Malicious traffic has long been a problem for internet service providers (ISPs). In recent years, it has become much more difficult for ISPs to deliver “clean pipe,” primarily because malware, botnets, and distributed denial of service (DDoS) attacks have increased in size, sophistication, and frequency. In particular, the DDoS threat is decreasing internet service availability across the globe. Fortunately, some ISPs are taking a proactive role to thwart this threat.
Given their large attack surfaces and high profiles, ISP networks are attractive targets for DDoS attacks. The more capacity that a service provider has, the more bandwidth is available for funneling attacks towards their customers. As providers expand – adding to, or increasing the size of their links – the DDoS threat expands accordingly. DDoS attacks easily impact service availability, and, in some rare instances, can completely take down an ISP.
ISPs are the conduit of internet connectivity for businesses, so it’s not surprising that many believe that ISPs have an obligation to adequately protect them from DDoS attacks. Enterprise customers have begun to realize that “dirty” internet traffic is on the increase and threatens both their security and bottom line. Overwhelmed with security issues, enterprises are increasingly demanding “clean pipe” from their ISPs who are feeling the pressure.
The Tide is Changing
Internet carriers want to provide “clean pipe” but, at the same time, they feel bound by net neutrality laws to direct traffic from one destination to another without passing judgment about the content. This agnostic stance treats all packets the same, moving traffic – good and bad –through to their end customers.
But the tide is changing; many ISPs are distancing themselves from that traditional role, because two things have shifted in recent years. First, DDoS attacks have increased in sophistication, size, and frequency, making it more imperative and urgent for ISPs to provide DDoS protection for their customers. Second, anti-DDoS technology solutions have evolved in recent years, so it is not only possible to automatically detect and block only DDoS traffic, but to do so affordably.
Modern anti-DDoS technology can be deployed at the peering and transit points of an ISP network to effectively and automatically block bad (DDoS) traffic – even application layer and multi-vector attacks – at a granular level, while allowing good/legitimate traffic to pass through. This protects both the ISP’s own network as well as their downstream customers. It’s much easier to deploy DDoS protection at the network edge, so you never even forward the bad traffic, rather than worrying about whether to consult lawyers having inspected and blocked “suspicious” traffic.
Gaining a Competitive Edge
Ensuring a clean, reliable, pipe for ISP customers is a win-win situation. Optimal network performance adds value to an internet service, and is a powerful competitive differentiator. DDoS protection is a major selling point, and a “no-brainer” for prospective customers. Carriers that capitalize on modern DDoS technology can gain a strong competitive advantage and build loyalty among their customers.
Opportunities for Revenue Streams
Studies have shown that customers expect – and are willing to pay for – DDoS protection. Therefore, eliminating the DDoS threat at the edge of the network not only protects the ISP and its customers, it provides an opportunity for ISPs to generate incremental revenue. ISPs have a golden opportunity to create valuable new revenue streams by incorporating advanced DDoS mitigation into their service offerings; by doing so they can recoup the cost of their DDoS solution within months.
The need for DDoS protection is greater than ever; DDoS attacks are more common, and more powerful, making DDoS protection a “must-have” element of enterprise security. It is logical that ISPs, the gatekeepers of internet connectivity, should provide that protection. Thanks to DDoS technology that is more effective and affordable than ever, ISPs can now effectively protect their own network from DDoS attacks, eliminate service outages and bandwidth loss due to attacks, and generate incremental service revenues and annuities from their customers.
Sean Newman is Director of Product Management at Corero Network Security.
