
Introducing Network Traffic Profiling in Prolexic

March 4, 2019 · by Craig Sparling

Akamai’s Prolexic Routed is a powerful DDoS defense that protects your data center infrastructure against large, complex attacks.

One of the advantages of being protected by Prolexic Routed is that you can get deep insight into the traffic traversing Akamai’s DDoS scrubbing network. Many Prolexic customers—often large enterprises with highly complex network footprints—have told us that Akamai is the only platform that lets them see all traffic across their networks. For many customers, this traffic data can be extremely valuable in making decisions regarding IP allocation, ACL configuration, threat research, and more. Customers’ desire for such visibility was the driver behind today’s introduction of a superior level of network traffic profiling we call the Routed Profiles report.

As of today, all Prolexic Routed customers have access to the Routed Profiles report. It lets you see what type of traffic traverses Akamai’s DDoS scrubbing center network for any security configuration or shortname, protected subnet, or IP address. Every subnet routed through Prolexic gets a full network traffic profile, which is especially valuable for customers deploying Prolexic Routed in an “Always On” posture.

Here’s a sample use case: if you want to know whether it’s safe to block all UDP traffic to a subnet that you believe to be HTTP-only, the Routed Profiles report can verify that there isn't some unknown service waiting to cause you an issue when the block is put in place.

The same kind of check applies to other likely attack vectors, and the profile data can also guide the deployment of Prolexic’s proactive mitigation controls.

Ready to take a look for yourself? Just log into the Akamai Luna Control Center and you’ll find the Routed Profiles report in the analysis section of Akamai Security Center. We think you’ll like what you see.

How to use the Routed Profiles report

1. When you open the Routed Profiles report, the default view will load with yesterday's traffic for one policy domain.

2. At this point, you can customize the report by (each item is noted in the screenshot below):

A. Day or week
B. Period starting date
C. Specific network, whether that’s a policy domain, a protected subnet, or a CIDR
D. Whether you'd like to see traffic before or after it passes through the DDoS scrubbing/mitigation network

(Screenshot: dashboard)

3. For any of the available dimensions, you can see a breakdown of traffic by percentage, starting with a visual of how dominant the top five are. For example, in this slice of the screenshot above, you can see that TCP has the highest traffic percentage (84%), followed by UDP (12.4%), and so on:

(Screenshot: top five)

4. You also can click into any dimension to get a breakout by bytes or packets seen during the time window. In this dimension panel you can (each item is noted in the screenshot below):

A. View traffic types on that dimension via bytes or packets, and choose to sort by either.
B. Hover over any dataset to see the details and percentage of traffic represented.
C. Download the data to a CSV.
D. Load more to expand beyond the first set of displayed results.

(Screenshot: dashboard 2)

Two caveats about the Routed Profiles report:

  • For each dimension, we have a limited number of results. For example, we will show the top 10 source IPs during the period; we will not show ALL source IPs. However, for other dimensions—such as protocol, for which there is usually a rather limited number of results—the list will often be exhaustive.

  • All of the data driving these reports is sampled. The data is meant to help you understand the most common usage of your network. Thus, an entry not appearing in a dimension’s list does not definitively mean there was zero traffic matching that entry in the period.

    • Simple example: A source IP not being on the list may simply mean it wasn't in the top 10.

    • Advanced example: ICMP not appearing on the protocols list may mean there was so little ICMP traffic that none of it happened to be caught in a sample; it does NOT necessarily mean that zero ICMP traffic reached your network.
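As an added example (not code from the post or from Akamai), here is the pre-block check from the use case above applied to a CSV export, with the sampling caveat built into the verdict. The column layout, the sample rows and the 1-in-N packet-sampling model are all assumptions; the post does not describe the export format or Akamai’s sampling method.

```python
"""Pre-block sanity check over a constructed Routed Profiles-style CSV export."""
import csv
import io

# Constructed sample export (assumed layout): one dimension, bytes and packets
# seen in the window. Byte shares come out as TCP 84.0%, UDP 12.4%, like the post.
SAMPLE_CSV = """dimension,value,bytes,packets
protocol,TCP,8400000,6100000
protocol,UDP,1240000,1400000
protocol,GRE,300000,180000
protocol,ESP,60000,40000
"""


def load_dimension(text, dimension):
    """Return {value: (bytes, packets)} for one dimension of the export."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        if r["dimension"] == dimension:
            rows[r["value"]] = (int(r["bytes"]), int(r["packets"]))
    return rows


def share_percent(rows, metric="bytes"):
    """Percentage breakdown by bytes or packets, as the dashboard shows it."""
    idx = 0 if metric == "bytes" else 1
    total = sum(v[idx] for v in rows.values())
    return {k: round(100.0 * v[idx] / total, 1) for k, v in rows.items()}


def block_verdict(rows, protocol):
    """'observed' if the protocol carried sampled traffic, else 'unobserved'.

    'unobserved' is not proof of zero traffic: the data is sampled and each
    list is capped, so read it as 'no evidence in this sample' before blocking.
    """
    return "observed" if protocol in rows else "unobserved"


def miss_probability(packets, sample_rate):
    """Chance that a flow of `packets` packets leaves no sample at all under
    1-in-`sample_rate` packet sampling (assumed model, not Akamai's method).
    A small flow can easily be absent from the report without being absent
    from the network."""
    return (1 - 1 / sample_rate) ** packets
```

Run `block_verdict(load_dimension(SAMPLE_CSV, "protocol"), "UDP")` before deciding on a UDP block; an "unobserved" result for a protocol still warrants a second look at a longer window.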

Craig Sparling is a senior product manager at Akamai Technologies.