GCN recently published an article titled “Why ISPs don’t throttle DDoS traffic,” which argues that DDoS attacks like the one on Dyn are so effective because ISPs are not able to identify and block malicious traffic before traffic overloads occur.
It’s an interesting dilemma, especially when you consider that there is no incentive for ISPs to proactively protect their customers from DDoS, because they still get paid, and in fact get paid more as network traffic increases.
The inherent nature of a DDoS attack creates the need for significant additional bandwidth, which the ISP provides, passing the additional charges along to the customer. How is this OK?
In fact, proven solutions exist today that protect customers from DDoS attacks, and ISPs need to recognize them and make them available to their customers.
Software Defined Perimeters (SDPs) are a little-known but emerging solution shown to be 100% effective in thwarting DDoS attacks. The primary effect of the SDP is that it allows good packets and connections while dropping bad packets and preventing bad connections. In the event of a DDoS attack, SDP proactively identifies malicious traffic, automates the ISP’s ability to immediately block it, and stops the traffic from reaching the protected services.
ISPs could use SDPs to protect all of their customers. This would also create a positive communal impact, protecting other customers using that ISP from the same attack.
Today, the ISPs look bad for not proactively providing DDoS solutions to their customers. The solutions exist, but there needs to be a willingness to consider a new way of thinking about network traffic, cyber security and bandwidth in general.
It could be as simple as ISPs being good corporate citizens by educating their customers and making SDP solutions available to them to help prevent and protect against DDoS attacks.
Stay tuned as SDPs are emerging as a key component in a new security paradigm for reducing and eliminating risk. They incorporate industry input and lessons learned from successful commercial implementations of SDP by leading enterprises such as Coca-Cola, Mazda, and Google, and large government organizations like the DHS.
SDPs continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion attempts to date – all unsuccessful.
For more information, check out this white paper on Software Defined Perimeters.
Also feel free to check out the industry’s first open source reference implementation of SDP developed by Waverley Labs. The reference architecture and repository can be accessed and downloaded here.