This is a follow up post to my recent article entitled "Let's watch the game first and attack later." We received a lot of interest in learning how Akamai's Professional Services could help support a major global online event like the World Cup, and details around the attack trends that we observed during the World Cup.
In general, a successful readiness and support approach can be divided into three stages:
● Event Preparation
● Event Execution
● Post Event Wrap-up
Preparation - Positioning KONA Rule Set (KRS)
Akamai's Professional Services team provides recommendations and operational best practices to help prepare and support the customers' event.
This year for the World Cup, 90% of the broadcasters, advertisers, partners and sponsors on Kona Site Defender were leveraging the Akamai Kona Rule Set (KRS). The benefit of using KRS for our customers is a reduction in reported false positives and false negatives, helping our Professional Services team to better identify and block attacks while allowing legitimate traffic to pass through.
Having a low number of false positives and false negatives allows us to have better visibility into the malicious activities we monitor during the event.
Readiness - 50% of the malicious activities happened in the first week
Event preparedness includes the following actions that the Professional Services team offers, making sure our customers are ready on Day 1 of the event. Including:
· Proactive risk mitigation
o Recommended configuration
o Operational best practices
This year's World Cup, 50% of all of the malicious activity we saw occurred during the first week. Akamai was able to successfully mitigate all of them by following our preparation and event preparedness methodology that focuses on proactive risk mitigation.
During the Kona implementations ahead of the tournament, Akamai's Professional Services team fine-tune Web Application Firewall policies and reduce the number of false positives and false negatives, allowing customers to deny malicious requests without any risk of blocking legitimate users and requests.
Execution - 60% DDoS Attacks and 40% Application Layer Attacks
During the event execution phase, Akamai's Professional Services team focuses on proactive monitoring and alerting functions, including:
· Mitigation of risk
· Timely response
· Expedite resolution and escalation if required
For large events like these, web applications have different exposure:
● Customers usually release those applications right before the event, making it difficult for attackers to profile the application ahead of time
● Customers tend to enhance the applications during the event itself as they discover potential issues
● Time constraint - attackers only have few weeks to perform their attacks if they want them to be noticed
By performing proactive monitoring, we observed an inversely proportional split of attacks between the World Cup, an event-based application and a non-event based customer application. DDoS attacks are the simpler type of attacks to perform in a short time window to affect customers' sites and investments.
The percentage based of DDoS attacks was significantly higher (60%) compared to regular WAF activity on the Akamai platform (usually 35%).
Live event support - Limited human mitigation
During the World Cup, the Akamai Security Operations Center monitored and alerted our customers in real-time on their traffic activities, Web Application Firewall activities and IP activities. To reduce security response times, preparation and preparedness is key. If we define a good defense strategy and we implement it properly, the human intervention during a security event should be limited to monitoring and minor adjustments.
The use of Akamai Rate Controls is the most effective way to help protect against network and application layer DDoS attacks. The Akamai platform monitors and controls the rate of requests against the Akamai servers and the customers' application, allowing us to dynamically block clients exhibiting excessive request rate behaviors. Akamai's Professional Services can help set optimal rate controls and have the platform mitigate DDoS attacks without human intervention.
Akamai Rate Controls can be applied at different request stages:
● Client to Akamai Edge
● Forward requests from Akamai to customers' application
● Response requests from customers' application to Akamai
In order to provide effective dynamic mitigation, we need to be able to look behind IP addresses to find behavioral anomalies in requests. Akamai Rate Controls can take into account a combination of user-agents, cookies, and session IDs within the rate control so we can isolate unique users behind proxies.
Akamai helped deny requests from users behind 221,381 unique IP's during the World Cup that were targeted towards the global broadcasters, advertisers, partners and sponsors' applications.
Interesting enough, if we correlate those denied IP's across all those customers, we see that only 0.02% of those IP's attacked multiple customers.
In the top 30 IP's targeting multiple customers, two IP's generated the most of the requests denied
● A TOR exit node in Miami
● A Massachusetts based University
How can Akamai help?
Akamai's Professional Services has been actively helping our customers to secure their web applications in order to maximize their World Cup investments.
Our event readiness and support approach has successfully supported all major global online events over the years. This approach is divided into the following stages:
● Event Preparation
○ Capability assessment and contingency planning
○ Implementation and tuning
○ Escalation procedures
● Event Execution
○ Pro-active alert/monitoring
○ Live event support
● Post Event Wrap-up
Contact Akamai Professional Services today to arrange a technical call to discuss how Akamai can help protect you for any future event including holiday readiness campaigns.
This is a post from Patrice Boffa, senior director of global service delivery, and Sabrina Burney, solutions architect at Akamai.