Using Telecommunications DDoS protection is not always a good idea

Telcos and Mitigation: The Challenges with Telecom Carrier DDoS Mitigation Solutions

I’ve had the opportunity to work with cloud-based DDoS mitigation providers for over a decade, and in that time I’ve seen numerous strategies for dealing with DDoS put forward by different sectors of the IT industry. From the traditional ‘big box’ hardware solutions, to public cloud ‘elasticity’, to various hybrid topologies, every year seems to bring a new take on how to deal with DDoS.

Recently there has been an uptick in carriers and telcos providing DDoS protection services, an area they have generally stayed out of, or served only with simple blackholing, a cure that is worse than the disease (blackholing drops all traffic to the target, which completes the attacker’s goal of taking it offline). These telecom carriers, however, have started to offer a more advanced level of protection service, either by leveraging their routing platform capabilities (e.g. NetFlow-based detection combined with FlowSpec, ACL and rate-limit mitigation) or by partnering with a hardware vendor.

Why buy DDoS Protection from a Carrier?

On the surface, purchasing DDoS mitigation from a carrier, especially one you are already using for connectivity, makes some sense to the security-minded professional. Why not leverage an existing relationship and purchase a premium DDoS protection service? The seemingly obvious advantages would be:

  1. One throat to choke – simplified billing and support for your transit and protection needs
  2. The solution would always be on, since you are presumably using the carrier anyway for connectivity
  3. Bargaining power – by adding DDoS protection to the bill of items, you can negotiate transit and protection costs at the same time

It seems like a tidy solution that makes obvious sense to anyone looking for DDoS Protection for their network and applications. However, there are some serious considerations one should take before committing to this strategy.

Many Problems with Telecom Carrier DDoS Solutions

The main problems in using a Telecom Carrier solution are as follows:

  1. Inflexible – if you are running a multihomed network with multiple carriers, a great strategy for ensuring maximum uptime, you really can’t predict whether a DDoS attack will arrive exclusively through the one carrier you are buying DDoS protection from, short of doing significant traffic engineering during the event. Is it financially feasible, then, to purchase DDoS protection from all your carriers to avoid this ad hoc traffic engineering? And what if the product sets differ between the carriers, leaving you with an inconsistent methodology for dealing with volumetric, protocol and application attacks? That would be incredibly difficult to troubleshoot and report on.
  2. Not best of breed – to carriers, DDoS protection is simply an add-on service that makes their core IP transit product more attractive; it is also an attempt to productize a solution they have already invested in to protect their own backbone. This raises the question: how focused can the carrier be in terms of support and product development? The DDoS landscape is constantly evolving, with bigger and more sophisticated attack vectors (e.g. carpet bombing, where the attack is spread across many addresses in a prefix so that no single destination crosses a per-host threshold). Will the carrier keep pace with these emerging threats, or simply block simple UDP floods and call it a DDoS service? Can their support teams quickly analyze and identify the type of attack that is occurring, respond in kind, and ensure there are no false positives?
  3. Limited capability – carrier solutions provide volumetric and, to a limited extent, protocol attack protection and call it full DDoS protection. But what about attacks at the application layer? How do they handle customers who need website protection with advanced WAF capability? Often it’s a convoluted multi-solution setup requiring a CPE device in front of the customer’s application server, or a partnership with a third-party cloud provider, which complicates support of the solution since you will still need to work through the carrier for resolution, which brings us to…
  4. Slow support and poor SLAs – let’s face it, telecoms have a well-deserved reputation for being slow to respond. Similarly, their mean time to resolution (MTTR) is often measured in hours, not seconds. Are you risk tolerant enough to withstand an outage for that long?
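The inflexibility problem in item 1 and the NetFlow-style detection mentioned earlier are easiest to see with numbers. The script below is an added example and not code from the original post: it runs a simple volumetric check over constructed NetFlow-like records (ingress carrier, destination, protocol, port, packets, bytes), breaks the flagged traffic down by the carrier it arrived through, and reports what share of the flood a protection service bought from only one carrier would never see. The carrier names, the 203.0.113.0/24 documentation addresses, the packet threshold and the flow volumes are all constructed for illustration.

```python
"""Per-carrier breakdown of a detected volumetric flood on a multihomed network.

Added example, not from the original post. All records, carrier names,
addresses and thresholds below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (ingress_carrier, dst_ip, proto, dst_port, packets, bytes) for one
# collection interval. Shape is a simplified NetFlow/IPFIX aggregate.
FlowRecord = Tuple[str, str, str, int, int, int]
# A target is identified by (dst_ip, proto, dst_port).
TargetKey = Tuple[str, str, int]

# Constructed sample: a DNS-reflection style UDP/53 flood toward 203.0.113.10
# arrives through all three upstreams, plus normal HTTPS traffic.
SAMPLE_FLOWS: List[FlowRecord] = [
    ("carrier_A", "203.0.113.10", "udp", 53, 4_000_000, 2_400_000_000),
    ("carrier_B", "203.0.113.10", "udp", 53, 5_500_000, 3_300_000_000),
    ("carrier_C", "203.0.113.10", "udp", 53, 2_500_000, 1_500_000_000),
    ("carrier_A", "203.0.113.20", "tcp", 443, 30_000, 36_000_000),
    ("carrier_B", "203.0.113.20", "tcp", 443, 25_000, 30_000_000),
    ("carrier_C", "203.0.113.10", "tcp", 443, 20_000, 24_000_000),
]

# Constructed detection threshold: packets per interval toward one
# (dst_ip, proto, dst_port) tuple before it is flagged as a flood.
PKT_THRESHOLD = 1_000_000


def detect_volumetric(flows: Iterable[FlowRecord], pkt_threshold: int = PKT_THRESHOLD) -> List[TargetKey]:
    """Return every (dst_ip, proto, dst_port) whose packet total, summed
    across all ingress carriers, exceeds the threshold."""
    totals: Dict[TargetKey, int] = defaultdict(int)
    for _carrier, dst_ip, proto, dst_port, packets, _bytes in flows:
        totals[(dst_ip, proto, dst_port)] += packets
    return sorted(key for key, pkts in totals.items() if pkts > pkt_threshold)


def attack_by_carrier(flows: Iterable[FlowRecord], target: TargetKey) -> Dict[str, int]:
    """Packets toward the flagged target, keyed by the carrier they came in through."""
    per_carrier: Dict[str, int] = defaultdict(int)
    for carrier, dst_ip, proto, dst_port, packets, _bytes in flows:
        if (dst_ip, proto, dst_port) == target:
            per_carrier[carrier] += packets
    return dict(per_carrier)


def unprotected_share(flows: Iterable[FlowRecord], target: TargetKey, protected_carriers: Set[str]) -> float:
    """Fraction of the attack that arrives via carriers whose scrubbing we did
    not buy, i.e. the part a single-carrier service cannot mitigate."""
    per_carrier = attack_by_carrier(flows, target)
    total = sum(per_carrier.values())
    if total == 0:
        return 0.0
    uncovered = sum(p for c, p in per_carrier.items() if c not in protected_carriers)
    return uncovered / total


def coverage_report(flows: List[FlowRecord], protected_carriers: Set[str],
                    pkt_threshold: int = PKT_THRESHOLD) -> Dict[TargetKey, dict]:
    """Combine detection and per-carrier breakdown for every flagged target."""
    report: Dict[TargetKey, dict] = {}
    for target in detect_volumetric(flows, pkt_threshold):
        report[target] = {
            "per_carrier_packets": attack_by_carrier(flows, target),
            "unprotected_share": unprotected_share(flows, target, protected_carriers),
        }
    return report


if __name__ == "__main__":
    # Protection bought from carrier_A only (the scenario in item 1).
    for target, info in coverage_report(SAMPLE_FLOWS, {"carrier_A"}).items():
        dst_ip, proto, port = target
        print(f"flood toward {dst_ip} {proto}/{port}")
        for carrier, pkts in sorted(info["per_carrier_packets"].items()):
            print(f"  via {carrier}: {pkts:,} packets")
        print(f"  share arriving outside carrier_A protection: {info['unprotected_share']:.0%}")
```

In the constructed sample the UDP/53 flood is flagged while the HTTPS flows stay under threshold, and two thirds of the flood enters through carriers B and C. Unless that traffic is steered onto carrier A during the event (the traffic engineering item 1 warns about), the single-carrier service only ever sees one third of the attack.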

Conclusion

Telecom DDoS protection services on the surface offer a simple add-on solution for network and hosting providers. However, if your business requires 100% uptime with no disruptions to service, you would be well advised to look deeper into the capabilities and response times of these solutions and compare them to offerings from dedicated DDoS mitigation companies that focus strictly on protection against DDoS.