Cyber attacks have become a common problem nowadays. At the same time, stopping them has become a commonplace requirement, yet not every ISP succeeds in implementing an effective detection and mitigation system.
Often, the solution chosen is "blackholing": dropping all traffic to the attacked IP address in order to protect the other client resources. This method raises several issues, the most important of which is the scenario in which multiple (often all) client IP addresses are attacked simultaneously. In that case, the only option is to restrict traffic to all the attacked addresses, which accomplishes exactly what the attacker wanted: DoS (Denial of Service).
Another problem is detection time. Most systems are statistics-based, detecting deviations from a moving average rather than traffic peaks, and use NetFlow or sFlow to collect the data. Such a deployment is ineffective at detecting the majority of small-scale attacks and typically needs a large amount of data before it can make a decision, resulting in very long delays, sometimes on the order of ten minutes from the start of the attack until it is blocked. The only advantage of such a system is its low implementation cost.
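As an added illustration, not part of the original page, the following Python models the moving-average detector described above over constructed per-minute flow counters, showing why a small-scale flood stays below the threshold and how the confirmation logic delays the alert for a large one. The window size, multiplier, confirmation count, export interval and traffic rates are all assumptions.

```python
from collections import deque
from statistics import mean

# Constructed per-minute packet rates (pps) toward one customer IP, as a
# collector would derive them from NetFlow/sFlow exports. Not real data.
BASELINE = [1000, 1100, 950, 1050, 1000, 980, 1020, 1000]
SMALL_FLOOD = BASELINE + [2500] * 10   # ~2.5x normal: an application flood
LARGE_FLOOD = BASELINE + [20000] * 10  # ~20x normal: a volumetric flood
INTERVAL_S = 60                        # assumed flow export interval


def first_alert(samples, window=5, factor=3.0, confirm=3):
    """Threshold-on-moving-average detector (assumed parameters).
    Alerts only after `confirm` consecutive intervals exceed factor x the
    mean of the last `window` normal intervals. Returns the index of the
    alerting interval, or None if the attack never crosses the threshold."""
    history = deque(maxlen=window)
    streak = 0
    for i, pps in enumerate(samples):
        if len(history) == window and pps > factor * mean(history):
            streak += 1            # breach: keep it out of the baseline
            if streak >= confirm:
                return i
            continue
        streak = 0
        history.append(pps)        # a "normal" interval feeds the baseline,
        # so a flood below the threshold quietly raises the average itself
    return None


def seconds_to_detect(samples, attack_start, **kw):
    """Wall-clock delay from attack start to alert, or None if never."""
    idx = first_alert(samples, **kw)
    if idx is None:
        return None
    return (idx - attack_start + 1) * INTERVAL_S


if __name__ == "__main__":
    start = len(BASELINE)
    print("small flood detected after:", seconds_to_detect(SMALL_FLOOD, start))
    print("large flood detected after:", seconds_to_detect(LARGE_FLOOD, start))
```

The small flood is never flagged, and each interval it goes unflagged is averaged into the baseline, making it even less likely to be flagged later; the large flood is caught, but only after the confirmation intervals have elapsed.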
Providing 99.99% uptime is not just about ensuring connectivity. When a business depends on its internet connection, a congested link is just as detrimental as an interrupted one. Also, a small-scale "application flood" attack can selectively affect certain company resources without being detected. Such attacks typically do not aim to interrupt the service but to abuse resources in a way that leads to material loss.