Patrice Boffa

Security Readiness for Global Events: How Akamai can help

Blog Post created by Patrice Boffa Employee on Oct 13, 2014

This is a follow-up post to my recent article entitled "Let's watch the game first and attack later."  We received a lot of interest in how Akamai's Professional Services could help support a major global online event like the World Cup, and in details of the attack trends that we observed during the World Cup.

 

In general, a successful readiness and support approach can be divided into three stages:

      Event Preparation

      Event Execution

      Post Event Wrap-up

 

Preparation - Positioning KONA Rule Set (KRS)

Akamai's Professional Services team provides recommendations and operational best practices to help prepare and support the customers' event.

 

This year for the World Cup, 90% of the broadcasters, advertisers, partners and sponsors on Kona Site Defender were leveraging the Akamai Kona Rule Set (KRS).  The benefit of using KRS for our customers is a reduction in reported false positives and false negatives, helping our Professional Services team to better identify and block attacks while allowing legitimate traffic to pass through.

[Figure: WAFRuleset.png]

Having a low number of false positives and false negatives allows us to have better visibility into the malicious activities we monitor during the event.

[Figure: EdgeHits.png]

Readiness - 50% of the malicious activities happened in the first week

Event preparedness includes the following actions that the Professional Services team offers to make sure our customers are ready on Day 1 of the event:

·       Proactive risk mitigation

o   Recommended configuration

o   Operational best practices

 

During this year's World Cup, 50% of all of the malicious activity we saw occurred during the first week.  Akamai was able to successfully mitigate all of it by following our preparation and event preparedness methodology that focuses on proactive risk mitigation.

 

[Figure: WAFTriggered.png]

During the Kona implementations ahead of the tournament, Akamai's Professional Services team fine-tunes Web Application Firewall policies and reduces the number of false positives and false negatives, allowing customers to deny malicious requests without any risk of blocking legitimate users and requests.

 

Execution - 60% DDoS Attacks and 40% Application Layer Attacks

During the event execution phase, Akamai's Professional Services team focuses on proactive monitoring and alerting functions, including:

·       Mitigation of risk

·       Timely response

·       Expedited resolution and escalation if required

 

For large events like these, web applications have different exposure:

      Customers usually release those applications right before the event, making it difficult for attackers to profile the application ahead of time

      Customers tend to enhance the applications during the event itself as they discover potential issues

      Time constraint - attackers only have a few weeks to perform their attacks if they want them to be noticed

 

By performing proactive monitoring, we observed an inversely proportional split of attacks between the World Cup, an event-based application, and a non-event-based customer application.  DDoS attacks are the simpler type of attack to perform in a short time window to affect customers' sites and investments.

 

[Figure: Attacks.png]

The percentage of DDoS attacks was significantly higher (60%) compared to regular WAF activity on the Akamai platform (usually 35%).

 

Live event support - Limited human mitigation

During the World Cup, the Akamai Security Operations Center monitored and alerted our customers in real-time on their traffic activities, Web Application Firewall activities and IP activities. To reduce security response times, preparation and preparedness are key.  If we define a good defense strategy and we implement it properly, the human intervention during a security event should be limited to monitoring and minor adjustments.

 

The use of Akamai Rate Controls is the most effective way to help protect against network and application layer DDoS attacks. The Akamai platform monitors and controls the rate of requests against the Akamai servers and the customers' application, allowing us to dynamically block clients exhibiting excessive request rate behaviors. Akamai's Professional Services can help set optimal rate controls and have the platform mitigate DDoS attacks without human intervention.

 

Akamai Rate Controls can be applied at different request stages:

      Client to Akamai Edge

      Forward requests from Akamai to customers' application

      Response requests from customers' application to Akamai

 

In order to provide effective dynamic mitigation, we need to be able to look behind IP addresses to find behavioral anomalies in requests.  Akamai Rate Controls can take into account a combination of user-agents, cookies, and session IDs within the rate control so we can isolate unique users behind proxies.
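An added illustration of why the rate-control key matters (not Akamai's implementation and not code from the original post): a sliding-window counter is run over constructed traffic in which 20 users and one flooding client share a single proxy IP, first keyed on IP alone and then on IP, user-agent and session ID. The class, field names, thresholds and traffic are assumptions made for the example.

```python
from collections import defaultdict, deque


class SlidingWindowRateControl:
    """Deny a client key once it exceeds `limit` requests within `window` seconds."""

    def __init__(self, limit, window, key_fields):
        self.limit = limit
        self.window = window
        self.key_fields = key_fields        # request attributes that identify a client
        self.hits = defaultdict(deque)      # key -> timestamps of recent requests

    def allow(self, req):
        key = tuple(req.get(f, "") for f in self.key_fields)
        q = self.hits[key]
        now = req["ts"]
        while q and now - q[0] >= self.window:   # drop hits older than the window
            q.popleft()
        q.append(now)                       # denied requests still count toward the rate
        return len(q) <= self.limit


def constructed_traffic():
    """Constructed sample: 20 users behind one proxy IP plus one flooding client."""
    reqs = []
    for second in range(10):
        for user in range(20):              # each legitimate user: 1 request per second
            reqs.append({"ts": second + user / 100, "ip": "198.51.100.7",
                         "ua": "Browser/1.0", "session": f"user-{user}"})
        for burst in range(30):             # flooder: 30 requests per second, same proxy
            reqs.append({"ts": second + 0.5 + burst / 1000, "ip": "198.51.100.7",
                         "ua": "FloodTool/0.1", "session": "none"})
    return sorted(reqs, key=lambda r: r["ts"])


def denied_sessions(key_fields, limit=10, window=5):
    """Return {session: number of denied requests} for the given rate-control key."""
    rc = SlidingWindowRateControl(limit, window, key_fields)
    denied = defaultdict(int)
    for req in constructed_traffic():
        if not rc.allow(req):
            denied[req["session"]] += 1
    return dict(denied)


if __name__ == "__main__":
    print("IP only        :", denied_sessions(("ip",)))
    print("IP+UA+session  :", denied_sessions(("ip", "ua", "session")))
```

Keyed on IP alone, every user behind the proxy is denied along with the flooder; with the composite key only the flooding client is. Because user-agent and session values are supplied by the client, a composite key is normally paired with a looser per-IP ceiling so that rotating those values does not bypass the control.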

 

Akamai helped deny requests from users behind 221,381 unique IPs during the World Cup that were targeted towards the global broadcasters, advertisers, partners and sponsors' applications.

 

Interestingly enough, if we correlate those denied IPs across all those customers, we see that only 0.02% of those IPs attacked multiple customers.

 

In the top 30 IPs targeting multiple customers, two IPs generated most of the requests denied:

      A TOR exit node in Miami

      A Massachusetts based University

 

[Figure: Map.png]

How can Akamai help?

 

Akamai's Professional Services has been actively helping our customers to secure their web applications in order to maximize their World Cup investments.

 

Our event readiness and support approach has successfully supported all major global online events over the years. This approach is divided into the following stages:

      Event Preparation

            Capability assessment and contingency planning

            Implementation and tuning

            Escalation procedures

      Event Execution

            Pro-active alert/monitoring

            Live event support

      Post Event Wrap-up

 

Contact Akamai Professional Services today to arrange a technical call to discuss how Akamai can help protect you for any future event including holiday readiness campaigns.

 

This is a post from Patrice Boffa, senior director of global service delivery, and Sabrina Burney, solutions architect at Akamai.

