Behavior analysis techniques in DDoS mitigation
There are two major schools of thought in the practice of DDoS mitigation: signature-based versus heuristic (behavior-based) filtering. Signature-based filtering is the most common method: it detects an attack by matching traffic against the attack's predetermined "fingerprint" and blocks the traffic on that basis. While highly efficient against known attacks, this approach cannot mitigate "zero day" (brand new) attacks in real time, because no fingerprint exists for them yet.
Network Behavior Analysis (NBA), one primary method used by Black Lotus, builds an image of known valid traffic patterns and analyzes any traffic that does not match the expected behavior. When traffic is abnormal, the NBA systems must determine whether the abnormality is organic in nature (for example a legitimate surge in visitors) or the result of a DDoS attack. When it is determined that the spike could not have occurred as the result of organic changes in traffic patterns, the traffic is temporarily blocked.
Human Behavior Analysis (HBA), a patent-pending method by Black Lotus, applies similar concepts to Layer 7 traffic. When a Layer 7 request is received by a Black Lotus proxy system, deployed either as a remote proxy or as a local web application firewall (WAF), it is inspected to determine whether the request originated from an actual human. The Black Lotus systems maintain intelligence on the expected request patterns and are able to block requests that do not match the expected behavior. Using this logic, even a single malicious request can be identified as coming from a member of a botnet. This information is then used to augment the NBA methods and form a more effective DDoS mitigation system.
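As an added illustration of single-request Layer 7 inspection (example code written for this page, not Black Lotus's patent-pending method or the rules their proxy uses), the block below parses a raw HTTP/1.x request, compares it with a profile of what a browser-driven request looks like, and returns a verdict with the reasons behind it. The profile (the header set a browser sends, the consistency between a browser User-Agent and the rest of the request, and a list of tool User-Agent strings), the scoring weights, the threshold and the three sample requests are all assumptions constructed for the example.

```python
"""Toy Human Behavior Analysis (HBA) check on individual HTTP requests.

Added example (not Black Lotus code). The profile, weights and requests are assumptions.
"""
import re

# Assumption: headers a mainstream browser sends with every page request.
EXPECTED_HEADERS = ("host", "user-agent", "accept", "accept-language", "accept-encoding")
TOOL_UA = re.compile(r"(?i)python-requests|python-urllib|curl/|wget/|libwww|go-http-client|java/")
BROWSER_UA = re.compile(r"^Mozilla/")
BLOCK_THRESHOLD = 5  # assumption: scores at or above this are treated as non-human


def parse_request(raw):
    """Minimal HTTP/1.x parser: request line plus headers; the body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def score_request(req):
    """Return (score, reasons) measuring how far the request is from the browser profile."""
    h = req["headers"]
    score, reasons = 0, []
    for name in EXPECTED_HEADERS:
        if name not in h:
            score += 2
            reasons.append(f"missing {name}")
    ua = h.get("user-agent", "")
    if TOOL_UA.search(ua):
        score += 4
        reasons.append("tool user-agent")
    if BROWSER_UA.match(ua):
        # The request claims to come from a browser: check the claim is internally consistent.
        if req["version"] == "HTTP/1.0":
            score += 2
            reasons.append("browser UA over HTTP/1.0")
        is_page = req["target"].endswith("/") or req["target"].endswith(".html")
        if is_page and "text/html" not in h.get("accept", ""):
            score += 2
            reasons.append("page request without text/html in Accept")
    return score, reasons


def inspect(client, raw):
    """Inspect one raw request from `client` and return the verdict with its reasons."""
    score, reasons = score_request(parse_request(raw))
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"client": client, "verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/90.0 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n"
)
SCRIPT_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: python-requests/2.31.0\r\n"
    "Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"
)
SPOOFED_REQUEST = (  # claims a browser UA but sends nothing else a browser would
    "GET / HTTP/1.0\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0\r\n"
    "Accept: */*\r\n\r\n"
)


def demo():
    return [
        inspect("198.51.100.10", BROWSER_REQUEST),
        inspect("198.51.100.11", SCRIPT_REQUEST),
        inspect("198.51.100.12", SPOOFED_REQUEST),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result["client"], result["verdict"], result["score"], result["reasons"])
```

Each verdict carries its reasons so that a blocked client can be fed back into the network-layer view (the NBA side) as a known botnet member rather than just dropped silently. Header checks of this kind are cheap and catch unsophisticated floods; an attacker who replays a full browser header set defeats them, which is why a production system also has to look at request sequences and timing rather than one request in isolation.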
Figure 1. An illustration of the OSI model differentiating Layer 4 and Layer 7 DDoS attacks.
Figure 2. Why traditional DDoS mitigation solutions have difficulty tackling the Layer 7 problem.
Fact: Modern DDoS mitigation solutions cannot effectively stop Layer 7 attacks.
The first DDoS attacks in 1999 targeted TCP and UDP services at the transport layer, an insidious threat to an internet in the midst of the ".com boom." Despite several CERT advisories, few understood the severity of the budding attacks that now represent one of the most dangerous threats to public infrastructure. Forward-thinking companies began developing products and services that tackled this "Layer 4 problem," referring to the transport layer of the Open Systems Interconnection (OSI) model, where TCP and UDP operate. Black Lotus, on the other hand, began working on Layer 4+7 strategies, incorporating the application layer, which deals with protecting applications against application-specific threats to availability.
Ten years later, in 2009, the first Layer 7 attacks hit the internet like wildfire, taking even protected companies offline. Larger companies and those using CDNs were able to absorb the impact of this threat, though at a very significant cost. Testing by Black Lotus revealed that no DDoS mitigation appliance available to the public would defeat this threat. The concept of Human Behavior Analysis (HBA) was born.