5G cloud native network protection
Distributed Denial of Service (DDoS) attacks are increasing in volume, frequency, and complexity. But the attacks that target 4G networks are far less of a problem compared with the attacks that new 5G networks will experience. The technologies that make 5G such an exciting prospect will also open the door to a marked increase in attacks by cybercriminals against people and infrastructures, says Itay Glick, AVP network and cloud security products at Allot.
The many new access points and devices in a 5G network, for example, increase the attack surface of the network, providing more points of entry to attackers. Even the most obvious benefit of a 5G network, the massive bandwidth, means that the size of attacks, specifically DDoS and botnet attacks, can be an order of magnitude larger than with 4G networks. That said, don’t assume that size is all that matters when it comes to DDoS. Even short ‘pulse’ attacks can steal a significant amount of capacity from 5G networks. More on that below.
Even in a 4G network, DDoS attacks are more than just a hassle. Each attack dumps garbage traffic onto the network, which can affect customer Quality of Experience (QoE) and even high-value SLA deals. With increased customer expectations for 5G, and the increased fees that customers will pay for improved services, the deterioration of service levels is an even bigger issue with 5G networks.
In a 5G network, slices (dedicated logical virtual networks) can support different customer performance requirements, for example, ultra-low latency services or a dedicated slice for a particular application. When a 5G provider offers 5G slices to their business customers, they need to offer end-to-end protection against attacks. Only a network protection solution designed to operate with 5G slices will support this type of offering. Existing 4G DDoS protection solutions simply will not do the job. In a cloud native 5G network, the need for a specialised solution is even more pronounced.
Cloud native 5G networks and cloud native DDoS attack mitigation solutions
In cloud native telecom networks, the network functions are developed as software in a public or private cloud environment. Those cloud environments can be built on one platform or across a mix of several platforms. Cloud native network functions (CNFs) are composed of microservices: small, scalable components that can be called up in conjunction with one another from the cloud to perform their combined function.
Some telecom providers are starting to migrate their legacy networks to cloud native, while others are new to the game of creating a cloud native network from the ground up. Regardless of which scenario is true, cloud native networks deliver advantages that come with security challenges.
The cloud native approach improves network elasticity and scalability. But it adds a level of complexity to DDoS attack detection and mitigation. A cloud native DDoS mitigation solution is likewise built of microservices that are activated and deactivated instantly, as required. Another advantage of microservices for DDoS attack protection is that the detection and mitigation services can run on selected slices for selected applications. This adds to the flexibility of the solution by using the underlying network architecture to its advantage.
Consider latency, reaction speed and small attacks
Flow-based detection exacts a price in speed and latency that 5G networks cannot afford. A big factor in flow-based DDoS detection is the speed at which the routers or switches can export their flows. Most devices are configured to export flow records when the flow is 60 seconds old. This represents a full minute of delay before the router starts sending evidence of an ongoing attack.
Given the latest trend of pulse attacks (over 50% of attacks), which are characterised by massive, short spikes, this method completely fails. By the time the data arrives at the DDoS detection component and mitigation can be triggered, the pulse may already be over. In other words, the damage is done before the defense solution even knows there was an attack to mitigate.
While most devices allow setting the flow record to export at 15 or even 10 seconds, such frequent exports have an associated cost. When routers export more data for detecting DDoS attacks, more processing power is required, and the solution becomes much less cost effective.
The time it takes a flow-based solution to collect, send, detect and mitigate large volumetric attacks might not be such a big problem. But smaller and stealthier attacks may go undetected or take more time to detect, while still causing significant damage. Hackers have recently adopted a new attack technique called “bits and pieces,” which distributes the attack volume across millions of pieces (10 million), either by targeting multiple IPs or via multiple fragments. In this way, they evade DDoS detection systems that rely on massive aggregation of flow statistics.
The alternative to a flow-based DDoS mitigation is an inline solution that inspects all network traffic, as opposed to sampling. A properly deployed inline solution will not add to the network’s latency, which is critical for a 5G network. Also, when all traffic is inspected, even small ‘pulse’ attacks are detected in real-time, something flow-based solutions cannot guarantee.
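To make the timing argument concrete, here is an added toy simulation (not from the article or any Allot product) that compares when a flow-based detector with a 60, 15 or 10 second export timeout first sees a 15-second pulse against an inline per-second rate check; the traffic rates, threshold and pulse duration are constructed values.

```python
"""Toy model of DDoS detection latency: flow-export timeout vs inline inspection.
All traffic figures below are constructed for illustration only."""
from typing import Optional

PULSE_START, PULSE_END = 10, 25      # constructed 15-second 'pulse' attack
ATTACK_PPS, BASELINE_PPS = 50_000, 1_000
THRESHOLD_PPS = 10_000               # alert when average packets/sec exceeds this
HORIZON = 120                        # seconds simulated

def packets_per_second(t: int) -> int:
    """Constructed traffic model: baseline load plus one short pulse."""
    return ATTACK_PPS if PULSE_START <= t < PULSE_END else BASELINE_PPS

def flow_based_detect_time(active_timeout: int) -> Optional[int]:
    """Router exports one flow record every `active_timeout` seconds; the detector
    only sees the aggregate counter when the record arrives (end of the interval).
    Returns the second at which the alert fires, or None if it never does."""
    pkts_in_interval = 0
    for t in range(HORIZON):
        pkts_in_interval += packets_per_second(t)
        if (t + 1) % active_timeout == 0:            # record exported now
            avg_pps = pkts_in_interval / active_timeout
            pkts_in_interval = 0
            if avg_pps > THRESHOLD_PPS:
                return t + 1
    return None

def flow_records_exported(active_timeout: int) -> int:
    """Cost side of a shorter timeout: records the router emits per flow over HORIZON."""
    return HORIZON // active_timeout

def inline_detect_time() -> Optional[int]:
    """Inline inspection sees every packet, so the rate is checked every second."""
    for t in range(HORIZON):
        if packets_per_second(t) > THRESHOLD_PPS:
            return t + 1
    return None

def detected_during_pulse(detect_time: Optional[int]) -> bool:
    """True only if the alert fires while the pulse is still running."""
    return detect_time is not None and detect_time <= PULSE_END

if __name__ == "__main__":
    print(f"pulse runs {PULSE_START}s-{PULSE_END}s; inline alert at {inline_detect_time()}s")
    for timeout in (60, 15, 10):
        dt = flow_based_detect_time(timeout)
        print(f"flow export every {timeout:>2}s: alert at {dt}s, in time: "
              f"{detected_during_pulse(dt)}, records: {flow_records_exported(timeout)}")
```

With the default 60-second timeout the first record arrives 35 seconds after the pulse has ended, while the 10-second timeout catches it at the cost of six times as many exported records.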
Regardless of how DDoS attack protection is implemented, high bandwidth access is common to all 5G networks, and it is not only the primary draw of 5G. It also adds complexity to the process of detecting attacks. High bandwidth connections present an unprecedented amount of data flowing end to end from each connected device on the network. Only an inline solution with a high bandwidth interface in the range of 100Gbps is fast enough to catch attacks among all the legitimate traffic in time to make a difference.
If you build it, build it with DDoS protection inside
New technologies introduce new benefits. They also introduce new challenges and vulnerabilities. A cloud native 5G network opens the door to multiple security vulnerabilities: the growth of bandwidth, unprotected IoT devices used to perform attacks, new latency standards, and the architecture itself. It is important that 5G providers plug the known holes as soon as possible. Rakuten, for example, is in the process of building up an open-RAN cloud-based 5G network. An integral part of the network for Rakuten is security. They are implementing DDoS and botnet attack mitigation as a functioning part of the 5G network so that it goes into operation along with the network.
Only inline DDoS and botnet attack mitigation solutions implemented to protect the 5G user plane can block today’s most complex attacks while providing in-event QoE assurance for mission critical applications. Once attacks are detected and blocked, to prevent future attacks the protection solution needs to collect information on each subscriber from the 5G session management function (SMF) so that infected subscribers can be properly tracked and quarantined.
5G network protection solutions need to mitigate attacks that are initiated both from outside the network, that is, from the Internet, and from the network subscribers themselves. They should be compliant with the unique architectural components of the 5G network, and should be fast enough to handle the massive amount of traffic that needs to be checked to enable fast and accurate attack detection and mitigation, without affecting 5G-level latency. All this is possible. But the 5G network operator needs to do their homework before considering any network protection solution.
The author is Itay Glick, AVP network and cloud security products at Allot.