Myth #4 - Anapaya’s SCION-based solutions offer no defense against DDoS attacks.

Author. Dominik Roos     Jul 25, 2024
Myth #4 - Anapaya’s SCION-based solutions offer no defense against DDoS attacks.

False! 

DDoS attacks need a large number of devices to attack a specific service. That’s why it’s important to distinguish between SCION services reachable only from within a SCION network in an EDGE-to-EDGE configuration, and SCION services that are also reachable by today’s Internet via Anapaya GATE access.  

SCION services reachable only from within an EDGE-to-EDGE SCION network 

In an EDGE-to-EDGE configuration, SCION allows you to define the users/user groups that a service should be routable from. By limiting access to your target audience, you generally render DDoS attacks more difficult to accomplish, since hackers can only reach a targeted service from within such legitimate networks and/or devices. This is a property offered by IP-in-SCION tunneling feature deployed in an EDGE-to-EDGE setup. 

In the scenario where a SCION service needs to serve millions of users, in effect allowing access to many, large SCION networks (in order to allow access to millions of SCION users), the attack surface risk rises as well. So, while it would become feasible and “attractive” to a hacker to run a DDoS campaign against such a service, it is still unlikely to succeed. Why?

For this kind of large-scale SCION services, the SCION protocol provides the mechanism of hidden paths.   

Legitimate users of a service get hidden path routing information the moment they classify as trusted. This routing information allows legitimate users to send traffic on paths that are not visible to non-legitimate users. High volume SCION services will give hidden paths priority. DDoS traffic from public routes cannot overload any hidden paths. This means that even a well-executed, large scale DDoS attack against a SCION service cannot render a SCION service unreachable for existing trusted users or customers. In short, SCION has built-in DDoS mitigations by design.     

SCION services that are reachable by today’s Internet via Anapaya GATE 

The scenario looks different when SCION services are connected to the public Internet. SCION services can be made accessible to the public Internet through Anapaya GATE. Here, there are two different modes of granting access to users in the public Internet infrastructure:  

Option 1: Routing information is advertised to individual ASes (autonomous systems) in the public Internet via the Anapaya GATE. It is not feasible to run an effective DDoS attack from an individual AS. It is an easy task for an ISP to isolate/disconnect any participants within their own AS’s who behave maliciously. The ability of the potential target to disconnect misbehaving remote ASes instantly makes an effective DDoS through this GATE access (doubly) impossible. 

Option 2: Advertising routing information to the Public Internet is a different story. In such a scenario, all users trying to access the service from the public Internet would suffer a service outage as result of a DDoS campaign run from the public Internet. However, all users accessing the service from within the SCION network and/or through an AS-specific GATE access will not be affected. That makes the DDoS attack ineffective, expensive for the attacker, and essentially not a real threat to the service.   

In short, Anapaya GATE hides your business service from the Internet, meaning it prevents DDoS attacks by reducing attack surface by up to 99% compared to the traditional Internet. Instead of being visible to everyone on the Internet, your business service is exposed only to remote users coming through the GATE infrastructure. 

If you are confident in your existing solutions, read Myth 3: "SCION is unnecessary for our security because we've never had a cyber incident" and discover why that might not be enough.

Anapaya’s SCION-based solutions provide an effective way to prevent DDoS attacks and offer mechanisms to react swiftly and ensure connectivity in the worst-case scenarios. 

 

 

TAGS:

SCION

Schedule a free
consultation and experience the power of SCION

Our specialists are ready to assist you in becoming SCION-enabled. Fill in the form on the right and elevate your network to the next level.