WASHINGTON, DC — Internet traffic has changed dramatically, and few people have watched the traffic trends for as long as Craig Labovitz, CTO of Nokia Deepfield, the telecom equipment maker’s real-time analytics and DDoS protection unit.
Labovitz founded Deepfield, the security startup, in 2011 and Nokia bought it in 2017. From 2001 to 2011, Labovitz was at Arbor Networks (now part of NetScout), where he also worked on extensive studies of the changing nature of Internet traffic. He presented some trends observed from his most recent deep dive into Internet traffic patterns here at NANOG 76 this week.
DDoS attacks had leveled off for a while, Labovitz told Light Reading this week, but a few things have changed in recent years to “upset the equilibrium.” The first two things are that there are more endpoints in the network, thanks to IoT devices, and the endpoints are more connected and more powerful. “We’ve gone from tens of megs to now Gig-E connected endpoints,” he said. “It’s just a huge explosion in data and it is about to get even more pronounced with 5G.”
The motive of attackers has also changed, Labovitz said. A few years ago, DDoS attacks were mostly gamers attacking other gamers. “Now there are nation-states and we see all kinds of financial motives,” he said.
But while the Internet continues to grow quickly each year in terms of the volume of traffic, the number of content sources from which the traffic originates is consolidating and shrinking at almost the same rate, around 40% to 50% a year, Labovitz said. Indeed, the Internet is getting bigger and smaller at the same time.
This makes a big difference when network operators are doing network engineering for quality of experience and trying to prevent and protect their networks against DDoS and other attacks, Labovitz told the crowd here at NANOG during his presentation on Monday.
Another trend changing the nature of Internet traffic is the advent of content delivery networks (CDNs). They were a “nice to have” for enterprises about ten years ago, Labovitz said, but now if you look at traffic in the US, somewhere around 90% of it is coming or going from CDNs. That includes Netflix, Amazon and “dedicated vendor CDN,” Labovitz said.
“By the time you get to 2019, CDNs aren’t adjunct to the network, CDN is the network,” Labovitz said. And most of that video traffic from CDNs is adaptive rate, “meaning the traffic will swing and grow and try to use all the capacity of the link,” he said. That makes measuring and predicting capacity shortages more challenging — the old tools and methods no longer work and the nature of the traffic is more real time.
What is working in the service providers’ favor, Labovitz said, is that 90% of Internet traffic is accounted for by about 500 or so Border Gateway Protocol (BGP) prefixes. “If you’re looking at a map of the Internet… you actually have a much smaller space to protect against when you’re dealing with DDoS or worms or other threats and you’ve got much more [high-performance] hardware to do it at line speed.”
With Internet traffic coming from relatively few places, Labovitz maintains that you can more easily find the devices or services that are the source of DDoS attacks and shut them down more quickly before they get out of hand. Even though Internet traffic is growing, the fact that it is becoming much more centralized helps because “using existing hardware today, you can block most DDoS,” Labovitz said.
Gone are the days when building specialized appliances using custom silicon would give security vendors (or service providers) a sustainable edge. “You don’t want to fight Moore’s Law… you want to ride it,” he said.
Indeed, Labovitz is optimistic that new types of security solutions are well-equipped to handle the rise in DDoS attacks and other threats. “I think there’s a path where we are seeing providers will let much smarter networks with a higher degree of automation,” he told Light Reading. “So I think we’ve got a path forward.”
Also on the horizon, Labovitz said 5G is looking to be a big market, as the nature of Internet traffic could change again. “5G will be amazing in terms of just the proliferation of high-speed endpoints and, in fact, we’re spending a lot of time on it; for us, it’s a huge market… We spent a lot of time with folks who are very, very concerned about what a compromised 5G endpoint does.”
— Phil Harvey, US Bureau Chief, Light Reading