When we reviewed Kentik Detect last year, the main issue we had with the product was its alerting feature. In the time since then Kentik has not only improved on this feature, but they’ve added more functionality to it too. In this review we’ll cover how you can use Kentik’s Alerting feature to detect and prevent DDoS attacks.
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources, often compromised through the use of malware or trojans. More than 2000 daily DDoS Attacks are observed worldwide according to Arbor Networks, and they account for 1/3 of all downtime incidents. This is a pretty serious problem!
Policy & SQL based Alerting
Alerts can be configured in a Policy and/or SQL-based fashion. The former allows users to build alerts by filling in a form. The latter as the name suggests, allows users to build alerts through SQL queries.
If you don’t have any SQL experience, don’t worry you won’t need to become an SQL expert to use this feature. While the Policy option might be easier to use, rest assured it certainly does not lack in function or power.
In order to cater for the majority of readers, this post will cover Policy based alerts. If you would like to read more about SQL alerting, Kentik has detailed documentation and examples in their Knowledge Base.
Kentik Alert Library
When I’m using a new product or feature, the first thing I look for is the documentation as well as configuration examples. Kentik does a fantastic job of providing both of these things through their Knowledge Base and Kentik Alert Library respectively.
The Alert Library, a subset of which is shown in the image below, provides ready to use alerts for the most common events. Using them means you’re able to start alerting instantly without having to write your own policies.
If you find that the default policies don’t quite hit the nail on the head, clicking the ‘Copy’ button in the ‘Action’ column allows you to make a copy of the policy and modify it to your heart’s desire.
Custom and copied Alert Library policies are created, modified and enabled/disabled on the Alert Policies page, as depicted below.
Components of an Alert Policy
Both the Kentik Alert Library and Alert Policies pages give us a 10,000 foot view of what each policy does through their ‘Dimensions’ and ‘Metrics’ columns. If you want finer details you can obtain them simply by editing the policies.
Let’s use the UDP BADPORTS ATTACK policy (which we saw in the first image of this article) as an example. Its description tells us: ‘Attack of significant BPS on known attack vectors’. How does it do this though? Well, there’s only one way to find out. Let the editing begin!
As we can see in the alert details, it’s possible to specify the devices to which it applies; the query, defined using multiple dimensions (e.g. interface, destination, etc.); and the filters. For those who are new to Kentik, please see our Kentik Detect Review for more information on Dimensions and Filters.
Finding the details of a filter is as easy as hovering your mouse pointer over it:
Now that we know what information the alert is checking, let’s now discuss alert thresholds and the actions the system takes when thresholds are breached.
The main panel consists of the following sections:
- General Settings
- Historical Baseline Settings
Let’s now take a quick look at how these sections are configured for the ‘UDP BADPORTS ATTACK’ alert.
Note: I’ll avoid dissecting each option in the images above because Kentik’s documentation already does this in detail.
In the above images, we see that Kentik has given users the ability to set escalating thresholds. This not only provides a massive amount of flexibility in regards to notifying the relevant stakeholders depending on the severity of the breach, but it also allows you to implement mitigative actions if so desired as covered in the next section.
Kentik Alerting for DDoS Protection
The mitigation option provided with each threshold allows users to protect their networks from DDoS attacks. From blackholing routes using Remotely-Triggered Black Hole (RTBH) to redirecting traffic to appliances from vendors like Radware and A10, Kentik is able to automate the implementation and reversal of these measures during the breach and after it respectively.
It is this automation that really makes the tool really powerful. Having your network automatically defend itself is a huge benefit which will result in countless hours of saved engineering time and effort. That time and effort can be put to better use than spending on manually defending against DDoS attacks.
DDoS threat is real and out there, so it has to be taken seriously into account. Many tools are trying to solve the problem. Kentik has a powerful alerting feature that can help engineers in automating the detection and mitigation of an attack.
What we liked the most is the ability to configure a mitigation that fires automatically when the attack is detected based on the configured thresholds. The mitigation platform could be a Remotely Triggered Black-Hole routing (RTBH) or a third party system like Radware DefensePro or A10 Thunder TPS. A mitigation method can be configured to be run on the selected mitigation platform.
The benefit of an automated in-house solution is definitely the reduced cost; it is just a fraction of a service such as DOSarrest or Verisign. Having the option of setting your own policies and threshold allows a great customization of your reaction to a possible DDoS attack.
What we would like to see in future releases is some embedded examples of integration with third parties mitigation tools. As mentioned, Kentik Detect enables integration with systems such as Radware DefensePro or A10 Thunder TPS. The third-party system is added as a new mitigation platform and configured as a mitigation method, after which it can be added to a threshold in an alert policy. Kentik recommends to contact the Support team for this integration, so it would be nice to have a ready-to-use example as a starting point.
Note that Kentik’s alerting functionality isn’t just useful for DDoS, though that’s the focus of today’s review. It can also be used for many network operations cases. We will possibly explore those use cases in a future review.
In summary, Kentik alert is definitely a great tool to have in every production environments to quickly react and mitigate DDoS attack. You can never have enough security for modern networks, so being ready for the worst case scenario helps in limiting the impact of any attack.