What Service Providers (and Enterprises) Need to Know About DDoS Scrubbing Services

There are a number of considerations that service providers must make when implementing DDoS scrubbing services for their subscribers. In general, those considerations fall into three categories: business, technical and economic.

In this article, we’ll cover all three of those categories. You’ll learn about:

Then, we’ll look at a couple of case studies that show how these considerations have helped service providers improve their services, increase adoption and improve subscriber stickiness.

Keep reading to discover what service providers should be thinking about before deploying a DDoS scrubbing service, as well as the considerations that enterprises should make while picking a communication service provider (CSP) as their DDoS mitigation provider.

Business Considerations – DDoS Trends

As DDoS attacks have evolved, they’ve become a triple threat in terms of length, strength and sophistication.

Ironically, one reason organizations become unsuspecting victims of DDoS attacks lies in their efforts to embrace ever-evolving networking trends and transformations without making the necessary accommodations in their security posture.

Here are a few examples of such transformations that, if not properly implemented, can accidentally leave organizations, especially enterprises, more vulnerable:

Keeping in pace with these trends, DDoS service capabilities and implementation strategies need to be updated, as well. If they aren’t, the results could be devastating for service providers and enterprises alike.

Technical Considerations – DDoS Defense Deployment Options

Enterprises typically have four major options for DDoS defense:

  1. Firewalls (FWs), intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  2. Cloud scrubbing
  3. Communication service provider (CSP) scrubbing
  4. Hybrid DDoS protection

While one cannot discount the importance of using FWs, IPS and IDS in a network, their use as dedicated DDoS mitigation solutions should be highly discouraged.

When CPSs provide DDoS scrubbing services to enterprises to remove malicious traffic, both CSPs and their subscribers can benefit.

First, CSP scrubbing is a less expensive option for the enterprise. Moreover, it doesn’t involve redirecting traffic through several extra hops like one would in the case of cloud scrubbing solutions. Thus, from a latency perspective, one avoids incurring the extra expense by executing DDoS scrubbing natively within the CSP network.

On top of that, as we’ll see in the case studies presented later, CSPs that offer scrubbing services stand to gain additional profits, improve subscriber stickiness and increase customer/subscriber satisfaction.

So, why don’t all CSPs offer scrubbing services? It all comes down to common practical limitations:

However, a modern approach to DDoS defense can help CSPs overcome those challenges.
Economic Considerations – Deploying Profitable DDoS Scrubbing Solutions
In order to offset the challenges associated with providing DDoS scrubbing services, CSPs should prioritize two strategies:

Together, these strategies will make it possible to build scrubbing services that are both profitable and scalable.

Effective, Automated DDoS Mitigation Solutions

When building a DDoS scrubbing service, it’s essential to eliminate manual intervention whenever possible. Attackers are taking advantage of the benefits of automation, so it only makes sense for defenders to follow suit.

A scaled-up task force is not an effective economic solution to address the rise in DDoS attacks. Instead, DDoS mitigation solutions should be able to automatically detect, mitigate and report DDoS attacks. As simple as this choice sounds, one should note that not all DDoS mitigation solutions are built alike.

Remember, the main objectives of DDoS defenses are to ensure:

While these two objectives may sound one and the same, there’s a subtle difference here that is important to appreciate.

DDoS mitigation solutions that indiscriminately restrict both legitimate and illegitimate traffic may be able to ensure continuous availability of services and infrastructure, but they don’t always ensure access for valid users.

For that reason, it’s crucial that CSPs looking to implement a DDoS mitigation solution seek out a solution that can distinguish between users that are valid and those that aren’t.

