Fastly Attribute Unmasking

Attribute Unmasking Datasheet

The adaptive technique powering Fastly DDoS Protection

Fastly’s adaptive Attribute Unmasking automatically detects, identifies, and mitigates DDoS attacks targeting applications and APIs. The proprietary technique is highly accurate and can mitigate DDoS attacks in seconds. It is the primary technique found in Fastly DDoS Protection and is built on three core principles:

1. Everything starts with rapid, accurate detection of malicious traffic

2. Avoiding false positives is priority, so mitigations are safe to run

3. Defense tactics should be deceptive, minimizing information available to attackers

Rapid, accurate detection of malicious traffic

Rapid detection is core to Attribute Unmasking. Most attacks quickly scale from zero requests per second (RPS) to millions or hundreds of millions of RPS and often finish less than a minute later. When looking at the attacks Fastly saw from over 90 days of data, the attack is often over by the time a human can be made aware of an attack and equipped to respond. (Image 1): 

Image 1: Observed attack duration in seconds*

• 90% of the attacks have a total duration of 150 seconds or less

• 50% of the attacks are under 52 seconds

To mitigate as fast as possible, Fastly DDoS Protection performs attribute unmasking processing and decision-making across the global edge rather than running through a centralized function that has less capacity and inevitably serves as a bottleneck. Our software-defined network removes dependencies on specialized hardware and other components like routers. It gives Attribute Unmasking the power and flexibility to rapidly process, analyze, diagnose, and respond effectively without impacting legitimate traffic.

Accurate Detection

Identifying and distinguishing attacks from organic traffic can be challenging because advanced attacks often blend with legitimate traffic. Assuming teams can identify the attack manually, this also means that it costs more for your defense team to mitigate it (time, resources, computation, business impact, etc). Attribute Unmasking extracts accurate attacker identities from a comprehensive list of characteristics in Layer 3 and Layer 4 headers, TLS information, Layer 7 details, and more. This includes characteristics like IP address, http protocol, TLS properties, geoip, network egress/ingress routes, and more.  It ingests the metadata from inbound requests and extracts the elements that match the shape and volume of traffic over time that match the shape and volume of the attack. This process is the most accurate and safe way to detect attackers for mitigation because nearly every attack has unique characteristics. 

Attribute Unmasking is also built on a modular system that enables us to rapidly enhance detection and mitigation capabilities as new classes of attacks are discovered without needing to develop an entirely new mechanism to respond. When new attacks like the Rapid Reset attack come along, Fastly implements new functions to detection and response modules, which keeps response times incredibly short, even for novel attacks. 

Best of all, customers never need to worry when it’s happening because it rapidly and accurately detects DDoS attacks for mitigation automatically.

Safe mitigation

Every automated system has a risk of generating false positives and blocking legitimate traffic. Automated systems alone or in combination with human error have a long history of creating outages, but if policies become too lenient actual attacks are let through.

Building on rapid detection and accurate signature extraction, Attribute Unmasking implements safe mitigations without impacting legitimate traffic. Its mitigations are always on and are considered safe at all times without consequence because they’ve gone through in-depth validation and code review processes. Attribute Unmasking can’t be overwhelmed by multiple synchronized attacks and is also capable of mitigating multiple attacks at the same time to help your services remain performant and available no matter the adversary.

Deceptive tactics

Information is power when it comes to DDoS attacks. When attackers learn something about a network or gain insight from their previous attempts, it informs how they execute their next attack. It’s a cat-and-mouse game of constant evolution, and by withholding information from the attackers, you are making them work harder to figure out if they need to change tactics or how they should adapt. When most platforms detect an attack they act swiftly to close the connection on the attacker or deny access to their platform in another way. This signals to the attacker that they’ve been discovered, and also that if they try the same approach again it is likely to be more easily identified and blocked. Attribute Unmasking aims to intentionally minimize the amount of information (of any form) that is sent back to the attackers. 

Attribute Unmasking in action

Here’s a simplified example of Attribute Unmasking detecting, identifying, and mitigating a DDoS attack against one of our customers. Attribute Unmasking monitors customer traffic at all times for anomalous spikes in traffic patterns (Image 2). 

Image 2: Detection of sample attack

When an attack is detected, Attribute Unmasking works in milliseconds to test individual attributes until it finds one that best aligns with the attack curve (Image 2).

Image 3: Testing individual attributes

Once Attribute Unmasking finds an initial best-match attribute, it quickly repeats the process, combining additional characteristics to build an equation that gets closer to representing the surplus of attack traffic. With each additional attribute added to the equation, the technique shrinks the degrees of freedom needed to further improve the model. This process continues until Attribute Unmasking creates a unique equation that matches the surplus of attack traffic, and it confidently blocks the attacker's unique identity (Image 3).

Image 4: Testing sets of attributes

This might sound like a computationally intensive process, but detection, identification, and mitigation occur in seconds because of the power and speed of Fastly’s global edge. While this example was a single attack, it can simultaneously defend against multiple targeted attacks from different malicious actors too.

As the sophistication and rate of DDoS attacks continue to rise, complex or manual solutions are rendered ineffective. Attribute Unmasking is the automatic solution to accurately detect, identify, and mitigate DDoS attacks targeting your Apps and APIs. Attribute Unmasking is the primary technique found in Fastly DDoS Protection, and it works in seconds without any tuning to ensure your team doesn’t spend resourcing to have effective security and end users don’t feel the performance and availability impacts of attacks. If you'd like to learn more about how Fastly DDoS Protection can help you automatically mitigate the impact of application DDoS attacks, contact us.

**Attack duration data was collected by looking at the ingress requests to Fastly network from 2023-07-01 to 2023-10-12. The onset of attack is registered when a 30% increase from anticipated baseline is detected, and it ends when traffic is back to expected levels. We have excluded known organic traffic spikes and load testing from this dataset.