
Stonefish – Automating DDoS Mitigation at the Edge


When operating a large global network that supports thousands of web applications and streaming media services, mitigating distributed denial-of-service (DDoS) attacks is part of our day-to-day operations. Having a resilient and intelligent DDoS mitigation platform is essential to the operation of our network and to the web services that depend on it.

To provide that protection, we developed Stonefish, our DDoS detection and mitigation platform that stops layer 3/4 attacks from impacting our customers’ web applications. Stonefish is the first layer of defense in Edgio’s holistic security solution at the edge, working 24x7x365, analyzing millions of packets per second, scoring them for threats, automatically taking action when necessary, and being monitored by our Support Team so they can perform additional analysis and mitigative action in real time if needed.

In conjunction with Edgio’s Web and API Protection (WAAP) solution, Edgio provides unified multi-layered security that runs on every server in our entire edge network. Edgio WAAP includes access control rules (ACL), API security, application layer DDoS protection, advanced bot management, custom security rules as well as managed security rules. Every request is processed by these layers of sophisticated security with minimal latency. We are proud to provide this to our customers as a one-stop shop to detect and mitigate layer 3/4 and 7 attacks for all web applications sitting behind our platform while improving the performance and reliability of their site via a single control panel.


Stonefish Design Goals

Stonefish is a DDoS mitigation platform purpose-built to protect our network and infrastructure and all of the critical customer services that run on it. We developed our DDoS security stack using a mix of open source and custom software that runs on every Point of Presence (PoP), allowing us to provide a highly scalable and automated DDoS platform that enhances the ability of our frontline Support Team to provide DDoS mitigation support.

We designed Stonefish to:

  • Detect and filter out bad traffic within seconds.
  • Defend against a broad range of DDoS attacks, from volumetric attacks to state exhaustion, across OSI layers 3 and 4 (layer 7 attacks are covered by our holistic WAAP).
  • Leverage our existing network architecture combined with software-defined detection and mitigation policies.
  • Be deployable via a cloud-based, single pane of glass control panel (with management APIs available).
  • Efficiently update rules and enforce policies globally across all of our PoPs in near real-time, in addition to rules automatically created on the fly in response to attacks.

Our efforts resulted in a fully automated system that detects and blocks the vast majority of DDoS attacks, providing enhanced security and peace of mind.

Stonefish Architecture

Taking a software-defined approach to Stonefish enables us to house our DDoS mitigation on our distributed infrastructure, enabling every PoP in our global network to function as a scrubbing center that can detect and filter out bad traffic. Stonefish is built with a modular software architecture, which allows us to easily add functionality to the system against an ever-evolving threat landscape without the use of any specialized hardware.

Stonefish leverages our massive global Anycast network. The globally distributed Anycast network enables us to route malicious traffic to the nearest PoP. This allows us to mitigate any attack at the edge near the source of the attack before it can reach a customer’s network and data center. The mitigation is seamless so most of the time, customers are unaware they are being attacked. Our services, meanwhile, are always on, using values such as the source IP address/port, destination IP/port, and packet fields to identify potential attacks and stop them before they can cause any damage.

Sampling and Scoring

All incoming network traffic is sampled and analyzed by Stonefish. A scoring system is used to determine the severity of maliciousness and automatically block bad traffic. The results of the analysis are also sent to our 24x7x365 SOC and evaluated if further action is needed. Here’s how it works.

  1. A client sends a request for content to an Internet-facing application.
  2. Our router receives the request and routes it to our load-balancing infrastructure.
  3. A sample of the traffic is sent from the load balancers to Stonefish.
  4. Stonefish analyzes and scores the traffic.
  5. If malicious traffic is identified, Stonefish sends instructions to the load balancer to drop the traffic based on the signal identified by Stonefish.
  6. Edgio’s SOC is notified of an attack and will follow up if further action is needed.


Enhancement to Stonefish

We’ve recently enhanced our distributed search and analytics engine to use Elasticsearch, which now powers the “brain” of Stonefish. Elasticsearch data is continually analyzed for changes to packet metrics by a custom software application. Our software retrieves scores for time intervals and compares them to previous intervals, looking for anomalous or out-of-bounds changes. Each protocol, such as TCP, UDP, or ICMP, has its own custom query and detection logic for the most accurate identification possible. In addition, we’ve been investing in XDP (eXpress Data Path) technology over the last few years and have moved our packet sampling into the XDP layer. We have also leveraged the high-performance, programmable data paths in XDP to drop attack packets more effectively.
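The sampling-and-scoring flow above and the interval comparison described in this section, shown as an added example (not Stonefish code): each protocol’s packet rate for the current interval is compared against a rolling baseline of previous intervals, and an interval that departs far enough from that baseline yields a “drop” signal of the kind step 5 sends to the load balancer. The sample intervals, the window size and the thresholds are constructed assumptions for illustration.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed sample: sampled packet counts per protocol for consecutive
# fixed-length intervals. A UDP surge starts in the second-to-last interval.
SAMPLE_INTERVALS = [
    {"tcp": 120_000, "udp": 30_000, "icmp": 500},
    {"tcp": 125_000, "udp": 28_000, "icmp": 480},
    {"tcp": 118_000, "udp": 31_000, "icmp": 520},
    {"tcp": 122_000, "udp": 29_500, "icmp": 510},
    {"tcp": 121_000, "udp": 30_500, "icmp": 495},
    {"tcp": 124_000, "udp": 900_000, "icmp": 505},    # UDP surge begins
    {"tcp": 123_000, "udp": 1_400_000, "icmp": 515},  # surge sustained
]

class IntervalScorer:
    """Per-protocol rolling baseline; scores each new interval against it.
    Thresholds are illustrative assumptions, not the platform's values."""
    def __init__(self, window=5, min_ratio=3.0, min_pps=100_000):
        self.window = window        # how many past intervals form the baseline
        self.min_ratio = min_ratio  # current / baseline must reach this to flag
        self.min_pps = min_pps      # ignore small absolute counts (e.g. ICMP noise)
        self.history = {}           # protocol -> deque of past interval counts

    def score(self, counts):
        decisions = {}
        for proto, pps in counts.items():
            hist = self.history.setdefault(proto, deque(maxlen=self.window))
            if len(hist) < 3:               # not enough history to judge yet
                decisions[proto] = ("learning", None)
            else:
                baseline, spread = mean(hist), pstdev(hist)
                ratio = pps / baseline if baseline else float("inf")
                z = (pps - baseline) / spread if spread else float("inf")
                anomalous = pps >= self.min_pps and ratio >= self.min_ratio and z > 3
                decisions[proto] = ("drop" if anomalous else "allow", round(ratio, 2))
            if decisions[proto][0] != "drop":
                hist.append(pps)            # keep attack intervals out of the baseline
        return decisions

def run_sample(intervals=SAMPLE_INTERVALS):
    scorer = IntervalScorer()
    return [scorer.score(c) for c in intervals]

def drop_signals(results):
    """(interval index, protocol) pairs that would be sent as drop instructions."""
    return [(i, p) for i, r in enumerate(results) for p, (d, _) in r.items() if d == "drop"]
```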


How Our SOC and Stonefish Work Together

Stonefish is one of many tools our SOC uses to monitor our applications from a security and performance point of view. It is built into a dashboard that alerts our Support Team of sophisticated attacks in real time. While Stonefish blocks DDoS attacks automatically, it is also configured to alert for anomalies, which engages our SOC specialists to investigate and take action.

DDoS mitigation is included in every one of our service plans. Customers can access our Support Team for DDoS assistance by phone or email 24x7x365. Enhanced support and escalations for DDoS attacks do not require specialized security service rates or tiers, including proactive mitigation and customer support in the case of DDoS ransom. Edgio does not charge more if you’re under attack either, offering our customers predictable pricing (and no surprise charges).


Stonefish Prevents Massive DDoS Attack

On June 14th, 2022, Edgio prevented a large DDoS attack measuring ~176 million packets per second (Mpps) which targeted a multinational e-commerce client based in Asia. The attack lasted about 30 minutes and originated from the EU; our Anycast network quickly spread the load and mitigated the attack within the EU region despite the customer’s infrastructure being located in Asia.

A few weeks later, Stonefish detected and stopped an attack double this size, approximately 355 Mpps; the customer, a leading French organization, was unaffected. That attack was about half the size of the largest ever recorded DDoS attack when measured in Mpps.

Despite the massive size of this attack, it was a non-event for our client which saw no impact on its origin as Edgio’s network absorbed 100% of the attack traffic. Our 24×7 SOC notified the client to make them aware even though no action was necessary from them. Edgio has 250 Tbps of bandwidth capacity and is one of the only edge platforms in the market to provide a fully comprehensive application security and L3/4/7 DDoS protection, supported by our managed security team and 24×7 SOC.


Conclusion

As one of the largest global edge-enabled security platforms that processes over 4% of all Internet traffic, we defend and mitigate DDoS attacks against thousands of customer websites daily.

DDoS mitigation is only one layer in an effective security defense, but it remains an essential one. We built Stonefish to automatically defend our customers’ web applications from layer 3 and 4 attacks by integrating an intelligent software stack on our massive network edge that can detect and mitigate these threats. Working in conjunction with our service teams, customers have proactive DDoS support that can work with them to block DDoS attacks at all layers.

If you’re interested in learning more about how Edgio can help your organization strengthen its cybersecurity posture, please contact us today to schedule a comprehensive assessment with one of our experts.