Mining attack data for anti-DDoS intelligence improves DDoS protection.
Stopping distributed denial of service attacks requires extensive anti-DDoS intelligence and the ability to put it to work quickly. It is essential to have visibility into an extremely large volume of DDoS traffic to quickly identify emerging threats and new DDoS attacks. Further, once the anti-DDoS intelligence is known, there must be a reliable and timely process to put it to work. Attackers can innovate and change an attack in progress, which requires implementing new anti-DDoS intelligence on the fly.
Identifying sources of attack traffic allows them to be blocked. Anti-DDoS intelligence can be combined from multiple sources to build a reputational database of IP addresses to identify participants in active DDoS botnets and fraud-linked IP addresses. IP blacklists can be used to filter traffic to the site, automatically blocking requests from specific IP addresses, or to slow the rate of traffic from IP addresses that attempt to commandeer more resources than other users. Some sites may choose a positive security model where only whitelisted traffic is passed through to the site.
IP address ranges are allocated to specific regions of the world, so the source address of a request can be mapped to an approximate geographic origin. Geo blocking is a type of DDoS mitigation that blocks traffic originating from specific geographic regions, which can mitigate some DDoS attacks.
Adaptive rate controls employ anti-DDoS intelligence to monitor the behavior of clients and automatically block or throttle those demonstrating suspicious behavior, such as issuing an excessive number of requests or a pattern of requests identical to other clients, which may be zombies in the same botnet. In addition, rate controls can also include the capability to sanitize requests before they are delivered to an application. Filtering out the bad traffic can provide anti-DDoS protection from attacks that rely on malformed or incomplete requests, such as Slowloris, Slow POST and RUDY.
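As an added illustration (not code from the original article or from any vendor product), the following Python sketch applies the three controls this paragraph describes to a constructed request log: a sliding-window rate check per client, a check for distinct clients replaying an identical request sequence (a sign of zombies in one botnet), and the dropping of requests whose header block never completed, as in a Slowloris-style attack. The log entries, IP addresses (documentation ranges) and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0      # sliding window for the per-client rate check
RATE_LIMIT = 20            # more requests than this in one window is excessive
MIN_LOCKSTEP_CLIENTS = 3   # this many clients replaying one sequence look like one botnet

def build_sample_log():
    """Constructed log entries: (time_s, client_ip, request_path, headers_complete)."""
    log = []
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout"]):
        log.append((i * 2.0, "198.51.100.10", path, True))      # ordinary visitor
    for i in range(30):
        log.append((i * 0.15, "203.0.113.5", "/", True))        # flooder: 30 hits in 5 s
    for ip in ("203.0.113.20", "203.0.113.21", "203.0.113.22"):  # three zombies in lockstep
        for i, path in enumerate(["/search?q=a", "/search?q=b", "/cart"]):
            log.append((1.0 + i, ip, path, True))
    log.append((3.0, "203.0.113.99", "/", False))                # Slowloris-style partial request
    return sorted(log, key=lambda entry: entry[0])

def excessive_clients(log):
    """Clients exceeding RATE_LIMIT requests within any WINDOW_SECONDS span."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _path, _complete in log:
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > RATE_LIMIT:
            flagged.add(ip)
    return flagged

def lockstep_clients(log):
    """Clients forming a group of MIN_LOCKSTEP_CLIENTS or more with one identical request sequence."""
    sequence_of = defaultdict(list)
    for _ts, ip, path, _complete in log:
        sequence_of[ip].append(path)
    clients_by_sequence = defaultdict(set)
    for ip, seq in sequence_of.items():
        clients_by_sequence[tuple(seq)].add(ip)
    return {ip for ips in clients_by_sequence.values()
            if len(ips) >= MIN_LOCKSTEP_CLIENTS for ip in ips}

def incomplete_requests(log):
    """Requests whose header block never terminated; these are dropped before the app sees them."""
    return [(ip, path) for _ts, ip, path, complete in log if not complete]

def mitigation_decisions(log):
    """Per-client verdict combining the three controls."""
    blocked = excessive_clients(log) | lockstep_clients(log) | {ip for ip, _p in incomplete_requests(log)}
    return {ip: "block" if ip in blocked else "allow" for _ts, ip, _path, _c in log}
```

A production rate control would keep the per-client state in a shared store and age it out, but the decision logic is the same.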
Extensive anti-DDoS intelligence can be gathered from post-attack forensics, and this data should then be fed into DDoS mitigation tools. Akamai’s PLXsert team monitors malicious cyber threats globally and analyzes these attacks to build a global view of security threats, vulnerabilities and DDoS trends, which is used to improve DDoS mitigation tools and shared with customers and the security community. Identifying the sources and associated attributes of individual attacks improves DDoS protection.
Understanding potential DDoS attack size is an essential element of anti-DDoS intelligence and security planning. Enterprises must know what to expect and be confident that their DDoS protection solution can handle all the possible malicious traffic and then some, since DDoS attacks keep getting bigger.
Detecting and blocking DDoS attacks requires significant processing power, as every incoming request must be compared to known attack profiles. Thus it is necessary to evaluate the total capacity of a DDoS mitigation platform’s infrastructure – how much traffic it handles on a daily basis as well as how much extra capacity it has to mitigate potential attacks and handle future growth. A DDoS protection vendor must be able to defend multiple clients under attack at once.
More granular anti-DDoS intelligence results in more accurate protection. Your enterprise wouldn't want a DDoS protection vendor to block legitimate traffic (false positives), nor to pass through malicious traffic (false negatives). The figure below is an example of how the number of false positives and false negatives can vary significantly by vendor.
Once your DDoS protection solution is in place, look for (or build) a testing solution to assess the accuracy of your deployment. The tool should let you add test cases of valid traffic and attack traffic, so you can test for false positives and false negatives. Be sure to gather accurate statistics. Reporting capabilities will enable greater use of the results.
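As an added example of the kind of test harness this paragraph calls for (not code from the original article), the Python below runs constructed, labelled test cases of valid and attack clients through a simple rate-limit rule at several thresholds and reports the false-positive and false-negative rate for each, so the trade-off between the two is visible. The client labels, request counts and thresholds are all constructed for the example.

```python
# Constructed labelled test cases: (client_id, requests_in_window, is_attack)
TEST_CASES = [
    ("user-1", 3, False), ("user-2", 8, False), ("user-3", 14, False),
    ("user-4", 25, False),   # busy but legitimate client, e.g. a crawler
    ("bot-1", 18, True), ("bot-2", 40, True), ("bot-3", 95, True), ("bot-4", 200, True),
]

def rate_limit_verdict(requests_in_window, threshold):
    """The mitigation rule under test: block a client that exceeds the threshold."""
    return requests_in_window > threshold

def evaluate(cases, threshold):
    """Confusion-matrix counts for one threshold: blocked attack = TP, blocked valid = FP."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _client, requests, is_attack in cases:
        blocked = rate_limit_verdict(requests, threshold)
        if blocked:
            counts["tp" if is_attack else "fp"] += 1
        else:
            counts["fn" if is_attack else "tn"] += 1
    return counts

def sweep(cases, thresholds):
    """(threshold, false-positive rate, false-negative rate) for each threshold tried."""
    rows = []
    for threshold in thresholds:
        m = evaluate(cases, threshold)
        valid_total = m["fp"] + m["tn"]      # denominator for the false-positive rate
        attack_total = m["tp"] + m["fn"]     # denominator for the false-negative rate
        rows.append((threshold, m["fp"] / valid_total, m["fn"] / attack_total))
    return rows

def report(rows):
    """Plain-text table of the sweep results, suitable for a test report."""
    lines = [f"{'threshold':>9} {'FP rate':>8} {'FN rate':>8}"]
    for threshold, fpr, fnr in rows:
        lines.append(f"{threshold:>9} {fpr:>8.2f} {fnr:>8.2f}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(sweep(TEST_CASES, [10, 20, 30, 50])))
```

Replacing rate_limit_verdict with a call into the deployed mitigation (or replaying the test traffic through it) turns this into a test of the real deployment rather than of the toy rule.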
Depending on the attack mitigation vendor, an API may be available to integrate multiple security solutions. An API allows enterprises to use attack data to change configurations or create new security rules, and to share data with a security information and event management (SIEM) solution.
An insurance company shared data from a hardware-based intrusion protection system (IPS) solution, such that when an IPS detected a suspicious IP address attempting to gain access to an application, it would push the IP address to the IP blacklist on Kona Site Defender, thereby blocking the intruder from accessing the application. An API can also allow online security management without a separate security infrastructure.
Extensive visibility into global web traffic provides opportunities for the mining of big data for anti-DDoS botnet intelligence. Attackers often gain control of computers for use in a botnet by taking advantage of web application vulnerabilities. Akamai researchers have identified a botnet profiling technique for mining Internet traffic from botnet-development activity. The results aggregate data from the Akamai Intelligent Platform™ to recognize attackers, map botnet activity, and identify the targeted web applications – from attacks that initially appeared unrelated. The analysis requires extremely large amounts of web traffic data but can be conducted without being part of the botnet or taking over the botnet's command-and-control (C&C, C2) server.
Akamai's PLXsert shares anti-DDoS and other cybersecurity intelligence with the public in threat advisories available on the State of the Internet site. Advisories detail an emerging threat, identify best practices for system hardening, and provide mitigation details such as attack signatures, payload code, and ACL and Snort rules.
Attacks are constantly evolving. Most companies only see a small fraction of global DDoS traffic, but some cloud service providers see significant amounts of traffic and can therefore detect new types of DDoS attacks as they appear, create new rules to detect these attacks, and make the rules available to all their customers globally.
The global scale of the Akamai Intelligent Platform™ allows the company to gather extensive anti-DDoS intelligence. As large as it is, the Akamai Intelligent Platform is constantly growing, providing customers with the scale and performance necessary to defend against the largest network- and application-layer attacks. Similarly, Akamai's Prolexic Routed DDoS protection service has the largest DDoS attack mitigation platform in the world, capable of handling attack traffic of 2.3 Tbps (terabits per second).