DDoS

Automated 5G cyberthreat mitigation for service providers and enterprises

The transition to 5G infrastructure will likely increase the risk of a new series of DDoS attacks. These are expected to increase in size, severity, and complexity. Service providers building 5G infrastructure must implement a strategy to help mitigate the impact of attacks on bandwidth and subscribers.

Fortunately, the move to using more virtualized technology can enable service providers to reduce the force and effectiveness of DDoS attacks more quickly and at scale. For example, the F5 BIG-IP VE for SmartNICs solution offers such an opportunity. By combining this solution with virtualized 5G infrastructure using commercial off-the-shelf (COTS) servers, service provider networks can automatically detect and better protect themselves faster than current methods against evolving, volumetric DDoS attacks that can negatively affect subscriber and user access to applications and other services.

In addition to service providers, enterprise organizations undergoing digital transformation will need to respond to these new types of DDoS attacks. The solution described here can offer them the same protection.

In production and available today, many tier 1 server OEMs are qualifying the card in their respective servers.

While DDoS attacks range from targeted acts of retaliation, protest, theft, or extortion to pranksters, they all have one objective: disrupt service availability and reduce the ability of a business to function.

Depending on an attacker’s skills, they may use readily available DDoS tools or launch customized, sophisticated strikes. In general, such attacks may come in a combination of four types:

• Volumetric: Flood-based attacks-often using botnets- at layer 3, 4, or 7

• Asymmetric: Invoking timeouts or session-state changes

• Computational: Consuming CPU and memory

• Vulnerability-based: Exploiting application software vulnerabilities

The most damaging DDoS assaults often blend volumetric attacks, in order to create a diversion, with application-specific attacks, making the actual target or targets difficult to assess.

These types of complex attacks are difficult to defend against and can indicate more-advanced, persistent threats to come.

By rapidly discovering and stopping attacks, service providers can provide better service continuity and maintain subscriber satisfaction. With ‘F5’s BIG-IP VE for SmartNICs solution’, service providers gain comprehensive and highperformance layer 3–7 DDoS software mitigation solution. This high-performance, stateful, full-proxy network security on-premise solution can also be combined with F5’s Silverline cloud DDoS scrubbing service to help alleviate network, application, and volumetric attacks that can enter the network on the most widely deployed protocols.

The on-premise platform can combine F5’s purposebuilt software and cloud scrubbing service—known as F5 Silverline DDoS Protection—which helps provide both reactive and proactive hybrid DDoS defenses. Together they can facilitate always-up services by rerouting attacks away from the data center for cloud-based mitigation.

By moving DDOS specific functions from the CPU on to the FPGAs, the CPU is freed up and allowed to perform as designed. FPGAs can be programmed to quickly execute different tasks. Additional offload functions can be accelerated within the FPGA, making the system flexible for a wide range of high-performance use cases.

The combination of purpose-built software is designed to allow the BIG-IP VE for SmartNICs solution to offer service providers and enterprises the ideal NFV firewall/DDoS protection for virtual or software-based architecture in their data centers. This combination provides equivalent capabilities to dedicated custom hardware helping protect their services and applications.

By applying network threat intelligence and machine learning, packet-based analysis, the solution can more efficiently block network attacks at scale while minimizing compute cycles, providing a CPU-efficient solution lowering TCO by approximately 47% over a 4 year period2. The solution also supports updating black and white lists,  implemented in the SmartNIC, to keep current with evolving threat landscapes.

Service providers using the solution to deploy DDoS protection in new areas and closer to the edge can gain visibility into cyberthreats and attacks that are difficult to see with today’s technology. This visibility, combined with automation, makes it easier to prevent attacks from damaging the network at a low total cost of ownership. DDoS mitigation for the cloud and 5G BIG-IP VE for SmartNICs provides unparalleled DDoS mitigation capabilities in cloud environments as service providers build out their 5G architectures, helping to:

• Increase service availability and reduce latency

• Facilitate a swifter transition from hardware to software without sacrificing performance

• Reduce operating costs through scalability and CPU efficiency while avoiding revenue losses associated with outage.