Under DDoS: Instant Access to Live Information


The following presentation uses data from an actual DDoS attack to demonstrate some of the more typical uses and benefits of Incapsula’s Real-Time Event Monitoring capabilities.

Published in: Technology, Business

  1. Real-Time Event Monitoring Under DDoS: Instant Access to Live Information
     Disclaimer: The following is a description of an actual DDoS attack against one of Incapsula’s clients. To demonstrate Incapsula’s new Real-Time reporting capabilities, this presentation makes use of actual screenshots and data from that event. Some facts, like IP and URL addresses, were altered to preserve anonymity.
  2. Incapsula: Maximum Security, Performance & Availability
     Through an application-aware Global CDN platform, Incapsula provides any website and web application with best-of-breed Security, DDoS Protection, Load Balancing & Failover solutions. Incapsula’s Real-Time Event Monitoring feature supports all of these services by providing Accurate Visibility of Layer 7 Traffic Flow.
     The following presentation uses data from an actual DDoS attack to demonstrate some of the more typical uses and benefits of Incapsula’s Real-Time Event Monitoring capabilities.
  3. It Starts with an Email Alert… (12:25:36 PM)
     The event starts with an email alert reporting suspicious activity on our client’s site. Incapsula’s Automated DDoS Protection was activated. Right now, the site is under attack.
  4. Real-Time: First Evaluation (12:26:02 PM)
     Incapsula’s Real-Time Monitoring is the next “go-to” spot.
     • Immediately you can see that Incapsula is blocking 515 malicious HTTP requests per second, which amount to 86% of all incoming traffic.
     • You can also see that response times of your servers are slightly higher than usual.
  5. Real-Time: Servers’ Health & Activity (12:26:07 PM)
     Using one of the available view options, you can now drill down to get a better picture of server health and load distribution. Both servers are active and the load distribution is even, which is good. The next step is to get more information about the DDoS offenders…
  6. Real-Time: DDoS Offenders’ Identity (12:26:13 PM)
     The Session Report shown here provides you with the information you need. You notice a suspiciously large chunk of traffic from outside the US. There is also an abnormally high percentage of “Firefox” visitors. Although they use browser user-agents, it looks like not all of them support JS or Cookies.
  7. Real-Time: Tracking of Attackers’ Movement (12:26:27 PM)
     The adjusted More button provides you with additional information about the offenders’ activity. When you use it to review the latest blocked sessions, you notice that they all share the same Entry Point: “/blog/”, an inactive, auto-generated URL.
  8. Real-Time: List of Attacking IPs (12:26:33 PM)
     By filtering the data stream to show only the Blocked traffic, you also get instant views of the Top 5 attacking IPs. The full list is accessible as well, with a click on the More button.
  9. Real-Time: Instant Access to Live Actionable Data
     Incapsula’s Real-Time Monitoring efficiently provides access to the most recent information about security events, incoming traffic and servers’ activity. In this case, literally in a matter of seconds, the website’s operator was able to collect all of the information he needed to understand and react to the attack, including:
     • Information about malicious traffic volumes
     • Information about the attack’s impact on availability
     • Status report of origin server health
     • Overview of server load distribution
     • Updated list of the spoofed user-agents
     • Latest information about the attacker’s point-of-entry
     • Updated list of attacking IPs
  10. Real-Time: Enabling Data-Driven Decision Making
     Incapsula’s Real-Time view provides accurate visibility into Layer 7 traffic. Access to this live data enables data-driven decision making, as each piece of data can be leveraged into tactical action that enriches and supplements Incapsula’s automated DDoS Protection and Load Balancing solutions. Explore this new screen to uncover more view options, which will support you through a diverse array of security and server management scenarios…
  11. Stay Safe
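
The signals reviewed in slides 4 and 6 to 8 (blocked share, traffic origin, user-agent mix, browser user-agents without JS or cookie support, shared entry point, top attacking IPs) can also be computed from raw layer 7 session records. The following is an added example, not code from the presentation or from Incapsula; the record field names and the sample data are constructed assumptions.

```python
from collections import Counter

BROWSER_UAS = {"Firefox", "Chrome", "Safari"}  # assumed user-agent families

def sample_sessions():
    """Constructed session records; field names are assumptions."""
    bots = [{"ip": f"198.51.100.{i % 7}", "country": "XX", "ua": "Firefox",
             "entry": "/blog/", "js": False, "cookies": i % 2 == 0,
             "blocked": True} for i in range(86)]
    humans = [{"ip": f"203.0.113.{i}", "country": "US",
               "ua": "Firefox" if i % 2 == 0 else "Chrome",
               "entry": "/", "js": True, "cookies": True,
               "blocked": False} for i in range(14)]
    return bots + humans

def pct(part, whole):
    """Whole-number percentage, 0 when there is no traffic at all."""
    return round(100 * part / whole) if whole else 0

def triage(sessions, top_n=5):
    """Summarise the signals reviewed in the slides from raw session records."""
    total = len(sessions)
    blocked = [s for s in sessions if s["blocked"]]
    entries = Counter(s["entry"] for s in blocked).most_common(1)
    # A browser user-agent that cannot run JS or keep cookies is a client
    # claiming to be something it is not.
    fake = [s for s in sessions
            if s["ua"] in BROWSER_UAS and not (s["js"] and s["cookies"])]
    return {
        "blocked_pct": pct(len(blocked), total),
        "non_us_pct": pct(sum(s["country"] != "US" for s in sessions), total),
        "ua_pct": {ua: pct(n, total)
                   for ua, n in Counter(s["ua"] for s in sessions).items()},
        "fake_browser_sessions": len(fake),
        "top_entry": entries[0] if entries else None,  # (path, blocked hits)
        "top_ips": Counter(s["ip"] for s in blocked).most_common(top_n),
    }

if __name__ == "__main__":
    for key, value in triage(sample_sessions()).items():
        print(f"{key}: {value}")
```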