There have been two constants in DDoS over the last 10+ years: an ever-changing threat landscape and continuous growth in attack sizes. Akamai’s Prolexic platform has stood the test of time, but we are continuing to invest in ways to make our customers’ experience more valuable and relevant. I’m excited about the things we are doing to stay ahead of the curve, and I want to share a few of the developments that are in motion today as we invest to make it the largest, most advanced and effective DDoS mitigation platform available anywhere. But first, a recap…
Business as Usual – Recapping A Massive 1.3 Tbps Attack
On February 28, Akamai instantly – and successfully – mitigated a record-setting 1.3 Tbps attack. Akamai’s SOC had proactively prepared for attacks that were using the memcached distributed memory caching system as a tool to generate amplified reflection traffic as a targeted DDoS attack. Akamai’s preparation resulted in successful mitigation the instant the customer routed its traffic onto our platform. Although large in scale, this attack was “business as usual” for the Akamai SOC team. It’s our mission to detect and mitigate attacks as quickly as possible – in this case 0 seconds from the time it hit the Prolexic border – and we continually develop and rapidly deploy tools and rules to detect, orchestrate, and mitigate attacks. In addition, we work closely with customers to ensure that the customer and Akamai are fully prepared with defensive postures and runbook processes before they are ever targeted by DDoS attackers.
How big is a 1.3 Tbps attack? For comparison, many of the largest enterprise organizations in the world – some with tens or hundreds of thousands of employees – often have only a fraction of that attack bandwidth – if even 10% (130 Gbps) – as contracted capacity. With an attack like this, you would need access to capacity greater than the full 1.3 Tbps to effectively mitigate the attack. This attack illustrates that a robust, proven cloud DDoS mitigation solution is a necessary part of a DDoS readiness posture, as large attacks have the potential to ramp up more quickly than ever before and to cripple most organizations.
As an aside, we are often asked if Akamai could have stopped the same attack had it targeted our CDN or DNS platforms. The answer is yes – and for the same reason. For example, Akamai has delivered record traffic on our CDN platform of over 61 Tbps, with much lower average daily traffic. While massive for a DDoS attack, 1.3 Tbps is a small fraction of the traffic we deliver every day on our CDN platform.
What is Akamai doing to stay ahead?
The story of the memcached attack is validation of the historical trend of the scale of DDoS attack size consistently growing over time – roughly doubling about every 2 years. As illustrated below, published attack sizes have grown from 321 Gbps in 2014 to 620 Gbps in 2016, and they now exceed 1.3 Tbps in 2018.
Why is this concerning – and how is Akamai addressing it with its roadmap?
In hindsight, it always seems like common sense to have thought ahead. When it comes to DDoS, Akamai has always invested across our platforms to ensure that our capacity well exceeds what attackers might throw at our customers. Our philosophy has been to have enough available capacity to absorb 3X-5X the largest known attack – on each of our platforms and of any vector/shape/size – to be well in front of tomorrow’s attacks.
As attack sizes have grown, we have occasionally observed stress points. During the mitigation of the 623 Gbps attack in 2016, we identified that one of our European scrubbing centers was seeing >200 Gbps of inbound attack traffic. While we had more than sufficient capacity, we mapped out our future plan to ensure that we distribute the load across a more decentralized footprint, to minimize the potential to introduce local strain to a specific scrubbing center or city.
As a part of our ongoing expansion, we are announcing the 2.1 version of the Prolexic Routed product, which includes the turn-up of nine (9) additional scrubbing centers in the US and EMEA. These scrubbing centers and the hardware / software / network tooling associated with this buildout represent a significant addition. Summarizing:
Dedicated Platform Capacity
These scrubbing centers will provide our SOC and customers with added attack fighting capacity, the ability to attract attack traffic even closer to their points of origin, and increased resilience. We are adding more Tier 1 transit partners, and increasing capacity with existing Tier 1 ISPs and peering partners. This diversification across a broader range of Tier 1 providers and peering partners will also contribute to adding resilience, and will ensure that Akamai’s SOC and Network Operations engineers have even more options as they monitor traffic within regions and across providers and manage routes, providing customers with the best possible routing experience.
For our friends in APJ, we haven’t forgotten about you. We will be announcing two additional scrubbing centers in APJ later in 2018, bringing total Prolexic platform capacity close to 8 Tbps! Check back in with our Fall Launch as we talk more about that.
