The looming threat of DDoS attacks in a 5G world

Telesoft Telesoft

The rollout of fifth-generation (5G) wireless networking was supposed to be an engineering walkover, but so far, it’s been anything but. Originally sold as a simple good news story of massively improved throughput, lower latency, and universal access, the first base stations were barely in the ground before critics noticed that 5G was rather different from previous network upgrades.

Cybersecurity at the heart of 5G concerns

One very public anxiety was that the world’s most economically consequential networking technology in history was going to be built by a small elite of equipment makers, none of which are based in the US. Given the huge US investment, this quickly stirred political tensions regarding the influence of China’s Huawei.

In fact, from its earliest days, more general worries over cybersecurity have been at the heart of the 5G debate. Might the complex capabilities that make 5G attractive become its own vulnerability? Could connecting billions of new and untested devices to the Internet inadvertently fuel bigger and more innovative malware, botnets, and DDoS attacks?

Better but riskier

While these threats already exist on today’s networks, 5G adds new uncertainties. First, 5G is based on the principle of decentralisation in which large numbers of base stations sit at the network’s edge to optimise throughput. This, critics say, will make it much harder to monitor traffic for threats in a centralised way. Second, 5G networks are organised using software-defined networking (SDN), which depends on software layers that history suggests will have all sorts of security vulnerabilities.

IoT could be the biggest problem for 5G

Perhaps the most-discussed issue of all is the power 5G hands to devices that connect to it. This includes billions of IoT devices that have a history of weak design and negligent security. Also, because the latency is so low, any security problem on this type of network will happen a lot faster and at higher bandwidths than on older networks, which implies a level of security control that some critics think is unrealistic.

Although these weaknesses have been widely analysed before 5G networks are mainstream, it doesn’t mean attackers won’t try to exploit them once these networks become more common.

IoT proof of concept

The threat posed by IoT became clear with the Mirai incident of 2016. In this case, up to 300,000 unsecured devices were hijacked to direct a huge DDoS attack on targets that included domain registration company Dyn and a security journalist’s blog site.

Mirai’s innovation wasn’t the size and success of its DDoS traffic, but the basic nature of the devices generating the packets – mainly IP cameras and DVRs, but also routers, printers, smoke alarms, and environmental and medical monitoring devices. Mirai wasn’t sophisticated or particularly large, but it didn’t need to be. Four years on, IoT devices are not only more numerous and complex, they’re still far from easy to track or remediate.

The looming threat of DDoS attacks in a 5G world

And yet this generation of poor IoT is barely a scratch in a 5G world where a huge number of once-dumb devices will be given IPv6 addresses and connected to networks designed to make it easy for them to communicate on their own terms.  Unmistakably, in the 5G network the importance of devices, cloud applications, mobile apps, and APIs, raises the risk of both large DDoS events and lots of smaller ones that creep in under limits that might trip today’s mitigation services. It follows, therefore, that in a 5G world, the model of cybersecurity that made Mirai viable – mitigate DDoS attacks after the event – becomes all too risky.

Communications service providers (CSPs) will find themselves in the middle of all this, under growing commercial and possibly regulatory pressure to control what happens on the 5G and cloud infrastructure they manage.

Rising to 5G security challenges

Networks built using 5G will be the most complex networks ever built, taking in huge numbers of virtual subnetworks serving critical infrastructure such as industrial IIoT automation, healthcare, smart cities, the smart home, and consumer IoT. A DDoS event on any one of these could cause chaos, as disruption ripples back from the edge devices and apps through distributed applications to reach the network’s core gateways.

At a network level, the challenge with DDoS attacks is that the defenders must differentiate rogue traffic from the perfectly legitimate. That’s the advantage the attackers always have – they can use any type of packet, hitting any layer from the applications down to the transport layer, to affect any resource. As for DDoS techniques, such as the simple HTTP flood, that’s basically just a way of turning a web server function such as a form submission against it to create an overload.

Defenders can see the flood but not, importantly, what’s causing it, which in most cases is botnet zombies on multiple external networks. All the bad traffic turns up on a network domain courtesy of a carrier, which could theoretically have stopped it with the visibility to detect the botnet’s command & control (C2). This is the principle behind Telesoft’s cyber platform, starting with the high throughput 400Gbps FlowProbe, which isolates and extracts metadata from traffic flows in detail without affecting latency.

This metadata can then be passed to the CERNE intrusion detection module for traffic management and event correlation, before this is analysed by the separate TDAC digital forensics system to help build threat intelligence. There is no single technique that makes it possible to spot the faint signal of a botnet’s packets inside the volume of legitimate traffic. It is about using multiple techniques in real-time so that those packets can be cut off without the risk of false positives.

At the heart of this is visibility, because what can’t be seen can’t be stopped. By the time a DDoS attack has commenced, it becomes about traffic management and remediation, a relatively expensive and disruptive operation. A better approach is to block the botnets before they do damage. In the 5G world, this type of proactive defence before the fact will become essential for these networks to deliver their promised benefits.

Telesoft designs and manufactures the world’s highest rate network visibility platform, enabling large network operators to accelerate their ability to provide superior network detection and response.

Related products