The Akamai Blog

Akamai's Prolexic Platform Completes Fifth Generation Upgrade

Akamai introduces new enhancements today to its Prolexic Routed purpose-built DDoS scrubbing service that reflect the changing nature of the threat landscape and capitalize on cloud functionality to enable maximum customer flexibility using newer deployment models.

For anyone worried about DDoS attacks, Akamai's technical and operational core value proposition has always been to provide a carrier-agnostic, fully managed service built on purpose-built cloud architectures designed to mitigate any DDoS attack, against any protocol, regardless of the method the attacker uses, and without any performance impact. Today's enhancements extend Prolexic Routed's capabilities so it can continue meeting the DDoS challenges faced by critical infrastructure, the world's financial services industry, gaming platforms, and the many other industries whose business operations depend on 100% uptime on the Internet.

From the Data Center to the Cloud


Among the standout new features in Prolexic Routed is the new ability to protect cloud deployments. Prolexic started when the cloud was still in its infancy. While Prolexic Routed was the first carrier-agnostic, purpose-built DDoS scrubbing service in the cloud, the customer applications and infrastructure Prolexic was protecting still remained in the data center. A large part of this was due to the technical requirements of a BGP-based DDoS scrubbing service, with public cloud providers not supporting /24 IP address ranges or offering their customers control over their BGP routes.

This all changed in 2018, when public cloud providers such as AWS started to introduce "bring your own IP" capabilities and allow customers to retain control over their BGP routes. In addition, Akamai customers are increasingly interested in migrating part or all of their data centers to colocation partners such as Equinix, and are asking how they will continue to protect themselves from DDoS attacks. With today's enhancements, Prolexic Routed enables customers to continue their data migration journeys -- whether those take them to the public cloud or to colocation facilities -- with new origin support for both AWS and Equinix. As we look toward 2021, there are active plans to partner with more diverse providers, which should allow our customers to build interconnections from multiple sources.

Virtual Delivery Paths

Whether it was expanding from four locations in 2010 to seven locations in 2016 and 19 locations globally in 2019, or upgrading network capacity and segmentation from 1 Tbps to 8 Tbps to handle the world's largest, most complex, and longest-lasting attacks against the highest-risk and most frequently attacked industries around the globe, timing was everything. We've spent significant effort patenting new methods for delivering high-speed GRE, adding more diverse partners to our Layer 2 VPN services, and building other features that help expedite integration, serviceability, reporting, and, most importantly, reliability. Prolexic was the first BGP-based, carrier-agnostic DDoS cloud platform to implement asymmetric GRE at scale, and there were certainly lessons learned along the way. Motivated attackers will find ways to break VPN/GRE implementations, especially when those implementations depend on IP routing to perform BGP updates.

This is why Prolexic built an L2VPN (Routed Connect) solution that takes the forwarding of clean traffic off the Internet and onto private VLANs. Redirecting production, disaster recovery, or QA traffic to the origin in an always-on configuration, with zero-second time to mitigate and 100% quality of mitigation, is the preferred method. Although attack surface reduction techniques exist, hackers are always watching BGP Looking Glass services for OSINT reconnaissance. Giving customers the ability to interconnect with the Prolexic platform by means other than virtual GRE tunnels removes the need for (and the risk of) TCP adjustments (which are CPU intensive, and some applications have hard-coded MTUs), removes the exposure of GRE endpoints to attacks routed directly at them over IP, and avoids the performance side effects of Internet routing failures (aka "Internet congestion").

For customers that prefer the simplicity of GRE, Akamai introduced a new proprietary GRE-based technology in January 2020, designed to address the last remaining challenge with delivering that protocol at scale. Instead of being limited to a static one-to-one assignment per endpoint and two or three GRE tunnels to the closest scrubbing centers (as with every other DDoS scrubbing service), customers can now connect their data centers to every scrubbing center through a single BGP session carrying 19 virtual delivery paths. With up to eight BGP sessions supported per router, customers can have up to 152 paths (304 with two diverse routers per data center) forwarding clean traffic. This dramatically increases network resilience by mitigating -- or in many cases eliminating -- the perceived instability of the cloud platform (an unavoidable network condition outside the control of any provider).


World-Class Security Operations

There have been many other areas -- beyond platform and capabilities -- where Akamai has invested. When it comes to DDoS, the human element is every bit as important as the technology. Investing in our global security operations command centers (SOCC), as well as in post-sale support, to meet the increasing volume of DDoS attacks targeting the world has always been (and always will be) a huge priority. The goal: to go from being attacked, to incident response, to effective mitigation in the least amount of time possible without affecting the quality of mitigation (that is, without blocking legitimate traffic, a false positive). Incidentally, this last point has been a common source of confusion in the industry, where many vendors measure their service by time to respond or time to have resources engaged. Akamai has always measured our services by time to effectively mitigate -- meaning stop the attack -- as reflected in our industry-leading service level agreements (SLAs). This is combined with our SLA for "quality of mitigation." Without one, you can't have the other!

Reducing any human delay in both incident response and mitigation continues to be top of mind. Last October, Akamai introduced a new facilitated route-on capability, a feature that uses remote network monitoring tools to alert Akamai SOCC staff of a DDoS attack; the staff can then initiate the BGP route advertisement change that routes traffic through Akamai scrubbing centers -- all without any customer intervention, if desired. This provides a better "hybrid" DDoS protection model in which:

  1. Customers can continue to augment any on-premises gear with Akamai's industry-leading cloud-based DDoS scrubbing service, Prolexic.
  2. The routing decision is made by our SOCC staff and not by an automated algorithm, which can lead (and has led) to unintended side effects, such as:
    1. High false positive rates
    2. Disruption of critical services without validation or reasoning, but worst of all ...
    3. Reporting back to the executives that a third-party vendor hijacked traffic without authorization or outside of policy