Automate Remotely Triggered Black Hole DDoS Protection in Under an Hour

DDoS Detection and Mitigation at the Speed of SaaS

In the wake of the recent takedown of DNS provider Dyn, it’s common knowledge that Distributed Denial of Service (DDoS) attacks pose a serious and growing threat to the Internet and its component networks. What’s less obvious is what to do about that threat, especially if you don’t have a large capital budget to invest in traditional DDoS protection tools. A common fallback is to rely on manually defending your network with Remote Triggered Black Hole (RTBH). Stressful, time-consuming, and error-prone, that’s a far-from-ideal way to protect network availability and performance. Instead, Kentik can help you automate RTBH triggering based on the industry’s most accurate DDoS detection. And you can set it all up in under an hour without having to install any hardware or software.

How RTBH works

The “black hole” part of RTBH refers to the fact that edge routers are typically provisioned with a static route (commonly 192.0.2.1) pointing to the null0 interface — the black hole. Any traffic routed to that virtual interface is simply dropped, never to be heard from again. Using iBGP, traffic can be redistributed to this static route on your own network’s edge routers. Alternatively, you can announce routes for that traffic with a specific BGP community (commonly :666) that signals to your ISPs that they should blackhole it.

During an attack, a remote iBGP speaker injects a “trigger” route with next-hop IP or BGP community attributes. This trigger initiates activation of blackholing policies, either at the local edge and/or within the upstream ISP networks. The trigger source can inject the route either via full-mesh iBGP peering with all of the edge routers or via any/all route reflectors that are required to propagate the trigger route to the edge routers.

DDoS protection via typing at 2 a.m.

As noted above, if your network operations budget doesn’t allow you to invest in traditional DDoS protection or NetFlow analysis tools, you are pretty much stuck with manual triggering of black-holing, which is a stressful, time-consuming, and error-prone process. This is especially true when you’re a network tech who’s been woken up in the middle of the night by a hysterical pager. Bleary-eyed, you log into your systems to try to figure out what’s gone wrong (without automated analysis, you may be hunting around a bit to figure things out). Once you see that a DDoS attack is underway, you need to ssh to the remote trigger router and type in a network statement or other config, keeping your fingers crossed that you’re not fat-fingering something at 2 AM.

Big data detection with automated RTBH

The 2 AM scenario is clearly less than foolproof, but luckily it’s no longer the only affordable option, because automated RTBH is now available in a SaaS DDoS protection solution. With recent DDoS defense enhancements to Kentik Detect, network operators can access state-of-the-art DDoS detection and automated RTBH mitigation without a bank-breaking capital investment. The major enhancements to Kentik Detect’s DDoS protection capabilities include:

• The industry’s most accurate DDoS detection. We’ve added true anomaly detection to our already-powerful, network-wide traffic monitoring and alerting. Kentik Detect includes the typical statically-configured thresholds, but it also intelligently tracks which IPs are the top-N traffic receivers. These IPs are baselined individually and evaluated for anomalies. We then trigger alerting and auto-mitigation policies based on configured thresholds or deviations from baseline. Because Kentik Detect always looks at network-wide data — even when that means billions of records per policy — and automatically adjusts baselining, it’s far more accurate than any other DDoS detection system. Period.
• Automated mitigation. Kentik Detect can now be configured as a remote triggering system. Configure Kentik as an iBGP peer of your edge routers or route reflectors, create some mitigation policies with mitigation enabled, and you’re ready to go. If you are using or considering Radware DefensePro or A10 Thunder TPS mitigation systems, those are also supported as auto-mitigation options that you can configure via the Kentik portal UI.

Automated RTBH (and other mitigation techniques) means no more manual blackholing at 2 AM. Sleep easier. Use your time for more productive things. Move the business forward instead of rowing in place like a crazy person.

On top of handling your DDoS-related needs, Kentik Detect also gives you state-of-the-art big data network traffic visibility. We correlate flow records (NetFlow, sFlow, and IPFIX) with BGP attribute data from live BGP peers, as well as SNMP interface and GeoIP data. We unify the data into a distributed HA time-series database. And we retain that data for a minimum of 90 days. With Kentik Detect you can group and graph billion-row sets of raw traffic details by up to eight dimensions (out of dozens) and get answers to ad hoc queries in a few seconds. This is Big Data power.

SaaS is SooO easy

The great thing about getting all this automation and analytics via Kentik Detect is that it’s so easy. There are no boxes, no software to install, no capital expenses, no operational overhead and maintenance. It’s an annual subscription. Simple.

You can register for a free trial, start sending flow data, and get up-and-running in the portal in about 15 minutes. If you’re already doing RTBH, you can configure Kentik Detect as your automated remote trigger in under an hour. We’ve seen customers for whom automated mitigations started happening nearly immediately after signing up and configuring RTBH. And automated mitigation makes for happy network engineers.

Ready to learn more about RTBH and how Kentik Detect delivers the industry’s most accurate DDoS protection? Check out the following links:

• RTBH overview
• Kentik Detect for DDoS Protection
• PenTeleData DDoS Protection Case Study