Such an automated solution will have to use multi-modal detection and mitigation strategies, including:

Adaptive Escalation, Zero-day Pattern Recognition, DDoS Weapons INtelligence

With all three of those capabilities in place, a fully automated defense system will be able to drop illegitimate traffic and serve legitimate users, while protecting services from DDoS attacks. Across the entire protection cycle, intelligent automation will look something like this:

Automated DDoS defenses

Automated DDoS defenses can also significantly cut down on response times. The speed at which such a system can respond to threats far exceeds that of a manual system, a study from NimbusDDoS discovered:

Automated DDoS defenses cut down response time

Given that 37 percent of organizations are looking for a DDoS defense system with speedy response times, CSPs have a much higher chance of increasing their subscriber/tenant base when offering automated DDoS mitigation solutions on their network.

Scaling of Profits and Differentiated Services

In order to build profitable scrubbing services, service providers must also ensure that their DDoS mitigation solution provides:

  1. A high number of detection policies
  2. A high number of simultaneous mitigations
  3. Differentiated services

The ability to support more detection policies and simultaneous mitigations on a single platform means that one is able to onboard that many more tenants on a single platform. This means higher profit margins for service providers.

However, being able to onboard multiple tenants is only possible if every subscriber feels that the CSP is providing a differentiated DDoS mitigation service that is geared towards their needs.

In terms of differentiated services specifically, it’s important to remember that all of the tenants in a service provider’s environment are running different businesses. None of them have the exact same level of risk tolerance, available budget or business model.

That’s why the most successful DDoS scrubbing services will be differentiated into multiple tiers, from budget to premium:

successful DDoS scrubbing services

In this way, a CSP’s tenants will get more flexibility and the CSP will be able to sell DDoS mitigation services to a wider subscriber base.

As an example, let’s take a look at the deployment diagram of DDoS scrubbing services:

diagram of DDoS scrubbing services

Notice these key elements:

Case Studies: How Two CSPs Saw Major Results from Implementing DDoS Scrubbing Services

Finally, let’s examine how CSPs can benefit from providing DDoS scrubbing services by reviewing a couple case studies.

Leaseweb

Leaseweb is a web hosting company with a strong global presence. The company aimed to set up a DDoS scrubbing service and IP protection system in order to thwart attacks and better retain subscribers.

The company successfully built a DDoS defense system for their own infrastructure, as well as offering DDoS scrubbing services to their business tenants.

When selecting their DDoS IP protection system, Leaseweb had to meet a list of criteria:

After running their system with A10 Networks’ Thunder® TPS DDoS mitigation solution for 90 days, during which time it scrubbed more than 25,000 IP addresses, Leaseweb observed the following results:

Click here to view the full case study.

Acorus Networks

Another case study comes from Acorus Networks, an internet service provider (ISP) based in France.

To defend against DDoS attacks, Acorus aimed to get as close to the attack source as possible.

Their criteria included:

After deploying their DDoS scrubbing service, Acorus saw a variety of benefits, including:

Summary

DDoS attacks continue to rise. For CSPs, implementing an automated DDoS mitigation solution in their network is a key step towards securing it.

After all, a CSP’s position in the network puts them in an ideal place to provide DDoS mitigation services to subscribers.

With a comprehensive, intelligent and automated DDoS scrubbing service in place, CSPs can meet both their and their subscribers’ individual needs, while still maintaining reliable performance and boosting profits.

On the other end of things, enterprises with a CSP that provides such DDoS scrubbing can enjoy greater visibility, uninterrupted service and customized security.

If their DDoS scrubbing service is implemented using the considerations mentioned above, all CSPs will find that those benefits will be well worth the investment.

This article is based off of a recent webinar by Don Shin of A10 Networks and Chief Analyst, Jim Hodges of Heavy Reading. Access the full webinar for free here, or click here to discover the capabilities of A10 Networks’ DDoS protection cloud scrubbing service.


|

August 12, 2019

About Tarun Aggrawal

Tarun Aggrawal is Lead Security Solutions Architect for A10 Networks in North America. Tarun has been at A10 Networks for 8 years, where he has worked extensively on global Service Provider solutions for A10’s customers, with particular focus on DDoS mitigation and Carrier-Grade NAT solutions. Tarun has often been engaged in speaking events and webinars for A10 on his topics of expertise. READ MORE