After the two massive DDoS attacks last week, it’s time to re-think DDoS mitigation architecture strategy. Brian Krebs got hit with a 620Gbps DDoS attack and OVH with a 799Gbps attack. The interesting part: the 799Gbps attack was launched from IoT devices, namely cameras, DVRs and CCTV systems. Both attacks are large enough to take down smaller CDNs. In order to thwart large scale attacks, service providers need to build bigger scrubbing centers; for CDNs, we’ll call scrubbing centers “DDoS Mitigation PoPs”.
From an architecture standpoint, the biggest problem and bottleneck in thwarting large scale attacks is the telcos, because the vast majority of them provide connectivity that caps out at 10Gbps per Internet port. Thus, in order to mitigate a 1Tbps attack, 100+ connections are needed, and that is a huge problem.
Mitigate 1Tbps DDoS Attack w/ 10Gbps Internet Ports
- 1,000Gbps Attack / 10Gbps Internet Ports = 100 Circuits
- More circuits than that will be required to leave headroom, because legitimate traffic rides along with the attack traffic during an attack and will be dropped along with it once the ports are saturated
However, there is good news on the way. Companies like Level 3 are now offering 100Gbps Internet Ports on a limited basis. Zayo and Cogent are likely to offer it soon, if they don’t already.
Mitigate 1Tbps DDoS Attack w/ 100Gbps Internet Ports
- 1,000Gbps Attack / 100Gbps Internet Port = 10 Circuits
Thus, the answer to large scale DDoS attacks is 100Gbps circuits. But, in order to accommodate the larger circuits, architectures will have to change. In the diagram above, we have 1st Generation scrubbing centers, which were introduced by the pure-play DDoS mitigation providers (think Neustar). Then came the 2nd Generation solution: the CDN DDoS Mitigation PoP. Thus, CDNs have made the pure-play DDoS mitigation business model extinct. The 3rd Generation scrubbing center/PoP is going to be a combination of the first two; CDNs will have to build “Large Scale DDoS Mitigation PoPs” with Tbps of capacity at each location.
The 3rd Gen PoPs will be fewer in number, since dozens of 100Gbps connections are needed at each one, and they kick in only during a large scale attack. Having 4 to 7 of these large DDoS PoPs, each with 30 to 60 100Gbps connections, which equates to 3Tbps to 6Tbps of ingest capacity per center, is the way to go. Even once 100Gbps ports go mainstream, adding them at every CDN caching PoP isn’t ideal, at least to start. Therefore, fewer, bigger DDoS Mitigation PoPs are needed.
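The circuit math above and the PoP sizing in this paragraph can be turned into a small capacity planner. The following is an added example, not code from the original post: it computes how many Internet ports an attack of a given size needs once you reserve headroom for legitimate traffic, models a fleet of mitigation PoPs, and checks whether the fleet still absorbs the attack after losing its largest PoP. The headroom fraction, the N-1 failure assumption and the `distributed` flag (attack spread across surviving PoPs, as anycast would do, versus the whole attack landing on a single PoP) are assumptions added here, not figures from the post.

```python
from dataclasses import dataclass
from math import ceil
from typing import Iterable


def circuits_needed(attack_gbps: float, port_gbps: float, headroom: float = 0.0) -> int:
    """Internet ports required to ingest an attack of attack_gbps.

    headroom is the fraction of spare capacity reserved so legitimate traffic
    riding along with the flood is not dropped at the port (0.25 = 25% spare).
    The headroom figure is an assumed planning parameter, not from the post.
    """
    if attack_gbps <= 0 or port_gbps <= 0:
        raise ValueError("rates must be positive")
    if headroom < 0:
        raise ValueError("headroom must be non-negative")
    return ceil(attack_gbps * (1.0 + headroom) / port_gbps)


@dataclass(frozen=True)
class MitigationPop:
    """One DDoS mitigation PoP: a count of identical Internet ports."""
    name: str
    circuits: int
    port_gbps: float

    @property
    def ingest_gbps(self) -> float:
        return self.circuits * self.port_gbps


def aggregate_ingest_gbps(pops: Iterable[MitigationPop]) -> float:
    """Total ingest capacity across every PoP in the fleet."""
    return sum(p.ingest_gbps for p in pops)


def can_absorb(pops: Iterable[MitigationPop], attack_gbps: float,
               headroom: float = 0.25, pop_failures: int = 1,
               distributed: bool = True) -> bool:
    """Conservative N-k check on the fleet.

    Drops the pop_failures largest PoPs (worst case), then requires the
    survivors to hold the attack plus headroom. With distributed=True the
    attack is assumed to spread across surviving PoPs (anycast-style; an
    assumption); with distributed=False every single surviving PoP must be
    able to take the whole attack on its own.
    """
    capacities = sorted((p.ingest_gbps for p in pops), reverse=True)
    surviving = capacities[pop_failures:]
    if not surviving:
        return False
    need = attack_gbps * (1.0 + headroom)
    if distributed:
        return sum(surviving) >= need
    return min(surviving) >= need


def build_fleet(pop_count: int, circuits_per_pop: int, port_gbps: float) -> list:
    """Fleet of identical PoPs, e.g. 4 PoPs x 30 x 100Gbps (the post's low end)."""
    return [MitigationPop(f"pop-{i}", circuits_per_pop, port_gbps)
            for i in range(pop_count)]


if __name__ == "__main__":
    # Constructed scenario: a 1Tbps attack against the post's smallest 3rd Gen fleet.
    print("10G ports, no headroom:", circuits_needed(1000, 10))
    print("100G ports, 25% headroom:", circuits_needed(1000, 100, 0.25))
    fleet = build_fleet(4, 30, 100)
    print("fleet ingest Gbps:", aggregate_ingest_gbps(fleet))
    print("absorbs 1Tbps with one PoP down:", can_absorb(fleet, 1000))
    print("absorbs 4Tbps on a single PoP:", can_absorb(fleet, 4000, distributed=False))
```

The `distributed=False` path is the one to watch: if the attack cannot be spread across PoPs (for example, the target is a unicast prefix announced from only one location), the per-PoP ingest figure, not the fleet total, is the number that matters.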
And unfortunately, this architecture will be cost-prohibitive for many smaller service providers. Thus, the DDoS mitigation business is going to be for companies that can spend millions of dollars annually on infrastructure: think Akamai, Fastly, CloudFlare, Incapsula, and so on.