Network security is an increasingly difficult challenge. Distributed denial of service (DDoS) and other network-based attacks continue to grow in size and sophistication. In particular, the number of compromised devices that form the botnet launching the attack, and the attack logic used to circumvent attack counter-measures, have made these attacks more virulent. It is no longer feasible to simply absorb attacks or wait them out.
Absorbing attacks involved creating a large enough distribution platform with resources sufficient to respond to valid traffic as well as invalid attack traffic. In other words, absorption involved providing enough capacity or supply to exceed the extra load or demand created during an attack.
Content delivery networks (CDNs) provide such a large distributed platform. CDNs operate multiple points-of-presence (PoPs) in different regions. Each PoP has multiple servers that respond to client requests and serve the requested content on behalf of different content providers.
Even with a vast deployment of PoPs and servers, botnet size has increased past the point of the CDN being able to simply absorb the amount of traffic coming from the botnet. In other words, a botnet is no longer some small set of devices that can be easily detected as sending illegitimate traffic. Botnets are large enough and involve so many different devices that it is extremely difficult to differentiate the attack traffic from actual user valid traffic.
Accordingly, there is a need for robust network attack detection and mitigation. With respect to attack detection, there is a need to quickly identify signatures of an attack localized on a specific region or PoP before that attack compromises performance in that region and before it spreads to other regions or PoPs. In other words, there is a need for localized or distributed attack detection, and for leveraging that detection to initiate global or platform-wide attack protections in advance of the attack cascading across the platform.
There is also a need to maintain a near real-time comprehensive view of the entire distributed platform in order to detect attacks focused not on any given region but on the distributed platform as a whole. In other words, there is a need for global attack detection whereby the accumulation of attack traffic at any one PoP may not meet attack thresholds, but the aggregate amount of attack traffic received across all PoPs of the distributed platform is sufficient indicia of an attack.
In all such instances, there is further a need for rapid automated mitigation of any detected localized or distributed attack. To this end, there is a need for the distributed platform to autonomously implement counter-measures that correctly target and block the illegitimate attack traffic from wasting server resources while permitting legitimate user traffic through to the servers for a response.
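The two detection modes described above (a localized per-PoP threshold that triggers platform-wide protection, and a global aggregate threshold that fires even when no single PoP is over its limit) can be illustrated with a small detector over per-PoP request counts. The following is an added example written for this page, not code from the original text or from any CDN operator; the PoP names, source addresses, request counts and both thresholds are constructed values chosen so that one source trips only the local check and another trips only the global check.

```python
from collections import defaultdict

# Assumed thresholds (illustrative, not values from the page):
LOCAL_THRESHOLD = 100    # requests/sec from one source seen at a single PoP
GLOBAL_THRESHOLD = 250   # requests/sec from one source summed across all PoPs

# Constructed one-second sample: {pop_name: {source_address: request_count}}.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_WINDOW = {
    "pop-east": {"198.51.100.7": 120, "203.0.113.5": 40, "192.0.2.9": 3},
    "pop-west": {"203.0.113.5": 95, "192.0.2.9": 2},
    "pop-eu":   {"203.0.113.5": 90, "192.0.2.9": 4},
    "pop-asia": {"203.0.113.5": 60},
}


def detect_local(window, threshold=LOCAL_THRESHOLD):
    """Localized detection: sources whose count at any single PoP exceeds the threshold.

    Returns {source: [pops where it tripped the local threshold]}.
    """
    hits = {}
    for pop, sources in window.items():
        for src, count in sources.items():
            if count > threshold:
                hits.setdefault(src, []).append(pop)
    return hits


def detect_global(window, threshold=GLOBAL_THRESHOLD):
    """Global detection: sources whose aggregate count across all PoPs exceeds the threshold.

    Catches attacks that stay under the local limit at every PoP but add up platform-wide.
    Returns {source: aggregate_count}.
    """
    totals = defaultdict(int)
    for sources in window.values():
        for src, count in sources.items():
            totals[src] += count
    return {src: total for src, total in totals.items() if total > threshold}


def mitigation_plan(window):
    """Combine both detectors.

    A source flagged by either detector is blocked platform-wide, so a signature
    first seen at one PoP is acted on everywhere before it cascades.
    """
    local_hits = detect_local(window)
    global_hits = detect_global(window)
    blocked = sorted(set(local_hits) | set(global_hits))
    return {
        "block_platform_wide": blocked,
        "local_hits": local_hits,
        "global_hits": global_hits,
    }


if __name__ == "__main__":
    plan = mitigation_plan(SAMPLE_WINDOW)
    print("local hits :", plan["local_hits"])
    print("global hits:", plan["global_hits"])
    print("block everywhere:", plan["block_platform_wide"])
```

In the constructed sample, 198.51.100.7 sends 120 requests to pop-east alone and is caught by the local check, while 203.0.113.5 stays below 100 at every PoP but sums to 285 across the four PoPs and is caught only by the aggregate check; the low-volume 192.0.2.9 passes both and keeps being served. In a real deployment the per-PoP counts would be reported to a central aggregator at short intervals so the global view stays near real-time.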