Big data platforms are pitched as an answer to the limitations of traditional detection appliances: rather than applying fixed thresholds on a single box, they baseline against network-wide data, which improves detection accuracy. A machine learning approach also allows finer-grained analysis and lets the client, who knows best what its own legitimate traffic looks like, define the parameters on which alerts are raised.
DDoS protection that is built on a scale-out, big data engine platform, as in the case of Kentik or Neustar, has the capability of monitoring and analysing millions of individual IPs and scanning billions of flow records that depict network-wide traffic.
To build baselines, big data platforms use adaptive learning algorithms. Each IP's normal traffic profile is learned automatically and new traffic is judged anomalous against that learned profile, so statically configured threshold lists can be discarded. Compared to detection appliances, this allows far finer-grained analysis.
Monitoring policies can be tuned across a wide range of parameters, raising alerts on potential threats and triggering mitigation when needed; the alert conditions and the mitigation actions themselves are equally customizable.
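The per-IP baselining and client-defined alert parameters described above, as an added example (not Kentik's or Neustar's code): an exponentially weighted baseline of packets per second is learned per destination IP from flow records, and every threshold lives in a policy object the operator can tune. The flow record fields, the policy knob names and the sample traffic are all constructed for illustration.

```python
"""Adaptive per-IP baselining over flow records: added example, not vendor code.
Flow record fields (ts, src, dst, proto, dport, packets, bytes) and the policy
knob names are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass
class Policy:
    """Client-tunable parameters: the 'customized set of parameters' the text describes."""
    window: int = 60            # seconds per measurement bin
    alpha: float = 0.2          # EWMA learning rate: higher adapts faster, forgets faster
    warmup_bins: int = 3        # bins learned before an IP is allowed to alert
    z_threshold: float = 4.0    # deviations above baseline needed to alert
    min_sd_ratio: float = 0.1   # floor on stddev as a fraction of the mean (very stable hosts)
    min_pps: float = 1000.0     # absolute floor: small hosts never alert on noise alone
    min_unique_src: int = 50    # distinct sources required, a flood/botnet signal


@dataclass
class Baseline:
    """Exponentially weighted mean and variance of packets/second for one destination IP."""
    alpha: float
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def update(self, x: float) -> None:
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.n += 1

    def zscore(self, x: float, min_sd_ratio: float) -> float:
        sd = max(math.sqrt(self.var), min_sd_ratio * self.mean, 1e-9)
        return (x - self.mean) / sd


@dataclass(frozen=True)
class Alert:
    dst: str
    bin_ts: int
    pps: float
    unique_src: int
    zscore: float


class Detector:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.baselines = defaultdict(lambda: Baseline(policy.alpha))

    def _bin(self, flows):
        """Aggregate flows into (bin_ts, dst) -> [packet count, set of source IPs]."""
        bins = defaultdict(lambda: [0, set()])
        for f in flows:
            key = (f["ts"] - f["ts"] % self.policy.window, f["dst"])
            bins[key][0] += f["packets"]
            bins[key][1].add(f["src"])
        return bins

    def process(self, flows):
        p, alerts, bins = self.policy, [], self._bin(flows)
        for bin_ts, dst in sorted(bins):
            packets, sources = bins[(bin_ts, dst)]
            pps = packets / p.window
            b = self.baselines[dst]
            z = b.zscore(pps, p.min_sd_ratio)
            if (b.n >= p.warmup_bins and pps >= p.min_pps
                    and len(sources) >= p.min_unique_src and z >= p.z_threshold):
                alerts.append(Alert(dst, bin_ts, pps, len(sources), z))
                continue  # never learn attack traffic into the baseline
            b.update(pps)
        return alerts


def constructed_flows():
    """Constructed sample: five quiet minutes, then a SYN flood against host A."""
    flows = []
    for b in range(5):
        for i in range(10):  # host A: 10 clients, 600 packets each per bin (100 pps)
            flows.append(dict(ts=b * 60, src=f"198.51.100.{i + 1}", dst="203.0.113.10",
                              proto=6, dport=443, packets=600, bytes=540_000))
        flows.append(dict(ts=b * 60, src="198.51.100.200", dst="203.0.113.20",  # host B: one probe
                          proto=1, dport=0, packets=10, bytes=640))
    for i in range(400):  # minute 6: 400 spoofed sources, 3000 x 40-byte SYNs each (20,000 pps)
        flows.append(dict(ts=300, src=f"10.{i // 256}.{i % 256}.7", dst="203.0.113.10",
                          proto=6, dport=443, packets=3000, bytes=120_000))
    flows.append(dict(ts=300, src="198.51.100.200", dst="203.0.113.20",  # host B: 50x its norm
                      proto=1, dport=0, packets=500, bytes=32_000))
    return flows


def run_demo(policy=None):
    return Detector(policy or Policy()).process(constructed_flows())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With the default policy only host A alerts: host B's spike is fifty times its own baseline, but it never reaches the absolute packet-rate floor or the source-diversity floor. Lower those two knobs and the same run produces a second alert, which is exactly the lever the text describes the client holding. The `continue` on alert is the detail worth copying: once traffic is flagged, it is excluded from the baseline, otherwise a sustained flood teaches the detector that the flood is normal.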
Kentik, for instance, promises that its DDoS protection scheme, Kentik Detect, “leads to 30% greater accuracy in detecting and mitigating DDoS attacks”.
Big data engines also retain far more data. Raw flow records, BGP updates, network performance metrics and similar data are typically kept for a retention period such as 90 days, so recent network behaviour can be analysed across multiple dimensions (source, destination, port, protocol and so on) rather than as a single aggregate counter. Dashboards can be built to give an overview or summary of recent incoming and outgoing traffic.
Many big data driven DDoS protection schemes can also feed network data into other tools and alerting pipelines. The retained data helps a business characterise the attacks it is actually receiving, so that newly observed patterns of suspicious behaviour can be looped back into detection and response processes: a dynamic rather than static approach to DDoS. Anomaly detection over this data is also the basis for earlier, more predictive mitigation. Furthermore, the distinctive "fingerprints" an attack leaves in the flow data can be extracted and used to recognise and block the same attacker on a return visit.
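The attack "fingerprint" idea above, as an added example rather than any vendor's implementation: from the flows of a detected flood, extract the dominant (protocol, destination port, packet-size) shape plus the source set, and match later traffic against it. The flow record layout, the fingerprint fields and the sample flows are constructed for illustration.

```python
"""Extracting an attack fingerprint from the flows of a detected flood and
matching later traffic against it: added example, not vendor code. The flow
record layout (src, dst, proto, dport, packets, bytes) and the fingerprint
fields are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass


def size_bucket(flow) -> int:
    """Mean packet size rounded down to a 64-byte bucket, so 40- and 60-byte SYNs match."""
    return (flow["bytes"] // max(flow["packets"], 1)) // 64 * 64


def shape(flow):
    return (flow["proto"], flow["dport"], size_bucket(flow))


@dataclass(frozen=True)
class Fingerprint:
    dst: str
    proto: int
    dport: int
    size_bucket: int
    sources: frozenset  # source IPs seen sending the attack shape


def fingerprint_attack(flows, dst, min_share=0.8):
    """Build a fingerprint from the flows to `dst` in the alert window.
    Returns None unless one shape carries at least min_share of the packets:
    an attack with no dominant shape would yield a filter that also hits
    legitimate traffic, so it is better to produce nothing."""
    packets_by_shape, total = Counter(), 0
    for f in flows:
        if f["dst"] == dst:
            packets_by_shape[shape(f)] += f["packets"]
            total += f["packets"]
    if total == 0:
        return None
    top, pkts = packets_by_shape.most_common(1)[0]
    if pkts / total < min_share:
        return None
    sources = frozenset(f["src"] for f in flows if f["dst"] == dst and shape(f) == top)
    return Fingerprint(dst, *top, sources)


def matches(fp: Fingerprint, flow) -> bool:
    """Later traffic matches if it targets the same host with the attack's shape,
    or comes from a source that took part in the attack."""
    if flow["dst"] != fp.dst:
        return False
    return shape(flow) == (fp.proto, fp.dport, fp.size_bucket) or flow["src"] in fp.sources


def demo():
    """Constructed flows: a SYN flood mixed with normal HTTPS traffic, then a return visit."""
    window = [dict(src=f"10.{i // 256}.{i % 256}.7", dst="203.0.113.10", proto=6,
                   dport=443, packets=3000, bytes=120_000) for i in range(400)]  # 40-byte SYNs
    window += [dict(src=f"198.51.100.{i + 1}", dst="203.0.113.10", proto=6,
                    dport=443, packets=600, bytes=540_000) for i in range(10)]   # real clients
    fp = fingerprint_attack(window, "203.0.113.10")
    later = [
        dict(src="198.51.100.3", dst="203.0.113.10", proto=6, dport=443, packets=500, bytes=450_000),  # normal client
        dict(src="10.9.9.9", dst="203.0.113.10", proto=6, dport=443, packets=2000, bytes=80_000),      # same flood, new source
        dict(src="10.0.5.7", dst="203.0.113.10", proto=6, dport=443, packets=50, bytes=45_000),        # old attack source
        dict(src="10.9.9.9", dst="203.0.113.20", proto=6, dport=443, packets=2000, bytes=80_000),      # different host
    ]
    return fp, [matches(fp, f) for f in later]


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would attach. For a spoofed flood the source set is worthless, so the shape is what actually carries the match; and a shape as generic as "40-byte SYN to port 443" will also match a legitimate client whose handshake never completes, which is why such a fingerprint is usually applied as a rate limit or only while the anomaly detector is still firing, not as a permanent drop rule.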
Big data powered DDoS protection is likely to become more important in the era of IoT powered DDoS. With so many vulnerable devices already deployed, and their number only likely to grow, the need to monitor traffic from all of them at once becomes ever more pressing, and that is a scale problem.
Initially the focus in this space was on network-layer volume and performance; increasingly it extends up into the application and server stack, as attackers find ingenious ways to attack higher layers of the stack.