This is anti-DDoS the way it should be

NL-ix is in the midst of rolling out a unique and powerful DDoS protection service—one that integrates Nokia Deepfield technology directly into the fabric of our European network. Unlike traditional approaches that rely on centralized scrubbing centers, this new service brings mitigation directly to the network edge, allowing us to detect and filter malicious traffic inline, at scale, and with minimal impact on latency.

This is a significant step forward, not just for NL-IX, but for our customers—especially those in the enterprise and financial sectors, where performance, security, and trust are critical. With this innovation, we aim to offer not only the best possible connectivity but also the most secure and future-ready foundation for European digital business.

To help our community better understand what this new service is, how it works, and why it's so different from what’s currently on the market, we sat down with Dirk Kalkman, Chief Network Architect at NL-ix. In this in-depth interview, Dirk walks us through the architecture, the customer benefits, and the philosophy behind one of the most advanced DDoS mitigation strategies in the industry today.

Revolutionizing DDoS Protection at NL-ix:

An interview with Dirk Kalkman, Chief Network Architect at NL-ix

Q. Please describe the scope of your operations in Europe.

A. NL-ix is currently deployed in seven countries in Europe and is in the process of further expansion. The scope of our network is the European continent - that's where we're active. For us, everything is business-driven - if the business is there, we'll deploy in any country on the European continent.

Q1. What do you think about DDoS? Why now?

A. We need better DDoS security now because we are transforming into the leading European enterprise-focused Internet exchange. We need secure connectivity and anti-DDoS services. If you're a business exchange, you need better security and protection for your enterprise customers. With the Deepfield solution, we give our customers the ability to have a control board and say, “Well, I trust this traffic, so I'll move it to this route, and this traffic I don't trust, so I'll move to this route.” They can also move traffic to other security zones or apply a different security policy.

The Nokia FP5-based router network combined with Deepfield Defender-based DDoS security allows us to slice the Internet for our customers and implement digital security in-line; we never have to move our customer traffic anywhere. Their traffic will still use the same connectivity paths, but we will filter it inline for them and make it secure. This also helps with data sovereignty because, for some customers, their traffic may never leave their country. With this transformation in mind, we now have many big customers, such as big banks, connected and served. We aim to provide the best, secure enterprise connectivity with minimal latency within Europe.

Q. What are the key benefits to you and your customers?

A. The anti-DDoS solution from Deepfield will protect our backbone as we can apply the filtering at the edge of our network. There is no need for centralized scrubbing; we don't transport your entire DDoS towards the scrubbing center so that it will save me money and bandwidth. From the customer's point of view, they will have a one-stop shop for connectivity and DDoS protection; they do not need to call third parties where a technical partner might provide you with a dual-vendor network strategy with pool mitigation options on both vendors. In a way, we are their network hero that is just one call away, so to speak.

Q. How do you minimize the effects of DDoS on your customers?

A. We are leveraging existing FP5 filtering capabilities and using router-based network telemetry to determine which packet flows are DDoS and block them. So, there's really very little impact on the network. But the beauty of the solution is not just about a minimal effect on our network; it’s all about minimizing the effects of DDOS on our customers. That helps us to minimize “false positives.” Instead of removing a lot of potentially good traffic, we are only filtering out the bad (DDoS) traffic – directly on routers.

If you are an ISP and have a DDoS and block some of the traffic and accidentally block some of the good traffic, you can say, “Okay, it is customer traffic,” so they'll browse the web, you know, in a few minutes or a few hours later. But when you are dealing with enterprise traffic, it's a whole different level of security expectations—especially with FinTech customers. We need to maintain the performance and integrity of their traffic.

Q. You mentioned router-based mitigation. How important is it to you to use mitigation on the routers themselves, as opposed to creating a whole different layer for mitigation and passing that back and forth?

A. It is very important for two reasons. First, you don't introduce additional latency because you don't shuffle and transfer the traffic across. For example, my traffic comes in on Marseille, my protected object is in Paris, and I would first have to transfer to, for example, Frankfurt or Amsterdam for scrubbing. Then, your latency would skyrocket. But that would impact the customer. And would have to transfer all the traffic – not just bad traffic - to Frankfurt or Amsterdam.

A scrubbing center solution would cost me a lot of money because I would need a lot of additional bandwidth to cope with, for example, DDoS traffic in the range of 400-500 Gbps. After all, those are the volumes that we do see in the wild, right? It's no longer the 10 Gbps or the 50 Gbps DDoS - we do see DDoS attacks in the hundreds of gigabits. From my point of view, this solution saves me money doing it on the edge router. I save both on bandwidth and not having to deal with additional layers of complexity. Security is built in. This solution will ensure that the customer's latency is minimal, especially with all the applications deployed in every cloud.

As an enterprise, you may not have anything on-prem anymore. One application is in Amsterdam, another is in Dublin, and the other is in Frankfurt. If you start rerouting all traffic of that customer to a certain point for scrubbing, as soon as you hit 50+ milliseconds of additional latency, customers, and also your colleagues, will start to complain, right? Because – “it doesn't click,” “the web is laggy,” or “video is not loading,” and people will not enjoy it anymore. Our Deepfield + FP5-based solution is all about the router-based mitigation applied at a large scale but also very surgically.

Q. How do you think the world will react to your anti-DDoS service offering?

A. I think the world will see us as “They're cool and do innovative stuff.” Our existing customers already know this 😊

Also, our potential and hopefully future customers might say, " That's different from my current model. Let's talk to the IT team and see what they think about it.” This solution is also about being first. We're the only IXP that is “crazy enough” to do a layer two VLAN across Europe. Nobody's doing that because, everyone says, let’s do layer three. But - we do layer two. For us, this also opens the option for layer three. If you start with a layer three-based approach, getting it back to layer two is much more difficult. And yes, we're the only ones to do it right. In the past, we saw other exchanges thinking, “Well, yeah, that's stupid, we don't do that.” But now, we also see other exchanges looking at the same model we do.

And now, we are the first IXP to add DDoS security to our services. But this story is also about NL-ix following the latest technology as it evolves and passing the benefits to our customers. NL-ix is all about beautiful, elegant networking evolution. First, we based our network on a new generation of routing technology evolution based on the Nokia FP5 chipset. Then, we added the 800G readiness—which is, in a way, all about growth and sustainability—followed by a unique set of business services offered and deployed more ubiquitously across Europe. With a solid networking foundation in place, it was very cost-effective to leverage our Nokia FP5-based network, which is already there, for DDoS security: we deploy Deepfield Defender and Deepfield Secure Genome to do the heavy lifting for DDoS detection and instruct the data plane to mitigate DDoS attacks at scale, quickly, and in an automated manner.

Q. What three words would you use to describe your DDoS solution?

A. Flexibility, security at scale and innovation. This is an anti-DDoS solution that you don't often see on a large scale. Instead of one super big European scrubbing station, we will bring DDoS security to our services across almost 100 locations within Europe. We think this is the biggest deployment of an anti-DDoS solution globally.