March 14, 2024

Maximizing Results with Minimal Complexity: The Advantages of a Simple yet Effective Cloud Diversion Policy

Customers who are responsible for the ownership or management of an Autonomous System (AS) can greatly benefit from leveraging Nexusguard Cloud Diversion to ensure comprehensive protection for their entire IP subnet, as discussed in our informative Cloud Diversion post. 

This leading-edge solution is designed to activate when traffic levels surpass predetermined thresholds. In such cases, Nexusguard Cloud initiates a Border Gateway Protocol (BGP) route announcement, advertising the /24 IP prefix under attack to the Internet via our advanced Cloud Diversion App. This strategic approach diverts the customer's traffic towards our highly secure and efficient scrubbing centers for thorough cleansing.

Once the scrubbing process is successfully completed, legitimate traffic is seamlessly routed back to the customer network via a pre-established GRE (Generic Routing Encapsulation) tunnel, ensuring a seamless and secure transmission of data.

Choosing the Optimal Timeframe for Cloud Diversion

When it comes to triggering a route diversion, network administrators often associate it with DDoS attacks, and rightfully so. The immediate focus shifts towards setting up a robust detection policy, meticulously analyzing attack signatures, thresholds, and other relevant attack details.

However, for a route diversion to deliver its intended impact, the crux lies in establishing an optimal and precise detection policy. Despite diligent monitoring and analysis of traffic profiles by network administrators, false positives and false negatives are inevitable due to the dynamic nature of Internet traffic and the constant evolution of zero-day attacks and exploitable vulnerabilities. Multiple dependencies come into play, influencing the effectiveness of the diversion policy.

Let's consider false positives as an example. They occur when the detection threshold is not appropriately set, potentially triggering a route diversion and activating mitigation measures when no actual attack is present. While this may result in a false alarm, the real concern lies with false negatives. In these cases, a genuine attack goes undetected, allowing the attack to bypass proper mitigation measures.

In practical terms, achieving a flawless detection policy is an elusive goal. Some may argue that continuous monitoring, analysis, and fine-tuning can lead to an optimal policy, especially when protecting a finite number of network resources. However, it is important to acknowledge that the magnitude of effort required for such optimization should not be underestimated.

When confronted with the daunting challenge of mitigating volumetric DDoS attacks, it may be beneficial to approach the issue from a fresh perspective. Such attacks aim to disrupt network availability by consuming all available bandwidth. However, a significant advancement emerges when three fundamental questions are effectively addressed:

1. What is the total amount of Internet capacity available?

Understanding the overall capacity of the network plays a pivotal role in formulating an effective diversion policy. By quantifying the available resources, network administrators gain valuable insights into the infrastructure's potential to withstand and absorb attacks.

2. During peak and off-peak hours, how much spare capacity is available?

Identifying the surplus capacity during peak and off-peak hours is essential. This knowledge empowers administrators to gauge the network's resilience and determine how much spare capacity can be harnessed to absorb attacks without compromising service quality or degrading network performance.

3. How much spare capacity is capable of absorbing an attack without causing any service impact or network degradation?

The ultimate goal is to establish a diversion policy that can effectively handle traffic surges regardless of whether they have been identified as attacks. By accurately assessing the spare capacity that can be utilized without causing service disruptions or network degradation, administrators can strike a balance between providing uninterrupted services and safeguarding against potential threats.

By addressing these three fundamental questions, network administrators can gain a solid foundation for designing a robust diversion policy, enabling effective mitigation of volumetric DDoS attacks. This fresh perspective embraces the proactive management of network resources, ensuring optimal utilization and resilience in the face of evolving cyber threats.

Simplified and Effective Cloud Diversion Policy

The underlying principle is elegantly simple: when faced with uncertain attack scenarios, the Cloud Diversion app homes in on abnormal traffic levels that may jeopardize network availability and quality. Such anomalies could arise from volumetric DDoS attacks or unexpected surges in traffic load, like those encountered during commercial promotions or flash crowd events. In both cases, the optimal strategy revolves around intelligently diverting the traffic load to a trusted cloud provider for meticulous inspection and handling, all while ensuring uninterrupted services for other users. The result? A significant reduction in collateral damage and enhanced network protection.

Figure 1 - Guidance to Nexusguard Cloud Diversion Policy 

Consider a protected network with a total Internet capacity of 1 Gbps. During regular operations, the utilization peaks at 700 Mbps, leaving a significant spare capacity of approximately 300 Mbps. In the case of a network comprising two class C (/24) networks, the average utilization per class C hovers around 350 Mbps.

Maintaining traffic levels at or below 350 Mbps is considered normal for the network. Even if the traffic level of a single class C increases to 450 Mbps, it remains within a safe range from the broader network perspective, with a buffer of 200 Mbps available to accommodate further growth. However, this scenario warrants closer monitoring to ensure sustained network stability.

In cases where the traffic level swiftly returns to normal, it is likely attributed to temporary bursty traffic, which the network can tolerate. However, if the traffic level continues to surge beyond 500 Mbps within a short timeframe, without showing signs of reverting to the baseline level, diverting the traffic to the Nexusguard cloud becomes the optimal course of action. This holds true irrespective of whether this surge is triggered by a genuine DDoS attack or not.
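The walk-through above, together with the three capacity questions from the previous section, can be expressed as a small decision procedure. The following Python script is an added illustration and is not Nexusguard code; it assumes a fixed polling interval, treats a surge as "sustained" once it has stayed above the divert threshold for three consecutive samples (a constructed choice, not a value from the post), uses the RFC 5737 documentation prefixes as placeholder /24s, and feeds in a constructed sample stream rather than measured traffic.

```python
"""Capacity-based cloud diversion policy (added illustration, not Nexusguard code).

All rates are in Mbps. The numbers mirror the walk-through in the post:
1 Gbps link, 700 Mbps peak, two /24 prefixes, 350 Mbps baseline per /24,
above-baseline traffic is watched, sustained traffic above 500 Mbps is diverted.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NORMAL = "normal"    # at or below the per-prefix baseline
    MONITOR = "monitor"  # above baseline but tolerable; watch whether it reverts
    DIVERT = "divert"    # announce the /24 to the scrubbing cloud


@dataclass
class DiversionPolicy:
    total_capacity: float     # question 1: total Internet capacity
    peak_utilization: float   # question 2: observed peak use of the whole link
    prefix_count: int         # number of /24s sharing the link
    divert_threshold: float   # per-prefix level a sustained surge must exceed
    sustain_samples: int = 3  # consecutive samples above divert_threshold (assumption)

    @property
    def spare_capacity(self) -> float:
        # question 3: headroom that can absorb a surge without degrading service
        return self.total_capacity - self.peak_utilization

    @property
    def baseline_per_prefix(self) -> float:
        # the "average utilization" parameter; anything above it warrants monitoring
        return self.peak_utilization / self.prefix_count


@dataclass
class PrefixState:
    last_mbps: float = 0.0
    above_divert: int = 0  # consecutive samples above divert_threshold
    diverted: bool = False


class DiversionMonitor:
    """Applies the policy to a stream of per-prefix utilization samples."""

    def __init__(self, policy: DiversionPolicy):
        self.policy = policy
        self.state: dict[str, PrefixState] = {}

    def observe(self, prefix: str, mbps: float) -> Action:
        p = self.policy
        st = self.state.setdefault(prefix, PrefixState())
        st.last_mbps = mbps
        if st.diverted:
            # Stays diverted until the route is withdrawn after scrubbing (not modelled).
            return Action.DIVERT
        if mbps > p.divert_threshold:
            st.above_divert += 1
            if st.above_divert >= p.sustain_samples:
                # Sustained surge with no sign of reverting: divert, attack or not.
                st.diverted = True
                return Action.DIVERT
            return Action.MONITOR
        # Dropped back below the divert threshold: treat the excursion as a tolerable burst.
        st.above_divert = 0
        return Action.MONITOR if mbps > p.baseline_per_prefix else Action.NORMAL

    def network_headroom(self) -> float:
        """Link capacity left after the latest sample from every tracked prefix."""
        return self.policy.total_capacity - sum(s.last_mbps for s in self.state.values())


def run_example() -> list[Action]:
    """Constructed sample stream (not measured data) for one /24 polled at a fixed interval."""
    policy = DiversionPolicy(total_capacity=1000, peak_utilization=700,
                             prefix_count=2, divert_threshold=500)
    mon = DiversionMonitor(policy)
    mon.observe("198.51.100.0/24", 350)  # the quiet neighbour /24 sits at its baseline
    samples = [340, 450, 520, 380, 560, 590, 620, 640]
    return [mon.observe("203.0.113.0/24", m) for m in samples]


if __name__ == "__main__":
    for sample, action in zip([340, 450, 520, 380, 560, 590, 620, 640], run_example()):
        print(f"{sample:4d} Mbps -> {action.value}")
```

In the constructed stream the single excursion to 520 Mbps that falls back to 380 Mbps is treated as a tolerable burst and only earns closer monitoring, while the run of 560, 590 and 620 Mbps never reverts and triggers the diversion; the policy never needs to know whether that run was a DDoS attack or a flash crowd.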

Benefits of this Approach

  • The idea is refreshingly straightforward, making it accessible and uncomplicated to comprehend and implement. With this approach, you can sidestep the complexities of intricate attack detection and instead focus on a minimal set of parameters. When establishing the diversion policy, you only need to consider one or two key factors: the average utilization and the threshold traffic level at which the network quality begins to suffer or deteriorate.
  • It operates independently of the accuracy of the attack detection policy, and is designed to minimize and manage the risk of large-scale attacks slipping through undetected. With this method, you can maintain a high level of confidence in your network's security, as the potential for significant attacks to bypass your defenses is kept to a minimum.
  • The detection lead time is significantly reduced, eliminating the need to wait for lengthy detection analysis. This means you can take swift action without delay. Rather than relying on time-consuming detection processes, you can proactively address potential threats and mitigate risks promptly. 
  • Collateral damage is effectively minimized, even in non-attack scenarios where bursts of legitimate traffic consume the entire available bandwidth. In such cases, where no malicious intent is involved, the conventional diversion mechanism is not triggered. However, the network can still experience congestion, resulting in degradation of service quality and a subpar experience for other users on the network. To address this issue and ensure optimal network performance, a viable solution is to divert the high-traffic class C network to the Nexusguard Cloud. This strategic move effectively releases the burden on the network, freeing up valuable bandwidth and alleviating congestion.

The Nexusguard Cloud Diversion app is available to customers using our Origin Protection service. For further information, please read about Nexusguard's Origin Protection.

Nexusguard's advanced Cloud Diversion method provides a seamless and simplified approach to swiftly diverting networks experiencing attacks, enabling comprehensive, continuous, and autonomous diagnosis.
