USENIX Enigma 2016 - Building a DDoS Mitigation Pipeline logo

USENIX Enigma 2016 - Building a DDoS Mitigation Pipeline

Feb 19, 2016
Marek Majkowski, CloudFlare Over the last two years we've fully rewritten CloudFlare's DDoS mitigation pipeline. Our initial goal was to relieve the our over-worked OPS team and reduce their distractions related to reacting to DDoS'es. The system we created proved to be capable of much more than we expected. Not only it is quicker and makes less mistakes than human operators, but also it allowed us to deploy new mitigation techniques much faster. The main design goal of the new pipeline was to avoid latency and be able to deploy mitigation in real-time, immediately after the threat is detected. To achieve this first we use sampled packets from switches (sflow) and http logs as a data source and automatically categorize them into various attack types. Then, the categorized attack metadata runs through a rich logic expressed in our reactive programming engine, which allows us to express high level constraints. Finally, this metadata is a source for the centrally-managed iptables mitigations framework. While composed of many moving pieces, our framework is, at least in spirit, fairly simple, and most importantly practical. We've successfully automated mitigations to most common attacks and nowadays the OPS team rarely needs to manually deploy mitigations. In this talk we'll discuss the design of the new mitigation framework, the context behind it, our incremental development and the future work. Sign up to find out more about Enigma conferences: Watch all Enigma 2016 videos at: