Datasheet

Fastly Attribute Unmasking


Fastly DDoS Protection leverages our adaptive Attribute Unmasking technique to automatically detect, identify, and mitigate application DDoS attacks.


Attribute Unmasking Datasheet

The adaptive technique powering Fastly DDoS Protection

Fastly’s adaptive Attribute Unmasking automatically detects, identifies, and mitigates DDoS attacks targeting applications and APIs. The proprietary technique is highly accurate and can mitigate DDoS attacks in seconds. It is the primary technique found in Fastly DDoS Protection and is built on three core principles:

  1. Everything starts with rapid, accurate detection of malicious traffic

  2. Avoiding false positives is priority, so mitigations are safe to run

  3. Defense tactics should be deceptive, minimizing information available to attackers

Rapid, accurate detection of malicious traffic

Rapid detection is core to Attribute Unmasking. Most attacks quickly scale from zero requests per second (RPS) to millions or hundreds of millions of RPS and often finish less than a minute later. In the attacks Fastly observed across more than 90 days of data, the attack is often over by the time a human can be made aware of it and equipped to respond (Image 1).


Image 1: Observed attack duration in seconds*

  • 90% of the attacks have a total duration of 150 seconds or less

  • 50% of the attacks are under 52 seconds

To mitigate as fast as possible, Fastly DDoS Protection performs attribute unmasking processing and decision-making across the global edge rather than running through a centralized function that has less capacity and inevitably serves as a bottleneck. Our software-defined network removes dependencies on specialized hardware and other components like routers. It gives Attribute Unmasking the power and flexibility to rapidly process, analyze, diagnose, and respond effectively without impacting legitimate traffic.

Accurate Detection

Identifying and distinguishing attacks from organic traffic can be challenging because advanced attacks often blend with legitimate traffic. Assuming teams can identify the attack manually, this also means that it costs more for your defense team to mitigate it (time, resources, computation, business impact, etc). Fastly DDoS Protection takes a two-step approach to accurately detecting attacks. It creates custom, continuously-updated baselines for traffic throughput AND multiple individual traffic attributes for every service it operates on.

Fastly DDoS Protection considers both the nature of the traffic spike and its attributes when deciding whether your service is experiencing an influx of legitimate traffic or an attack. This approach minimizes false positives: legitimate traffic can rise quickly due to a sale, busy season, viral moment, etc., and as long as the attributes remain normally distributed, no action is taken.

When both traffic rate and attributes significantly deviate from their baselines, Attribute Unmasking extracts accurate attacker identities from a comprehensive list of characteristics in Layer 3 and Layer 4 headers, TLS information, Layer 7 details, and more. This includes characteristics like IP address, user agent, TLS properties, geographic location, and more. It extracts metadata from inbound requests and computes elements that match the attack. This process is the most accurate and safe way to detect attackers for mitigation because nearly every attack has unique characteristics. To maximize accuracy, Attribute Unmasking repeats this process for every attack and doesn’t rely on long-term static rules like other solutions that can be prone to false positives.

Attribute Unmasking is also built on a modular system that enables us to rapidly enhance detection and mitigation capabilities as new classes of attacks are discovered, without needing to develop an entirely new mechanism to respond. When new attacks like the Rapid Reset attack come along, Fastly adds new functions to the detection and response modules, which keeps response times incredibly short, even for novel attacks.

Best of all, you never need to worry when it’s happening because it rapidly and accurately detects DDoS attacks for mitigation automatically.

Safe mitigation

Every automated system has a risk of generating false positives and blocking legitimate traffic. Automated systems, alone or in combination with human error, have a long history of creating outages, but if policies become too lenient, actual attacks are let through.

Building on rapid detection and accurate signature extraction, Attribute Unmasking implements safe mitigations without impacting legitimate traffic. Its mitigations are always on and are considered safe at all times without consequence because they’ve gone through in-depth validation and code review processes. For example, there are built-in controls to prevent rules from being made on single attributes that are prone to false positives, like country code. Additionally, Attribute Unmasking can’t be overwhelmed by multiple synchronized attacks and is also capable of mitigating multiple attacks at the same time so your services remain performant and available no matter the adversary.

Deceptive tactics

Information is power when it comes to DDoS attacks. When attackers learn something about a network or gain insight from their previous attempts, it informs how they execute their next attack. It’s a cat-and-mouse game of constant evolution, and by withholding information from the attackers, you are making them work harder to figure out if they need to change tactics or how they should adapt. When most platforms detect an attack they act swiftly to close the connection on the attacker or deny access to their platform in another way. This signals to the attacker that they’ve been discovered, and also that if they try the same approach again it is likely to be more easily identified and blocked. Attribute Unmasking aims to intentionally minimize the amount of information (of any form) that is sent back to the attackers.

Attribute Unmasking in action

Here’s a simplified example of Attribute Unmasking detecting, identifying, and mitigating a DDoS attack against one of our customers. Attribute Unmasking monitors traffic at all times for anomalous spikes in traffic patterns and their attributes (Image 2).


Image 2: Detection of sample attack

When an attack is detected, Attribute Unmasking works in milliseconds to test individual attributes until it finds one that best aligns with the attack curve (Image 3).


Image 3: Testing individual attributes

Once Attribute Unmasking finds an initial best-match attribute, it quickly repeats the process, combining additional characteristics to build an equation that gets closer to representing the surplus of attack traffic. With each additional attribute added to the equation, the technique shrinks the degrees of freedom needed to further improve the model. This process continues until Attribute Unmasking creates a unique equation that matches the surplus of attack traffic, and it confidently blocks the attacker's unique identity (Image 4).


Image 4: Testing sets of attributes

This might sound like a computationally intensive process, but detection, identification, and mitigation occur in seconds because of the power and speed of Fastly’s global edge. While this example was a single attack, it can simultaneously defend against multiple targeted attacks from different malicious actors too.
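The greedy search described above, written out as an added Python example (not Fastly's code, which is proprietary). The scoring function, the attribute names and the sample traffic are assumptions constructed for illustration; the `COARSE` check mirrors the control from the Safe mitigation section that prevents a rule on country code alone.

```python
# Added illustration, not Fastly's implementation. Attribute names are assumptions.
COARSE = {"country"}  # attributes never allowed to form a rule on their own

def matches(req, sig):
    return all(req.get(k) == v for k, v in sig.items())

def error(sig, baseline, window):
    """Distance between what the signature selects and the surplus traffic."""
    surplus = len(window) - len(baseline)
    hit_b = sum(matches(r, sig) for r in baseline)  # legitimate traffic the rule would hit
    hit_w = sum(matches(r, sig) for r in window)
    return abs((hit_w - hit_b) - surplus) + hit_b

def unmask(baseline, window, coarse=COARSE):
    """Greedily add attribute=value terms while the fit to the surplus improves."""
    sig, best = {}, error({}, baseline, window)
    while True:
        pool = {(k, v) for r in window if matches(r, sig)
                for k, v in r.items() if k not in sig}
        scored = []
        for k, v in sorted(pool):
            cand = {**sig, k: v}
            if set(cand) <= coarse:  # safety control: no rule on coarse attributes alone
                continue
            scored.append((error(cand, baseline, window), k, v))
        if not scored or min(scored)[0] >= best:
            return sig  # empty dict: nothing isolates the surplus, so no rule
        best, k, v = min(scored)
        sig[k] = v

def legit(n=100):
    """Constructed sample: one window of normal traffic."""
    return [{"ip": f"198.51.100.{i}", "ua": "curl" if i % 10 == 0 else "browser",
             "tls": "t1" if i % 4 == 1 else "t2",
             "country": "BR" if i % 25 == 0 else "US"} for i in range(n)]

def attack(n=300):
    """Constructed flood: 30 source IPs sharing one client fingerprint."""
    return [{"ip": f"203.0.113.{i % 30}", "ua": "curl", "tls": "t1", "country": "BR"}
            for i in range(n)]

if __name__ == "__main__":
    print(unmask(legit(), legit() + attack()))   # flood on top of normal traffic
    print(unmask(legit(), legit() + legit()))    # proportional organic growth
```

In the constructed flood, `ua` alone would also catch ten legitimate requests; adding `tls` brings the error to zero. When traffic doubles with an unchanged attribute mix, no term improves the fit and no rule is produced.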

Exploring Attribute Unmasking’s rules

Fastly DDoS Protection gives visibility to every rule Attribute Unmasking automatically creates to mitigate an attack; each contains a summary of the attributes it is blocking against and the traffic impacted (Image 5).


Image 5: Example of Attribute Unmasking's Rules

With this information, organizations can quickly validate the efficacy of the rules. Take the example above – the rule was built in seconds to mitigate an attack on a major retail organization. You can feel confident in the efficacy of the mitigation because:

  1. A single IP sent such a high volume of requests that Fastly DDoS Protection detected it as an attack

  2. The user agent is a known enumeration tool used by cyber attackers

  3. The path they were targeting doesn’t exist for this customer

  4. The entirety of surplus attack traffic came from a single country that the organization doesn’t typically receive end users from

Where other competitive solutions are popularizing their ability to block in milliseconds using static rules that may be prone to error over time (especially with the rise of AI usage by attackers), Fastly DDoS Protection custom-crafts every rule with this level of tailored accuracy and visibility so you can rest easy knowing you’re protected.

Automatically mitigate attacks with Fastly DDoS Protection

As the sophistication and rate of DDoS attacks continue to rise, complex or manual solutions are rendered ineffective. Attribute Unmasking is the automatic solution to accurately detect, identify, and mitigate DDoS attacks targeting your apps and APIs. Attribute Unmasking is the primary technique found in Fastly DDoS Protection, and it works in seconds without any tuning, so your team doesn’t spend resources to have effective security and end users don’t feel the performance and availability impacts of attacks. If you'd like to learn more about how Fastly DDoS Protection can help you automatically mitigate the impact of application DDoS attacks, contact us.

*Attack duration data was collected by looking at the ingress requests to the Fastly network from 2023-07-01 to 2023-10-12. The onset of an attack is registered when a 30% increase from the anticipated baseline is detected, and it ends when traffic is back to expected levels. We have excluded known organic traffic spikes and load testing from this dataset.
