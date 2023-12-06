BY Darren Anstee

At its heart, this article is about the convergence of behavior across network technologies. A few years ago, we wouldn’t have watched a high-definition (HD) video on a mobile phone; today, we do this without even thinking about it. Subscriber-generated threat activity has gone the same way—the problems that have plagued wireline networks for decades have now arrived on mobile.

The level of threat from subscribers is escalating for ISPs, whether they operate wireline or mobile services. Increasing subscriber edge connectivity speeds, especially in the upstream direction, are driving higher levels of outbound and cross-bound malicious traffic. Gamer-on-gamer distributed denial-of-service (DDoS) attacks, IoT botnets, and their associated bad behaviors continue to grow. For wireline ISPs, this represents an escalation of threats they have previously managed. For mobile ISPs delivering high-speed fixed wireless access (FWA) services, this is a new and significant challenge.

THE EVOLVING INTERNET

In the recent past, we have seen hybrid working become the new normality, enabled by collaboration tools and SaaS application platforms. Gaming and video content delivery platforms are everywhere, with huge levels of adoption, and these changes, taken together, have driven rapid growth in the traffic volumes on fixed and mobile subscriber networks all around the world. Subscriber networks implement a variety of technologies for edge connectivity, from older, lower-speed wired copper such as asymmetric digital subscriber line (ADSL), to new high-speed fiber and FWA mobile services. Increasing speeds, especially in the upstream direction, help us to send emails faster, make the quality of our video calls better, and reduce the latency when we are playing games. But they also allow much higher volumes and rates of malicious traffic to be generated out of, and between, subscribers.

POOR SUBSCRIBER BEHAVIOR

Gamer-to-gamer DDoS is an ever-increasing problem, as is attack activity from (growing) populations of compromised IoT devices. There have been very public outages in ISPs globally due to DDoS attack traffic coming from IoT botnets. The devices connected within subscriber environments have long been capable of generating more traffic than could be sent over their internet connections. Now, as the chokepoint in upstream capacity is removed, that capability is unleashed. Fiber to the premises (FTTP) and high-speed cable networks, such as those built on Data Over Cable Service Interface Specification (DOCSIS) 4.0, are already experiencing frequent problems and have shifted gears in terms of visibility, detection, and mitigation capabilities across their subscriber aggregation edge. These operators have seen these problems grow over time and know the solutions and operational processes that are required. However, there are some operators for whom these challenges are less familiar.

MOBILE NETWORK OPERATORS (MNOs)

Mobile network operators (MNOs) have been providing subscriber internet services for over 15 years and have seen growing threat activity within their networks from mobile malware and SMS phishing. But there has been a step change in risk as higher-speed 4G and 5G FWA services are rolled out. FWA is growing fast: it is transitioning small office/home office (SOHO) and consumer infrastructure onto mobile services. Unfortunately, this transition brings with it the badly behaved subscriber infrastructure that has plagued wireline networks, leading to new challenges for MNOs.

THE CHALLENGES

Firstly, mobile networks have more bandwidth and state bottlenecks than wireline networks, given their complexity. Consequently, gamer-on-gamer and IoT DDoS traffic, and aggressive scanning, can have significant impacts on service performance and availability. Secondly, many mobile services use carrier-grade NAT (CGNAT) between their subscribers and the internet for internet protocol version 4 (IPv4) services, so many subscribers share each public address. I have seen some unfortunate operators end up in a situation where bad outbound traffic from subscribers has led to NAT pool address ranges getting blocked due to poor reputation, directly impacting services for every subscriber behind those addresses. And, lastly, perhaps most importantly, there is the financial side of things. Poor subscriber service performance and reputation can increase subscriber churn, decreasing revenue. This is one angle, but the reputation damage can extend to the higher-value IoT and enterprise mobile services, where security is key, and many MNOs are relying on them for their return on investment (ROI) for 5G.
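The CGNAT point above is worth making concrete: the useful unit of detection and mitigation is the individual subscriber (the pre-NAT address), not the shared pool address that the rest of the internet sees. The following is an added example, not code from the article, that runs simple per-subscriber detection (a high packet-rate flood towards one target, and a wide low-volume sweep) over a constructed window of outbound flow records, then maps each flagged subscriber through a constructed CGNAT allocation log to show how many other subscribers would lose service if the pool address were reputation-blocked instead. The flow-record fields, the `ALLOC sub=... pub=... ports=...` log format, the addresses and the thresholds are all assumptions made for the example.

```python
"""Per-subscriber outbound anomaly detection behind CGNAT.

Added illustration, not code from the article. Assumptions: flow records are
exported on the subscriber side of the CGNAT (so 'src' is the subscriber's
private, pre-NAT address), and CGNAT port-block allocations are logged as
'ALLOC sub=<private> pub=<public> ports=<lo>-<hi>'. Addresses, thresholds
and the log format are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str       # subscriber private address (pre-NAT)
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed CGNAT allocation log: three subscribers share pool address
# 203.0.113.10, one sits alone on 203.0.113.11.
CGNAT_LOG = """\
2023-12-06T10:00:00Z ALLOC sub=10.64.1.17 pub=203.0.113.10 ports=1024-2047
2023-12-06T10:00:01Z ALLOC sub=10.64.1.19 pub=203.0.113.10 ports=2048-3071
2023-12-06T10:00:02Z ALLOC sub=10.64.1.20 pub=203.0.113.10 ports=3072-4095
2023-12-06T10:00:03Z ALLOC sub=10.64.1.18 pub=203.0.113.11 ports=1024-2047
"""
CGNAT_RE = re.compile(r"ALLOC sub=(\S+) pub=(\S+) ports=(\d+)-(\d+)")


def parse_cgnat(text):
    """Return (private->public map, public->set of privates) from the allocation log."""
    sub_to_pub, pub_to_subs = {}, defaultdict(set)
    for line in text.splitlines():
        m = CGNAT_RE.search(line)
        if m:
            sub_to_pub[m.group(1)] = m.group(2)
            pub_to_subs[m.group(2)].add(m.group(1))
    return sub_to_pub, pub_to_subs


def sample_flows():
    """Constructed 10-second window of outbound flows from four subscribers."""
    flows = []
    # 10.64.1.17: gamer-on-gamer style UDP flood, one target, 30k pps of 64-byte packets
    flows += [Flow("10.64.1.17", "198.51.100.5", 3074, 15000, 15000 * 64) for _ in range(20)]
    # 10.64.1.18: IoT-bot style telnet sweep, one 60-byte SYN to each of 250 hosts
    flows += [Flow("10.64.1.18", f"192.0.2.{i}", 23, 1, 60) for i in range(1, 251)]
    # 10.64.1.19 / 10.64.1.20: ordinary traffic, a few destinations, full-size packets
    flows += [Flow("10.64.1.19", f"198.51.100.{i}", 443, 100, 100 * 1400) for i in range(10, 15)]
    flows += [Flow("10.64.1.20", f"198.51.100.{i}", 443, 100, 100 * 1400) for i in range(20, 25)]
    return flows


def detect(flows, window_s=10, pps_limit=20000, fanout_limit=200):
    """Classify each subscriber in the window as 'flood' (high pps to few targets)
    or 'scan' (many distinct targets with tiny packets); others are not flagged."""
    packets, octets, targets = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        packets[f.src] += f.packets
        octets[f.src] += f.octets
        targets[f.src].add((f.dst, f.dport))
    verdicts = {}
    for sub in packets:
        pps = packets[sub] / window_s
        fanout = len(targets[sub])
        avg_pkt = octets[sub] / packets[sub]
        if pps >= pps_limit and fanout < 10:
            verdicts[sub] = "flood"
        elif fanout >= fanout_limit and avg_pkt < 100:
            verdicts[sub] = "scan"
    return verdicts


def blast_radius(verdicts, sub_to_pub, pub_to_subs):
    """For each flagged subscriber, the pool address it hides behind and how many
    other subscribers would lose service if that address were reputation-blocked."""
    report = {}
    for sub, kind in verdicts.items():
        pub = sub_to_pub.get(sub)
        others = pub_to_subs.get(pub, set()) - {sub}
        report[sub] = {"kind": kind, "public": pub, "collateral": len(others)}
    return report


if __name__ == "__main__":
    s2p, p2s = parse_cgnat(CGNAT_LOG)
    for sub, info in blast_radius(detect(sample_flows()), s2p, p2s).items():
        print(f"{sub}: {info['kind']} via {info['public']}, "
              f"{info['collateral']} other subscribers share that address")
```

Run as-is, it flags 10.64.1.17 as a flood and 10.64.1.18 as a scan, and reports that two other subscribers share the flooder's pool address. That collateral count is the operational argument for acting on the subscriber (rate-limiting or quarantining that one session through the mobile network's policy control) before an external reputation feed acts on the whole pool address.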

CONVERGENCE AND MITIGATION

Many ISPs operate both wireline and mobile subscriber environments. What is becoming apparent from multiple conversations with ISPs all around the world is that this is enabling convergence in terms of tools and operational processes across teams that have, in the past, been very separate. In some ISPs, the wireline and mobile security operations teams are being merged into a single entity. This is a big change. The wireline team understands the nature of the threats, but needs guidance on the underlying mobile network complexity. The mobile team understands the mobile network, but has limited experience in managing the scale and frequency of the threats they now face. In other ISPs, the teams remain separate, but there is a desire to share operational experience and processes in the mobile domain.

In either case, the technological challenge is to get threat visibility into mobile network traffic, modify detection capabilities to better identify threats to mobile network bottlenecks, and shift to using new mitigation strategies. The good news, though, is that mobile networks have highly evolved policy control, and this policy control can be used to mitigate bad subscriber behavior (i.e., what is needed is built in).

THE END GAME

High-speed internet access, whether wireline or 5G, is becoming ubiquitous. These technologies allow users to access services more quickly and efficiently, but they also remove the throttle on the generation of malicious DDoS and other traffic from the subscriber domain. For mobile operators, this is a new challenge; for wireline operators, this is an escalation. ISPs are looking to extend the operational experience and toolsets they know (and trust) from the wireline domain into the mobile world, converging security capabilities to manage converging threats.