Successfully Fending Off Distributed Denial of Service Attacks


Distributed denial of service (DDoS) attacks have been a huge problem for businesses and government organizations for many years, so much so that some government officials refer to them as “digital terrorist attacks.”

Akamai’s Q1 2015 “State of the Internet (Security)” report cited a 116.5% increase in DDoS attacks against its customers, compared to Q1 2014. The number of human- and bot-driven attacks is on the rise, as illustrated by Arbor Networks’ recent disclosure of the largest attack ever detected, a 334 Gbps attack targeting a network operator in Asia in Q1 2015.

Now, an innovative interconnection solution is mitigating DDoS attacks before they can cause the costly damage they have traditionally wrought on the Internet community.

In the Netherlands, hosting and Internet service providers have seen a three-fold increase in DDoS attacks on their Dutch Internet infrastructure over the last year. To close the “DDoS hole,” the Nationale Beheersorganisatie of Internet Providers (NBIP), a nonprofit Dutch shared-services center for Internet service providers (ISPs), had a proactive idea. Many medium-to-large Dutch ISPs were experiencing two to four hours of downtime every quarter. Solutions to mitigate these DDoS attacks cost each ISP hundreds of thousands of dollars in anti-DDoS equipment and extra bandwidth, not to mention downtime costs. No single ISP or hosting party could afford to build a DDoS solution big enough to mitigate all DDoS attacks, but a collaborative of providers could.

In 2014, the NBIP came to the Equinix Amsterdam Solution Validation Center (SVC) to test and deploy a DDoS solution for its members, which at the time supported six companies and is now protecting 30 Dutch ISPs and service providers. The NBIP chose Equinix for this proof-of-concept because of its “100% vendor independence,” rich interconnection environment, robust Internet exchange presence, wealth of network providers and trusted, reliable data center infrastructure.

According to Ludo Baauw, a board member of NBIP, they needed a lot of transit bandwidth and Internet exchange connectivity to absorb the DDoS attacks and “Equinix was also the only colocation provider that could set up such a complex and secure test environment within a short timeframe and complete the testing in a couple of weeks.”

The NBIP wanted to develop a carrier-grade solution using multiple DDoS-mitigation hardware vendors. So they did what no one had ever done before – strung together seven different vendors’ solutions, using one anti-DDoS device behind another. Baauw stated, “We wanted to push the limits and then go over them. There’s no silver bullet – no one big box will fix all of your problems.”

They tested the hybrid system with numerous DDoS attacks and, based on the results, selected three different vendors’ solutions for the final NBIP protection system. The fully automated system successfully scrubs Internet traffic, without bringing Web sites down or requiring “blackholing” to stop the DDoS traffic from reaching its intended destination.

The NBIP “national scrubbing center” has been running for over a year with an impressive success rate. The center automatically detects any DDoS attack in under 30 seconds and mitigates 99% of the DDoS attacks in under two minutes. It has proven to be a secure and reliable solution and is so inexpensive that ISPs can afford to offer it to their customers as a free service. Said Baauw, “NBIP is vital to Dutch digital infrastructure, making the Netherlands a safer place to host your digital business.”

The NBIP solution is a perfect example of how Equinix and its SVC can effectively and efficiently bring together different vendors in a neutral place to design, test and deploy commercially successful security solutions, as well as solve multiple IT infrastructure, application and network issues. It’s a powerful example of how companies and interconnection come together within Equinix to accomplish something they could have never achieved alone.