The Case for Big Data DDoS Protection
DDoS Has Crossed the Chasm. Where Does That Leave You?
At Kentik, we recently debuted our updated DDoS protection solution, which pairs the most accurate available detection with support for hybrid mitigation, including both RTBH and integration with mitigation systems from industry-leading vendors. So we've all been thinking a good deal lately about DDoS protection. One of the things that has struck me is that the DDoS threat is so often conceived of as coming from the sort of mysterious outsider that you see personified in images as a hoodie-wearing amateur: malevolent but not incorporated into a larger organized structure.
While the lone sociopath with an axe to grind may make good graphics and TV plots, it's actually more apt to think of many cyber-security threats, including DDoS, in terms of a professional marketplace of exploits. Sure, the so-called “script kiddies” in hacker forums do exist. But according to security experts, many if not most of those kiddies are like entrepreneurs or startups: they're working to impress commercial buyers of their capabilities and services.
The reality is that we're looking at a fairly well-developed marketplace with vendors at multiple levels. At the “enterprise” level we have nation states; it's well established that they regularly launch DDoS attacks either as distractions or to punish geopolitical foes. At the mid-market we find criminal syndicates that use DDoS to extract ransoms. Hacktivists can be considered the non-profit sector. Meanwhile a host of retail-level DDoS attackers constitute a B2C sector — the main portion of the DDoS market — in which, for a fraction of a bitcoin, an unscrupulous gamer can launch a DDoS attack against an online foe.
The existence of a broad marketplace drives innovation and the rapid adoption of new vectors, malware, and botnets. In just a few years we've witnessed the rise of IoT botnet herders, like Mirai, that have unleashed unprecedented attack power. This is power at cloud scale, except that using botnets makes massive scale-out bandwidth essentially free.
So DDoS has, as author and marketing consultant Geoffrey Moore would say, “crossed the chasm.” It's not just, or even primarily, the realm of hoodied hobbyists, hackers, and hangers-on. It's serious business. Bottom line: if you have a business that depends heavily on the free flow of Internet traffic to reach your customers, your critical IT assets, or your digital solution suppliers, you are a target. And you're up against an agile, innovative, and robust marketplace of players that are going for your network traffic jugular — and more.
If DDoS has crossed the chasm with cloud-scale, innovative and agile approaches, why has DDoS protection lagged so far behind? DDoS detection has been based on single-server appliances since the late 1990s. This is like bringing a (rubber) knife to a (laser) gunfight.
It's revealing to look at the detection layer of your DDoS defenses because legacy appliances lack two major requirements for success: accuracy and intelligence. In terms of accuracy, appliances tend to miss a lot of attacks because they are so strapped for compute, memory, and storage resources. That results in severe computational shortcuts in monitoring and baselining. One indicator is the amount of manual administration that it takes to keep monitoring schemes up to date with organic changes in the network. It's an approach that's not very modern and not very accurate.
As for intelligence, traditional DDoS detection appliances summarize the raw traffic data and then discard the details, so they are literally incapable of providing deep analytics. And analytics are precisely what you need to understand the full implications of changing conditions, vectors, and traffic trends. Sometimes there's no substitute for slicing and dicing the details of network traffic to figure out what's going on. But you can't do that if you don't have the data.
The application of big data to network operations and anomaly detection is a major advance for DDoS protection. Using cloud-scale compute and storage gives you the headroom to finally look at traffic data holistically, even at very high volume. Big data systems can also utilize learning algorithms that simply aren't possible on traditional appliances. The result is far higher accuracy of attack detection. In field deployment, Kentik Detect customers have seen a 30-percent improvement in detection accuracy — check it out in our PenTeleData case study.
Because big data systems are typically built to be highly API-aware they generally lend themselves to integration. In the case of Kentik Detect, we not only integrate with major mitigation solution providers, but can also signal RTBH for any BGP-peered customer.
Kentik Detect's deep storage of raw traffic data, combined with the ability to perform ad-hoc analytics, means that operations engineers can also get fast answers to critical diagnostic questions. For an example of the kind of rapid pivoting enabled by Kentik Detect, check out our post on source geography analysis of a DDoS attack.
DDoS attackers have long-since crossed the chasm from enthusiasts to pragmatists, and their arsenal is now brimming with state-of-the-art technology that can easily overwhelm legacy appliance-based detection. Built on big data, Kentik Detect gives you the firepower to fend off this new breed of determined commercial attackers.
If you're ready to experience Kentik Detect for yourself, sign up now to start a free trial, or contact us to arrange a guided demo. If you'd prefer to first learn more, check out our Kentik Detect for DDoS Protection solution brief and our white paper on The Case for Big Data DDoS Protection. Either way, given the true nature of the hoods inside those DDoS hoodies, sticking with the status quo isn't a viable option.