Networks have been growing in complexity over the years. A typical data center network or an Internet Service Provider (ISP) network is extremely complex to design and manage with potentially numerous appliances deployed for management and security of such a network.
Network attacks have been simultaneously growing in complexity and size over the years. Among them, Distributed Denial of Service (DDoS) attacks are especially difficult to mitigate. DDoS attacks are primarily blocked using behavioral algorithms. This requires that the appliances that understand the behavior of the protected entity remain close to it.
While the inline appliances must remain close to protected entity, the complexity and size of the storage required for behavior data and management policies increase and may be remote from from central control. When the number of mitigation appliances approaches the hundreds, thousands or even more, the associated complexity may increase linearly in relation to the number of mitigation appliances.
An innovative approach is required to facilitate decoupling and separation of the data plane, i.e., task of behavior collection and attack mitigation using specialized DDoS attack mitigation components from the control plane, i.e., the storage of behavioral data and attack mitigation policy creation. This will allow the behavioral data and policies to be centrally stored and controlled while data collection, attack mitigation and packet forwarding processing remains in close proximity to the protected entity.