Beyond Peering

Introduction

In September, we proudly announced our partnership with Nokia to bring advanced anti-DDoS services to our customers, leveraging their cutting-edge Deepfield Defender  for our anti-DDoS. Since then, we’ve been hard at work preparing these services for launch. In this article, we’ll share why we’re so excited to expand our service portfolio in this direction and why offering anti-DDoS services is a natural evolution for an Internet Exchange like NL-ix.

Customer demand

In recent years, we’ve seen a significant increase in customer inquiries about protecting their networks against DDoS attacks. One key driver behind this uptick is the sharp rise in the frequency and scale of DDoS attacks, which continue to grow rapidly year-over-year, as indicated by ENISA's Threat Landscape report citing various sources. This surge can largely be attributed to how easy and cheap it has become to launch an attack—no technical expertise is required, as attacks can now be ordered online with minimal effort.

The consequences of this trend are severe: more networks are falling victim to attacks, resulting in service disruptions, revenue loss, and reputational damage. This ease of launching attacks has created a stark imbalance between attackers and defenders. Defending a network against DDoS attacks is far more complex and costly than initiating one. Moreover, meeting diverse business requirements, such as ensuring low latency guarantees outlined in SLAs, adds another layer of complexity to implementing an effective anti-DDoS strategy. Choosing the right solution requires more than a one-size-fits-all approach.

For many organizations, DDoS protection has evolved from a luxury to a necessary insurance policy—an essential safeguard to mitigate the risk of potentially catastrophic disruptions to their business. Given the growing scale of threats and the complexity of defending against them, this proactive approach to risk management has become imperative for organizations seeking continuity and reliability in their network operations.

Another factor driving demand is our expansion into the Enterprise market with our Elastic Interconnect offering. Compared to traditional Peering or IP Transit customers, Enterprises often face stricter compliance and regulatory requirements. A lot of Enterprises also tend to prefer comprehensive, all-in-one solutions from their providers, rather than assembling services piecemeal.

As an Internet Exchange, we have historically stayed out of the DDoS mitigation space. However, after listening to our customer needs and recognizing our unique position at the heart of the Internet, we’ve identified an opportunity to better support our customers by addressing these challenges.

Efficient integration

As you may know, our network relies on Nokia 7750 SR routers to forward packets. These routers offer extensive capabilities, of which we’ve only been utilizing a subset so far. Beyond their renowned networking hardware and technology foundations such as the Nokia FP5 network processor, Nokia also develops Deepfield, a portfolio of network analytics and security applications. One of the flagship elements of this portfolio is Deepfield Defender, a powerful DDoS protection solution.

The key advantage of choosing Nokia Deepfield Defender for the NL-ix implementation of DDoS detection and mitigation needs lies in Defender's seamless integration with our core network. Thanks to the strong synergy between Deepfield Defender software and Nokia SR OS (router software), we can efficiently mitigate DDoS attacks directly within our core network infrastructure. This approach allows us to safeguard not only our IP Transit platform but also our Internet Exchange fabric.

For you, this means there’s no need to reroute traffic through external platforms like cloud-based DDoS scrubbing centers. Instead, mitigation happens directly on the same device that already handles your Peering and IP Transit services. This enables you to continue peering without disruption or additional steps.

In network design, simplifying systems is key to improving stability. By combining packet forwarding and DDoS filtering into the same platform, we significantly reduce the number of moving parts that could fail or cause service interruptions. This streamlined integration allows you to enjoy greater reliability and efficiency.

Power consumption

Reducing power consumption is a critical goal in modern networking. One key metric to evaluate power efficiency is power utilization per Mbps of traffic. By performing DDoS mitigation directly on the platform already responsible for forwarding traffic, we can significantly reduce the number of devices and ports involved in the mitigation process, thereby driving down overall power consumption.

In traditional DDoS mitigation setups, traffic is often rerouted through multiple devices, such as external scrubbing centers. This legacy approach increases the power demands of the forwarding and mitigation chain.

By streamlining this process with our integrated solution, we minimize the number of components involved, directly reducing power usage. When comparing a traditional setup to our approach, we estimate that power utilization per Mbps of traffic could be reduced significantly—potentially down to a quarter of the original power consumption—by eliminating unnecessary devices from the chain.

Lowering the total power required for DDoS mitigation not only reduces operational costs but also helps organizations achieve their environmental and sustainability objectives.

Peering and mitigation

As an Internet Exchange, our primary requirement for offering anti-DDoS services is the ability to perform detection and mitigation directly on our Internet Exchange Fabric. Peering is deeply ingrained in our DNA, and any solution we choose must integrate seamlessly with our fabric. For over 20 years, we’ve been advocating the benefits of Peering, and today, our Internet Exchange Fabric connects over 600 networks, providing direct traffic exchange opportunities. We take great pride in the low-latency network we've built, helping our customers meet even the most stringent latency requirements.

We are excited to share that Deepfield Defender is uniquely capable of delivering its full range of detection and mitigation functions directly on our Internet Exchange Fabric. This capability allows us to uphold our commitment to low-latency performance, ensuring that you can continue exchanging traffic directly, even during a DDoS attack. The need to reroute traffic through external platforms is a thing of the past.

Conclusion

At the core of our mission is the goal of making the Internet accessible to all networks and organizations. By removing one of the major hurdles—protecting your network from DDoS attacks—we empower organizations of all types to confidently operate online.

With the addition of anti-DDoS services to our portfolio, we will able to offer a fully managed Internet service that provides robust protection against these growing threats. For those who prefer not to have a fully managed service, we also offer DDoS protection tailored to our existing services, like Peering and IP Transit, ensuring that organizations can meet even the most stringent security and performance requirements.

Ultimately, our goal is to provide you with peace of mind, allowing you to focus on what matters most: your daily business and network operations. Whether you’re a small enterprise or a large ISP, our solutions are designed to scale with your needs and provide reliable, seamless protection.

We invite you to reach out to us today to learn more about how our anti-DDoS services can enhance your security posture and support your mission on the Internet.