July 16, 2018

Can “clean pipe” really clean dirty traffic?

For some years, ISPs have relied heavily on router-based defence and/or anti-DDoS appliances to offer the “clean pipe” solution, delivering clean traffic to their customers for a fee. That method might be effective for handling smaller, simple attacks. But as modern-day attacks become larger and more complex than ever, using legacy in-house or on-premise solutions to defend against such threats is far from adequate.


This is akin to attaching a filter to the end of a faucet in the hope that what comes out would be of the purest quality and free from any form of contaminants.


Faucet water filter vs water treatment plant

The truth is that defending against DDoS attacks is far more complicated than filtering contaminants from running tap water. The general public expects water to be delivered to their homes free of germs and contaminants. The customers of an ISP expect the same of their traffic. Delivering traffic that is clean inside out requires a full-fledged DDoS mitigation platform, comparable to a water treatment plant, deployed on the edge of the ISP's network.


It doesn’t matter if mitigation is carried out by configuring edge routers or other on-premise hardware; human intervention is still involved. Human-caused delays in “time to mitigate” create a window of opportunity that allows cybercriminals to steal from, or spy on, the victim.


When the size of an attack swells and threatens the stability and availability of an ISP network, odds are that traffic to the target customer will be dropped (blackholed is the technical term) by the service provider to avoid collateral damage affecting other non-victim customers. In other words, access to the victim network is sacrificed for the availability of the rest of the network.


ISPs expected to protect customers from DDoS attacks

Blackholing certainly does seem to be a tempting option. However, one unhappy customer can now ruin a reputation, as bad word of mouth spreads quickly. There is also a growing consensus that ISPs should protect end customers from DDoS attacks and ensure maximum network availability. Customers, therefore, look for more reliable ISPs who can respect their need for uptime. Thankfully, service providers are increasingly turning to industrial-grade DDoS protection service providers such as Nexusguard to do the job for them.


Like water treatment plants sited close to lakes and reservoirs, our DDoS mitigation platform, when working on the edge of an ISP network, can actually “scrub” raw traffic and let in only clean traffic. The combination of detection intelligence, multiple mitigation layers, and a SOC can also be compared to the layers of processing in a water purification plant. This effectively protects the ISP’s own network while ensuring the safety of the downstream customers.


DDoS mitigation is a powerful differentiator

Offering DDoS mitigation as a service helps differentiate a service provider. It immediately takes the brand to the next level and presents a prime opportunity to explore new revenue streams and to retain existing customers while attracting new ones. It also helps improve customer loyalty and adds a DDoS mitigation service to the ISP’s cybersecurity product offerings. Partnering with Nexusguard is a win-win strategy for both the service provider and the end customers.


The legacy clean pipe service is just like your home’s faucet filter, come to think of it. You can think of Nexusguard as a total water treatment and management solution provider. Our mitigation platform combines a globally distributed scrubbing network and proprietary technology, backed up by a 24x7 SOC.


This ensures that traffic is purified and treated at all points of the supply cycle, making sure every drop of water, or in this case, data, from the tap is perfectly safe and potable.


| Traditional Clean Pipe | Cloud-based DDoS Mitigation |
| --- | --- |
| Mitigation effectiveness relies on hardware throughput. Latency issues are common due to limited ISP local network capacity. | Fully redundant cloud mitigates and absorbs massive and complex attacks. Latency is minimized. User experience is better overall. |
| Blackholing the victim's traffic is a common resort to avoid collateral damage. | Global cloud scrubbing, intelligence-based detection and proprietary mitigation technologies are put to good use. Blackholing is thus not needed. |
| Clean pipe is offered as a side business and not the main point of focus. Zero-day attacks are not anticipated. | Dedicated DDoS mitigation service providers like Nexusguard have a team of experienced security experts and researchers. This helps address emerging security challenges. |


For more information, please read about Nexusguard’s Managed DDoS Mitigation Platform.
