The Power of ISP Collaboration for DDoS Mitigation

For the first time in history, the annual number of observed distributed denial-of-service (DDoS) attacks in 2020 crossed the 10 million attack threshold, with NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) seeing 10,089,687 attacks over the course of the year. Unfortunately, that activity has surged into 2021, with threat actors launching approximately 2.9 million DDoS attacks in the first quarter of 2021 alone—a 31 percent increase from the same time in 2020. 

These attacks have changed the way ISPs think about DDoS mitigation. Rather than going it alone, they can use their position close to the source of the attacks to build collaborative networks with other ISPs, both upstream and downstream. By leveraging their ability to see malicious traffic early, ISPs can use such initiatives to assist customers and improve mitigation efforts.

It Takes an Industry

Ideally, such collaboration should extend beyond ISPs to include other stakeholders, but the industry has to climb aboard the collaboration train first—and as previous efforts show, some are reluctant to do so.

Plans such as the Internet Engineering Task Force’s (IETF) DDoS Open Threat Signaling (DOTS) program attempted to develop a collaboration initiative. The aim of DOTS was to develop a standards-based approach for the real-time signaling of DDoS-related telemetry and threat-handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation.

But programs such as these required companies to install provisioned infrastructure or share attack data to a central database, which was an issue. The perceived risk of sharing system data with other companies or storing it in the cloud caused many organizations to balk at these requirements.

But that reluctance—often at the senior executive level—doesn’t mean these initiatives lack value. Indeed, the industry as a whole can make significant strides in DDoS protection if stakeholders can coordinate DDoS protection across the spectrum.

This collaboration falls into three categories: ISP-to-ISP collaboration, customer-to-ISP collaboration, and threat intelligence sharing.

ISP to ISP

Attack collaboration among ISPs requires a fully integrated inter-network signaling mechanism that allows network operators to share attack attributes and coordinate defenses spanning network boundaries to collectively stop DDoS attacks nearer to their source. For example, one ISP (ISP A) may see DDoS traffic that is attacking its network customers but that originates or passes through an upstream ISP (ISP B). ISP A could then alert ISP B that the identified attack traffic is coming through ISP B’s network, while also providing attack details and potentially attack countermeasures.

Customer to ISP

Customer-to-ISP collaboration works via an on-premises solution that can share attack attributes with upstream ISPs. The upstream providers can use the identified attack attributes to create countermeasures within their systems and further share those countermeasures with their peers and other customers.

Sharing Threat Intelligence

To help support the DDoS defense community as a whole, stakeholders can use a system to curate and send anonymous attack statistics to other players in the community, providing information about observed DDoS attacks and other forms of observed cyber threat activity.

As the global DDoS threat landscape grows and attacks become more frequent and complex, worldwide network operators, their peers, and their customers must adapt to successfully identify and mitigate these new attacks. Collaboration across a wide swathe of internet entities looking for protection is a big step forward.

Learn more about orchestrated mitigation