DDoS Defense
Purpose: Streamline the protection of your network from DDoS attacks with easily customizable Kentik-provided preset alert policies for the most common attack profiles.
Benefits:
- Eliminate false positives/negatives and decrease response time with automatic machine learning-based traffic profiling.
- Visualize attack characteristics and network impact.
- Trigger automatic mitigation actions including RTBH, Flowspec, and external mitigation hardware or services.
Use Cases: DDoS detection, mitigation, and administration
Relevant Roles: Network Engineers/Architects, Network Security Engineers, NOC Engineers, Carrier Product Managers
DDoS Defense is covered in the following topics:
About DDoS Defense
DDoS attacks use a wide variety of attack vectors across multiple types including volumetric, invalid protocols, UDP, TCP, ICMP, amplification and reflection, and DNS. It takes intricate knowledge of all these possibilities to devise effective detection and alerting for each. Kentik's DDoS Defense workflow (Protect » DDoS Defense) is an area of our overall Alerting system (see Protect Overview) that is focused on the policies that we've developed specifically to handle DDoS, which require only minimal tailoring to protect you from the most common attacks.
The use of our DDoS protection features primarily involves two portal locations:
- Policy Templates: A page featuring a list of alert policies that Kentik has created to help you quickly deploy protection (see Policy Templates). Using the Filters pane at the left, you can narrow the listed templates to those that are targeted at DDoS (see DDoS Defense Templates), then clone a template to add it to the policies on your Policies Page. The template remains unchanged, but the resulting template-based policy is fully editable, enabling you to tailor it to the specific needs of your organization.
- DDoS Defense Page: A view where you can quickly see information about ongoing and historical attacks and mitigations.
Notes:
- To access the Policy Templates page from the DDoS Defense page, first click the Manage Alert Policies button, which takes you to the Policies page, then click the Policy Templates button to go to the Policy Templates page. Under Type in the Filters pane, click the checkbox for DDoS.
- For attack profiles that are not covered by the DDoS templates you can create a custom alert policy in Protect » Alerting (see Alerting).
DDoS Defense Page
The DDoS Defense page gives you a high-level view of DDoS attack activity that has generated alarms from DDoS-related Alert Policies. The DDoS Defense page is covered in the following topics:
DDoS Defense Page UI
The DDoS Defense page includes the following main controls and information:
- Manage Alert Policies: A button that takes you directly to the Alert Policies page, filtered to view only your DDoS alert policies.
- DDoS Defense Breakdowns: A set of cards with bar charts showing the breakdown of alerts in categories including status, severity, and policy (see DDoS Defense Breakdowns). The breakdowns cover the last 24 hours. Hover over any bar in a graph to open a popup with additional information about its alerts.
- Last 24 Hour Attack Activity: A chart showing attack activity in the last 24 hours (see Attack Activity Chart).
- Last 24 Hour Top Dest IPs: A set of cards that each contain a chart showing the top destination IP addresses in the last 24 hours as measured in different metrics (see Top Dest IPs).
- Attacks Within the Last 24 Hours: A table listing attacks within the last 24 hours and providing details on those attacks (see Attack Table).
DDoS Defense Breakdowns
The DDoS Defense breakdowns are cards across the top of the page that each display a bar chart representing a different breakdown of alerts. The charts are similar to the Alerting Breakdowns and contain the following UI elements:
- Status: The bars in the chart each represent the alerts that are currently in a given status (see Alerting Breakdowns).
- Severity: The bars in the chart each represent the alerts that were triggered by alert policy thresholds of a given severity level (see Alerting Breakdowns).
- Policies: The bars in the chart each represent an individual policy that triggered during the last 24 hours, arranged in descending order from the left based on the number of times each policy triggered. The popup (on hover) gives the name, type, ID, description, and alert count for the policy.
Attack Activity Chart
This chart shows attack activity over a timeline that covers the last 24 hours. In each time slice, the blue bar indicates the number of new alarms (triggered by an alert policy entering alarm state) while the red line represents the count of active alarms. Hovering over the chart at any point in the timeline triggers a popup that gives a count of new and active alarms at that date-time.
Top Dest IPs
The Last 24 Hour Top Dest IPs charts show a breakdown of traffic for each of the top three destination IP addresses, as evaluated by DDoS Defense alert policies, in terms of:
- Bits/s
- Packets/s
- Unique Src IPs
Attack Table
The Attacks Within Last 24 Hours table provides information about alarms in the last day from alert policies whose type is DDoS. Each row of the table gives summary information about one alarm (the table's columns are described in Alerts List). Click on a row to expand it for more details about the alarm (see Attack Details Drawer).
At the top right of the table is the View More Attacks button, which takes you to the Alerting page, where the Alerts List will be filtered to show only DDoS attacks (not limited to the last 24 hours).
Attack Details Drawer
When you click on the row for a given attack, a details drawer slides out from the left of the page. The fields and controls in this drawer are the same as those of the Alert Details Drawer.
DDoS Defense Templates
The DDoS templates on the Policy Templates page are targeted at various forms of common DDoS attacks. To use a template, first clone it, then edit the clone to work in your specific situation. Kentik currently includes templates for the following types of attacks:
- Amplification Reflection Attack: Amplification attacks exploit connectionless services that reply to requests with large (amplified) responses, using a spoofed source IP to reflect these responses to the target's destination IP. Focusing on high-amplification services, this policy looks for jumps in bits/s of traffic to a single destination IP, and identifies the source port of the service(s) involved.
- Non-reflective DNS Flood: These attacks overwhelm target DNS servers with a high volume of spoofed DNS request packets that prevent timely response to legitimate requests. This policy, which should be filtered to the IPs of your monitored servers, looks for jumps in the number of requests per second to individual DNS servers.
- ICMP Flood Attack: These attacks overwhelm target hosts with a high rate of ICMP packets (e.g. echo-request or echo-reply). This policy, which should be filtered to the IPs of your servers and appliances that listen for ICMP, looks for jumps in the number of packets per second to individual hosts.
- TCP SYN Flood: These attacks overwhelm infrastructure components (e.g. load balancers, firewalls, Intrusion Prevention Systems, and servers running TCP services) by bombarding them with a high volume of traffic from spoofed sources, forcing new connections that fill up the session table. This policy looks for changes in bits/second against individual destination IPs.
- TCP ACK and ACK/PSH Floods: These attacks overwhelm servers running TCP services by sending a high volume of packets with the ACK or ACK/PSH flags set from different IP addresses (frequently spoofed), thereby forcing the target to look for matching sessions in its table. This policy looks for changes in packets/second against individual destination IPs.
- Distributed TCP RST & FIN Flood: These attacks overwhelm servers running TCP services by sending a high volume of RST and/or FIN packets, thereby forcing the target to look for matching sessions in its table. If the attackers spoof addresses that already exist in the session table, these sessions will be lost. This policy looks for changes in packets/second against individual destination IPs.
- UDP Fragments Attack: These attacks send fraudulent UDP packets that contain no source or destination port information, thereby diverting server resources toward trying to reassemble the packets. This policy looks primarily for high volume in bytes, but should be set to include unique source IPs as a secondary metric and to use multiple policy thresholds to escalate the response depending on the volume of the attack packets.
- UDP Flood: These attacks overwhelm servers running UDP services by sending a high volume of UDP packets, typically max-MTU to generate a high bitrate. This policy will therefore measure UDP packets by Bits/s.
Note: Because this policy overlaps with policies such as UDP Fragments Attack and Amplification Reflection Attack, it would typically be treated as a "catch-all" policy for UDP, with higher threshold levels.
- Total Traffic Volumetric Attack: This policy is a catch-all intended to cover attack traffic that might be missed by more specific policies when your hosts are flooded with a wide variety of volumetric traffic from different protocols and ports. The policy looks at all traffic, split by protocol.
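As an added illustration (not Kentik's code, and not the templates themselves), the sketch below shows how policies of this kind key a metric such as bits/s or packets/s on a single destination IP and alarm when it jumps past a multiple of a profiled baseline, with the UDP catch-all firing alongside the amplification policy on the same host as the note above describes. The flow records, baseline values, multipliers and the set of amplifier service ports are all constructed assumptions.

```python
"""Added illustration (not Kentik code) of template-style DDoS policies that key a
metric on one destination IP and alarm on a jump over a baseline. All data is constructed."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "dst_ip src_ip proto src_port dst_port flags bytes packets")
# Assumed ports of high-amplification UDP services (chargen, DNS, NTP, SNMP, LDAP, SSDP, memcached).
AMPLIFIER_PORTS = {19, 53, 123, 161, 389, 1900, 11211}

def bits_per_s(rows, window):  return sum(r.bytes for r in rows) * 8 / window
def pkts_per_s(rows, window):  return sum(r.packets for r in rows) / window

# (policy name, flow filter, metric, multiplier over baseline), modelled on the templates above.
POLICIES = [
    ("Amplification Reflection", lambda r: r.proto == "udp" and r.src_port in AMPLIFIER_PORTS, bits_per_s, 5),
    ("TCP SYN Flood",            lambda r: r.proto == "tcp" and r.flags == "S",                  bits_per_s, 5),
    ("TCP ACK/PSH Flood",        lambda r: r.proto == "tcp" and r.flags in ("A", "PA"),          pkts_per_s, 5),
    ("UDP Flood (catch-all)",    lambda r: r.proto == "udp",                                     bits_per_s, 10),
]
# Constructed baselines standing in for the profiled normal traffic of a host.
BASELINE = {"bits_per_s": 1_000_000, "pkts_per_s": 500}

def evaluate(flows, window_s=60, baseline=BASELINE):
    """Return (policy, dst_ip, metric value, dominant source port) for every threshold breach."""
    alarms = []
    for name, match, metric, factor in POLICIES:
        by_dst = defaultdict(list)                   # evaluate each policy per destination IP
        for r in flows:
            if match(r):
                by_dst[r.dst_ip].append(r)
        for dst, rows in by_dst.items():
            value = metric(rows, window_s)
            if value >= baseline[metric.__name__] * factor:
                port_bytes = defaultdict(int)        # which service port carried the traffic
                for r in rows:
                    port_bytes[r.src_port] += r.bytes
                alarms.append((name, dst, round(value), max(port_bytes, key=port_bytes.get)))
    return alarms

# Constructed 60-second window: an NTP amplification burst, a spoofed SYN flood, and normal traffic.
FLOWS = (
    [Flow("10.0.0.5", f"198.51.100.{i}", "udp", 123, 40000 + i, "", 4_500_000, 3_000) for i in range(40)]
    + [Flow("10.0.0.7", f"203.0.113.{i}", "tcp", 50000 + i, 443, "S", 900_000, 15_000) for i in range(50)]
    + [Flow("10.0.0.9", "192.0.2.10", "tcp", 51000, 443, "PA", 60_000, 100),
       Flow("10.0.0.9", "192.0.2.53", "udp", 53, 33000, "", 20_000, 50)]
)

if __name__ == "__main__":
    for alarm in evaluate(FLOWS):
        print(alarm)
```

Running it prints three alarms: the amplification and UDP catch-all policies both fire for 10.0.0.5 at 24 Mbit/s on source port 123, the SYN flood policy fires for 10.0.0.7 at 6 Mbit/s, and the normal traffic to 10.0.0.9 stays below every threshold.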