DDoS Defense

Purpose: Streamline the protection of your network from DDoS attacks with easily customizable Kentik-provided preset alert policies for the most common attack profiles.
Benefits:
  • Minimize false positives and false negatives, and decrease response time, with automatic machine learning-based traffic profiling.
  • Visualize attack characteristics and network impact.
  • Trigger automatic mitigation actions including RTBH, Flowspec, and external mitigation hardware or services.
Use Cases: DDoS detection, mitigation, and administration
Relevant Roles: Network Engineers/Architects, Network Security Engineers, NOC Engineers, Carrier Product Managers

DDoS Defense is covered in the following topics:

Automate DDoS detection, investigation, and mitigation.

About DDoS Defense

DDoS attacks use a wide variety of attack vectors across multiple types, including volumetric, invalid protocols, UDP, TCP, ICMP, amplification and reflection, and DNS. It takes intricate knowledge of all these possibilities to devise effective detection and alerting for each. With the DDoS Defense workflow (Protect » DDoS Defense), Kentik provides a set of more than 20 ready-made alert policies (nine of which are DDoS-specific) that cover this spectrum and require only minimal tailoring to protect you from the most common attacks.

The workflow is composed of two main parts:

  • DDoS Defense Configuration: A wizard in which you determine:
    - Whether the prerequisites for setting up DDoS Defense (Interface Classification, Traffic History, and BGP Configuration) are completed.
    - Which DDoS policies you’d like to implement for your organization.
  • DDoS Defense Page: A view where you can quickly see information about ongoing and historical attacks and mitigations.

The part you'll be taken to when you choose DDoS Defense from the menu in the portal's main navbar depends on the current state of DDoS Defense configuration:

  • If configuration isn't yet completed, you'll be taken to the landing page for DDoS Defense configuration (see DDoS Defense Initial State).
  • If configuration has been completed, you'll be taken to the DDoS Defense page.

Note: To protect against attack profiles that are not covered by the Kentik preset alert policies in DDoS Defense you can create an alert policy in Protect » Alerting (see Alerting).


DDoS Defense Configuration

DDoS Defense configuration is structured as a wizard with two steps that are covered in the following topics:


DDoS Defense Initial State

If the DDoS Defense workflow hasn't yet been set up for your organization, when you arrive at the workflow (Protect » DDoS Defense) you'll see the initial landing page, which contains some information about DDoS Defense and the Get Started button. Click the button to begin configuration.


Check Prerequisites

Effective detection of DDoS attacks requires us to fully understand the structure of your network in order to differentiate normal traffic patterns from anomalous behavior. We gain this understanding through the prerequisites listed below. By checking that these prerequisites are completed we are able to ensure the accuracy of our detection, minimizing false positives and negatives.

On the first DDoS Defense Configuration page, our prerequisite check looks at the following factors:

  • Interface Classification (recommended): Interface Classification enables us to determine which of your interfaces are external (see Network Boundary Attribute) and thus subject to DDoS attack. If Interface Classification hasn't yet been completed in your organization, we recommend that you click the link to go to the Interface Classification settings page, then return to the DDoS Defense wizard to complete the configuration. You'll have the opportunity to exclude specific interfaces later in the process.
    Note: You'll receive on-screen notification in the following situations:
    - Fewer than 70% of your interfaces are classified.
    - No interfaces are classified as external, in which case you'll have to check into the classification of your edge interfaces (for help, see Customer Support) before continuing with configuration of DDoS Defense.
  • Traffic History (required): To understand what external traffic is "normal" for your network, we need to have ingested flow records for at least 120 hours from at least one of your edge devices (a device with at least one interface whose network boundary is classified as external).
    Note: You'll receive on-screen notification if we don't yet have sufficient traffic data to build the history, in which case you will have to wait to be able to continue with configuration of DDoS Defense.
  • BGP Configuration (optional): BGP is not required to configure attack detection, but you will need to configure BGP on all edge routers if you'd like to use either of Kentik's built-in mitigation methods (see RTBH Method Details or Flowspec Method Details).
    Note: You'll receive on-screen notification in the following situations:
    - Your Kentik Licenses don't include BGP.
    - BGP is not enabled on your devices (see Device BGP Settings).

When the prerequisites have been checked, click the Continue button at the bottom of the page.
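The three checks above gate configuration in different ways: interface classification only warns, missing traffic history from an edge device blocks, and missing BGP blocks only if you intend to use the built-in RTBH or Flowspec mitigation. The following pre-flight script is an added example written for this article, not Kentik code and not a Kentik API; the device inventory is constructed, and the 70% and 120-hour figures are the ones quoted in the prerequisite list.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds quoted in the prerequisite check above.
MIN_CLASSIFIED_FRACTION = 0.70   # below this the wizard warns
MIN_HISTORY_HOURS = 120          # required flow history from at least one edge device


@dataclass
class Interface:
    name: str
    boundary: Optional[str]      # "external", "internal", or None if not yet classified


@dataclass
class Device:
    name: str
    interfaces: List[Interface]
    flow_history_hours: float    # hours of flow records already ingested
    bgp_enabled: bool


def is_edge(dev: Device) -> bool:
    """An edge device has at least one interface whose network boundary is external."""
    return any(i.boundary == "external" for i in dev.interfaces)


def check_prerequisites(devices: List[Device], want_builtin_mitigation: bool) -> Dict:
    """Mirror the three prerequisite checks. BGP only blocks when RTBH/Flowspec is wanted."""
    ifaces = [i for d in devices for i in d.interfaces]
    classified = sum(1 for i in ifaces if i.boundary is not None)
    fraction = classified / len(ifaces) if ifaces else 0.0
    edges = [d for d in devices if is_edge(d)]
    history_ok = any(d.flow_history_hours >= MIN_HISTORY_HOURS for d in edges)
    bgp_missing = sorted(d.name for d in edges if not d.bgp_enabled)

    warnings: List[str] = []
    blockers: List[str] = []
    if fraction < MIN_CLASSIFIED_FRACTION:
        warnings.append(f"only {fraction:.0%} of interfaces are classified")
    if not edges:
        blockers.append("no interface is classified as external; review edge classification")
    elif not history_ok:
        blockers.append(f"no edge device has {MIN_HISTORY_HOURS} h of flow history yet")
    if bgp_missing:
        msg = "BGP not enabled on edge devices: " + ", ".join(bgp_missing)
        (blockers if want_builtin_mitigation else warnings).append(msg)
    return {
        "can_continue": not blockers,
        "classified_fraction": fraction,
        "edge_devices": [d.name for d in edges],
        "bgp_missing": bgp_missing,
        "warnings": warnings,
        "blockers": blockers,
    }


# Constructed inventory (made up for this example): two edge devices and one core device.
SAMPLE_DEVICES = [
    Device("edge1", [Interface("xe-0/0/0", "external"), Interface("xe-0/0/1", "internal"),
                     Interface("xe-0/0/2", None)], flow_history_hours=200, bgp_enabled=True),
    Device("core1", [Interface("ae0", "internal"), Interface("ae1", "internal")],
           flow_history_hours=300, bgp_enabled=False),   # no external interface: not an edge
    Device("edge2", [Interface("ge-0/0/0", "external"), Interface("ge-0/0/1", None)],
           flow_history_hours=48, bgp_enabled=False),
]

if __name__ == "__main__":
    for want in (False, True):
        r = check_prerequisites(SAMPLE_DEVICES, want_builtin_mitigation=want)
        print(f"built-in mitigation wanted={want}: can_continue={r['can_continue']}")
        for w in r["warnings"]:
            print("  warning:", w)
        for b in r["blockers"]:
            print("  blocker:", b)
```

With this inventory, detection-only configuration can continue (5 of 7 interfaces are classified and edge1 has 200 hours of history), but edge2 lacks BGP, which turns into a blocker as soon as RTBH or Flowspec mitigation is wanted.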


Create DDoS Policies

In the second (and final) step, you select one or more Kentik alert policy templates that are each designed to respond to a specific attack profile. These policies have been designed by Kentik to cover a wide range of the most common attacks. Select each policy that you’d like to duplicate to your own Alert Policies page. Once they are copied over, with a few adjustments to a given policy's settings (see Policy Settings) you will be able to tailor that policy to the specifics of your network's traffic.

DDoS Policy Selection Page

The second DDoS Defense Configuration page includes the following UI elements:

  • Step status: The top right corner of the screen shows that you are on the second step of two.
  • Filter field: Enter text to narrow the list of policies displayed in the DDoS Policy Template List.
  • DDoS Policy Template List: Displays the list of possible DDoS policy templates (see DDoS Policy Template List) you can copy to your company’s Policies page (see Alert Policies).
  • Continue: Click this button to complete your DDoS Defense Configuration setup.

DDoS Policy Template List

The policies are listed in a table, each row of which includes the following UI elements or columns:

  • Selected: If a checkmark is present, the alert policy associated with this attack profile is selected to be copied to your Policies List.
  • Name: The name and description of the policy template as specified by Kentik. Once you’ve copied the policy, you can change both the name and the description as needed.
  • Metrics: The units (bits/s, packets/s, flows/s, etc.) by which this alert measures incoming flow data (see Data Funneling). The primary metric is listed first, followed by secondary metrics (if applicable). If there are more than two metrics available, hover over the text “+x more” (where “x” is a number) to see the remaining metrics in the policy.
  • Dimensions: The dimensions defined in the alert policy, which combine to make a key definition that will determine how traffic is subdivided for evaluation (see About Keys). Dimensions, which are based on fields in the KDE main table, are described in Dimensions Reference.
  • Show Details: Click this button to display a drawer containing the policy template’s settings. See Template Summary Drawer.

Once you have selected all of the policies you would like to copy, click Continue to go to your organization’s Alert Policies page with all of the newly created DDoS policies displayed.

Note: While you can modify any of the available Kentik preset policies once they’ve been copied to your own Alert Policies page, you cannot create a new policy from scratch on this page. However, after you click Continue and arrive at the Alert Policies page, you can create one by clicking Add Policy (see Adding a Policy).

The DDoS Defense Configuration page lists the DDoS-related alert policy templates available in your organization.

Template Summary Drawer

When you click the Show Details button on a policy template's row in the Create DDoS Policies table, a drawer containing settings for that policy will slide out from the right of the page, which allows you to see the policy parameters for that particular template.

  • ID number: The system-generated unique ID assigned when the policy was created.
  • Name: The user-specified name of the policy.
  • Description: Text describing the type of attack that this policy is designed to detect.
  • Dataset expandable pane: Summary of information that is currently set on the Dataset tab of the policy. See Policy Dataset Settings.
  • Thresholds expandable pane: Summary of information that is currently set on the Thresholds tab of the policy. See Policy Threshold Settings. The number in brackets indicates the number of thresholds in use for the policy.
  • Baseline expandable pane: Summary of information that is currently set on the Baseline tab of the policy. See Policy Baseline Settings.
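To make the dataset, threshold, and baseline panes concrete, here is a minimal evaluator for a policy of that shape: dimensions combine into a key, each key is scored on a primary and secondary metrics per window, and an alarm fires only when the static thresholds and the baseline rule are both breached. This is an added example for this article, not Kentik's detection engine; the policy values and the flow records (windows 0 to 3 quiet, window 4 a UDP flood from 150 sources) are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 60  # each window of flow records covers one minute

# A policy shaped like the template summary: dataset (dimensions + filter),
# metrics (primary first), static thresholds and a baseline rule. Values are made up.
POLICY = {
    "name": "UDP flood to a single host (constructed)",
    "dimensions": ("dst_ip", "proto"),          # combine into the evaluation key
    "filter": {"proto": "udp"},                  # dataset filter
    "primary_metric": "bits/s",
    "secondary_metrics": ("packets/s", "unique_src_ips"),
    "static_thresholds": {"bits/s": 50_000_000, "unique_src_ips": 100},
    "baseline_factor": 5.0,  # primary metric must also exceed 5x its historical mean
}


def make_flows() -> List[Dict]:
    """Constructed flow records: windows 0-3 are quiet history, window 4 is an attack."""
    flows = []
    for w in range(4):
        for i in range(3):  # three clients, 1.5 MB each per minute
            flows.append({"window": w, "dst_ip": "203.0.113.10", "src_ip": f"198.51.100.{i + 1}",
                          "proto": "udp", "bytes": 1_500_000, "packets": 1_000})
    for i in range(150):  # 150 spoofed sources, 4 MB each, in one minute
        flows.append({"window": 4, "dst_ip": "203.0.113.10", "src_ip": f"192.0.2.{i % 254 + 1}",
                      "proto": "udp", "bytes": 4_000_000, "packets": 4_000})
    # Large TCP transfer to another host: excluded by the dataset filter, so no alarm.
    flows.append({"window": 4, "dst_ip": "203.0.113.20", "src_ip": "198.51.100.9",
                  "proto": "tcp", "bytes": 900_000_000, "packets": 600_000})
    return flows


def matches_filter(flow: Dict, flt: Dict) -> bool:
    return all(flow.get(k) == v for k, v in flt.items())


def aggregate(flows: List[Dict], policy: Dict) -> Dict[int, Dict[Tuple, Dict[str, float]]]:
    """Group flows per window by the policy key and compute every metric the policy uses."""
    acc = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "packets": 0, "srcs": set()}))
    for f in flows:
        if not matches_filter(f, policy["filter"]):
            continue
        key = tuple(f[d] for d in policy["dimensions"])
        a = acc[f["window"]][key]
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        a["srcs"].add(f["src_ip"])
    table = {}
    for w, keys in acc.items():
        table[w] = {k: {"bits/s": a["bytes"] * 8 / WINDOW_SECONDS,
                        "packets/s": a["packets"] / WINDOW_SECONDS,
                        "unique_src_ips": float(len(a["srcs"]))} for k, a in keys.items()}
    return table


def evaluate(flows: List[Dict], policy: Dict, current_window: int) -> List[Dict]:
    """Return one alarm per key whose metrics breach the static thresholds and the baseline."""
    table = aggregate(flows, policy)
    primary = policy["primary_metric"]
    alarms = []
    for key, metrics in table.get(current_window, {}).items():
        history = [table[w][key][primary] for w in table if w < current_window and key in table[w]]
        # Keys with no history get a baseline of 0: only the static thresholds protect them.
        baseline = sum(history) / len(history) if history else 0.0
        static_ok = all(metrics[m] >= v for m, v in policy["static_thresholds"].items())
        baseline_ok = metrics[primary] >= policy["baseline_factor"] * baseline
        if static_ok and baseline_ok:
            alarms.append({"policy": policy["name"], "key": key, "metrics": metrics,
                           "baseline_" + primary: baseline})
    return alarms


if __name__ == "__main__":
    for alarm in evaluate(make_flows(), POLICY, current_window=4):
        print(alarm)
```

The static threshold keeps a brand-new key (no baseline yet) from alarming on ordinary traffic, while the baseline factor keeps a host that normally sees high volume from alarming on its own usual load; tuning those two values per policy is the "few adjustments" the configuration step refers to.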

DDoS Defense Page

The DDoS Defense page gives you a high-level view of DDoS attack activity that has generated alarms from the alert policies configured on the Create DDoS Policies page. The DDoS Defense page is covered in the following topics:


DDoS Defense Page UI

The DDoS Defense page includes the following main controls and information:

  • Configure Alert Policies: A button that takes you directly to your Alert Policies page, filtered to view only your DDoS alert policies.
  • Overview: A tile containing indicators for the following counts:
    - Active Mitigations: The number of mitigations currently underway, meaning that a mitigation is assigned to a policy threshold that has triggered an ongoing alarm (see Policy Threshold Settings). Click the link to go to the Mitigations page.
    - Enabled DDoS Policies: A count of the DDoS Alert Policies that are currently enabled in your organization.
    - Ack Required: A count of alerts whose status is Ack Required, meaning that the conditions that resulted in an alarm are no longer present, but an acknowledgement is required from a user in your organization before the alert is “cleared”.
  • Last 24 Hour Attack Activity: A chart showing attack activity in the last 24 hours (see Attack Activity Chart).
  • Last 24 Hour Top Dest IPs: A set of cards that each contain a chart showing the top destination IP addresses in the last 24 hours as measured in different metrics (see Top Dest IPs).
  • Attacks Within the Last 24 Hours: A table listing attacks within the last 24 hours and providing details on those attacks (see Attack Table).

Attack Activity Chart

This chart shows attack activity over a timeline that covers the last 24 hours. The blue bar indicates a new alarm (triggered by an alert policy entering an alarm state) while the red line represents the count of active alarms at each point in the timeline. Hovering over the chart at any point in the timeline triggers a popup that gives a count of new and active alarms at that date-time.

The timeline shows the number and times of attacks in the last 24 hours.
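The two series in that chart are derived differently from the same alarm records: the bar counts alarms that started within each bucket, while the line counts alarms whose interval covers the bucket boundary, so one long alarm contributes to the line for many buckets but to the bar only once. The function below builds both series; it is an added example for this article, not Kentik code, and the alarm intervals are constructed (an end of None means the alarm is still active).

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed alarm intervals (start, end); end=None means still active at NOW.
NOW = datetime(2024, 5, 1, 12, 0)
ALARMS: List[Tuple[datetime, Optional[datetime]]] = [
    (NOW - timedelta(hours=23, minutes=30), NOW - timedelta(hours=22)),
    (NOW - timedelta(hours=10), NOW - timedelta(hours=5)),
    (NOW - timedelta(hours=9, minutes=15), NOW - timedelta(hours=8)),
    (NOW - timedelta(hours=2), None),                                  # still active
    (NOW - timedelta(hours=30), NOW - timedelta(hours=26)),            # before the window
]


def activity_series(alarms, now: datetime, hours: int = 24, bucket_minutes: int = 60):
    """Return (new_per_bucket, active_at_bucket_start) for the last `hours` hours."""
    bucket = timedelta(minutes=bucket_minutes)
    start = now - timedelta(hours=hours)
    n = int(timedelta(hours=hours) / bucket)
    new_counts = [0] * n
    active_counts = [0] * n
    for a_start, a_end in alarms:
        a_end = a_end or now
        if start <= a_start < now:               # bar: alarm began inside this bucket
            new_counts[int((a_start - start) / bucket)] += 1
        for i in range(n):                       # line: alarm covers the bucket boundary
            t = start + i * bucket
            if a_start <= t < a_end:
                active_counts[i] += 1
    return new_counts, active_counts


def peak_active(active_counts: List[int], now: datetime, hours: int = 24,
                bucket_minutes: int = 60) -> Tuple[datetime, int]:
    """The boundary with the most concurrently active alarms, as the hover popup would show."""
    i = max(range(len(active_counts)), key=lambda k: active_counts[k])
    return now - timedelta(hours=hours) + i * timedelta(minutes=bucket_minutes), active_counts[i]


if __name__ == "__main__":
    new, active = activity_series(ALARMS, NOW)
    for i, (b, a) in enumerate(zip(new, active)):
        if b or a:
            t = NOW - timedelta(hours=24) + timedelta(hours=i)
            print(f"{t:%H:%M}  new={b}  active={a}")
    print("peak:", peak_active(active, NOW))
```

Note that the alarm that began 30 hours ago never appears in either series even though it is a real alarm; the page's own View More Attacks link exists precisely because the chart and table are limited to the last 24 hours.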

Top Dest IPs

The Last 24 Hour Top Dest IPs charts show a breakdown of traffic for each of the top three destination IP addresses, as evaluated by DDoS Defense alert policies, in terms of:

  • Bits/s
  • Packets/s
  • Unique Src IPs
These charts show traffic over the last 24 hours expressed in the metrics used to evaluate attacks.

Attack Table

The Attacks Within Last 24 Hours table provides information about alarms in the last day from the DDoS Defense alert policies that were activated on the Create DDoS Policies page in step two of the configuration wizard. Each row of the table gives summary information about the alarm (see Attack Table Columns). Click on a row to expand it for more details about the alarm (see Attack Details).

At the top right of the table is the View More Attacks button, which takes you to the Alerting page, where the Alerts List will be filtered to show only DDoS attacks (not limited to the last 24 hours).

The table lists the alarms generated by alert policies over the last 24 hours.

Attack Table Columns

Attacks within the last 24 hours are listed in the Attacks Within Last 24 Hours table, with each row representing one alarm (a policy that entered alarm state). For a breakdown of the columns in this table, see Alerts List.

Attack Details

When you click on the row for a given attack a details drawer slides out from the left of the page. The fields and controls in this drawer are the same as those of the Alert Details Drawer.

© 2014- Kentik