Enhanced Infrastructure DDoS Protection Analytics: Targeted Visibility for Greater Accuracy

We’ve rolled out enhanced infrastructure protection analytics, which show the top traffic patterns for traffic flowing through our Incapsula Infrastructure DDoS Protection service.

Imperva clients can now view network statistics categorized by source or destination IPs and ports, or by packet size, for protected network ranges. This new addition to our data analytics gives our clients in-depth visibility into their network usage during peacetime and while under a DDoS attack. Ultimately it will simplify forensics and help us provide a more accurate DDoS attack mitigation service. Check out the demo video to see how it works.

The Previous Dashboard

The prior infrastructure protection dashboard provided general attack traffic information, displaying rates of bits/packets in a time series chart as well as graphs showing passed/blocked traffic. The data on blocked traffic was based on pre-defined attack vectors.

From engaging with our clients, we learned that they wanted to be able to dive even deeper and to understand the mechanics of each and every attack.

Enhanced Metrics

The new infrastructure protection analytics take a big leap forward in terms of visibility, adding capabilities to our already stellar real-time dashboard and to the historical view, which is stored in 15-second buckets.

You can view statistics for your monitored IP ranges, examine emerging attacks in near real-time, or analyze historical attack data from the previous 90 days. This way you can look at behavior over time and better understand traffic patterns affecting the network – broken down by traffic type and showing peaks over a period of time. You can also get insight into bandwidth volume, packet rates, and PoP utilization.

Infrastructure protection clients can access the new infrastructure protection analytics through the infrastructure dashboard.

Example Use Case in Action

Until now, statistics were provided at the range level. When mitigation for the range took place, there wasn’t the depth of visibility to determine the exact resource that was under attack.

For a given range, we were able to display the size of the attack and the different attack vectors:

But other than the fact that we mitigated a lot of UDP traffic, it was impossible to dig deeper into the attack.

Now, with enhanced analytics, top Destination IPs can provide details of the servers that were targeted. We can clearly see that the attack was targeting specific servers rather than spread out on the full /24 range:

The top Source IPs show that the attack is distributed and that the top 10 source IPs make up only a small portion of the full bandwidth (shown as the dotted line); hence, many more hosts were involved in the attack:

The top Destination Ports show that the attack was targeting a specific service (UDP Port 80):

And the top Source Ports reveal the true face of the attack – this is the infamous memcached attack, which earlier this year took down GitHub in the biggest DDoS attack to date:

We know that memcached has a very large amplification ratio, which means lots of very large packets, as can be seen in the packet size histogram:

So, starting from a simple per-vector view, you can see how it’s possible to build a complete profile of an attack and, if your ranges host multiple services, pinpoint the exact service that was targeted.

But that’s not all.

All this wealth of data is available for your clean traffic as well, since all data passing through the Incapsula service receives the same treatment. Profiling your network has never been easier.

The Importance of More Visibility

Visibility is crucial for network admins and security teams. With enhanced visibility, our clients can easily identify false positives, e.g. tell traffic that is blocked because it is part of a DDoS attack apart from a legitimate surge, such as when a new digital service is introduced and many of your end users suddenly start using it.

Specific characteristics of an attack unveil actionable details. For example, highly distributed source traffic will usually indicate a spoofed attack. And if a specific host is responsible for an attack, our clients can choose to modify the Access Control List (ACL) for that specific host.

Consider the benefits for the following users:

Network Admin

If you’re a network admin, you can now view clean analytics for your traffic without setting up alternative NetFlow-based tools, which consume router resources.

SOC Manager

Say you’re in charge of a very large network with hundreds of prefixes. Enhanced analytics provide you with better attack visibility when any one of your networks is attacked. If you receive an alert, you can determine which asset is being attacked and which IPs and ports are involved.

Head of IT Security

You can get a historical view of targeted services by destination IP and port.

How it Works

Dedicated hardware is deployed in each of our PoPs to perform the stream processing required to collect statistics at network speed. Probabilistic data structures are used in conjunction with deterministic counting to provide reliable top statistics. Analytics data is based on 1:40 sampling for DDoS traffic and 1:1 sampling (every packet) for clean traffic, and data is collected in 15-second buckets.
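The two ideas in this section, a probabilistic structure to find candidate top talkers and deterministic counters for the shortlist, combine naturally with the attack walk-through above (top destination IPs, top source IPs against the total, top ports, packet-size histogram). The following is an added, illustrative implementation written for this page; it is not Imperva's code and says nothing about how Watermill or the PoP hardware actually work. It uses a Count-Min Sketch as the probabilistic structure, weights each sampled record by the post's 1:40 / 1:1 sampling ratios, and groups into 15-second buckets. The packet records and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample data.

```python
"""Top-talker profiling over sampled, 15-second-bucketed packet records: a
Count-Min Sketch (probabilistic, fixed memory) estimates per-key volume and a
small deterministic table keeps counters for the current top-N, as the post's
"How it Works" section describes. Illustrative code, not Imperva's."""
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass

BUCKET_SECONDS = 15
SAMPLE_FACTOR = {"attack": 40, "clean": 1}   # 1:40 and 1:1, as quoted in the post

@dataclass(frozen=True)
class Packet:
    ts: int          # epoch seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    size: int        # bytes on the wire
    klass: str       # "attack" (sampled 1:40) or "clean" (sampled 1:1)

class CountMinSketch:
    """Frequency estimator that may overestimate but never underestimates."""
    def __init__(self, width=1024, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _idx(self, key, row):
        digest = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.width

    def add(self, key, weight):
        for row in range(self.depth):
            self.table[row][self._idx(key, row)] += weight

    def estimate(self, key):
        return min(self.table[row][self._idx(key, row)] for row in range(self.depth))

class TopK:
    """Sketch-guided top-N: a key enters the deterministic table when its sketch
    estimate beats the smallest retained counter and is counted exactly from
    then on. `total` is the whole volume (the dotted line in the post's charts)."""
    def __init__(self, n=10):
        self.n, self.sketch, self.exact, self.total = n, CountMinSketch(), {}, 0

    def add(self, key, weight):
        self.total += weight
        self.sketch.add(key, weight)
        if key in self.exact:
            self.exact[key] += weight
            return
        est = self.sketch.estimate(key)
        if len(self.exact) < self.n:
            self.exact[key] = est
            return
        low = min(self.exact, key=self.exact.get)
        if est > self.exact[low]:          # evict the weakest candidate
            del self.exact[low]
            self.exact[key] = est

    def top(self):
        """(key, bytes, percent of total volume), largest first."""
        ranked = sorted(self.exact.items(), key=lambda kv: -kv[1])
        return [(k, v, round(100 * v / self.total, 1)) for k, v in ranked]

def size_bin(size):
    """Packet-size histogram bucket label, e.g. '<=1500'."""
    return next((f"<={u}" for u in (128, 256, 512, 1024, 1500) if size <= u), ">1500")

def profile(pkts, top_n=10):
    """Top IPs/ports by bytes, packet-size histogram, and peak/average bps over
    15-second buckets. Every sampled record is weighted by its sampling factor."""
    dims = {d: TopK(top_n) for d in ("dst_ip", "src_ip", "dst_port", "src_port")}
    size_hist, bucket_bytes = Counter(), defaultdict(int)
    for p in pkts:
        factor = SAMPLE_FACTOR[p.klass]        # packets this sample stands for
        nbytes = p.size * factor               # bytes this sample stands for
        for d in dims:
            dims[d].add(getattr(p, d), nbytes)
        size_hist[size_bin(p.size)] += factor
        bucket_bytes[p.ts // BUCKET_SECONDS] += nbytes
    bps = [8 * b / BUCKET_SECONDS for b in bucket_bytes.values()]
    return {"top": {d: t.top() for d, t in dims.items()}, "size_hist": dict(size_hist),
            "peak_bps": max(bps), "avg_bps": sum(bps) / len(bps)}

def build_sample():
    """Constructed traffic, not a real capture: a memcached-style reflection
    flood (source port 11211, 1400-byte payloads) at one host in a /24, plus
    light clean HTTPS traffic to a neighbouring host in the same range."""
    t0 = 1_535_000_010                         # multiple of 15 s, so buckets align
    pkts = [Packet(t0 + i % 45, f"198.51.100.{i % 50}", "203.0.113.10",
                   11211, 80, 1400, "attack") for i in range(200)]
    pkts += [Packet(t0 + i % 45, f"192.0.2.{i % 20}", "203.0.113.20",
                    40000 + i, 443, 300, "clean") for i in range(60)]
    return pkts
```

Running `profile(build_sample())` reproduces the shape of the walk-through: one destination IP and destination port 80 carry almost all of the bytes, source port 11211 dominates, the ten top source IPs each hold about 2% of the total (so the attack is distributed), and the packet-size histogram is concentrated in the largest bin. The peak and average bps values are the same two aggregates the Peak and Average views expose; note that the sketch only ever overestimates, so a key that is never promoted into the deterministic table may be under-reported relative to the total but a promoted key's share is never inflated after admission.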

Data is then sent for aggregation in a new, near real-time data store we call Watermill, which supports an end-to-end latency of less than 2 minutes.

If technical implementation details are your thing, we will be publishing a more technical blog post to go into even more detail, so stay tuned!

Customization

The views are customizable into table or graph format. You can customize the layout and choose to view the highest peak or average values for the selected time period. See the documentation for more information.

View Customization:

  • Dense View: All panes are packed together.
  • Aligned View: Bandwidth and packets-per-second graphs are aligned in two columns.

Data Customization:

  • Table View: See the distribution of blocked traffic for the highest values during the selected time period. Values over 10% are displayed in bold, which puts the emphasis on what matters; the long tail of IPs/ports below that threshold is usually not significant.
    • Peak View: Provides an indication of momentary spikes, e.g. an IP that spiked at a single data point but was silent for the rest of the time range.
    • Average View: May smooth out peaks but provides a better metric for behavior over time.
  • Graph View: Drills down into the network behavior over time; supports up to 15-second granularity.

Going Forward

Infrastructure DDoS Analytics is available at no additional cost for all existing Infrastructure Protection clients. This expanded capability is just another way we’re continuing to focus on our goal of providing more in-depth visibility to our clients, so they have an easier job securing their enterprises.

Check out the new dashboard and let us know what you think!

*** This is a Security Bloggers Network syndicated blog from Blog | Imperva authored by Kim Lambert. Read the original post at: https://www.imperva.com/blog/2018/08/enhanced-infrastructure-ddos-protection-analytics-targeted-visibility-for-greater-accuracy/