Understanding Big Data DDoS Defense: A Tutorial
Overview of Big Data Defense
Big Data DDoS defense is the use of big data technology in the process of detecting and mitigating Distributed Denial of Service (DDoS) attacks. By taking advantage of cloud-scale techniques and storage mechanisms, big data DDoS can be used to collect and analyze high volumes of network flow data. This scale and granularity results in much greater accuracy in stopping DDoS attacks than is possible with legacy, data-limited DDoS defense appliances.
The main goal of a DDoS attack is to either limit access to a network service or application, denying legitimate users access to the services. There are hundreds of DDoS attack strategies used today and they are becoming much more sophisticated. Their primary goal is to consume targeted network resources with traffic or requests for service from many different sources – potentially hundreds of thousands or more. This makes it impossible to stop the attack simply by identifying and blocking a single IP address. The diversity of sources attacking makes it very hard to distinguish normal user traffic from attack traffic when spread across so many points of origin.
DDoS defense deploys manual or automated detection, plus one or more remediation techniques including traffic flow filtering, rate-limiting, and blocking/dropping, so attacks can’t consume resources needed to service legitimate traffic. In order to detect an attack, one has to gather a sufficient amount of data by monitoring network-wide traffic flows, then rapidly and accurately analyze that data.
The Omnipresent DDoS Threat
The most common type of DDoS attack is the volumetric attack, with the intent to congest the target network’s bandwidth related to a service or network segment. Roughly 90% of all DDoS attacks are volumetric, with application-layer attacks making up the remaining 10%. According to Akamai’s Q3 2016 State of the Internet Report, the majority of volumetric attacks are IP flood attacks involving a high volume of spoofed packets such as TCP SYN, DNS, UDP, or UDP fragments. A growing percentage of attacks are reflection and amplification attacks using small, spoofed SNMP, DNS, or NTP requests to many distributed servers to bombard a target with the much more bandwidth-heavy responses to those requests.
The sheer volume and diversity of these threats makes it necessary to collect as much network telemetry as possible while retaining enough data to uncover network anomalies that pose a threat. This is where the application of Big Data is essential in scaling storage to the level needed for accurate analytics that identify DDoS threats.
DDoS Mitigation Options
The remediation portion of DDoS mitigation can be accomplished via multiple mechanisms, including dedicated in-line appliances, routing techniques, cloud-based services, or some hybrid of these mechanisms.
In-Line Appliance Mitigation
When performing in-line DDoS mitigation, all traffic is sent through one or more DDoS protection appliances that support deep packet inspection. The appliances examine the incoming traffic, and if particular traffic flows or packets are determined to be attacks, they are discarded, while legitimate traffic is allowed to pass through.
Routing Techniques: Remote Triggered Black Hole (RTBH)
Cloud-based Black holing is a form of DDoS mitigation achieved by dropping traffic via changing routing parameters. By utilizing BGP to redistribute attack traffic to the null interface on edge routers, multiple types of black holing are possible. The most common form of black holing is destination-based Remote Triggered Black Hole (RTBH). When a service or website is under attack, a network operator configures a /32 host “black hole” route. The route is then redistributed via BGP — along with a ‘no-export’ community and a next-hop address — to the routers where the attack traffic is entering the network. These routers then route the traffic to a destination that doesn’t exist (the black hole), for example a null interface. Black holing can be very powerful and effective but with the caveat that legitimate traffic will also get dropped.
Traditionally, the detection of attacks for RTBH was performed by basic alerts, and the triggering of the remote black hole was performed by a manual routing parameter configuration. However, it is possible to use SaaS-based DDoS detection to automatically trigger BGP-based black holes.
Cloud-Based DDOS Defense Services
Cloud-based DDoS defense services detect and mitigate attacks without requiring the network under attack to deploy on-premises resources. This is accomplished by redirecting all traffic through the DDoS protection cloud provider’s network, where the traffic is most commonly run through in-line DDoS mitigation devices in a scrubbing center. Attack traffic is detected and removed, and legitimate traffic is routed backed to the customer’s network. Such services are offered on an “always-on” or “on-demand” basis. While cloud-based traffic scrubbing services are very convenient, they can also be quite expensive.
Hybrid DDoS defense is performed by a combination of on-premises mitigation devices and cloud-based mitigation services. This approach is utilized to enable the fastest response (from the on-premises appliance) with the cost-effectiveness of bursting to the cloud on-demand when mitigation requirements rise above the capacity of the on-premises device.
Evolving DDoS Detection to Big Data
The key to solving DDoS detection accuracy issue is utilizing big data. By using a scale-out system with far more compute and memory resources, a cloud approach to DDoS detection can continuously scan network-wide data on a multi-dimensional basis without constraints.
Cloud-scale big data systems make it possible to implement a far more intelligent approach to the problem, since they are able to:
- Track and baseline millions of IP addresses across network-wide traffic, rather than being restricted to device level traffic baselining.
- Monitor for anomalous traffic using multiple data dimensions such as the source geography of the traffic, destination IPs, and common attack ports. This allows for greater flexibility and precision in setting detection policies.
- Apply learning algorithms to automate the upkeep of detection policies to include all relevant destination IPs.
These advances are making a new hybrid model possible, where DDoS detection is performed by a best-of-breed, cloud service that automates the triggering of RTBH, on-premises and cloud-based mitigation appliances. Big data detection systems also provide the added benefit of deep, forensic analytics, plus the ability to incorporate network performance, planning and other capabilities.
On Kentik & More Reading
Kentik Detect offers the industry’s only big data network visibility and DDoS defense solution built from the ground up on Big Bata and delivered as a cost-effective SaaS. Kentik Detect offers the industry’s most accurate DDoS detection, and can automatically trigger mitigation via RTBH, Radware DefensePro or A10 Thunder TPS mitigation.
For more information on how big data delivers 30% greater DDoS detection speed and accuracy, check out the blog post on Big Data for DDoS Protection, read the PenTeleData case study, or download The Case for Big Data-Powered DDoS Protection white paper. Know you want to get big data-powered DDoS protection today? Start a free trial.