
Attack detection

Attack detection is a critical part of DDoS mitigation, as it allows you to identify and respond to attacks before they cause significant damage. This process depends on developers instrumenting their applications, and on operators monitoring the system and responding to alerts.

Instrumentation

Instrumentation is the process of adding code to an application to collect data about its current state (e.g. resource utilisation) and behaviour (e.g. error rates). This data can be used to detect traffic surges and to tell legitimate traffic apart from malicious traffic.

This data, known as telemetry data, should focus on the business logic of the application rather than on the underlying infrastructure (e.g. CPU usage): a rise in CPU usage shows that something is happening, but only application-level data, such as the number of accounts created per client address, can show whether that traffic is legitimate. Telemetry data comprises:

  • Logs: Textual records of events, errors, and debugging information.
  • Metrics: Numerical data about the application’s state, such as the number of accounts created in the last hour.
  • Traces: Data about the flow of requests through the application.

OpenTelemetry is a popular, vendor-neutral standard (with SDKs for most languages) for collecting all three kinds of telemetry data.

Monitoring and alerting

Operators should monitor telemetry data from the application and from the rest of the infrastructure (e.g. reverse proxies) for indications of an attack. They should also configure alerts so that they are notified when unusual activity is detected, including budget alerts, since an attack absorbed by elastic infrastructure still consumes paid resources and can cause unexpected costs.
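The two halves described above, developer-side instrumentation of a business-level metric and an operator-side alert rule that tells a legitimate surge from a single-source burst, as an added example that is not part of the original page. The `Telemetry` class stands in for an OpenTelemetry counter, `create_account` is a hypothetical application handler, the detection thresholds are illustrative, and the traffic timeline (including the addresses and timestamps) is constructed for the example.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # unix time in seconds
    metric: str   # business-level metric name, e.g. "accounts_created"
    source: str   # client address as seen by the reverse proxy (assumed already resolved)


class Telemetry:
    """Stand-in for an OpenTelemetry counter (assumption: not the real SDK). It keeps
    every increment so the monitoring side can recount events over any window."""

    def __init__(self):
        self.events = []

    def increment(self, metric, ts, source):
        self.events.append(Event(ts, metric, source))


def create_account(telemetry, ts, source_ip, email):
    """Hypothetical application handler, instrumented with a business metric
    (how many accounts were created, and by whom) rather than an infrastructure one."""
    account = {"email": email, "created_at": ts}   # real persistence omitted
    telemetry.increment("accounts_created", ts, source_ip)
    return account


def detect_surges(events, metric, window=60, history=5, factor=4.0,
                  min_count=20, concentration=0.5):
    """Operator-side alert rule (illustrative thresholds).

    Buckets `metric` events into fixed windows and compares each window with the
    mean of the last `history` normal windows. A window is flagged when its count
    is at least `min_count` and more than `factor` times that baseline:
      "attack" if a single source produced >= `concentration` of the window's events,
      "surge"  otherwise (many distinct sources look more like a legitimate spike).
    Flagged windows are not fed back into the baseline, so an ongoing attack
    does not become the new normal. Returns [(window_start, kind, total, top_source)].
    """
    buckets = defaultdict(Counter)
    for e in events:
        if e.metric == metric:
            buckets[e.ts - e.ts % window][e.source] += 1
    if not buckets:
        return []
    alerts, recent = [], deque(maxlen=history)
    for start in range(min(buckets), max(buckets) + 1, window):
        counts = buckets.get(start, Counter())   # empty windows count as zero traffic
        total = sum(counts.values())
        baseline = sum(recent) / len(recent) if recent else 0.0
        if recent and total >= min_count and total > factor * baseline:
            top_source, top_n = counts.most_common(1)[0]
            kind = "attack" if top_n / total >= concentration else "surge"
            alerts.append((start, kind, total, top_source))
        else:
            recent.append(total)
    return alerts


T0 = 1_700_000_040   # constructed start time, aligned to a minute boundary


def build_sample_telemetry():
    """Constructed traffic: ten quiet minutes, one legitimate spike, one bot burst."""
    t = Telemetry()
    for minute in range(10):                       # 5 sign-ups/min from varied clients
        for i in range(5):
            create_account(t, T0 + minute * 60 + i * 10,
                           f"198.51.100.{minute * 5 + i}", f"user{minute}{i}@example.com")
    for i in range(40):                            # minute 10: campaign, 40 distinct clients
        create_account(t, T0 + 600 + i, f"203.0.113.{i}", f"promo{i}@example.com")
    for i in range(150):                           # minute 11: 150 sign-ups from one address
        create_account(t, T0 + 660 + i % 60, "192.0.2.7", f"bot{i}@example.com")
    return t


def run_detection():
    """Run the alert rule over the constructed telemetry and return its alerts."""
    telemetry = build_sample_telemetry()
    return detect_surges(telemetry.events, "accounts_created")


if __name__ == "__main__":
    for start, kind, total, top in run_detection():
        print(f"{kind:6} at +{(start - T0) // 60:>2} min: {total} sign-ups, top source {top}")
```

Minute 10 is flagged as a surge (40 sign-ups, eight times the baseline, but spread over 40 addresses), while minute 11 is flagged as an attack because one address produced all 150 sign-ups. In practice the source label would come from the reverse proxy's view of the client, and the rule would run as an alert in the monitoring system rather than as a batch script, but the distinction it draws (rate against a learned baseline, then concentration per source) is the one operators need to avoid paging on every marketing campaign.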

Security Information and Event Management (SIEM) tools help operators detect attacks by correlating data from multiple sources (application telemetry, reverse proxy logs, and so on) in one place. SIEM products include: