Akamai Diversity

The Akamai Blog

Facilitated Route-On: A Better Approach to Hybrid DDoS

Hybrid DDoS has always been an interesting concept. From a vendor perspective, it's not hard to understand the motivations behind it. The vendors pushing hybrid DDoS are the same ones that have been selling DDoS mitigation appliances for years and were late to join the industry-wide shift to cloud. Hybrid DDoS allows them to continue selling their on-premises appliances, while buying time to build out and learn how to operate (or completely outsource, in some cases) a cloud-based mitigation platform. 

But from a customer perspective, a closer inspection of the hybrid DDoS approach reveals little that's new. Customers have been doing this for years, combining best-of-breed DDoS mitigation appliances with cloud-based DDoS scrubbing services. The most notable new capability that hybrid DDoS vendors have introduced is cloud signaling. The idea is that customers can mitigate smaller DDoS attacks within the data center, but once an attack starts to exceed the capabilities of the appliance, it will signal a cloud platform to automatically redirect network traffic to the cloud.

There are many issues with such an approach. Even a cursory analysis raises the question of how signalling will work when a customer is hit with a major attack consuming all of the network bandwidth into the data center - and often within seconds. For example, the record-setting 1.3 Tbps memcached attack in February 2018 started at over 100 Gbps - well beyond the network bandwidth of most organizations. But automated cloud signalling raises additional questions about the potential for unintended (and unattended) traffic swings, not to mention subsequent mitigation issues. For example, competing in-line mitigation technologies have been known to create packet loss or service issues that can exacerbate the impacts from the actual attack, especially when customer and vendor staff are not aware.

Introducing facilitated route-on

With facilitated route-on, Akamai addresses the concerns about hybrid DDoS by placing routing decisions in the hands of our 24x7 global SOCC team - the same team already trusted to mitigate the DDoS attack. It provides [on-demand Prolexic customers with] the capability to have the Akamai SOC team assess their traffic in real-time and change their BGP advertisements to begin mitigation more quickly, whether there is an actual DDoS attack in progress or the significant potential of one occurring. Facilitated route-on combines:

  1. The proven detection capabilities of Flow-Based Monitoring (FBM)

  2. A SOCC review of critical FBM alerts to reduce the potential of false triggers

  3. A set of secure runbook procedures agreed upon in advance that the SOCC team will follow to affect traffic redirection through Prolexic scrubbing centers.

How does facilitated route-on work?

Customers work with Akamai provisioning teams to provision and test the facilitated route-on configuration. It combines FBM with a unique BGP configuration, either using pre-configured route maps or by having the ability to have Akamai's SOCC advertise longer (more precise) subnet prefixes. Specific customer runbook procedures can be created and incorporated into SOCC workflows to meet the requirements of every individual customer. When a critical FBM alert is received by the Akamai SOCC team, they review the alert, execute runbook procedures, and begin to advertise the customer's traffic when the guidelines to do this are met. Traffic is closely monitored, mitigation may be applied, and the customer is contacted and engaged throughout the process. 

Why is facilitated better than automated?

Akamai has maintained a leadership role in DDoS detection and mitigation services for nearly 20 years by carefully and effectively handling our customers' traffic. Our north star has always been first to "'do no harm" to our customers' traffic. Our customers prefer us to treat their traffic flows as if they were our own and to mitigate with the utmost care - with a scalpel instead of a sledgehammer. 

Our approach is the same with facilitated route-on. We wouldn't want an automated algorithm hijacking our corporate BGP traffic - potentially causing routing issues without immediate visibility. Instead, we require 24x7 staff to be always available and eyes-on throughout the process. We take the utmost care to ensure that every BGP change is carefully handled and managed by expert SOCC technicians. The BGP routing change is effected only after careful review of the situation by our SOCC, in accordance with agreed runbook terms and rehearsed workflows. The BGP change is managed, monitored, and observed - and the customer is engaged as soon as possible. 

Where can I get more information about Facilitated Route-On?

Please feel free to contact us via your account team for specifics, or click on the "Get In Touch" button to the right. Meantime - if you're a current Prolexic Routed customer - your account rep will be in contact with you, and you will be hearing more about facilitated route-on and the other exciting new developments on the Prolexic platform that continue to be developed and launched to address the ever-changing needs of the global DDoS mitigation market.