Establishing Digital Trust: Don't Sacrifice Security for Convenience
Akamai pioneered the content delivery network (CDN) concept when the Internet was in its infancy. It went on to create internet security solutions and to expand into web and mobile performance, cloud security and enterprise protection products. Today Akamai operates a content delivery network used by global enterprises and government institutions. It trades on the NASDAQ exchange as AKAM.
Akamai's DDoS mitigation solution can include CDN-based, distributed denial of service (DDoS) scrubbing, and/or DNS components, depending on each customer's requirements. The CDN component operates as a reverse HTTP/S proxy: only HTTP/S traffic on ports 80/443 is forwarded to the origin, so everything else, including layer 3 and 4 DDoS attacks, is dropped at the edge and never reaches the customer's infrastructure. Application-layer floods that consist of well-formed HTTP requests do pass this filter; they are addressed by the rate controls and WAF rules described below. The DDoS scrubbing component relies on the Akamai security operations center (SOC) to apply a range of targeted mitigations based on the attack vector (such as by source IP or attack signature), including mitigations for SYN floods, UDP floods, and other layer 3 and 4 DDoS attacks. The DNS component automatically drops non-DNS traffic, including layer 3 and 4 DDoS attacks; Akamai mitigates DNS-based DDoS attacks (e.g., DNS amplification) and also protects DNS services themselves from DDoS attacks.
The solution includes:
- Automated rate controls that block traffic based on customer- or Akamai-configured thresholds
- Custom web application firewall (WAF) rules created around specific attack signatures
- Monitoring tools that provide alerts and allow the SOC to view and assess malicious traffic based on real-time packet samples
- Tools to generate and store per-customer traffic profiles, giving the SOC baseline data for rapid comparison during an attack
- Real-time monitoring of HTTP headers for anomalies relative to those baselines
- Tools enabling the SOC to view tcpdump captures (pcaps) in near real time, generate precise mitigation rules and assess their effect
- Processes for working with customers and avoiding over-mitigating, including formalized per-customer runbooks, agreed methods to understand customer environments, and real-time communication throughout any DDoS event
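The two list items on threshold-based rate controls and header-anomaly monitoring against a baseline can be illustrated with a short script. This is an added example and is not Akamai's code: the log line format, the field names, the thresholds and the sample traffic are all constructed for the illustration. It builds a profile of normal User-Agent and Accept headers from clean traffic, then runs a sliding-window per-source rate control and a header-anomaly check over a constructed burst of requests.

```python
"""Per-source rate control and header-baseline anomaly checks over
constructed HTTP access-log lines (illustration only, not Akamai's code)."""
import re
from collections import Counter, deque
from datetime import datetime

# Assumed log format (constructed for this example):
# <UTC timestamp> <client IP> <method> <path> ua="<User-Agent>" accept="<Accept>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'ua="(?P<ua>[^"]*)" accept="(?P<accept>[^"]*)"$'
)

# Constructed clean traffic used to build the baseline profile.
CLEAN_SAMPLE = [
    '2024-03-01T11:59:50.000Z 203.0.113.5 GET /index.html ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0" accept="text/html"',
    '2024-03-01T11:59:51.000Z 203.0.113.5 GET /app.js ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0" accept="*/*"',
    '2024-03-01T11:59:52.000Z 203.0.113.9 GET /index.html ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" accept="text/html"',
    '2024-03-01T11:59:53.000Z 203.0.113.9 POST /login ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" accept="text/html"',
    '2024-03-01T11:59:54.000Z 203.0.113.12 GET /api/status ua="curl/8.5.0" accept="*/*"',
]

# Constructed attack burst: 25 POSTs to /login from one source within ~2.5 s,
# with headers unlike the baseline, interleaved with two ordinary requests.
ATTACK_SAMPLE = [
    f'2024-03-01T12:00:{i // 10:02d}.{i % 10}00Z 198.51.100.7 POST /login ua="python-requests/2.31" accept=""'
    for i in range(25)
] + [
    '2024-03-01T12:00:01.500Z 203.0.113.5 GET /index.html ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0" accept="text/html"',
    '2024-03-01T12:00:02.500Z 203.0.113.9 GET /index.html ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" accept="text/html"',
]


def parse_lines(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rate_control(events, limit, window_seconds):
    """Sliding-window rate control keyed on client IP.

    Returns the set of IPs that sent more than `limit` requests within any
    `window_seconds` span. Keying on IP alone can over-mitigate clients behind
    a shared NAT, which is why thresholds are tuned per customer."""
    recent = {}  # ip -> deque of timestamps inside the current window
    blocked = set()
    for ev in events:
        q = recent.setdefault(ev["ip"], deque())
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > limit:
            blocked.add(ev["ip"])
    return blocked


def build_baseline(events):
    """Profile clean traffic: the User-Agents seen and how often Accept is present."""
    uas = Counter(e["ua"] for e in events)
    with_accept = sum(1 for e in events if e["accept"])
    return {"user_agents": uas, "accept_ratio": with_accept / len(events)}


def header_anomalies(baseline, events, min_accept_ratio=0.9):
    """Flag requests whose headers diverge from the baseline.

    Returns a list of (ip, timestamp, [reasons]) for flagged requests only."""
    flagged = []
    for ev in events:
        reasons = []
        if ev["ua"] not in baseline["user_agents"]:
            reasons.append("user-agent not in baseline")
        if not ev["accept"] and baseline["accept_ratio"] >= min_accept_ratio:
            reasons.append("missing Accept header")
        if reasons:
            flagged.append((ev["ip"], ev["ts"], reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(parse_lines(CLEAN_SAMPLE))
    events = parse_lines(CLEAN_SAMPLE + ATTACK_SAMPLE)
    print("rate control blocked:", sorted(rate_control(events, limit=20, window_seconds=10)))
    for ip, ts, reasons in header_anomalies(baseline, parse_lines(ATTACK_SAMPLE))[:3]:
        print(f"{ts.isoformat()} {ip}: {', '.join(reasons)}")
```

The two checks are deliberately independent: the rate control catches volume regardless of headers, while the header check catches low-and-slow tooling that stays under the threshold. In practice both feed a decision rather than blocking on their own, which is the over-mitigation balance the runbook process in the list above is meant to manage.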
"Now that DDoS is an aaS (as a service) business, it's easier than ever for anyone wanting to launch a DDoS attack to purchase the bots and capacity to do so online," said Ari Weil, senior director, global product and industry marketing, Akamai. "Today's DDoS attacks are often designed as a feint to distract from other data exfiltration, account takeover or credential abuse use cases levied by bots (not botnets) beyond (or at least in addition to) simply bringing the digital property offline."
Markets and Use Cases
Akamai's core customers are in the financial services, commerce, broadcasting, publishing, public sector, high-tech, SaaS, manufacturing, healthcare, energy and gaming industries.
Akamai has seven scrubbing centers worldwide and 3.5 Tbps of dedicated network capacity (planned to reach 8 Tbps by Q1 2018). It also has 150 SOC staff, located not in the scrubbing centers but in five separate SOC locations, as well as 700 security experts focused on threat intelligence and on improving the automated threat protection applied by protection policies and rules.
Compliance: ISO 27001, PCI DSS, GDPR, FedRAMP, HIPAA, FISMA, SOC 2
The Akamai Cloud Security Intelligence (CSI) data analysis engine helps the company develop the products and tools that defend against DDoS attacks. Akamai publishes threat research on a regular basis and releases a quarterly "State of the Internet: Security" report. Further, Akamai employs automation in various parts of its DDoS protection solution:
- The CDN-based and DNS components rely on automated controls that can be tuned/configured.
- For Akamai-managed solutions, Akamai professional services (PS) staff, proactively, and SOC staff, reactively, balance over-mitigating (false positives) against under-mitigating (false negatives), backed by a consistency-of-mitigation SLA to that effect.
Agents: none are used.
Akamai DDoS pricing is "all in," that is, it does not charge additional fees based on attack size or the number of attacks. Instead, it prices its DDoS protection based on a consultative assessment of the customer's requirements, including the following:
- Assets being protected (e.g., individual web- or IP-based applications, network subnets, data centers, or DNS, etc.)
- Scale of assets being protected (e.g., clean application traffic, number of applications/subnets/data centers/DNS zones, etc.)
- Deployment model (The DDoS scrubbing component is available as an on-demand or always-on service; all other components are always-on)
- Service model selected (Self-service, assisted or fully managed)
- Additional options selected (DDoS monitoring, MPLS, etc.)