In addition to the network and capacity buildout, we have made monumental development efforts to ensure that our SOC workflows and tooling, as well as customer portal experience, provide for an informative real-time experience, with intuitive user experience and visibility into ongoing events as well as historic events and attack reports. You can see Craig Sparling describe the latest portal changes here.
Proactive Mitigation Controls – Shattering the 5-minute Time to Mitigate SLA
Akamai has always offered a meaningful Time to Mitigate SLA – tied to the time it takes to effectively mitigate DDoS attacks. Our commitment is to effectively mitigate various attack types within 5 minutes for most attack vectors, and we’ve always demonstrated a much shorter average customer time to mitigate. We also monitor our effectiveness and work towards always improving our time to mitigate. As we review historical data, we are excited to present findings about a trend that we have been tracking. This trend is illustrated below, and demonstrates that we are mitigating the majority of the DDoS attacks within our environment in 0 seconds!
As illustrated, average mitigation time has consistently fallen over the years as we mitigate more attacks instantly. We attribute this reduced time to mitigate to proactive engagement with customers, the ability to profile customer and overall platform traffic, and the ability to implement and manage proactive mitigation controls, either globally or specific to each customer’s baselined network traffic, as part of creating a proactive defensive posture.
This approach resembles what we’ve done on our CDN from the beginning, automatically dropping any traffic not on ports 80 or 443 in 0 seconds. However, that exercise is easy in comparison, as you know that web traffic is the only expected traffic on that platform. The Prolexic platform has always supported all ports and protocols, requiring much more sophistication in our SOC, as well as greater partnership with each individual customer to achieve the same results.
You can read more about proactive mitigations on the Prolexic platform in this new white paper here.
Higher Capacity GRE Support
Historically, Prolexic Routed has restricted Routed GRE customers to a maximum 1.0 Gbps clean traffic CIR per customer data center. This has led to many customers asking – why? Our short answer (and 1.0 Gbps policy) has been based on our many years of global DDoS mitigation experience and on best practice as it relates to DDoS mitigation. Our scrubbing center routers terminate thousands of GRE tunnels, and encapsulate GRE at very high rates, and we understand that the nameplate rating for router capacity and general GRE guidelines are higher than 1.0 Gbps. However, we have – on occasion – had customers who experienced packet integrity issues during initial DDoS attack ramp-up due to either (i) customer router(s) not keeping up with required decapsulation rates or (ii) rate limiting that occurred downstream of the Prolexic platform. As the people from the insurance company say, “we know a thing or two because we’ve seen a thing or two,” and our conservative, experience-based approach has helped us not only consistently meet or exceed our customers’ expectations, but also provide the best possible experience during a DDoS attack.
The good news is that Routed GRE customers are now able to contract for higher rates – up to 2.0 Gbps per customer data center in most locations. We have generally observed customer border routers significantly improve in GRE decapsulation capabilities in recent years, and we have seen the likelihood of packet loss between Prolexic and the customer decrease as GigE ports move towards extinction and 10 Gbps and 100 Gbps ports become the norm for ISPs.
We plan to increase this offering to support >2.0 Gbps per customer data center in the future. We suggest that you engage with your in-region ESA and Security Sales Specialist to discuss the best option for you for Prolexic Routed service. This service is available via GRE, or via Prolexic Routed with Connect Option, which has always been our gold standard for higher capacity CIR needs and for customers with concerns about GRE tunnels and/or MSS adjustment. The Connect option provides for transit and hand-off of the traffic from Prolexic to the customer border router via a secure Layer 2 MPLS global backbone and a direct circuit.
IPv6 Support for FBM
FBM – or Flow-based Monitoring – is an optional service offering for Prolexic’s customers. FBM monitors inbound flows to customer border router(s) and alerts on volumetric and protocol-based events that represent possible DDoS attacks. Customers can now monitor and configure Monitored Objects for IPv6 IP subnets/IPs in the same manner as IPv4, and all standard FBM features including Top Talkers and event alerts will provide parallel functionality for IPv6 traffic as for IPv4.
What you need to do
For most customers – nothing! Customers that have Prolexic Routed today will automatically benefit from the platform expansion and our ability to protect against even larger DDoS attacks. Customers that can benefit from larger GRE tunnels should engage with their account management team to scope and receive recommendations and/or a proposal for higher CIR and/or GRE tunnels.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Greg Burns. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/VhZ2uqq9z9o/whats-new-with-prolexic.html