Internet Peering + DDoS Mitigation = Resilient Security

Combatting the threat of internet attacks

Michel Ludolph
Guido Coenders

No one was more surprised by the wild success of the internet than its original founder. The U.S. Defense Department’s Advanced Research Projects Agency (ARPA) started developing the underlying internet protocol (IP) for its private and highly secure Defense ARPANET back in 1969. However, these visionary developers did not foresee that 50 years later, the ARPANET’s public-facing offshoot, the internet, would become so vulnerable to bad actors taking advantage of its open, interconnected architecture.

The Evolution of the Defense ARPANET Before It Became the Public Internet

Source: ARPANET 1969-1977. Wikipedia

As an open network, the internet allows anyone to connect to anyone. Crucial to this infrastructure, as illustrated by the dots in the maps above, are “network peering points,” where networks interconnect. These interconnects, known as “internet exchanges,” enable different network carriers to equally share (peer) network segments in order to transfer data traffic over a “common” IP-based network. Peering brings the benefits of better throughput performance and scalability, and can also lead to savings in network costs because one can aggregate traffic to multiple peers on one physical connection.

Equinix Internet Exchange™ enables networks, content providers and large enterprises to exchange internet traffic through the largest global peering solution across 35+ markets. Since the initial launch of the Equinix International Business Exchange™ (IBX®) data center in Ashburn, VA (DC1), peering and the Internet Exchange platform have been at the center of attracting telecommunications carriers and other network service providers, as well as content providers, to Equinix facilities. With over 1,700 networks peering on the 35+ global Equinix IX platforms, the Internet Exchange continues to provide value to existing customers and attract new peering participants to global IBX data center locations.

Leveraging the Internet Exchange and Equinix Connect, Equinix offers its customers in IBX data centers direct internet access via IP-Transit services. This service aggregates upstream bandwidth from major ISPs and makes it available to downstream customers as a single-source solution, taking advantage of local exchanges to reduce latency. Equinix offers multihomed configurations of this service that carry a 99.99% availability service level agreement.

Creating robust and resilient security against DDoS attacks

Nowadays, internet access is business critical. Any service breach can result in a significant loss of money and business, and some governments even say that any failure or disruption “would result in severe social disruption and poses a threat to national security.” This is why distributed denial of service (DDoS) attacks are so worrisome to every IT organization around the world.

The first reported DDoS attack dates back to 1999 and was carried out by 114 computers resulting in a two-day outage of its intended victim’s services – in this case, the University of Minnesota. Since then, DDoS attacks have increased dramatically in size and it’s becoming more difficult to protect against them via conventional methods. As a case in point, in 2018, GitHub sustained the largest DDoS attack to date, involving a 1.35-terabit-per-second (Tbps) attack against the site.[i]

In a DDoS attack, the attacking computers send massive amounts of traffic to the victim’s host all at the same time. The attacking computers can be any Universal Plug and Play (UPnP) device, ranging from closed-circuit TV (CCTV) cameras, video recorders and IoT devices to home computers and routers. These devices become part of a so-called “botnet” as a result of being hacked or simply being accessed via a pre-configured default password. The devices are centrally controlled by DDoS perpetrators and can be located anywhere across the globe, making the attack truly distributed by nature and extremely difficult to defend against.

For example, the table below provides an overview of the origins of the Mirai malware botnet, with the top 10 source countries out of a total of 164 countries.[ii]

Geo-Locations of All Mirai-Infected Devices

Source: Imperva

To mitigate these risks, internet service providers (ISPs) have experimented with alternative techniques over the years that take advantage of the distributed nature of DDoS attacks. For instance, the Trusted Network Initiative in the Netherlands set up trusted network routes between participating domains.[iii] However, this technique did not succeed because it turned out to be too cumbersome and too complex to organize trusted domains amongst the various participants.

In support of providing direct internet access with high availability, Equinix Connect includes DDoS protection via “blackholing,” a technique that discards all unicast traffic destined for a certain domain or victim’s address, so that it never reaches the target.

More sophisticated mechanisms are available via Equinix’s ecosystem/partner network from vendors such as F5 or Imperva, who offer scrubbing services that separate real traffic from dirty/fake traffic via the Equinix Cloud Exchange Fabric™ (ECX Fabric™).

Equinix also proposes an alternative method, one that does not require a collaborative effort among the IX participants. It is simply a matter of temporarily blocking all IP-Transit traffic while accepting direct traffic from selected ISPs/eyeball networks only. Governments can, for example, restrict originating traffic to a certain geographical area and still offer access to the country’s inhabitants. This denies all traffic from abroad, accepting the temporary service loss to those not in the country itself.

This technique, called “Equinix Mitigation Peering,” combines IP-Transit/Equinix Connect with IX/Peering-services, as depicted below:

Equinix Mitigation Peering

During a DDoS attack, IP-Transit is disabled, so that only traffic originating from a subset of ISPs is allowed, selected by geographical area or other predefined characteristics. This dramatically limits the volume of the attack that reaches the victim.

Mitigation peering can prove to be an effective defense mechanism against DDoS attacks. Ideally, mitigation peering is combined with blackholing and/or scrubbing. The major advantage of mitigation peering is that it is scalable and can cope with today’s large and costly DDoS attacks. In fact, your local Equinix Global Solutions Architect can help you develop a robust mitigation peering strategy that best meets your business requirements.
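As an added illustration, not Equinix’s own configuration, the following FRR-style BGP policy shows how the combination of mitigation peering and blackholing described above can be expressed on a customer’s edge router: the attacked prefix is withdrawn from the IP-Transit session and kept only on the session to a selected domestic IX peer, while a host route for the single flooded address is sent upstream tagged with the RFC 7999 BLACKHOLE community. All AS numbers and addresses are documentation-range placeholders, and the upstream is assumed to honour the 65535:666 community.

```frr
! Added example: FRR-style BGP policy for mitigation peering plus blackholing.
! ASNs and prefixes are constructed placeholders from the documentation ranges.

! Prefix under attack (placeholder) and the single host address being flooded.
ip prefix-list VICTIM-NET seq 10 permit 203.0.113.0/24
ip prefix-list VICTIM-HOST seq 10 permit 203.0.113.10/32

! The flooded host is sacrificed entirely: discard its traffic locally too, and
! have a route to originate from. The /24 is assumed to already be in the RIB.
ip route 203.0.113.10/32 Null0

! Toward the IP-Transit upstream during mitigation:
!  - advertise only the /32 host route, tagged BLACKHOLE (RFC 7999, 65535:666),
!    so the upstream drops traffic for that address at its own edge;
!  - do not advertise the covering /24, so traffic arriving via transit
!    (i.e. from abroad) has no path to the rest of the network.
route-map TRANSIT-OUT permit 10
 match ip address prefix-list VICTIM-HOST
 set community 65535:666 additive
route-map TRANSIT-OUT deny 20
 match ip address prefix-list VICTIM-NET
route-map TRANSIT-OUT permit 30

! Toward the selected domestic eyeball ISP reached over the IX:
!  - keep advertising the /24 so that ISP's customers retain service;
!  - never leak the blackhole host route to a peer.
route-map IX-PEER-OUT deny 10
 match ip address prefix-list VICTIM-HOST
route-map IX-PEER-OUT permit 20

router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description IP-Transit upstream (placeholder)
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description domestic eyeball ISP via IX peering (placeholder)
 address-family ipv4 unicast
  network 203.0.113.0/24
  network 203.0.113.10/32
  neighbor 192.0.2.1 route-map TRANSIT-OUT out
  neighbor 198.51.100.1 route-map IX-PEER-OUT out
 exit-address-family
```

Restoring normal service afterwards means removing the deny entry for VICTIM-NET from TRANSIT-OUT and deleting the /32 static route and its network statement; the upstream withdraws the blackhole as soon as the tagged route disappears.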


Michel Ludolph, Global Solutions Architect (GSA)
Guido Coenders, Global Principal at Equinix