An unprecedented increase in distributed denial-of-service (DDoS) attacks in recent years has resulted in lost revenue and productivity, increased ransomware costs, and impacted service-level agreements for network operators.
According to Zayo Group's annual DDoS Insights Report, attacks are accelerating rapidly, with a 314% increase in overall attacks from the first half of 2022 to the first half of 2023, surging by 1,300% in some industries.
To address the growing problem of DDoS attacks, in 2022 we launched the industry's first true on-box DDoS solution, Cisco Secure DDoS Edge Protection, with IOS XR 7.7.1 on our Cisco Network Convergence System 540 Series routers.
The first phase of the solution addressed threats from mobile endpoints such as IoT devices and mobile phones, helping customers detect and mitigate DDoS attacks on cell-site routers without the need for a centralized DDoS detection agent or a scrubbing center.
We are now extending this DDoS solution beyond mobility to all IP traffic types, starting with IOS XR 7.11.1 on our Cisco Network Convergence System 5500 and 5700 Series routers.
A traditional DDoS solution includes a centralized DDoS detection agent deployed outside of the router.
It also has a DDoS mitigation engine that typically pushes a Border Gateway Protocol (BGP) FlowSpec rule to divert the traffic to a scrubbing center, or pushes a Remotely Triggered Black Hole rule.
This type of architecture requires the edge routers that face the attack traffic to export NetFlow data or mirrored flows off the routers to a centralized location where the attacks are detected.
As a result, customers can incur substantial operational costs that grow as the scale and frequency of DDoS attacks increase.
With Cisco Secure DDoS Edge Protection, the external detection agent is no longer needed.
Since IOS XR supports an application hosting infrastructure to run Docker containers on the routers, the centralized detection agent is now moved to the router.
Because the agent runs as a Docker container, the integration eliminates the need to export data outside of the router for attack detection.
The mitigation does not involve pushing a BGP FlowSpec rule; instead, a simple API callback to the edge router efficiently blocks the attack traffic.
Provide a dashboard to operators on traffic stats, active attacks, history of attacks, etc.
Customer satisfaction: With faster attack detection integrated on the routers, the overall latency with combined detection and mitigation is drastically reduced.
Improved response time helps network operators meet tighter SLAs with their customers, even under active attack situations.
Defense in depth: With the edge routers acting as the first line of defense, the overall architecture aligns perfectly with the defense-in-depth philosophy on security architectures.
The solution results in additional ROI from the existing routers already deployed in the network.
Investment protection: The solution can coexist with existing DDoS deployments, protecting the investment already made in them.
Fewer dependencies: With the API-based mitigation to block the attacks, there is no longer a dependency on BGP FlowSpec for mitigation.
This Cyber News was published on feedpress.me. Publication date: Mon, 11 Dec 2023 16:43:04 +0000