
Webinar: Big Data DDoS Protection

Alex Henthorn-Iwane, VP Marketing, November 18, 2016

If you haven’t been following cyber-security news recently, the DDoS arms race has just escalated in a fairly significant fashion. If your business depends on internet traffic, you should be concerned about how to properly defend yourself. Join Alex Henthorn-Iwane, VP of Marketing at Kentik, as he presents how you can improve your DDoS detection by 30% over traditional appliance-based solutions.

Video transcript

DDoS Threats are Rising:

If you haven’t been following cyber-security news recently, the DDoS arms race has just escalated in a fairly significant fashion.  Long warned about, IoT botnets have demonstrated a scale of attacks that set a new bar for DDoS volume and severity, with multiple attacks ranging from several hundred gigabits to over 1 terabit per second occurring in October of 2016 alone. 

Experts warn that more such attacks are to come, because millions of poorly secured IoT devices are being shipped ready to be compromised by botnet malware like Mirai and bashlite. There is a large and continuously innovating market of DDoS attacks, with small-scale, relatively short-duration attacks of the five gigabits per second and under category for sale by many competing darknet providers for a fraction of a bitcoin.

If your business depends on internet traffic for revenue as part of an e-commerce or other digital line of business, or if you’ve moved a significant portion of your applications and IT assets to the cloud, you should be concerned about how to properly defend yourself.

Traditional DDoS Protection Architecture

DDoS protection has many forms, but fundamentally, the primary architecture for DDoS defense works like this. 

A detection appliance receives flow data along with complementary BGP and SNMP data, based on incoming traffic flows to the network infrastructure. 

That detection appliance detects attacks and signals the network to steer traffic to a scrubbing or mitigation solution comprised of deep packet inspection appliances, which could be on-premises or in the cloud somewhere, or even a hybrid cloud combination. 

The hybrid cloud approach essentially allows for on-demand bursting to a cloud scrubbing center when there is too much traffic for the on-premises devices to handle, which optimizes response time, cost and ability to scale.

There are some other approaches.  For example, you can use Remote Triggered Black Holes or RTBH to reactively drop traffic going to specific IP addresses.  However, this is only really useful for retail ISPs who have to deal with a lot of individual subscribers who come under DDoS attack due to inter-personal conflicts revolving around online gaming.  In those cases, it’s an acceptable scenario to simply shut off that user’s traffic for a while so as to preserve other subscribers from collateral damage.  However, RTBH isn’t really an acceptable measure for protecting application servers or enterprise networks, since RTBH essentially finishes the job of the DDoS attacker.  That’s why this scrubbing type of mitigation is so widely used.

Of course, it’s also possible to simply run all traffic through mitigation or scrubbing devices, either on-premises or in the cloud.  Unfortunately, that’s quite expensive and not affordable for most organizations, which brings us back to this picture. 

Utilizing flow data on an out-of-band basis to detect attacks, and only triggering mitigation when an attack is detected, provides the best balance of cost and protective effectiveness, particularly when hybrid cloud mitigation is utilized.

Sounds pretty good, right?  Well there’s a problem.

Problem:  Limited DDoS Detection Appliances

The problem isn’t with the overall architecture, which is sensible.  It’s also not with scrubbing devices—after all something’s got to do that work. 

The real problem is that DDoS detection appliances are outdated and inaccurate.  Detection appliances are essentially single, rackmounted servers or virtual equivalents.  They are designed in a scale-up fashion, which means that they must operate within a highly constrained amount of computing, memory and storage. 

Just taking large volumes of flow data packets off the wire and unpacking the information from them takes much of the computational resources, which means that they have to take a lot of shortcuts when trying to actually detect attacks.  As a result they can’t perform reliable baselining. 

In the best case, detection appliances can only perform baselining against individual flow exporters—such as individual routers or switches. In other words, baselining isn’t looking at network-wide data, which reduces accuracy. Without effective baselining, most DDoS detection appliances must rely on simple thresholds that miss a lot of attacks. Finally, those simple threshold-based detection schemes rely on a lot of manual configuration.

As organic changes to traffic patterns occur over time, operations personnel generally fall far behind the curve, further degrading the accuracy of detection.  When detection devices miss attacks, network security and operations personnel have to constantly swing into action to limit the damage.

All in all, DDoS detection appliances are simply insufficient. And no wonder, they’re based on fifteen-year-old computing architectures.

Kentik’s Big-Data Powered DDoS Protection Solution

Kentik offers an answer to this outdated approach with Kentik Detect, the industry’s only big-data, cloud-scale network analysis solution that offers far more accurate DDoS detection, and automates the triggering of hybrid mitigation techniques, including out of the box integrations with Radware and A10, plus support for remote triggered black holes.   

Kentik Detect is offered as a no hassle SaaS and can also be deployed as an on-premises cluster.

