DDoS, Apps, IOS-XR, XR, NCS 540, Access, Security, Hosting

Introduction

Cisco Secure DDoS Edge Protection provides a highly distributed and scalable DDoS security solution to mitigate volumetric DoS/DDoS attacks in 5G Access and Multi-Access Edge Computing (MEC). This solution binds network infrastructure (IOS-XR routers) and security (Radware) together via software and sophisticated algorithms to deliver an innovative solution which mitigates the need for expensive security hardware with dedicated scrubbing infrastructure.

The result is an always-secure, cost-effective and scalable network ready for 5G challenges.

Solution Brief

  • Cisco Secure DDoS Edge Protection runs as a Docker container on IOS-XR based NCS 540 platforms.
  • The IOS-XR platform samples GTP traffic and sends NetFlow records to this Docker container.
  • The containerized agent then detects DDoS traffic and blocks it using IOS-XR native APIs.

Business problem

Traditionally, for DDoS security, Peering and Provider-Edge traffic is backhauled to dedicated scrubbing infrastructure. Not only is this architecture costly, but with 5G deployments and an increasing demand for IoT device connectivity over cellular networks, it also does not scale. There is an immediate need to look at distributed architectures which protect against network flood attacks and critical service disruptions by detecting and mitigating attacks closest to the source.

Challenges with centralized DDoS security solutions:

  • Sub-optimal utilization of backhaul resources.
  • Complexity of deploying tap interfaces.
  • Does not address 5G distributed architecture and complete attack surface.
  • Potential loss of information due to traffic aggregation.
  • Large bandwidth poses challenges with deriving meaningful insights.
  • The traffic sampling rate needs to rise significantly.
  • Sampling may not be very effective at an aggregate point.
  • Difficult to treat data from different access points differently at a central point: loss of context.

Bringing Security to the Network Edge

With Cisco Secure DDoS Edge Protection, the security perimeter is pushed beyond the UPF (User Plane Function). This allows the cell-site router to become the first line of defense against DDoS attacks from compromised User Equipment (UE) devices. Deploying Secure DDoS Edge Protection on the Cisco NCS 540 routers helps to defend against IoT and UE distributed attacks by providing not only detection but also granular mitigation capabilities in a lightweight containerized package.

Security at the Network Edge

  • Turns your edge router into a security device.
  • Available on Cisco NCS 540 platforms.
  • Extends Cisco’s commitment to security innovation at the network edge.

Key benefits

Cisco Secure DDoS Edge Protection

  • Significantly lowers CAPEX and OPEX.
  • Provides better backhaul utilization, better data sampling and contextual data for mitigation.
  • Automates provisioning and configuration with mutual authentication.
  • Learns traffic patterns and automates baselining.
  • Monitors traffic within GTP tunnels.
  • Identifies anomalies and manages distributed attack lifecycle.
  • Mitigates attack traffic leveraging the cell-site/edge router.
  • Reports both peacetime and attack statistics.

Full line-speed DDoS protection

  • New quantile algorithms optimized specifically for the high-speed mobility edge.
  • Software detection combined with hardware mitigation ensures maximum throughput.
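The Solution Brief above describes the detection loop in three sentences: the router samples GTP-U traffic, exports NetFlow records to the agent, the agent compares what it sees against a learned baseline and blocks offenders through the router's APIs; the "quantile algorithms" bullet says how the baseline is learned. The following is an added illustrative example (not Cisco's or Radware's code) of that loop over constructed sampled-flow records. It assumes 1-in-1000 packet sampling, a nearest-rank 95th-percentile baseline per inner (UE) source address with a global fallback for sources never seen in peacetime, and a 5x alert factor; all TEIDs and addresses are constructed, and the actual push of a block action to the IOS-XR API is not shown.

```python
"""Illustrative edge DDoS detector over sampled GTP-U flow records.

Added example, not Cisco or Radware code. Records are NetFlow-style
summaries of sampled GTP-U packets keyed by the UE address carried
inside the tunnel. Peacetime records train a per-source baseline; later
records are compared against it and block actions are emitted.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import ceil

SAMPLING_RATE = 1000        # assumed: router samples 1 in 1000 packets
ALERT_FACTOR = 5.0          # assumed: flag a source at 5x its peacetime baseline
BASELINE_QUANTILE = 0.95    # assumed: baseline is the 95th percentile of peacetime rates


@dataclass(frozen=True)
class FlowRecord:
    """One sampled flow record for GTP-U encapsulated traffic (constructed)."""
    interval: int          # export interval index
    teid: int              # GTP-U tunnel endpoint id (hypothetical value)
    inner_src: str         # UE address carried inside the tunnel
    inner_dst: str
    sampled_packets: int   # packets actually sampled during this interval


def rates_per_source(records):
    """Estimated packets per interval for each inner source, scaled by the sampling rate."""
    rates = defaultdict(lambda: defaultdict(int))
    for r in records:
        rates[r.inner_src][r.interval] += r.sampled_packets * SAMPLING_RATE
    return {src: dict(per_interval) for src, per_interval in rates.items()}


def nearest_rank_quantile(values, q):
    """Nearest-rank quantile: deterministic and cheap enough to run on an edge agent."""
    ordered = sorted(values)
    return ordered[max(ceil(q * len(ordered)), 1) - 1]


def learn_baselines(peacetime_records):
    """Per-source baseline plus a global fallback for sources unseen in peacetime."""
    rates = rates_per_source(peacetime_records)
    per_source = {src: nearest_rank_quantile(r.values(), BASELINE_QUANTILE)
                  for src, r in rates.items()}
    all_rates = [v for r in rates.values() for v in r.values()]
    return per_source, nearest_rank_quantile(all_rates, BASELINE_QUANTILE)


def detect(records, per_source, global_baseline):
    """Return block actions for sources whose peak rate exceeds ALERT_FACTOR x baseline.

    Each action carries the TEIDs the source was seen in, so a mitigation
    (not shown here) can be applied per tunnel rather than per cell site.
    """
    actions = []
    for src, per_interval in rates_per_source(records).items():
        threshold = ALERT_FACTOR * per_source.get(src, global_baseline)
        peak = max(per_interval.values())
        if peak > threshold:
            teids = sorted({r.teid for r in records if r.inner_src == src})
            actions.append({"inner_src": src, "teids": teids,
                            "peak_rate": peak, "threshold": threshold})
    return actions


# Constructed peacetime records: two UEs over five export intervals.
PEACETIME = [
    FlowRecord(i, 0x1001, "10.0.0.1", "203.0.113.10", n) for i, n in enumerate([2, 3, 2, 4, 3])
] + [
    FlowRecord(i, 0x1002, "10.0.0.2", "203.0.113.10", n) for i, n in enumerate([1, 1, 2, 1, 1])
]

# Constructed attack interval: one UE floods, one stays normal, one is new.
ATTACK = [
    FlowRecord(5, 0x1001, "10.0.0.1", "203.0.113.10", 3),    # within baseline
    FlowRecord(5, 0x1002, "10.0.0.2", "203.0.113.20", 40),   # flood from a single UE
    FlowRecord(5, 0x1003, "10.0.0.3", "203.0.113.10", 1),    # unseen source, global fallback
]


def run_example():
    """Train on PEACETIME, evaluate ATTACK, return the block actions."""
    per_source, global_baseline = learn_baselines(PEACETIME)
    return detect(ATTACK, per_source, global_baseline)


if __name__ == "__main__":
    for action in run_example():
        print(action)
```

Two design points matter for an edge deployment: the nearest-rank quantile needs only a sorted list per source, so memory stays bounded by the number of active UEs, and a source with no peacetime history is judged against the global baseline rather than silently skipped, which is the case a newly attached compromised device would otherwise exploit.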

Built for 5G

  • No traffic gating at the UPF means no slowing down of user access to applications (QoE).
  • No traffic gating at the UPF means operators can maintain high SLA for application access.
  • No traffic gating at the UPF means better overall network performance.

DDoS Attack Detection and Mitigation at the 5G Edge

Traditional DDoS security solutions only have visibility into traffic as it exits the encrypted GTP-U tunnel in front of the UPF.
To solve this problem, mobile operators can:

  1. Remove cell-site oversubscription and build the UPF to full throughput capability of the network.
  2. Gate the traffic at the UPF to slow down access to give the solution time to catch up.

Neither option is practical.
The first is prohibitively expensive and the latter will slow application access.

Cisco Secure DDoS Edge Protection is the only solution with full access to the GTP-U tunnel.

  • Granular auto-tuning of DDoS policy enables mitigation at the network device level.
  • Full line-speed DDoS mitigation at the network edge ensures that low-latency 5G applications are not slowed down - optimal QoE.
  • Visibility and reporting of network traffic, both when under attack and during normal operations, allows operators to proactively manage the network.

Additional resources

Support email alias: secure-ddos-edge-protection@external.cisco.com