Yes, distributed denial of service (DDoS) monitoring allows organizations to identify DDoS attacks faster. The earlier a DDoS attack is identified as the source of excessive or unwanted traffic, the quicker effective DDoS mitigation can begin. The goal of DDoS monitoring is to minimize the time to detect a DDoS attack and reduce the impact of a DDoS attack on an organization’s customers and employees, brand reputation and stock prices.
DDoS attacks target either the network layer, or the application layer, or they may be hybrid attacks involving multiple attack types. Network layer attacks, also called volumetric attacks, require flow-based DDoS monitoring tools. Application layer DDoS monitoring tools look at the interactions between users (who may be headless browsers) and the application.
Flow-based DDoS monitoring is accomplished by edge routers on the protected network. The routers feed netflow data to an off-site Security Operations Center where it is used by DDoS detection experts to build an understanding of a site’s normal pattern of network traffic. With such an understanding, DDoS monitoring staff can immediately recognize significant deviations from the norm, promptly analyze the anomaly, and alert on the detection of a DDoS attack.
Flow-based DDoS monitoring tools identify volumetric network-layer DDoS attacks, such as SYN floods, UDP floods and ICMP floods. The tools are non-intrusive to minimize any potential effect on service performance.
Application layer DDoS monitoring uses customer premise equipment (CPE). These tools passively monitor interactions with a web application to allow the DDoS monitoring experts to distinguish between legitimate users and malicious attackers. The collected data is mined in many ways. For example, Akamai correlates it across more than 20 dimensions. Off-site Security Operations Center staff use this data to identify and analyze malicious application layer traffic to detect DDoS attacks.
The onsite DDoS monitoring equipment allows the early detection and alerts on layer 7 DDoS attacks, such as POST floods, GET floods and Slowloris attacks. The tools provide non-intrusive monitoring from a network tap or switch SAN to avoid affecting web traffic or application response.
Yes, encrypted HTTPS traffic is used by attackers to absorb more processing resources at the target site, and sophisticated DDoS monitoring equipment can identify DDoS attacks that use this application attack method. For example, FIPS 140-2 capable hardware can be used on-premise at the customer site to decrypt SSL traffic, allowing a DDoS detection service to identify and mitigate the source of the attack.
Although the targets change, often the same IP addresses produce malicious traffic over and over again. These IP addresses – which may be zombie bots, open Internet of Things (IoT) devices or compromised or unprotected servers – get a bad reputation, and deservedly so. Some DDoS monitoring services such as Akamai have access to massive amounts of web traffic which can reveal the common sources of past malicious traffic. Using algorithms and scoring systems, the DDoS monitoring service can identify IP addresses that can be whitelisted or blacklisted based on IP reputation and a particular organization’s traffic patterns. IP reputation provides valuable data for DDoS monitoring experts.
The flow of traffic through a website must be monitored at all hours of the day to detect DDoS attacks, including network traffic and interactions with web applications. Few IT organizations have the DDoS monitoring tools, skillset and around-the-clock staffing for effective DDoS monitoring. Organizations that cannot afford downtime will turn to a trusted cloud security service with a 24/7 Security Operations Center (SOC) such as Akamai to monitor DDoS attacks and alert on suspicious traffic.
Web security experts on a DDoS monitoring service’s security team can manage all phases of DDoS protection. They can also help to ensure that web applications and network systems are always up-to-date and protected against emerging threats.
The State of the Internet site provides resources to help enterprises understand, identify and mitigate DDoS attacks: