As recently developed and promoted by CableLabs, Transparent Security is a cybersecurity solution aimed at cable operators and internet service providers that identifies distributed denial of service (DDoS) attack traffic -- and the devices (e.g., internet of things [IoT] sensors) that are the source of those attacks -- and mitigates the attack at the customer premises or in the access network. As fully described by a recent blog by CableLabs, “the Transparent Security architecture is enabled through a programmable data plane (e.g., “P4”-based) and uses in-band network telemetry (INT) technology for device identification and in-band mitigation, blocking attack traffic where it originates on the operator’s network.”
CableLabs notes that P4 is an open-source programming language that lets end users dictate how networking gear operates. In a discussion with Broadband Technology Report (CI&M's sister brand at Endeavor Business Media) regarding the technology, Randy Levensalor, Principal Architect, Future Infrastructure Group, Office of the CTO at CableLabs, and co-author of the blog, explained, “Transparent Security, at the heart of it, is a project to create an in-band DDoS detection and mitigation solution for any service provider. We’re targeting cable providers because we’re CableLabs, but nothing in it is limited to just cable operators. It could be a telco, hyperscale provider, or even an enterprise could use this technology. We’re primarily looking at source-based DDoS mitigation -- trying to block the attack close to or at the source. It does also work for traditional inbound attacks; but really, the scale you need to do it on the outbound side is what the primary target of this project is.”
The CableLabs blog points out that typical DDoS mitigation solutions are deployed only at the interconnection points with other networks, meaning that they do not protect the network from internal DDoS attacks, and that “they can allow networks to be weaponized.” Alternatively, CableLabs observes that its Transparent Security solution “can monitor ingress and egress traffic at every point in the network, from the customer premises to the core of the network.” The organization says this capability allows operators to quickly identify the local network from which attack traffic originates, instead of identifying a service area that could include hundreds of devices, which may or may not be impacted by the attack.
CableLabs initially released the Transparent Security architecture and open-source reference implementation in October 2019. Cox Communications and CableLabs conducted a proof-of-concept test of the Transparent Security solution in the Cox lab in late 2020.
CableLabs’ Levensalor noted, “Basically, we have a couple technologies in play here. To do a lot of this work we used P4, which is a programming language used to program networking devices. With NICs and switches, we can actually customize the behavior of the switch without having to wait for silicon to spin -- that's how we were able to stand it up in our lab, and what we did with the test at Cox. It's open source, so our reference implementation, which really focuses on this in-band telemetry, the detection and mitigation function, is available now as an open source project on GitHub under the CableLabs namespace. So, you can actually go and download it today and run the exact code that we used for that trial.”
CableLabs said that its Transparent Security trial with Cox was primarily focused on several major objectives. Per the organization, these were: to compare and contrast performance of the Transparent Security solution against that of a leading commercially available DDoS mitigation solution; to validate that INT-encapsulated packets can be transported across an IPv4/IPv6/Multiprotocol Label Switching (MPLS) network without any adverse impact to network performance; and to validate that the Transparent Security solution can be readily implemented on commercially available programmable switches.
CableLabs’ Levensalor added, “There's two implementations. One is how we're identifying where the threat came from -- for that we're adding an in-band telemetry header to all the packets, basically as the packet enters the network. Eventually this will be implemented on the gateway on the customer premises, adding things such as the source MAC address and unique identifier for that gateway to the header. That way you can have that visibility, or transparency, if you will -- that's where the name came from -- across the network.”
He continued, “Then, at each hop we add another identifier for that switch. To do that, we worked with the P4 application Working Group, which has an in-band telemetry specification. We worked with them to add a source-only metadata option to add that source of visibility into the switches that are able to do the in-band telemetry insertion; you can also add the MAC address of the device before it entered that controlled network.”
CableLabs reported that its trial with Cox compared the effectiveness of Transparent Security with that of a leading DDoS mitigation solution. CableLabs said that in the trial, “Transparent Security was able to identify and mitigate attacks in one second, as compared with one minute for the leading vendor.” The organization noted that the trial also validated that inserting and removing the INT header had no observable impact on network throughput or latency. The CableLabs blog stated that, when comparing and contrasting the performance of the Transparent Security solution against this commercially available DDoS mitigation solution, “the lab test results were very promising.”
For the lab trial setup with Cox, CableLabs noted that the test environment was designed to simulate traffic originating from the access network, carried over the service provider’s core backbone network, and targeting another endpoint on the service provider’s access network in a different market (e.g., an “east-to-west” or “west-to-east” attack). The Transparent Security solution was implemented on commercially available programmable switches provided by Arista. “These switches are being deployed in networks today, and no changes to the Networking Operations System (NOS) were required to implement Transparent Security,” added CableLabs. The diagram below provides a high-level overview of the lab test environment.
According to CableLabs, “In the lab trial, various types of DDoS traffic (UDP/TCP over IPv4/IPv6) were generated by the traffic generator and sent to the West Market Arista switch, which used a custom P4 profile to insert an INT header and metadata before sending the traffic to the West Market PE router. The traffic then traversed an MPLS label-switched path (LSP) to the East Market PE router, before being sent to the East Market Arista, which used a custom P4 profile to generate INT telemetry reports and to strip the INT headers before sending the original IPv4/IPv6 packet back to the traffic generator.”
“Detection of outbound attacks was rapid, taking approximately one second, and Transparent Security deployed the mitigation in five seconds,” noted the CableLabs blog, which added, “The commercial solution took 80 seconds to detect and mitigate the attack. These tests were run with randomized UDP floods; UDP reflection and TCP state exhaustion attacks were identified and mitigated by both solutions. In this trial, only packets related to the attack were dropped. Packets not related to the attack were not dropped.”
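The ingress insertion of source metadata, the per-hop switch identifiers, the egress strip-and-report step and the source-based detection described above, as an added Python sketch that is not CableLabs' P4 reference implementation. The record layout, gateway ids, MAC addresses, switch names and the per-window threshold are constructed assumptions, not the INT specification's wire format or the trial's actual thresholds.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of INT "source-only" metadata travelling with a packet.
# Field names (gateway_id, device_mac, hops) are assumptions, not the INT spec's wire format.
@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    int_meta: Optional[dict] = None            # None until the ingress switch inserts it
    hops: list = field(default_factory=list)   # per-hop switch identifiers

def int_source_insert(pkt, gateway_id, device_mac):
    """Ingress (CPE or first P4 switch): record the gateway and originating device MAC."""
    pkt.int_meta = {"gateway_id": gateway_id, "device_mac": device_mac}
    return pkt

def int_hop_append(pkt, switch_id):
    """Transit switch: append its own identifier so the packet's path stays visible."""
    if pkt.int_meta is not None:
        pkt.hops.append(switch_id)
    return pkt

def int_sink_strip(pkt):
    """Egress switch: emit a telemetry report, then strip INT so the original packet leaves."""
    report = {"src_ip": pkt.src_ip, "proto": pkt.proto, "path": list(pkt.hops), **(pkt.int_meta or {})}
    pkt.int_meta, pkt.hops = None, []
    return pkt, report

def detect_udp_flood(reports, threshold):
    """Return (gateway_id, device_mac) pairs whose UDP report count in one window hits threshold."""
    counts = Counter((r["gateway_id"], r["device_mac"]) for r in reports if r["proto"] == "UDP")
    return {src: n for src, n in counts.items() if n >= threshold}

def run_demo(threshold=100):
    # Constructed one-second window: one IoT device floods UDP, two others behave normally.
    window = ([("gw-17", "aa:bb:cc:00:00:01", "UDP")] * 200
              + [("gw-17", "aa:bb:cc:00:00:02", "TCP")] * 30
              + [("gw-42", "de:ad:be:ef:00:03", "UDP")] * 5)
    reports = []
    for gateway_id, device_mac, proto in window:
        pkt = int_source_insert(Packet("10.0.0.5", "192.0.2.9", proto), gateway_id, device_mac)
        for switch_id in ("west-arista", "west-pe", "east-pe"):
            int_hop_append(pkt, switch_id)
        original, report = int_sink_strip(pkt)
        assert original.int_meta is None and original.hops == []   # INT removed before forwarding
        reports.append(report)
    return detect_udp_flood(reports, threshold)   # -> {('gw-17', 'aa:bb:cc:00:00:01'): 200}
```

The detector returns the gateway and device MAC rather than a service area, which is the granularity the text says lets an operator push an isolation rule to one CPE device.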
CableLabs concluded that the tests validated that INT-encapsulated packets can be transported across an IPv4/IPv6/MPLS network without any adverse impact. According to the CableLabs blog, “There was no observable impact to throughput when adding INT headers, generating telemetry reports or mitigating the DDoS attacks. We validated that the traffic ran at line speed, with the INT headers increasing the packet size by an average 2.4 percent. Application response time showed no variance with or without enabling Transparent Security. This suggests that there will be no measurable impact to customer traffic when the solution is deployed in a production network.”
As to why Cox was interested in deploying the solution, CableLabs points out that “although currently available DDoS mitigation solutions can monitor for outbound attacks, they’re primarily focused on mitigating DDoS attacks directed at endpoints on the operator’s network. These solutions use techniques such as BGP diversion and Flowspec to drop traffic as it comes into the network. However, mitigating outbound attacks using these techniques isn’t effective because the malicious traffic will have already traversed the access network, where it has the greatest negative impact, before the traffic can be diverted to a scrubber or dropped by a Flowspec rule.”
Alternatively, CableLabs notes that “Transparent Security offers the promise of near-instantaneous detection of outbound attacks, as well as the ability to mitigate that attack at the source, on the customer premises equipment (CPE), thereby preventing that traffic from using upstream access network resources.” CableLabs adds that, in addition to Transparent Security’s DDoS mitigation capabilities, there are additional benefits to network performance/visibility in general.
“Implementation of Transparent Security on the CPE means that network operators can derive the specific device type associated with a given flow,” explained the CableLabs blog. “This allows the operator to determine the type of IoT devices being leveraged in the attack. This also opens myriad other possibilities—for example, reducing truck rolls by enabling customer service personnel to determine that a customer’s issue is with one specific device versus all the devices on the internal network. Another example would be the capability to track the path a given packet followed through the network by examining the INT metadata.”
CableLabs contends that consumers will see a direct benefit from Transparent Security. The company says that, with the solution, once compromised devices are identified, the consumer can be notified to resolve the issue; or, alternatively, rules can be pushed to the CPE to isolate that device from the internet while allowing the consumer’s other devices continued access. Such isolation mitigates the additional harm coming from compromised devices, states the organization.
The CableLabs blog notes that “this additional harm can take the form of degraded performance, exfiltration of private data, breaks in presumed confidentiality in communications, as well as the traffic consumed through DDoS,” and adds that “less malicious traffic on the network provides for a better overall customer experience.”
Why is the Transparent Security platform vital, and why is it being offered now? As explained by CableLabs, “As increasing numbers of devices connect to the network, there are more vulnerable points of attack for malicious actors. DDoS attacks cost the industry billions of dollars each year in malicious traffic delivery costs, traffic scrubbing and service downtime. The ability to quickly identify impacted devices and packets reduces malicious traffic delivery expenses for operators, service interruptions for consumers and costly mitigation efforts further in the packet lifecycle.”
CableLabs’ Levensalor concluded, “I think you know how bad DDoS attacks are, and we’re predicting they're going to get worse with people buying more and more IoT devices, and a lot of them are not following the security standards and similar things that we're working on at CableLabs and in other industry forums. We’re expecting that more IoT devices will probably be compromised, and other forms of DDoS attacks will arise. That trend has continued for a while, and we're hoping to hopefully curb that.”