ThousandEyes provides monitoring of DDoS attacks as they occur by visualizing their impact on applications and networks from multiple vantage points. This allows organizations to see how well their DDoS mitigation services are performing and where traffic is being routed. A major US bank uses ThousandEyes to monitor their Akamai/Prolexic prefixes and ensure quick migration of traffic if their infrastructure comes under attack. ThousandEyes also monitors DDoS mitigation providers to ensure smooth traffic routing and optimal performance during attacks.

1. DDoS Incident Monitoring
Solution Use Case
OVERVIEW
DDoS (Distributed Denial of Service) is a malicious attack against an organization's network,
application/website or services essentially rendering those resources unavailable. Cyber criminals
use multiple methods to carry out these attacks. For example, in 2018, one of the largest attacks
saw a 1.4 Tbps flood of traffic aimed at Github’s website, taking it offline briefly. When these
attacks occur the consequences vary. In 2017 it was estimated that the average cost of a DDoS
attack was approximately $2.5 million USD. But it’s more than just financial; in today’s social
climate, brand recognition and loss of consumer trust have a huge impact on a business.
It is important an organization is be able to identify, detect and protect against these attacks.
Many organizations have traditional network monitoring solutions in place which can identify
anomalies such as an increase in throughput or bandwidth consumption over their network.
Organizations may also employ the services of a DDoS mitigation provider, for example, Neustar,
or Akamai/Prolexic. The provider will use a number of strategies to mitigate the attack including
redirecting the organization’s traffic through its own network (scrubbing centers) to remove the
malicious traffic. Organizations may subscribe to a service in which they are always monitored
and protected (always-on) or to which traffic is redirected only when they are under attack.
HOW THOUSANDEYES IS RELEVANT
ThousandEyes provides an external perspective into an application's performance, monitoring
DDoS attacks while in progress. ThousandEyes visualizes the impact of an ongoing DDoS attack,
shows the effectiveness (or otherwise) of the response and records performance data for real-time
sharing and detailed forensics.
ThousandEyes makes it easy to understand the impact of a DDoS attack on the digital experience
as well as the improvement delivered by DDOS detection and mitigation services while the attack
is in progress, specifically:
• Clearly track the impact of DDoS attacks to see what is being stressed: DNS, ISP networks,
edge routers or an overloaded application server.
• Identify underperforming elements within your cloud mitigation provider such as overloaded
scrubbing centers or misrouted traffic.
• Easily correlate this information against baseline traffic behavior, compare time periods and
save data for later forensics.
The figure above shows BGP path changes made to mitigate the DDoS against Github. Dotted
red lines donate paths withdrawn, while solid red show new advertisements. The figure shows
traffic being switched to Prolexic for scrubbing. (Note: only three BGP monitors shown to reduce
diagram complexity).
© Cisco Systems, all rights reserved. Version 2.0. March ’21. Author: Bob P. boporter@cisco.com
ThousandEyes
Partner
CDX

2. Solution Use Case - DDoS Incident Monitoring
Page 2
CUSTOMER USE CASE EXAMPLE
A major US bank runs BGP tests to monitor their Akamai/Prolexic prefixes to ensure availability
for a quick migration of traffic in the event of an attack against their infrastructure.
The benefit of this is the bank can see if their mitigation provider successfully moves their traffic
and allows them to restore connectivity and performance.
Additionally, several DDoS mitigation providers are customers of ThousandEyes. They use
ThousandEyes to monitor and optimize their DDoS Infrastructure. It’s important for them to make
sure migrations are smooth, paths are optimal and customer performance is maintained.
FAQ
How are you able to detect a DDoS attack?
ThousandEyes customers monitor their end customer-facing services from many vantage points
across a region or the globe. A key characteristic of a DDOS attack is the simultaneous degradation of
service as seen from many of these vantage points together.
Are you able to show the before, during and after a DDoS attack for forensic purposes - may
affect your compliance posture?
Yes. Since ThousandEyes provides the ability to navigate test results forwards and backwards in time,
this can readily be done. The ability to generate snapshots of data across a time duration for later
offline review is also key.
Do you have to set up separate tests to identify when an attack is occurring and how it impacts
different assets?
Essentially, no. Since ThousandEyes users are usually already testing end-customer facing assets
from a geographically dispersed set of cloud agents the affects of a DDOS attack will be captured.
However, customers may elect to setup tests to mitigation providers to ensure timely availability.
Finally, customers may decide to run BGP monitoring tests for their entire address space in the case
their app-related tests don’t cover the full space. This BGP monitoring aids the monitoring of DDOS
mitigation response.
ADDITIONAL REFERENCE MATERIAL
• Blog post: How GitHub Successfully Mitigated a DDoS Attack
• Blog post: Neustar Protects Digital Businesses using ThousandEyes
• Background info: Understanding DDoS
ThousandEyes
Partner