Kentik Detect:  30% More Accurate DDoS Detection

Because Kentik Detect is built on a scale-out, big data engine platform, it doesn’t suffer from any of the constraints that legacy detection appliances do.  It can monitor and analyze millions of individual IPs, scanning billions of flow records that represent network-wide traffic, and it can do this in a few seconds. 

It utilizes adaptive, learning algorithms to perform baselining.  It figures out which IPs are interesting and automatically baselines them so you don’t have to maintain statically configured lists, keeping the accuracy of systemic monitoring extremely high.

The monitoring granularity, by comparison to the very shallow tracking that detection appliances perform, is on another plane. You can create monitoring, alerting and mitigation schemes with up to eight parameters chosen from dozens of data fields, operating against a variety of metrics. That’s big data power.

You also have highly sophisticated controls over alerting and mitigation policies. 

Of course, Kentik provides many DDoS detection policy templates to make it fast and easy to get started. Ultimately, the big data power of Kentik Detect leads to 30% greater accuracy in detecting and mitigating DDoS attacks.

How Kentik DDoS Protection Works

To illustrate how all the pieces of the Kentik DDoS protection solution work, let’s look at this diagram.  On the left, traffic flows into the network infrastructure, and as it does, routers and other devices create and export flow data packets—but rather than sending them to an appliance, they’re sent to Kentik Detect’s cloud-based big data platform. 

That flow data can be sent to our SaaS cloud using an encrypted tunnel for greater privacy. From there, Kentik Detect’s big data power finds DDoS attacks and triggers various actions, including displaying and sending alerts, or triggering one of multiple mitigation techniques based on the type of attack.

Beyond Detection:  Kentik Delivers Deep Analytics

If 30% greater DDoS protection accuracy was all that Kentik Detect offered, it would clearly be enough to justify upgrading from outmoded detection appliances.  But the solution goes deeper than that.  Detection and mitigation are important, but so is visibility. 

If you can’t understand your environment and the nature of attacks, you can’t adjust. 

What if a DDoS attack is a volumetric distraction from a different attack vector? 

What about other anomalies? 

How do you ensure that you can tell friend from foe?

Fortunately, Kentik Detect goes far beyond detection. 

Kentik Detect retains raw flow, BGP, network performance metrics, and other data for 90 days and gives you the ability to do fast, ad-hoc drill down analyses on a multi-dimensional basis.  It’s a big data analytics portal for network data. You can create dashboards for at a glance views. 

And it’s useful for all sorts of network visibility beyond DDoS, including network operations, capacity planning, peering and transit analytics, and network performance monitoring.

Virtuous Cycle: Big Data Detection and Deep Visibility

When you have both highly accurate detection plus deep visibility, you can create a virtuous cycle to protect the network experience aspect of your applications and services, not just from DDoS but from any other source of disruption.  You have all the analytical power to assess unclear and unexpected scenarios, and update policies or optimize the network accordingly. 

This feedback loop extends beyond networking teams because Kentik Detect offers highly scalable, open REST and SQL APIs.  You can tie rich network data and alerts into a SIEM, integrate data with other tools and dashboards.  For example, if you use Grafana, you can download the Kentik Connect plug-in to display key stats in your Grafana dashboards. 

PenTeleData Case Study

Let’s look at how a communications service provider solved its DDoS protection accuracy and visibility issues with Kentik Detect. 

PenTeleData is a leading provider of voice, video, data, and Internet services with more than sixty points of presence in Pennsylvania and New Jersey, and it operates nearly 10,000 miles of fiber optic cabling in its network. 

Before Kentik, PenTeleData utilized a legacy DDoS detection appliance product, which suffered from gross inaccuracies, causing a steady stream of missed attacks to hit the network and degrade service to subscribers.    That meant that their network control center was continuously dealing with the fallout from those attacks. 

The solution they utilized was to deploy Kentik Detect, paired with a Radware Defense Pro hybrid mitigation solution. 

The results were dramatic. Kentik Detect improved detection by 30%, attacks were stopped, and the NCC suddenly got far quieter, allowing engineers to focus on their real jobs instead of constantly fighting fires. PenTeleData also heavily utilizes the deep analytics that Kentik Detect provides. PenTeleData’s CTO Brian Mengel commented that

“As a network-based business, the ability to use a single tool to find, remediate, dig into, and truly understand not just DDoS but all other manner of operational and planning issues makes it much easier to do our job, which at the end of the day is to deliver excellent service. Kentik Detect has become a trusted source of visibility for our teams.”

Learn More About Kentik DDoS Protection

If you’re ready to learn more about Kentik’s DDoS protection solution, we have a ton of great resources including our solution brief, white paper, PenTeleData case study, a variety of blog posts that you can find by searching on the keyword “DDoS” and links to many thought leadership articles written by Kentik executives.  If you know you’re ready to start exploring Kentik Detect actively you can start a fully functional free trial, or request a demo.  You can contact us at or via our web chat window.  You can also follow us on LinkedIn or Twitter to get regular updates. 

Thanks very much for your time watching this webcast on big data-powered DDoS protection.
