Applying NFV to DDoS Protection

By Kirill Kasavchenko

As with any new technology, Network Function Virtualization (NFV) has its own adoption cycle driven by business realities. Once a subject of hype, NFV is a reality for service providers in 2018. NETSCOUT Arbor sees a lot of customers either deploying or evaluating NFV in earnest; quite a few are already using it to deliver revenue-generating services to their customers. The motivation for deploying NFV in service provider environment is clear: to deliver managed services more quickly and more cost-effectively, enabling their consumption by small- to medium-sized enterprise customers (SME) and broadening the market in the process. To achieve these goals, service providers are looking to automate many aspects of service delivery and turning to management and orchestration systems (MANO) for help, sometimes shortened to “orchestrators.”

What does this have to do with DDoS protection, you might ask? Well, service providers do a good job providing cloud-based DDoS protection. However, it should not come as surprise that for an increasing proportion of customers there is a need for hybrid or multi-layered DDoS protection – the concept pioneered by NETSCOUT Arbor back in 2011.  Hybrid DDoS protection consists of a cloud DDoS protection service paired with a network / data-centre perimeter DDoS defense. Hybrid defense is needed to provide more immediate, localized protection from today’s sophisticated multi-layer attacks given the increasing importance of internet connectivity on business continuity.

Historically, to roll out the network / data-centre perimeter component of a layered defense – using a CPE device like NETSCOUT Arbor APS – providers needed to supply an appliance or VM image and then reconfigure their customers’ perimeter protection to add in the new capability – often a manual, costly and time-consuming process. This is exactly where NFV helps.

Using NFV, a service provider can deploy a chain of security functions (service chain) within the provider data centre, where DDoS protection becomes one component along with firewall, IPS, WAF, anti-spam and other defensive technologies. After inspection, traffic is delivered back to the enterprise network. That might sound complex (and it actually is when we are talking about designing for a large-scale deployment), however there are a range of open-source and commercial technologies that automate this process via SDN-based approaches to connect the elements of the service chain and steer traffic.

The elements of the service chain are known as VNFs (Virtual Network Functions), and there a few prerequisites for a network or security function before it can be deployed in this way. First and foremost, the VNF product should run on top of popular commercial or open-source hypervisors, e.g. VMWare or KVM. Next, it should be possible to automate initial configuration of the VNF using a programmable approach like cloud-init. After the product boots up and is initially configured, we might then need to perform specific configuration, e.g. create protection templates for customer services etc., and REST APIs are the de-facto industry standard for this task. And, last but not least, there should be a way to manage the lifecycle of the instance by performing periodic health checks and triggering healing operations in case of problems.

NETSCOUT Arbor vAPS has fulfilled these requirements for a while, and every release over the past couple of years has brought additional functionality enabling better integration into NFV environments. Moreover, we have been testing and certifying vAPS with world leading orchestrators like Cisco NSO, Nokia CloudBand, Amdocs (powered by ONAP) and OpenStack Tacker.

While the technical pieces of NFV support are important, the shift in business model that NFV can trigger for a service provider (such as the number and type of service customers, migration to consumption-based billing mechanisms, etc.) is perhaps the more transformational. At NETSCOUT Arbor we are fully aware of this impact (and opportunity) for service providers and we now offer much more flexible licensing for our APS product line to accommodate these more dynamic commercial environments. This licensing is based on “capacity pools” that allow operators to dynamically enable protection capacity (in the form of vAPS instances) wherever and whenever they want. For example, a provider could license a 10G pool and offer a 1Gbps managed service to ten different customers, 100x 100Mbps or any mix of supported throughputs. And, licenses can be moved from customer to customer, scaled up or down and even re-used as customers join / leave the service. This license capacity can be purchased either as a perpetual license or as a month-to-month subscription, making vAPS a good fit for any NFV business model.

We are happy to share the experience and knowledge we have gained in making NFV real. If you are interested in learning more about the business and technical aspects of deploying NFV, we suggest you start by taking a look at our White Paper on Next Generation DDoS services. Intrigued? Have questions? Please get in touch with us at to discuss how we can work together to help you roll out next-generation DDoS services.

Author’s Note: I’d like to thank my colleagues Darren Anstee, Talbot Hack and Andrew Mortensen for their help in developing this content.