Protect Overview
The Protect section of the Kentik V4 portal is covered in the following topics:
About Protect
The Protect section of the Kentik V4 portal includes a collection of modules/workflows that inform you about threats to network availability and security so that you can take action to defend your network.
Protect Workflows
The Protect section of the portal includes the following modules/workflows:
- DDoS Defense: The DDoS Defense workflow enables you to automate the entire DDoS attack lifecycle, including detection, investigation, and mitigation. Machine learning-based traffic profiling enables us to identify attacks faster and more accurately, virtually eliminating false positives/negatives. Visualizations show you attack characteristics and network impact, and built-in triggers let you respond automatically with mitigations including RTBH, Flowspec, and external mitigation hardware or services. For information on configuration and monitoring, see DDoS Defense.
- Alerting: Kentik's powerful alerting system analyzes your network traffic and detects anomalous patterns that potentially indicate adverse conditions that threaten availability or performance. The system is built around alert policies that define a set of conditions that, when met, cause the policy to enter "alarm state" and generate an alert. Current and historical alerts are listed on the Protect » Alerting page, which shows important information such as the time, severity, and current status of alerts, as well as the dimensions and metric values involved in the conditions that triggered each alert. A policy can be configured to generate notifications in response to an alert, as well as to initiate automatic mitigations. For more information about the Alerting module see Alerting.
- Mitigations: A mitigation is a protective action, in response to a set of conditions indicating the presence of undesirable traffic (e.g. a DDoS attack), that prevents interruption of network availability. Mitigations may be triggered automatically or initiated manually. Kentik offers built-in mitigation options (e.g. Flowspec and RTBH) as well as integrations with third-party mitigation providers (e.g. Cloudflare, Radware, or A10). Mitigations currently in progress in your network can be managed from the Mitigations page.
- Threat/Botnet Analysis: Kentik helps you find traffic from infected or compromised hosts by enriching flow records in KDE with IP reputation data from Spamhaus. The result is two dimensions, Bot Net CC and Threat List Host, that can be used to identify threats to your network such as botnet command and control (CC) servers, malware distribution points, phishing websites, spam sources, etc. (see Threat Feed Dimensions). At present we make these threats known to you via the Botnet & Threat-feed Analysis dashboard, whose panels illustrate the extent to which traffic on your network is associated with known risks (see Threats & Botnets).
Note: The Botnet & Threat-feed Analysis dashboard is slated for replacement with a fully developed workflow.
- RPKI Analysis: Resource Public Key Infrastructure (RPKI) is used to validate the BGP routes announced by an Autonomous System by verifying that the AS is authorized to originate the prefixes in an announced route (see About RPKI). Kentik's RPKI implementation, based on Cloudflare's GoRTR, determines the RPKI validation state associated with the router sending a flow, and uses that state to derive RPKI values that we assign to RPKI columns in the KDE flow record. Using those dimensions, we're able to generate visualizations and tables that show the correlation between flows and the RPKI status of the routes they used. In particular we identify sites (see About Sites) with traffic that is invalid and/or will be dropped if strict RPKI validation is enforced on the routers. We present this information in the panels on the RPKI Analysis dashboard (see RPKI Analysis).
Note: The RPKI Analysis dashboard is slated for replacement with a fully developed workflow.
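To make the RPKI Analysis description concrete, the following is an added illustration (not Kentik's code, and not how KDE derives its RPKI columns) of route origin validation per RFC 6811: each flow's announced prefix and origin AS is checked against a set of ROAs and labelled Valid, Invalid or Unknown, and per-site traffic that strict validation would drop is summed. The ROA and flow records are constructed sample data using documentation prefixes and private ASNs.

```python
# Added illustration: RFC 6811 route origin validation applied to flow
# records, plus the "dropped under strict validation" view described above.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorises
    origin_asn: int   # AS allowed to originate it


def rpki_state(prefix, origin_asn, roas):
    """Return 'Valid', 'Invalid' or 'Unknown' (RFC 6811 NotFound)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA only matters if it covers the announced prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    # Covered by a ROA but no match on origin/maxLength -> Invalid.
    return "Invalid" if covered else "Unknown"


def classify_flows(flows, roas):
    """Annotate each flow with its RPKI state and a strict-ROV drop flag.
    Strict validation drops only Invalid routes; Unknown still forwards."""
    out = []
    for f in flows:
        state = rpki_state(f["prefix"], f["origin_asn"], roas)
        out.append({**f, "rpki": state, "dropped_if_strict": state == "Invalid"})
    return out


def bytes_dropped_by_site(flows, roas):
    """Sum per-site traffic that would be dropped under strict validation."""
    totals = {}
    for f in classify_flows(flows, roas):
        if f["dropped_if_strict"]:
            totals[f["site"]] = totals.get(f["site"], 0) + f["bytes"]
    return totals


# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [Roa("192.0.2.0/24", 24, 64496), Roa("203.0.113.0/24", 25, 64497)]
SAMPLE_FLOWS = [
    {"site": "ams1", "prefix": "192.0.2.0/24", "origin_asn": 64496, "bytes": 1200},   # Valid
    {"site": "ams1", "prefix": "192.0.2.0/24", "origin_asn": 64500, "bytes": 800},    # Invalid: wrong origin
    {"site": "fra1", "prefix": "203.0.113.0/26", "origin_asn": 64497, "bytes": 300},  # Invalid: exceeds maxLength
    {"site": "fra1", "prefix": "198.51.100.0/24", "origin_asn": 64498, "bytes": 500}, # Unknown: no covering ROA
]
```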