Data Analytics and DDoS Mitigation: Lessons Learned
DESCRIPTION
During a DoS or DDoS (denial of service) attack, Prolexic gathers hundreds of millions of data points from DDoS mitigation sensors. In this audio, Prolexic shares what it has learned about using DDoS analytics to stop DDoS attacks.
TRANSCRIPT
Data Analytics and DDoS Mitigation: Lessons Learned
In the cybersecurity industry, IT is driving the use of data analytics to gain real-time insight into trends, attacker behaviors and specific cybersecurity events. Real-time data analysis can be a powerful tool to help Internet-facing organizations build a stronger cybersecurity strategy.
Defending against DDoS attacks is a real-time challenge for DDoS mitigation service providers. Hundreds of millions of data points in multiple streams pour into a DDoS mitigation platform in real time during an attack. A DDoS mitigation provider must quickly make sense of this deluge of data and make precise decisions as to which data/traffic to allow and which to block.
The Prolexic approach to DDoS data analytics
Merely summarizing numerical data will not show if network traffic anomalies are malicious or not. Prolexic uses data analytics to draw informed conclusions and answer questions such as:
Is a site under DDoS attack, or is this another kind of network anomaly, such as a flash crowd?
If under attack, what type of DDoS threat is this, and which part of the customer's infrastructure could be most affected?
Where are the attacks coming from? Have we encountered these attackers before?
What are the attack signatures? Have we seen them before? Are they changing?
Figure 1: Prolexic leverages a wide variety of metrics and models to provide meaningful DDoS insight.
Our data analytics system
Prolexic acquires billions of DDoS attack metrics from sensors monthly. Each sensor samples tens of thousands of metrics every minute and may capture 30 to 40 metrics for each network object or application. Some customers have as many as 30,000 network metrics. Our system distills the data for our DDoS mitigation experts to analyze and act upon. By correlating the metrics and showing their relationships, Prolexic's mitigation experts can search on the data in real time and extract intelligence to help them make the best and fastest decisions on how to mitigate the attack.
What we've learned
Three of the lessons we have learned are:
Using data analytics for DDoS mitigation requires a large capital investment and a multi-year effort to build a system that can take myriad sources of information and present it in a way that supports rapid decision making.
Automatic decision-making algorithms are prone to false positives. So, as good as today's analytics systems are, for DDoS attacks they cannot replace an experienced live mitigation engineer.
Batch-oriented analytics systems, such as Hadoop, have latency thresholds that are too slow to support the real-time requirements of Prolexic's cyber-attack mitigation time frame.
Get the white paper Data Analytics and DDoS Mitigation: Lessons Learned at http://www.prolexic.com/ddosanalytics for more details and conclusions, including:
The three important questions to ask of your DDoS data
The problem of false positives
The latency challenges of batch-oriented analytics
The gap between the capabilities of automated systems and live DDoS attackers
How Prolexic manages the big data associated with DDoS attacks
More lessons learned
About Prolexic
Prolexic Technologies is the world's largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.
About PLXsert
Prolexic Security and Engineering Response Team (PLXsert) monitors the global malicious cyber threats and actively analyzes DDoS attacks using proprietary techniques and equipment.