Our Use Case PDFs and blog images are only available in German. If you are interested in further information, we are happy to assist you personally. Please don’t hesitate to contact us directly.

Download the PDF here: Traffic analysis and Anti DDoS for service providers with Kentik

1. The Initial Situation

Cloud computing has changed how networks are built. Many companies now operate hybrid networks, a mix of cloud and on-premises infrastructure, or multi-cloud networks.

The availability of applications and the success of services depend critically on monitoring this hybrid network infrastructure. A poor user experience directly harms customer satisfaction.

On top of this come distributed denial of service (DDoS) attacks. The tooling behind them has become highly sophisticated and the attackers are hard to identify. Some attacks exploit bugs or vulnerabilities in applications and operating systems, or faulty protocol implementations; others simply overwhelm the target with more requests than it can handle.

What are the Options for Protecting Yourself against DDoS Attacks?

The goal is to defend against network-level DDoS attacks at the network edge as soon as they begin, with a zero-second SLA, so that attackers launching such attacks have little chance of succeeding.

The key to this is visibility: closing the information gaps in the network.

A DDoS protection layer placed in the traffic path analyzes the traffic. Anti-DDoS services help protect the network and avoid downtime and the costs that come with it.

Figure: Use Case - Traffic analysis and Anti DDoS (© NetDescribe)

2. The Use Case

This case involves a regional provider of telecommunications services in northern Germany that offers a complete multimedia package with telephony, high-speed Internet and cable television.

The company’s goal was to procure a SaaS solution for the technical analysis of IP traffic based on flow metadata exported via NetFlow v9 and IPFIX. In addition, the software had to detect ongoing DDoS attacks and mitigate them automatically using BGP blackholing (remotely triggered blackholing, RTBH) and BGP FlowSpec.

The Solution from NetDescribe – Kentik Network Observability

Kentik Network Observability is a scalable network analysis solution that is easy to deploy and easy to use, and with which you can plan, operate and troubleshoot any network. Proactive monitoring of hybrid and multi-cloud networks surfaces anomalies in your traffic in detail, so that your NetOps team can react in time and take countermeasures.

The Key Data of the Use Case

  • Processing of approx. 7,000 FPS (flows per second) at a sampling rate of 1:3000
  • Devices integrated for traffic analysis: Cisco Router NCS 5500 Series, Cisco Router IOS-XRv 9000-CC, PowerDNS and BIND 9 name servers

The Requirements Analysis

Requirements for Traffic Analysis

Traffic analysis with the following filter options:

  • Source and destination IP address
  • Source and destination IP prefix
  • IP version
  • UDP, TCP and ICMP protocol
  • Source and destination port number
  • Source and destination ASN
  • ASN Path
  • BGP Communities for source and destination IP prefix
  • IP prefix
  • Incoming network device
  • Incoming network interface
  • Retention of the data for one calendar year, with the ability to query it
  • Attribution of traffic to individual end-customer services (OTT services), e.g. Amazon Prime Video, YouTube, PlayStation, Xbox Live, Netflix, Microsoft Teams, Telegram, WhatsApp
  • Attribution of traffic to CDN operators (OTT providers), e.g. Amazon, Google, Facebook, Apple
  • Categorization of OTT traffic into broader categories, e.g. video, games, web, communication and social

Requirements for Anti-DDoS

Detection of the following known DDoS attack patterns:

  • Amplification and Reflection
  • ICMP Flood
  • Invalid Protocol Flood
  • UDP Fragment
  • UDP Flood
  • TCP SYN Floods
  • Non-Reflective DNS Floods
  • Total Volumetric

Notification of a detected DDoS attack via:

  • Email
  • Syslog
  • Webhook (HTTP GET) with JSON payload

Automatic mitigation of the attack using:

  • BGP blackholing of the attacked host route (/32 for IPv4, /128 for IPv6), tagged with a BGP community
  • BGP blackholing of the covering network route (/24 for IPv4, /48 for IPv6), tagged with a BGP community
  • BGP FlowSpec with match criteria on source and destination (IP address, protocol, port number) and the choice of discarding the matched traffic or applying a rate limit to it
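The detection and mitigation requirements above describe, in outline, what a flow collector has to do: scale the 1:3000 sampled NetFlow/IPFIX records back up to real packet and byte rates, aggregate them per attacked host, recognize the dominant pattern, and pick a BGP reaction. The following toy detector is an added example that is not Kentik's or NetDescribe's code. The thresholds, the aggregation window, the list of amplifier ports, the BGP community (65535:666, the well-known BLACKHOLE community from RFC 7999) and the sample flow records are all constructed for illustration; a real collector also handles timeouts, baselining and per-customer thresholds. Note the caveat that 1:3000 sampling implies: each record stands for roughly 3,000 packets, so volumetric floods are visible but small, low-rate attacks are not.

```python
"""Toy flow-based DDoS detector, added here as an example (not Kentik code).
Scales sampled NetFlow v9/IPFIX records back up, aggregates per destination,
classifies the dominant pattern and proposes a BGP mitigation (FlowSpec rule
or RTBH host route plus community). Thresholds and records are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

SAMPLING_RATE = 3000            # 1:3000 packet sampling, as in the use case
WINDOW_SECONDS = 60             # constructed aggregation window
PPS_THRESHOLD = 200_000         # hypothetical per-destination alert threshold
RTBH_COMMUNITY = "65535:666"    # well-known BLACKHOLE community (RFC 7999)
# UDP services commonly abused for reflection; they show up as the source port
AMPLIFIER_PORTS = {19, 53, 123, 161, 389, 1900, 11211}
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10

@dataclass(frozen=True)
class Flow:                     # the fields a sampled flow export carries
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0

def aggregate(flows, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Group sampled flows per destination and estimate the real pps/bps."""
    per_dst = defaultdict(lambda: {"pkts": 0, "octets": 0, "flows": []})
    for f in flows:
        d = per_dst[f.dst]
        d["pkts"] += f.packets * sampling_rate      # undo the 1:N sampling
        d["octets"] += f.octets * sampling_rate
        d["flows"].append(f)
    return {dst: dict(d, pps=d["pkts"] / window, bps=d["octets"] * 8 / window)
            for dst, d in per_dst.items()}

def classify(flows):
    """Name the dominant pattern among the flows hitting one destination."""
    pkts_by_proto = Counter()
    for f in flows:
        pkts_by_proto[f.proto] += f.packets
    proto, total = pkts_by_proto.most_common(1)[0]
    if proto == PROTO_ICMP:
        return "ICMP Flood"
    if proto == PROTO_TCP:
        syn_only = sum(f.packets for f in flows if f.proto == PROTO_TCP
                       and f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK)
        return "TCP SYN Flood" if syn_only / total > 0.9 else "Total Volumetric"
    if proto == PROTO_UDP:
        udp = [f for f in flows if f.proto == PROTO_UDP]
        amp = sum(f.packets for f in udp if f.sport in AMPLIFIER_PORTS)
        if amp / total > 0.8:
            return "Amplification and Reflection"
        # non-initial fragments carry no transport header, exported as port 0/0
        frag = sum(f.packets for f in udp if f.sport == 0 and f.dport == 0)
        return "UDP Fragment" if frag / total > 0.8 else "UDP Flood"
    return "Total Volumetric"

def propose_mitigation(dst, pattern, flows):
    """FlowSpec where the pattern can be filtered surgically, RTBH otherwise."""
    host_len = 32 if ip_address(dst).version == 4 else 128
    target = f"{dst}/{host_len}"
    if pattern == "Amplification and Reflection":
        sports = sorted({f.sport for f in flows if f.sport in AMPLIFIER_PORTS})
        return {"type": "flowspec", "dst": target, "proto": PROTO_UDP,
                "src_ports": sports, "action": "discard"}
    if pattern == "TCP SYN Flood":
        return {"type": "flowspec", "dst": target, "proto": PROTO_TCP,
                "tcp_flags": "SYN,!ACK", "action": "rate-limit", "rate_bps": 1_000_000}
    # last resort: blackhole the host route, tagged so upstreams drop it as well
    return {"type": "rtbh", "prefix": target, "community": RTBH_COMMUNITY}

def detect(flows):
    """One alert, with proposed mitigation, per destination above threshold."""
    alerts = []
    for dst, agg in aggregate(flows).items():
        if agg["pps"] < PPS_THRESHOLD:
            continue
        pattern = classify(agg["flows"])
        alerts.append({"target": dst, "pattern": pattern, "pps": round(agg["pps"]),
                       "mbps": round(agg["bps"] / 1e6, 1),
                       "mitigation": propose_mitigation(dst, pattern, agg["flows"])})
    return alerts

# Constructed sampled records for one 60 s window (RFC 5737 documentation ranges):
# a DNS/NTP reflection attack on 203.0.113.10 next to normal traffic to .20
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", PROTO_UDP, 53, 4321, 2400, 3_000_000),
    Flow("198.51.100.2", "203.0.113.10", PROTO_UDP, 53, 4321, 2200, 2_800_000),
    Flow("198.51.100.3", "203.0.113.10", PROTO_UDP, 123, 4321, 600, 300_000),
    Flow("192.0.2.7", "203.0.113.10", PROTO_TCP, 443, 51000, 10, 9_000, TCP_ACK),
    Flow("192.0.2.8", "203.0.113.20", PROTO_TCP, 443, 52000, 40, 50_000, TCP_ACK),
]
```

Running `detect(SAMPLE_FLOWS)` yields a single alert for 203.0.113.10 classified as "Amplification and Reflection" at an estimated 260,500 pps, with a FlowSpec rule that discards UDP traffic from source ports 53 and 123 towards the /32; the host keeps serving its legitimate TCP traffic. Only patterns that cannot be matched that narrowly fall back to the RTBH host route, which sacrifices the target's reachability to protect the rest of the network.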

Requirements for Connection Costs

  • Recording of monthly IP transit costs for both 95th-percentile and flat-rate billing models
  • “Cost per Mbit”: calculation based on transit and peering costs
  • Cost overview (fixed and variable costs) per IP transit and peering connection
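The two billing models named above behave very differently under attack traffic, which is why a DDoS product and a cost view belong on the same platform. Under 95th-percentile billing the top 5 % of a month's usage samples (36 hours at 5-minute intervals) are discarded before the bill is computed, so a volumetric attack that is mitigated within that budget costs nothing extra, while one that runs longer is billed at its full peak. The following calculation is an added example that is not Kentik's or NetDescribe's code; it follows the usual burstable-transit convention (5-minute samples, higher of in/out, commit as floor, fixed port fee on top) and every price, commit and usage series in it is constructed.

```python
"""95th-percentile versus flat-rate transit billing, added here as an example
(not Kentik code). Follows the common burstable-transit model: 5-minute samples,
drop the top 5 % of the month, bill the higher of in/out against the commit.
Prices, commit and usage series are constructed, not from any real contract."""

SAMPLES_PER_MONTH = 30 * 24 * 12   # one sample every 5 minutes for 30 days

def percentile_95(samples_mbps):
    """'Drop the top 5 %' rule: sort ascending and take the ceil(0.95*n)-th value.
    Integer arithmetic avoids float rounding at the boundary."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    idx = (95 * len(ordered) + 99) // 100 - 1
    return ordered[idx]

def build_month(base_mbps, burst_mbps, burst_samples, n=SAMPLES_PER_MONTH):
    """Constructed usage series: flat base rate plus `burst_samples` bursty intervals."""
    return [base_mbps] * (n - burst_samples) + [burst_mbps] * burst_samples

def burstable_cost(in_mbps, out_mbps, commit_mbps, price_per_mbps, port_fee=0.0):
    """95th-percentile model: variable cost on max(p95, commit) plus fixed fees."""
    p95 = max(percentile_95(in_mbps), percentile_95(out_mbps))
    billable = max(p95, commit_mbps)          # the commit is a floor, not a cap
    variable = billable * price_per_mbps
    return {"p95_mbps": p95, "billable_mbps": billable, "fixed": port_fee,
            "variable": variable, "total": variable + port_fee}

def flat_rate_cost(monthly_fee, port_fee=0.0):
    """Flat-rate model: one fixed fee regardless of usage."""
    return {"fixed": monthly_fee + port_fee, "variable": 0.0,
            "total": monthly_fee + port_fee}

def cost_per_mbit(total_cost, delivered_p95_mbps):
    """Effective unit cost: what the month cost per Mbit/s of p95 traffic carried."""
    return total_cost / delivered_p95_mbps

def compare_models(in_mbps, out_mbps, commit_mbps, price_per_mbps, port_fee, flat_fee):
    """Pick the cheaper billing model for this month's traffic."""
    burst = burstable_cost(in_mbps, out_mbps, commit_mbps, price_per_mbps, port_fee)
    flat = flat_rate_cost(flat_fee, port_fee)
    cheaper = "95th-percentile" if burst["total"] <= flat["total"] else "flat-rate"
    return {"burstable": burst, "flat": flat, "cheaper": cheaper,
            "cost_per_mbit": cost_per_mbit(min(burst["total"], flat["total"]),
                                           burst["p95_mbps"])}

# Constructed month: 800 Mbit/s inbound with a 36-hour 3 Gbit/s burst (exactly
# 5 % of the samples), 400 Mbit/s outbound; 1 Gbit/s commit at 0.50 per Mbit/s
IN_SERIES = build_month(800, 3000, 432)
OUT_SERIES = build_month(400, 400, 0)
```

With these inputs the 36-hour burst is fully absorbed by the discarded 5 % and the inbound 95th percentile stays at 800 Mbit/s; one more 5-minute interval of attack traffic (433 samples) and the whole month is billed at 3 Gbit/s. Because 800 Mbit/s is below the 1 Gbit/s commit, the variable charge is computed on the commit, and the effective cost per Mbit (750 per month over 800 Mbit/s delivered) comes out higher than the contract's nominal unit price.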

Requirements for the Graphical Representation (Web Interface/Graphical User Interface)

  • Access secured by two-factor authentication (YubiKey or TOTP)
  • Read access to the recorded traffic-analysis data via an HTTPS API returning JSON
  • Time displays in the user’s local time and in UTC+00:00
  • Option to switch the interface to a so-called “dark” theme
  • Freely definable colors for the representation of the graphs

Requirements for Monitoring

Monitoring the reachability of IP services (IP address + port) at Layer 3, with storage of the following information:

  • Latency in ms
  • Jitter in ms
  • Packet Loss in percent
  • Traceroute information
  • End-to-end functional tests of DNS name resolution (from Layer 3 reachability up to the answer actually returned), with storage of the answers
  • Ability to run tests from within your company’s network as well as from external locations
  • Notification of failed tests via:
    • Email
    • Syslog
    • Webhook (HTTP GET) with JSON payload

What is the Kentik Intelligence Platform?

Complex multi-cloud and data center networks become visible at a glance. This enables proactive performance monitoring to keep applications and services running optimally. Misdirected traffic and suboptimal network configurations can be found and corrected, and the network’s cost factors remain visible.

With Kentik, DDoS attacks can also be precisely detected and automatically neutralized. Continuous DDoS protection means damage limitation for your company. Hosts that have been compromised by botnets are tracked down. Attacks, security breaches and threats are analyzed both in real time and against historical data. Integrated incident response tooling sends alerts and initiates workflows.

The Kentik Features at a Glance

CORE – Analysis of the entire network traffic. Capacity planning. Visualization of telemetry data. Ad-hoc insights. Setting up workflows.

EDGE – Full visibility of the network. Management of transits and interconnections. Discovering peers. Organization of traffic and cost optimization.

SYNTHETICS – Management of network and application experience. Automatic configuration based on traffic, tests and real-time analysis.

CLOUD – Insights into all clouds and hybrid infrastructures. Migration planning. Security checks. Performance improvement and cloud cost optimization.

PROTECT – Early detection and minimization of DDoS attacks. Detection of botnets. Threat analysis. Prevention of route leaks and BGP hijacking.

SERVICE PROVIDER ANALYTICS – Analysis of subscriber trends. Tracking the digital supply chain. Discovering new sales opportunities and cost management.

What does the Kentik Intelligence Platform offer?

Kentik provides detailed insight into the behaviour of applications and services across the entire network, going beyond raw data observation so that the causes of network and application performance can be understood.

Here are some of the possibilities:

  • Content Delivery Network Analysis
  • Analysis of Peering and Interconnection
  • OTT Service Tracking
  • Defense against DDoS

*Source of all screenshots shown here: www.kentik.com

What Does Kentik Observability Offer for Service Providers

Options:

Real-time network monitoring with detailed insights into traffic at various levels, including protocol, application, device, and user. >>> Quickly identify and resolve network issues, optimize performance, and ensure quality of service

Network analysis: Data can be collected, analyzed, and visualized over a period of time to gain insights into traffic, bandwidth usage, the causes of latency, and other performance metrics. >>> Identify bottlenecks, diagnose network problems, and improve capacity planning

Security monitoring by identifying suspicious traffic, detecting attacks, and reacting proactively and in a targeted manner. >>> Resource conservation and cost savings

Capacity planning: Analysis of network traffic and bandwidth usage. Identifying trends, forecasting demand, and thus scalability of network resources. >>> Optimal performance and customer satisfaction

Customer reporting through report creation with visualization of important network performance data. >>> Transparent communication and adjustments or optimizations if required

What Does Kentik Observability Offer for Service Providers in DDoS

Functions and approaches:

Real-time detection of DDoS attacks. Continuous monitoring of network traffic to detect anomalies and suspicious patterns. >>> Early detection and response

Attack detection and analysis: Identification of various types of DDoS attacks, such as volumetric attacks (e.g. UDP Floods, ICMP Floods), application-level attacks (e.g. HTTP Floods) and protocol anomalies. >>> Initiation of appropriate countermeasures

Traffic Engineering and Blackholing: Rerouting of network traffic and blocking of specific traffic flows (e.g. from a suspicious source). >>> Maintaining availability for legitimate traffic

Automated measures for DDoS mitigation and containment, such as rerouting traffic or activating firewalls and other mitigation devices. DDoS mitigation solutions from various vendors can be triggered automatically; A10, Radware and Cloudflare Magic Transit are already integrated in Kentik. >>> Blocking malicious traffic to protect network resources

Real-time reporting and alerting about DDoS attacks, the affected resources and the impact on the network. >>> Rapid response and mitigation of DDoS attacks

