A primer on how and why ‘dynamic baselining’ fosters accurate DDoS protection
By Ahmed Abdelhalim
Businesses today need protection from increasingly frequent and sophisticated DDoS attacks. Service providers, data center operators, and enterprises delivering critical infrastructure all face risks from attacks.
However, to protect their networks, they must enable accurate attack detection while keeping operations manageable and efficient.
Traditional static baselining methods fall short on both of these counts. To begin with, they rely on resource-intensive manual processes to define an organization’s “normal” traffic patterns, imposing a burden on both the protected organization and their own security personnel. The uncertainty and approximation inherent in this approach lead to tradeoffs on exactly where to establish the baseline. Set it too high, and you’ll miss smaller attacks. Set it too low, and you’ll deal with constant false positives.
Dynamic baselining makes it possible to offer more accurate and efficient DDoS protection and protection-as-a-service. By allowing the system to learn baseline traffic patterns, set its own thresholds, and adapt automatically as traffic changes, service providers and large enterprises can simplify operations while ensuring more accurate attack detection.
Limits of static baselining
Under ordinary circumstances, an increase in network traffic can seem like good news. A DDoS attack, on the other hand, is distinctly bad news. By flooding a victim's network with bogus traffic, an attacker can slow performance or even knock the victim's services offline entirely.
Organizations can help mitigate the threat of a DDoS attack, but first, they need to be able to recognize the difference between normal or "peacetime" activity and abnormal, malicious traffic. This is tricky when thresholds are simply set high enough to detect large-scale DDoS attacks: smaller attacks slip through, and that exposure is written off as an acceptable risk.
A security team seeking a more accurate level of detection may query the protected organization or application owners about their normal traffic levels to establish tailored baselines. This seems reasonable, except that many companies don't have this kind of detail readily available. It also imposes an additional operational burden.
Another approach employed by security teams is to assume the burden of monitoring the traffic for weeks and develop a proposed baseline. This approach is likely more accurate, but it is far from scalable for a provider offering DDoS protection as a service.
Choose Your Poison
When organizations can't tailor a DDoS detection threshold to specific needs or specific end subscribers, they have two options. One is to set a level that's much higher than what normal traffic would realistically reach. You'll catch large-scale attacks, but you may be exposed to any number of smaller attacks, degrading performance for the business and its end users.
Or you can choose to set the threshold lower to catch more attacks. Unfortunately, you’ll also get more false positives. In that event, traffic will be diverted to a mitigation device, subjecting end users to an unnecessary increase in latency and degradation of the user experience. This is particularly noticeable by users and application owners when the mitigation device or facility is in a geographic location different from that of the servers.
Accurate, efficient protection
Static baselining imposes too much of an operational burden on organizations — and even then, the resulting attack detection is too inaccurate.
Dynamic baselining alleviates that operational workload while enabling a better understanding of normal and suspicious network activity. The system automatically learns the peacetime baseline for customers, sets thresholds that reflect the observed patterns, and then adapts those thresholds over time as traffic changes. Able to differentiate between the types of increases associated with the dynamic business environment or end-user behavior on the one hand and malicious surges originating from botnets on the other hand, the system can alert accurately on genuine attacks of all sizes while avoiding the disruptions of false positives or false negatives.
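The contrast drawn above (a static threshold set high misses small floods, set low it fires on ordinary busy hours, while a learned per-hour baseline flags only the genuine anomaly) can be made concrete with a small simulation. The following is an added example written for this page; it is not A10's code and does not describe any product's algorithm. It assumes a simple design: one bucket per hour of day, an exponentially weighted moving average (EWMA) of mean and variance per bucket, a threshold of mean plus the larger of k standard deviations or a fixed percentage margin, and a rule that samples which trigger an alert are not fed back into the baseline. The hourly traffic profile, the wobble applied to it, the 3000 pps flood and the 15% legitimate surge are all constructed for the demonstration, and the parameter values (alpha, k, margin, 7 training days) are illustrative choices, not recommendations.

```python
from dataclasses import dataclass, field
from math import sqrt

# Constructed hourly "peacetime" profile in packets per second: quiet nights,
# busy office hours, moderate evenings. Illustrative values, not real data.
def hourly_profile(hour: int) -> float:
    if hour < 6 or hour >= 22:
        return 1000.0
    if 9 <= hour < 18:
        return 10000.0
    return 5000.0

def peacetime_sample(day: int, hour: int) -> float:
    """Profile value with a deterministic +/-8% wobble so runs are repeatable."""
    wobble = 0.08 * (((day * 7 + hour) % 5) - 2) / 2
    return hourly_profile(hour) * (1 + wobble)

@dataclass
class StaticThreshold:
    """Static baselining: one operator-chosen threshold applied at every hour."""
    threshold: float

    def observe(self, hour: int, pps: float) -> bool:
        return pps > self.threshold

@dataclass
class HourlyDynamicBaseline:
    """Dynamic baselining: per-hour EWMA mean/variance learned from peacetime traffic."""
    alpha: float = 0.3          # EWMA weight given to each new sample
    k: float = 3.0              # sigma multiplier above the learned mean
    min_margin: float = 0.25    # never alert on less than +25% over the mean
    min_samples: int = 3        # samples a bucket needs before it may alert
    mean: list = field(default_factory=lambda: [None] * 24)
    var: list = field(default_factory=lambda: [0.0] * 24)
    count: list = field(default_factory=lambda: [0] * 24)

    def threshold(self, hour: int):
        if self.count[hour] < self.min_samples:
            return None  # still learning this hour-of-day bucket
        m = self.mean[hour]
        return m + max(self.k * sqrt(self.var[hour]), self.min_margin * m)

    def observe(self, hour: int, pps: float) -> bool:
        thr = self.threshold(hour)
        alert = thr is not None and pps > thr
        if not alert:
            # Only peacetime samples update the baseline, so a flood cannot
            # teach the detector that the flood itself is "normal".
            if self.mean[hour] is None:
                self.mean[hour] = pps
            else:
                diff = pps - self.mean[hour]
                self.mean[hour] += self.alpha * diff
                self.var[hour] = (1 - self.alpha) * (self.var[hour] + self.alpha * diff * diff)
            self.count[hour] += 1
        return alert

def run_scenario(training_days: int = 7) -> dict:
    """Train on peacetime days, then replay a test day with one small night-time
    flood (03:00) and one legitimate 15% surge during office hours (14:00)."""
    dynamic = HourlyDynamicBaseline()
    static_high = StaticThreshold(12000.0)  # above the busiest legitimate hour
    static_low = StaticThreshold(2500.0)    # low enough to catch the night flood
    training_alerts = 0
    for day in range(training_days):
        for hour in range(24):
            training_alerts += dynamic.observe(hour, peacetime_sample(day, hour))

    test_day = training_days
    samples = {h: peacetime_sample(test_day, h) for h in range(24)}
    samples[3] = 3000.0                       # constructed flood, tiny vs. daytime
    samples[14] = hourly_profile(14) * 1.15   # constructed legitimate surge
    night_mean_before = dynamic.mean[3]

    results = {"training_alerts": training_alerts}
    for name, det in (("dynamic", dynamic), ("static_high", static_high), ("static_low", static_low)):
        fired = {h: det.observe(h, samples[h]) for h in range(24)}
        results[name] = {"night_attack": fired[3], "day_surge": fired[14],
                         "total_alerts": sum(fired.values())}
    # The flood was rejected, so it must not have moved the learned night baseline.
    results["night_mean_unchanged"] = dynamic.mean[3] == night_mean_before
    results["dynamic_night_threshold"] = dynamic.threshold(3)
    return results

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

On the test day the high static threshold is silent for the 3000 pps flood, the low static threshold fires on the flood but also on every ordinary office hour, and the learned baseline fires once, at 03:00, while letting the 14:00 surge pass. The percentage margin exists because a freshly learned bucket can have near-zero variance, which would otherwise make k standard deviations a hair-trigger; the no-learning-during-alert rule is what keeps a sustained flood from dragging the baseline upward until the attack looks like peacetime.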
The efficiency of automated, dynamic baselining allows organizations, whether service providers or digital business enterprises, to deliver better DDoS protection for their critical infrastructure.
As organizations tackle the critical need for DDoS protection, the key to success will be a combination of autonomous learning capabilities and operational efficiency. By moving from static baselining to automated, dynamic baselining, you can provide more accurate and responsive protection while easing the workload for strapped security teams.
About the essayist: Ahmed Abdelhalim, Senior Director, Security Solutions, A10 Networks
This article appears as a Guest Essay on the Last Watchdog on Privacy and Security by Byron Acohido.