The DDoS attack landscape has changed significantly since we launched our Infrastructure Protection service two years ago.
Perpetrators now understand that mitigating huge, long-lasting, big-packet floods takes more muscle than brains, so they have switched to short, relatively low-bandwidth bursts with very high packet rates. The 60Gbps and 50Mpps attacks we saw on a daily basis in 2013 have morphed into the 465Gbps and 300Mpps assaults we’re witnessing today.
The Incapsula dashboard has always used both real-time and historical data to illustrate traffic flows. This enables us to record assaults and examine attack vectors. But to analyze shorter events and increasing peaks, we knew we had to change how this data is presented.
Data resolution is three seconds in our real-time dashboard; this is more than enough to analyze short attacks. To better understand them, however, we sought to improve both historical data and retrospective analysis.
To achieve this we increased the historical data resolution from 10 minutes to 15 seconds. When the chart is zoomed out and points are aggregated, each displayed point now shows the maximum value within its interval instead of an average, so short peaks remain visible.
100M PPS attack
Managing the overhead of increased data resolution
However, increasing resolution comes with a tradeoff. The data we now save is significantly larger and needs to be handled differently.
To illustrate this, let’s calculate the daily space used by both the old and new series:
- 10-minute series: 24 hours × six data points/hour = 144 data points per day
- 15-second series: 24 hours × 60 minutes × four data points/minute = 5,760 data points per day
The 15-second series has 40 times more data points!
Incapsula uses eight bytes to store each data point. This means the new high resolution series takes up 45KB, compared to 1.1KB for the prior low-res version. While 45KB doesn’t sound like much, consider a client that has several IP ranges; suddenly we’re talking about a large chunk of data.
Providing you with 40 times more data means we had to rethink both how we process and store it in our servers – as well as how to display the new dashboard in client browsers.
Solving the issue of browser storage capacity
In the old dashboard, all data was sent and saved in local session storage on client browsers. This provided a fast and responsive user experience. But browsers set limits on the amount of data an application can store, so the increased dashboard resolution meant we couldn’t use local storage in the same way.
Incapsula solved this issue by initially displaying account overview information only. When you select a specific IP range, its data is then downloaded and kept in browser storage (replacing existing information in the process).
Drilling down to the affected IP and identifying different attack vectors used:
Improving browser load time
The aggregation process is done on Incapsula backend servers, after which the results are sent to your browser. Data is stored in a different bucket for each day, meaning we’re able to aggregate in parallel to reduce load time.
We use a thread pool and submit one task per bucket per day. No synchronization is required between the calculations, so in theory we get an n-fold speedup with n threads – eat your heart out Amdahl!
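The per-day bucket aggregation described above, as an added example in Python that is not Incapsula's own backend code: every day is an independent bucket, each bucket is summarized by its own task, and the results are collected in submission order so the timeline stays sorted. The data is constructed in the block (five days of 15-second PPS readings with a single spike on day two); the `DaySummary` shape and the summary statistics are assumptions for illustration. Note that in CPython a thread pool only realizes the n-fold speedup when the per-bucket work releases the GIL (I/O, or numeric libraries); a process pool gives it for pure-Python CPU work.

```python
"""Parallel per-day aggregation of a 15-second traffic series (added example)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
import random

POINTS_PER_DAY = 24 * 60 * 4   # 15-second resolution: 5,760 points per day
BYTES_PER_POINT = 8            # storage cost per data point, as in the post


@dataclass(frozen=True)
class DaySummary:
    """Assumed per-bucket result: peak, mean and sample count for one day."""
    day: int
    peak: float
    mean: float
    samples: int


def make_constructed_series(days, seed=7, spike_day=2, spike_index=1000, spike_pps=300e6):
    """Constructed sample data: `days` buckets of 15-second PPS readings.

    Background traffic is 1-2 Mpps; one 15-second sample on `spike_day`
    is replaced by a 300 Mpps burst so the aggregation has something to find.
    """
    rng = random.Random(seed)
    buckets = []
    for day in range(days):
        bucket = [rng.uniform(1e6, 2e6) for _ in range(POINTS_PER_DAY)]
        if day == spike_day:
            bucket[spike_index] = spike_pps
        buckets.append(bucket)
    return buckets


def summarize_bucket(day, bucket):
    """The work done by one task: reduce one day's points to a DaySummary.

    Touches only its own bucket, so tasks need no shared state or locking.
    """
    return DaySummary(day=day, peak=max(bucket), mean=sum(bucket) / len(bucket),
                      samples=len(bucket))


def aggregate_serial(buckets):
    """Reference implementation: one bucket after another."""
    return [summarize_bucket(day, bucket) for day, bucket in enumerate(buckets)]


def aggregate_parallel(buckets, workers=4):
    """Submit one task per day bucket and collect results in submission order.

    Keeping the futures in a list (rather than using as_completed) preserves
    the day ordering regardless of which thread finishes first.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(summarize_bucket, day, bucket)
                   for day, bucket in enumerate(buckets)]
        return [future.result() for future in futures]


def series_bytes(days, points_per_day=POINTS_PER_DAY):
    """Storage for one series over `days` days at 8 bytes per point."""
    return days * points_per_day * BYTES_PER_POINT


if __name__ == "__main__":
    data = make_constructed_series(days=5)
    for summary in aggregate_parallel(data):
        print(f"day {summary.day}: peak {summary.peak / 1e6:.1f} Mpps, "
              f"mean {summary.mean / 1e6:.2f} Mpps over {summary.samples} samples")
    print(f"one series, 90 days: {series_bytes(90) / 2**20:.2f} MiB")
```

Because each task reads only its own bucket, the parallel and serial results are identical; the ordering guarantee comes from iterating the futures list, not from the pool.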
New filters for specific IP ranges
Traffic by PoP
The new dashboard offers new filters, including traffic distribution by Incapsula PoPs and packet type. We also added a new “IP range” layout. These let you easily pinpoint an attack and adjust relevant security settings in a heartbeat.
One filter lets you select relevant date ranges. In the new 15-second resolution series, a single series is 45KB per day, or 3.9MB for 90 days. Multiplying that figure by the six series we keep ((pass, blocked, total) × (bandwidth, PPS)) yields a total of 23.7MB.
There is no need for 15-second granularity when examining the 90-day view. So when you zoom out, the aggregated data uses only 240 points per time range to reduce storage. That comes to a total of 1.9KB per data series.
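The zoom-out aggregation from the paragraphs above, as an added example in Python rather than Incapsula's own dashboard code: a 15-second series is reduced to 240 display points, once with the maximum per interval (the new dashboard) and once with the average (the old 10-minute series and a naive aggregation). The input is constructed inline, a flat 1 Mpps baseline with a 30-second, 100 Mpps burst, and the bucket sizes and spike position are assumptions chosen so the arithmetic is easy to follow.

```python
"""Max-versus-average downsampling of a 15-second series to 240 display points (added example)."""

POINTS_PER_DAY = 24 * 60 * 4   # 15-second resolution: 5,760 points per day
DISPLAY_POINTS = 240           # points drawn per time range when zoomed out
OLD_POINTS_PER_DAY = 144       # the previous 10-minute series


def mean(values):
    return sum(values) / len(values)


def bucket_bounds(n_points, n_buckets):
    """Split n_points indices into n_buckets near-equal [start, end) spans."""
    for i in range(n_buckets):
        yield i * n_points // n_buckets, (i + 1) * n_points // n_buckets


def downsample(series, n_buckets=DISPLAY_POINTS, reducer=max):
    """Reduce `series` to n_buckets points, one `reducer` value per span.

    reducer=max keeps a short burst visible; reducer=mean dilutes it by the
    ratio of burst samples to samples in the span.
    """
    return [reducer(series[start:end]) for start, end in bucket_bounds(len(series), n_buckets)]


def constructed_series(days=1, baseline_pps=1_000_000, spike_pps=100_000_000,
                       spike_start=2000, spike_points=2):
    """Constructed input: flat baseline with a `spike_points`-sample burst.

    Two 15-second samples at 100 Mpps model the 30-second peak the post describes.
    """
    series = [float(baseline_pps)] * (POINTS_PER_DAY * days)
    for i in range(spike_start, spike_start + spike_points):
        series[i] = float(spike_pps)
    return series


def peak_as_seen(series, n_buckets=DISPLAY_POINTS, reducer=max):
    """Highest value a viewer would see after downsampling (what the chart shows)."""
    return max(downsample(series, n_buckets, reducer))


if __name__ == "__main__":
    day = constructed_series(days=1)
    print(f"real peak:                        {max(day) / 1e6:8.2f} Mpps")
    print(f"1-day view, max per interval:     {peak_as_seen(day) / 1e6:8.2f} Mpps")
    print(f"1-day view, mean per interval:    {peak_as_seen(day, reducer=mean) / 1e6:8.2f} Mpps")
    print(f"old 10-minute averaged series:    "
          f"{peak_as_seen(day, OLD_POINTS_PER_DAY, mean) / 1e6:8.2f} Mpps")
    quarter = constructed_series(days=90)
    print(f"90-day view, max per interval:    {peak_as_seen(quarter) / 1e6:8.2f} Mpps")
    print(f"90-day view, mean per interval:   {peak_as_seen(quarter, reducer=mean) / 1e6:8.2f} Mpps")
```

With one day in 240 buckets each span is 24 samples (6 minutes), so averaging reports (22 × 1M + 2 × 100M) / 24 ≈ 9.25 Mpps for a 100 Mpps burst; the old 10-minute series (40 samples per point) reports 5.95 Mpps; and over 90 days each of the 240 buckets covers 9 hours, so the averaged burst disappears into the baseline at about 1.09 Mpps. The max reducer reports 100 Mpps at every zoom level, which is why the burst is visible from the 90-day overview in the first place.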
Traffic by packet types
An attack simulation – using your dashboard
To simulate an attack analysis, let’s start with the account overview. In the new dashboard you can easily spot points of interest that you’ll want to investigate, such as traffic peaks from a 90-day zoom:
While zooming in on the suspicious peak, you can see real traffic fluctuations and gain a better understanding of the situation. Legitimate traffic is still being sent to the origin server as usual, even though an attack is in progress.
You can even see that the attack ramped from 0 to 143Gbps in only 30 seconds!
In the old dashboard, the same attack would have appeared at less than half its real size, because the 10-minute averaging flattened the peak, and the real fluctuations would not have been visible at all.
The new dashboard now lets us share with you what we have been able to see on our internal systems all along.
Do you have any questions? Would you like to share your experiences with the new dashboard? Contact us here or let us know in the comments section below.