Data Analytics and DDoS Mitigation: Lessons Learned

In the cyber security industry, IT is driving the use of data analytics to gain real-time insight into trends, attacker behaviors and specific cyber security events. Real-time data analysis can be a powerful tool to help Internet-facing organizations build a stronger cyber security strategy.

Defending against DDoS attacks is a real-time challenge for DDoS mitigation service providers. Hundreds of millions of data points in multiple streams pour into a DDoS mitigation platform in real time during an attack. A DDoS mitigation provider must quickly make sense of this deluge of data and make precise decisions as to which data/traffic to allow and which to block.

The Prolexic approach to DDoS data analytics

Merely summarizing numerical data will not show whether network traffic anomalies are malicious or not. Prolexic uses data analytics to draw informed conclusions and answer questions such as:

Is a site under DDoS attack, or is this another kind of network anomaly, such as a flash crowd?
If under attack, what type of DDoS threat is this, and which part of the customer’s infrastructure could be most affected?
Where are the attacks coming from? Have we encountered these attackers before?
What are the attack signatures? Have we seen them before? Are they changing?
Figure 1: Prolexic leverages a wide variety of metrics and models to provide meaningful DDoS insight.
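As an added illustration of the first question above (attack or flash crowd?), and of why a single summarized number is not enough, the following example is not Prolexic's code. It correlates a request-rate spike with two other per-minute metrics; the sample values, metric names and the 5x / 0.8 thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    """One per-minute metric sample for a protected site (constructed, not real sensor data)."""
    minute: int
    requests: int            # total HTTP requests in the minute
    unique_sources: int      # distinct client IPs seen in the minute
    top_path_share: float    # fraction of requests hitting the single most-requested path
    new_source_share: float  # fraction of client IPs never seen before this window


def rate_only_alert(history, current, factor=5.0):
    """Naive detector: alert on any request-rate spike over the baseline mean.

    This is the 'merely summarizing numerical data' approach; it fires on
    flash crowds just as readily as on attacks (a false positive).
    """
    baseline = mean(s.requests for s in history)
    return current.requests > factor * baseline


def correlated_alert(history, current, factor=5.0, share=0.8):
    """Correlate the rate spike with source and request-mix metrics.

    A flash crowd spikes the rate but still looks like ordinary users: requests
    spread across many paths and a large share of sources are already known.
    A flood spikes the rate with mostly never-seen sources hammering one path.
    Thresholds are assumed values for the example, not tuned production numbers.
    """
    if not rate_only_alert(history, current, factor):
        return "normal"
    attack_like = current.top_path_share > share and current.new_source_share > share
    return "attack" if attack_like else "flash_crowd"


# Constructed 10-minute baseline: ~1,000 requests/min from ~800 mostly known clients.
BASELINE = [Sample(m, 1_000, 800, 0.10, 0.05) for m in range(10)]
# Constructed spike after a news mention: many real users, diverse paths.
FLASH_CROWD = Sample(10, 12_000, 9_500, 0.15, 0.40)
# Constructed HTTP flood: one URL, almost all traffic from unseen sources.
HTTP_FLOOD = Sample(10, 15_000, 3_000, 0.95, 0.97)


def classify_all():
    """Run both detectors over the constructed samples and return their verdicts."""
    return {
        name: (rate_only_alert(BASELINE, s), correlated_alert(BASELINE, s))
        for name, s in [("flash_crowd", FLASH_CROWD), ("http_flood", HTTP_FLOOD)]
    }
```

The naive detector flags both spikes; the correlated one separates the flash crowd from the flood, which is the point of looking at metric relationships rather than a single summary.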
Our data analytics system

Prolexic acquires billions of DDoS attack metrics from sensors monthly. Each sensor samples tens of thousands of metrics every minute and may capture 30 to 40 metrics for each network object or application. Some customers have as many as 30,000 network metrics. Our system distills the data for our DDoS mitigation experts to analyze and act upon. By correlating the metrics and showing their relationships, Prolexic’s mitigation experts can search the data in real time and extract intelligence to help them make the best and fastest decisions on how to mitigate the attack.

What we’ve learned

Three of the lessons we have learned are:

Using data analytics for DDoS mitigation requires a large capital investment and a multi-year effort to build a system that can take myriad sources of information and present it in a way that supports rapid decision making.
Automatic decision-making algorithms are prone to false positives. So, as good as today’s analytics systems are, for DDoS attacks they cannot replace an experienced live mitigation engineer.
Batch-oriented analytics systems, such as Hadoop, have latencies too high to support the real-time requirements of Prolexic’s cyber-attack mitigation timeframe.

Get the white paper Data Analytics and DDoS Mitigation: Lessons Learned at http://www.prolexic.com/ddosanalytics for more details and conclusions, including:

The three important questions to ask of your DDoS data
The problem of false positives
The latency challenges of batch-oriented analytics
The gap between the capabilities of automated systems and live DDoS attackers
How Prolexic manages the big data associated with DDoS attacks
More lessons learned

About Prolexic

Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.
About PLXsert

The Prolexic Security and Engineering Response Team (PLXsert) monitors global malicious cyber threats and actively analyzes DDoS attacks using proprietary techniques and equipment.