offering DDoS mitigation as a service to their end customers, CSPs can provide better protection to their end customers and open up a new revenue stream. 

Many CSPs already offer ‘clean pipe’ services to their customers, filtering out malicious traffic. But these services are only as effective as the mitigation methods behind them, which often leave a lot to be desired. By going ‘all in’ and offering end customers comprehensive DDoS mitigation (via cloud services and hardware at the network edge) CSPs can start to position themselves as MSSPs as well. The hardware element is crucial for CSPs to personalise and monetise their managed security services with individual customers. With this model, they better protect their network, and their customers, and can turn a cost centre into a profit centre.

As technology continues to evolve, so must the strategies to protect it. CSPs, currently grappling with DDoS mitigation in a low-margin environment are actually well-positioned to lead the charge in network security. By adding a string to their bow in adopting the role of MSSPs, Communication Service Providers can differentiate themselves in a competitive market, open up a brand new revenue stream and better protect their end customers – it’s a win-win for everyone involved.