Peering Improves Security

Constructing a niche secured ISP - does Peering play a role in the security story?

Marty Bishop

Marty -

There are at least 3 reasons why Internet Peering is inherently more secure than Internet Transit.

1) Peered traffic is segregated from commodity Internet traffic, so it is less impacted by commodity Internet DDoS attacks. The commodity Internet traffic is inherently more vulnerable to degradation from attack traffic than traffic that is directly peered. It is this intermingling of your traffic with everyone else’s traffic that is the problem.

During times of network congestion, whether from spot events, denial of service attacks, or any other reason, the commodity Internet traffic is vulnerable to packet loss and latency along impacted paths as shown in the figure below.

But traffic that is peered directly between content and eyeballs is effectively segregated from commodity Internet Transit traffic, and therefore is unaffected by the congestion side effects of the commodity Internet networks.

As Andreas Sturm (DE-CIX) put it:

“Important Traffic is Peered.”

2) Peered traffic travels across fewer networks and therefore has fewer attack points.

Transit traffic traverses potentially many transit networks before reaching its destination, and each additional network in the path involves another set of network infrastructure vulnerable to packet capture, attack, degradation, manipulation, etc.

Somewhat related, some companies (and governments) mandate that their network traffic not traverse country borders. For them, Internet Peering provides the customer with the controls and visibility for that subset of traffic that is peered.

3) A direct peering relationship provides direct access to technical resources. If there is a problem or concern, either peer can contact and directly discuss matters with the peer’s network team, an escalation avenue that is not available if one simply sends traffic through an upstream provider.

For example, there was an attack on one customer using a DNS server as part of a DDoS attack. This DNS operator was peering in Europe and was able to work with his peer contact to work through the problem. He claimed that the transit providers might not give this critical problem the attention it deserved, and that intermediary ISPs’ NOCs would not even answer phone calls from non-customers. This experience proved to this network operator that peering was the right strategic approach.
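As an added illustration of points 1 and 2 and of the cross-border paragraph (this is example code written for this page, not part of the original answer or of any peering database or router vendor tooling): a small audit that takes a BGP routing-table excerpt as seen from "our" router, decides for each important prefix whether it is reached over a direct peering session or through transit, lists the third-party networks sitting in the path (each one an additional place where traffic can be dropped, delayed, captured or altered), and flags any path that leaves the home country. Every ASN (RFC 5398 documentation range), prefix (RFC 5737), the AS-to-country table, the peer list and the Route/Finding types are constructed assumptions.

```python
"""Audit which important prefixes reach us by direct peering and which by transit.

Added example; every ASN (RFC 5398 documentation range), prefix (RFC 5737)
and the AS-to-country table below are constructed, not real network data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HOME_COUNTRY = "DE"  # assumption: the jurisdiction the traffic must stay within

# Constructed AS directory: ASN -> (name, country code)
AS_INFO: Dict[int, Tuple[str, str]] = {
    64496: ("content-cdn", "DE"),
    64497: ("eyeball-isp", "DE"),
    64498: ("tier1-transit", "US"),
    64499: ("regional-transit", "NL"),
}

# Constructed: networks with which we run direct peering sessions
DIRECT_PEERS: Set[int] = {64496, 64497}


@dataclass
class Route:
    prefix: str
    as_path: List[int]  # as seen from our router: neighbour first, origin AS last


@dataclass
class Finding:
    prefix: str
    kind: str                  # "peering" or "transit"
    intermediaries: List[int]  # third-party ASNs between us and the origin
    crosses_border: bool


def classify(route: Route) -> str:
    """Direct peering: the path holds only the origin AS and it is one of our peers."""
    if len(route.as_path) == 1 and route.as_path[0] in DIRECT_PEERS:
        return "peering"
    return "transit"


def intermediaries(route: Route) -> List[int]:
    """Each AS between us and the origin is someone else's infrastructure where
    the traffic can be dropped, delayed, captured or altered."""
    return route.as_path[:-1]


def crosses_border(route: Route, home: str = HOME_COUNTRY) -> bool:
    """True if any AS on the path, origin included, sits outside the home country
    (an ASN missing from the directory is treated as foreign, the conservative choice)."""
    return any(AS_INFO.get(asn, ("unknown", "??"))[1] != home for asn in route.as_path)


def audit(routes: List[Route], important: Set[str]) -> List[Finding]:
    """One finding per important prefix, in routing-table order."""
    return [
        Finding(r.prefix, classify(r), intermediaries(r), crosses_border(r))
        for r in routes if r.prefix in important
    ]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return {
        "peering": sum(f.kind == "peering" for f in findings),
        "transit": sum(f.kind == "transit" for f in findings),
        "cross_border": sum(f.crosses_border for f in findings),
    }


# Constructed routing-table excerpt
ROUTES = [
    Route("203.0.113.0/24", [64496]),              # CDN, directly peered
    Route("198.51.100.0/24", [64498, 64497]),      # eyeball ISP reached via a US transit
    Route("192.0.2.0/24", [64499, 64498, 64496]),  # a peer's prefix arriving via two transits
    Route("100.64.0.0/10", [64499]),               # not on the important list
]
IMPORTANT = {"203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"}

if __name__ == "__main__":
    for f in audit(ROUTES, IMPORTANT):
        hops = f.intermediaries or "no third party"
        flag = f"  leaves {HOME_COUNTRY}" if f.crosses_border else ""
        print(f"{f.prefix:18} {f.kind:8} via {hops}{flag}")
    print(summarize(audit(ROUTES, IMPORTANT)))
```

Two of the constructed findings are the ones an operator would act on: 198.51.100.0/24 reaches a domestic eyeball network only through a foreign transit, and 192.0.2.0/24 is originated by a direct peer yet arrives through two transit networks, which is exactly the kind of discrepancy point 3 lets you raise directly with the peer's network team rather than with an upstream NOC.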