This blog post is a follow-up to our recent post, “Announcing Upgraded and More Secure Prolexic Attack Reports,” and here we’ll take a deeper dive into one aspect of that announcement. Namely, we’ll explain in greater detail the two new categories of advanced forensics data in Prolexic attack reports: packet capture (PCAP) and top Source IPs (SIPs).
After a DDoS attack, our Prolexic customers want to know as much as possible about the attack, and so we’re constantly trying to improve attack reports to display the information they need. One request we hear frequently is that customers want more data about the attribution of the attack and details of the payload.
Introducing PCAP and SIPs
To deliver on this request, on May 17th we introduced PCAP files and top Source IPs into Prolexic attack reports. These reports are found in the Routed Events portal within the new Akamai Control Center (the next generation of the Luna interface).
- PCAP data lets customers see a small sample of the actual packets traversing Akamai's scrubbing center during the attack. Since it allows a view into unencrypted payloads, this data can be useful for understanding vectors and for attribution.
- SIP data lets customers know the top-volume connections during the attack. This data can assist with understanding how much volume each source was delivering and can also help with attribution as well as possible regional impact(s).
While PCAP and SIP data points have traditionally been manually captured and shared on request, their new appearance in your attack reports should make for a more reliable means of exposing this important information to your internal teams for additional post-attack triage.
How it works
When Prolexic detects a likely DDoS attack on your systems, it will trigger a PCAP collection for the relevant destination IP from the relevant scrubbing center. Prolexic will also internally query Akamai’s proprietary flow telemetry system to see the top SIPs hitting that destination IP in the relevant scrubbing center; all of this information then appears in your attack report. These records are subsequently encrypted, transmitted, and stored for 90 days.
From your Routed Events screen in Security Center click into an attack report. You will see a new button, “Get PCAP/SIPs”.
Click this button and then select your desired record based on location, timestamp, and/or record type. Here’s what that selection window looks like:
If you select a PCAP, you’ll need to open it using a PCAP reader such as Wireshark, which will look like this:
If you select a JSON, you can read the raw file, but we suggest opening it in a JSON viewer such as Code Beautify or something similar. That will give you a view like this:
- Neither the PCAP nor SIP records are filtered exclusively to malicious actors; the records represent all traffic traversing the Akamai scrubbing network during the event.
- Using these records as a source for blocking IP addresses without additional research could result in blocking legitimate user or partner traffic.
- The SIP information is sampled, and only includes the top 100 source IPs, so it is not meant to be exhaustive.
- Similarly, the PCAP information is a small snippet of representative traffic near the time of detection, not a full record.
We hope that this new PCAP and SIP advanced forensics data will help you further strengthen your security stance. Meanwhile, we will continue striving to constantly improve Prolexic’s product and customer experience.
Craig Sparling is a senior product manager at Akamai Technologies.