There have been two constants in DDoS over the last 10+ years: an ever-changing threat threatscape and continuous growth in attack sizes. Akamai’s Prolexic platform has stood the test of time, but we are continuing to invest in the platform in ways that make our customers’ experience more valuable and relevant. I’m excited about the things we are doing to stay ahead of the curve, and I want to share a few of the developments that are in motion today as we invest to make it the largest, most advanced and effective DDoS mitigation platform available anywhere. But first, a recap…
Business as Usual – Recapping A Massive 1.3 Tbps Attack
On February 28, Akamai instantly – and successfully – mitigated a record-setting 1.3 Tbps attack. Akamai’s SOC had proactively prepared for attacks employing the memcached UDP reflection attack vector, and this preparation resulted in successful mitigation the instant the customer routed its traffic onto our platform. Although large in scale, this attack was “business as usual” for the SOCC. It’s our mission to detect and mitigate attacks as quickly as possible – in this case 0 seconds from the time it hit the Prolexic border – and we continually develop and rapidly deploy tools and rules to detect, orchestrate, and mitigate attacks. In addition, we work closely and individually with customers to ensure that the customer and Akamai are fully prepared with defensive postures and runbook processes before they are ever targeted by DDoS attackers.
How big is a 1.3 Tbps attack? For comparison purposes, it’s worth noting that many of the largest enterprise organizations in the world – some with tens or hundreds of thousands of employees – often have only a fraction of that bandwidth, if even 1% (130 Gbps). With an attack like this, you would need access to the full 1.3 Tbps in bandwidth to effectively mitigate it. This attack illustrates that a robust, proven cloud DDoS mitigation solution is a necessity as part of a DDoS readiness posture, as large attacks have the potential to ramp up more quickly than ever before, and potentially cripple most organizations.
As an aside, we also often get the question of whether Akamai could have stopped the same attack had it targeted our CDN or DNS platforms. The answer is yes – and for the same reason. For example, Akamai has delivered record traffic on our CDN platform of over 61 Tbps, with average daily traffic much lower than that. While massive for a DDoS attack, 1.3 Tbps is a fraction of the traffic we deliver every day on our CDN platform.
What is Akamai doing to stay ahead?
The story of the memcached attack is validation of the historical trend of DDoS attack sizes consistently growing over time, roughly doubling about every 2 years. As illustrated below, published attack sizes have grown from 321 Gbps in 2014 to 620 Gbps in 2016, and now exceed 1.3 Tbps in 2018.
Why is this concerning – and how is Akamai addressing it with its roadmap? In hindsight, it always seems like common sense to have thought ahead. When it comes to DDoS, Akamai has always invested across our platforms to ensure that our capacity well exceeds what attackers might throw at our customers. Our philosophy has been to invest in having enough available capacity to absorb 3X-5X the largest known attack – of any vector/shape/size – and to be well in front of tomorrow’s attacks.
As attack sizes have grown, we have occasionally observed stress points. During the mitigation of the 623 Gbps attack in 2016, we identified that one of our European scrubbing centers was seeing >200 Gbps of inbound attack traffic. While we had sufficient capacity (and more) at the time, we mapped out our future plan to ensure that we distribute the load across a more decentralized footprint, to minimize the potential to introduce local strain to a specific scrubbing center or city.
As a part of our ongoing expansion, we are announcing the 2.1 version of the Prolexic Routed product, which includes the turn-up of nine (9) additional scrubbing centers in the US and EMEA. These scrubbing centers and the hardware / software / network tooling associated with this buildout represent a significant add. Summarizing:
Dedicated Platform Capacity
These scrubbing centers will provide our SOCC and customers with added attack fighting capacity, the ability to attract attack traffic even closer to their points of origin, and increased resilience. We are adding more Tier 1 transit partners, and increasing capacity with existing Tier 1 ISPs and peering partners. This diversification will also contribute to adding resilience, and will ensure that Akamai’s SOC and Network Operations engineers will have even more options as they monitor traffic within regions and across providers and manage routes, providing customers with the best possible routing experience.
For our friends in APJ, we haven’t forgotten about you. We will be announcing two additional scrubbing centers in APJ later in 2018, bringing total Prolexic platform capacity close to 8 Tbps! Check back in with our Fall Launch as we talk more about that.
In addition to the network and capacity buildout, we have made monumental development efforts to ensure that our SOC workflows and tooling, as well as customer portal experience, provide for an informative real-time experience, with intuitive user experience and visibility into ongoing events as well as historic events and attack reports. You can see Craig Sparling go into the latest portal changes here.
Proactive Mitigation Controls – Shattering the 10 minute Time to Mitigate SLA
Akamai has always offered a meaningful Time to Mitigate SLA – tied to the time it takes to effectively mitigate DDoS attacks. Our commitment is to effectively mitigate various attack types within 5 minutes for most attack vectors, with the average customer experience being a fraction of that. We also monitor our effectiveness, and work towards always improving our time to mitigate. As we review historical data, we are excited to present findings about a trend that we have been tracking. This trend is illustrated below, and demonstrates that we are mitigating the majority of the DDoS attacks within our environment in 0 seconds!
This trend toward a lower average time to mitigate, as we mitigate more attacks instantly, has grown exponentially over the last few years. We attribute this reduction in time to mitigate to proactive engagement with customers, the ability to profile customer and overall platform traffic, and the ability to implement and manage proactive mitigation controls either globally or specific to each customer’s baselined network traffic – as a part of creating a proactive defensive posture.
One way to think about this is that it is really the same as what we’ve done on our CDN from the beginning, automatically dropping any traffic not on ports 80 or 443 in 0 seconds. However, that exercise is easy in comparison, as you know that web traffic is the only expected traffic on that platform. The Prolexic platform has always supported all ports and protocols, requiring much more sophistication in our SOC, as well as greater partnership with each individual customer to achieve the same results.
You can read more about proactive mitigations on the Prolexic platform in this new white paper here.
Higher Capacity GRE Support
Historically, Prolexic Routed has restricted Routed GRE customers to a maximum 1.0 Gbps clean traffic CIR per customer data center. This has led to many customers asking – why? Our short answer (and 1.0 Gbps policy) has been based on our many years of global DDoS mitigation experience and on best practice as it relates to DDoS mitigation. Our scrubbing center routers terminate thousands of GRE tunnels, and encapsulate GRE at very high rates, and we understand that the nameplate rating for router capacity and general GRE guidelines are higher than 1.0 Gbps. However – we have – on occasion – had customers who experienced packet integrity issues during initial DDoS attack ramp-up due to either customer router(s) not keeping up with required decapsulation rates or due to rate limiting that occurred downstream of the Prolexic platform. As the people from the insurance company say – “we know a thing or two because we’ve seen a thing or two,” and our conservative, experience-based approach has helped us ensure that we consistently meet or exceed our customers’ expectations, and provide the best possible experience during a DDoS attack.
The good news is that Routed GRE customers are now able to contract for higher rates – up to 2.0 Gbps per customer data center in most locations. We have seen customer border routers significantly improve in GRE decapsulation capabilities in recent years, and we have seen the likelihood of packet loss between Prolexic and the customer decrease as GigE ports move towards extinction and 10 Gbps and 100 Gbps ports become the norm for ISPs.
We do plan to increase this offering to support >2.0 Gbps per customer data center in the future. We suggest that you engage with your in-region ESA and Security Sales Specialist to discuss the best option for you for Prolexic Routed service. This service is available via GRE, or via Prolexic Routed with Connect Option, which has always been our gold standard for higher capacity CIR needs, and for customers with concerns about GRE tunnels and/or MSS adjustment. The Connect option provides for transit and hand-off of the traffic from Prolexic to the customer border router via secure Layer 2 MPLS global backbone, and direct circuit.
IPv6 Support for FBM
FBM – or Flow-based Monitoring – is an optional service offering for Prolexic’s customers. FBM monitors inbound flows to customer border router(s) and alerts on volumetric and protocol-based events that represent possible DDoS attacks. Customers can now monitor and configure Monitored Objects for IPv6 IP subnets/IPs in the same manner as IPv4, and all standard FBM features including Top Talkers and event alerts will provide parallel functionality for IPv6 traffic as for IPv4.
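To make the flow-based monitoring idea concrete, here is an added example (not Akamai's FBM code, and not part of the original post) that evaluates a batch of constructed inbound flow records against per-object baselines. Monitored Objects are defined as IPv4 and IPv6 subnets and handled identically; a volumetric event fires when observed bits-per-second exceeds a multiple of the object's baseline, and a protocol-based event fires when UDP traffic arrives from the memcached reflector port (11211). All addresses, baselines and thresholds are assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (dst_ip, proto, src_port, bytes in the interval)
FLOWS = [
    ("203.0.113.10", "tcp", 443, 1_500_000),      # normal HTTPS
    ("203.0.113.10", "udp", 11211, 900_000_000),  # memcached UDP reflection
    ("2001:db8::10", "tcp", 80, 2_000_000),       # normal HTTP over IPv6
    ("2001:db8::10", "udp", 11211, 600_000_000),  # same vector, IPv6 target
    ("203.0.113.20", "tcp", 443, 1_200_000),
    ("198.51.100.5", "udp", 53, 300_000),         # quiet DNS object, no alert
]

# Monitored Objects: IPv4 and IPv6 subnets are configured the same way (assumed values)
MONITORED_OBJECTS = {"web-v4": "203.0.113.0/24", "web-v6": "2001:db8::/64", "dns-v4": "198.51.100.0/24"}
BASELINE_BPS = {"web-v4": 20_000_000, "web-v6": 15_000_000, "dns-v4": 10_000_000}
# Protocol-based rule: well-known UDP reflector source ports (memcached uses 11211)
REFLECTION_UDP_PORTS = {11211: "memcached"}

def object_for(dst):
    """Map a destination address to its Monitored Object, version-aware."""
    addr = ipaddress.ip_address(dst)
    for name, cidr in MONITORED_OBJECTS.items():
        if addr in ipaddress.ip_network(cidr):  # False across IP versions
            return name
    return None

def evaluate(flows, interval_s=60, volumetric_factor=5):
    """Return {object: [events]} for objects whose flows breach a rule."""
    bytes_by_obj = defaultdict(int)
    reflect_by_obj = defaultdict(set)
    for dst, proto, sport, nbytes in flows:
        obj = object_for(dst)
        if obj is None:
            continue  # not a Monitored Object
        bytes_by_obj[obj] += nbytes
        if proto == "udp" and sport in REFLECTION_UDP_PORTS:
            reflect_by_obj[obj].add(REFLECTION_UDP_PORTS[sport])
    alerts = {}
    for obj, total in bytes_by_obj.items():
        bps = total * 8 / interval_s
        events = []
        if bps > volumetric_factor * BASELINE_BPS[obj]:
            events.append(f"volumetric:{bps / 1e6:.0f}Mbps")
        events += [f"reflection:{svc}" for svc in sorted(reflect_by_obj[obj])]
        if events:
            alerts[obj] = events
    return alerts

if __name__ == "__main__":
    for obj, events in evaluate(FLOWS).items():
        print(obj, events)
```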
What you need to do
For most customers – nothing! Customers that have Prolexic Routed today will automatically benefit from the platform expansion and our ability to protect against even larger DDoS attacks. Customers that can benefit from larger GRE tunnels should engage with their account management team to scope and receive recommendations and/or proposal for higher CIR and/or GRE tunnels.
This is a Security Bloggers Network syndicated blog post authored by Greg Burns. Read the original post at: The Akamai Blog