Akamai Prolexic Routed DDOS Protection

So what is Akamai prolexic routed DDOS protection?

Prolexic Routed is a simple and effective approach for businesses to secure all online and IP-based applications in their data center against DDoS assaults. Prolexic Routed, a customizable and comprehensive service, blocks DDoS attacks in the cloud far before they reach the data center. It protects against the broadest spectrum of DDoS attack types, including today’s high-bandwidth, long-lasting web attacks and the growing threat of potentially crippling DDoS attacks that target individual applications and services.

Prolexic Routed is built on a DDoS mitigation solution that uses 19 worldwide scrubbing centers to minimize latency and improve network robustness. Traffic is sent to the nearest scrubbing facility, and proactive mitigation processes are in place to prevent attacks. The remaining DDoS traffic is assessed by Akamai SOC experts, who quickly and effectively apply the most effective mitigation for each attack vector. Clean traffic is routed to your apps and data centers, while outbound traffic is returned to customers.

Customers can connect to any scrubbing center via virtual tunnels, which provide over 50 traffic delivery channels for three tunnels and considerably improve global network resiliency, even in network events outside Akamai’s control. Akamai’s Prolexic Routed Service uses the Generic Routing Encapsulation (GRE) protocol to establish virtual circuits to the customer’s router. The GRE tunnel appears to connect Akamai and client routers directly. To improve robustness and reliability, unique GRE technology produces many-to-one virtual tunnels from each scrubbing center (19 Scrubbing Centers), giving clean traffic extra bandwidth. Akamai’s Prolexic Routed (GRE) Service employs traditional IP routing protocols to intercept incoming client data and inspect it for distributed anomalies associated with distributed denial of service (DDoS) attacks. The Routed service provides security across protected subnets to Akamai client networks. In asymmetric routing, only inbound traffic is examined. Outbound traffic is routed directly to the end-user. During traffic inspection, legitimate traffic is discovered and passed on, while attack traffic is discreetly rejected.

The customer uses the Border Gateway Protocol to transmit network advertisements to Akamai. Customers can use these network advertisements to activate and deactivate the service as needed. Akamai’s activation is complete when its scrubbing facilities transmit these ads to upstream carriers and peers, usually taking seconds. The service is available as an Always-On solution, which routes traffic via the Prolexic platform at all times and has a 0-second SLA, or as an On-Demand alternative, which does not route the customer’s normal flow through the Prolexic platform.

How the process works (Always-On):

The “Always-On” deployment method for Akamai’s Prolexic Routed service means that your traffic is always routed through Akamai’s scrubbing centers, even when you’re not under attack. This setup provides continuous DDoS protection and can react more quickly to an attack because there’s no need to reroute traffic once an attack is detected.

Here’s how it works:

  1. BGP Announcements: In an Always-On setup, you will make BGP announcements for your IP prefixes through Prolexic’s network. BGP is the protocol underlying the global routing system of the internet, which makes decisions about the path that traffic will take to reach its destination.
  2. Routing Traffic: All your inbound traffic is continuously routed through Akamai’s Prolexic Routed service. It doesn’t go directly to your network but instead always passes through Akamai’s DDoS scrubbing centers.
  3. Scrubbing Centers: At the scrubbing centers, traffic is analyzed using advanced DDoS detection methods. Legitimate traffic is allowed to pass, while traffic associated with DDoS attacks is blocked.
  4. Clean Traffic: The scrubbing center then forwards the clean, legitimate traffic to your network. To your network and to the end-user, it appears as if the traffic has taken the normal path, as the original source and destination IP addresses remain the same.
  5. Attack Mitigation: If a DDoS attack is detected, the malicious traffic is already being routed through the scrubbing centers and can be blocked there, preventing it from ever reaching and overwhelming your servers. There’s no need to “swing” the traffic in the case of an attack because the traffic is already being scrubbed.

The primary advantage of the “Always-On” deployment method is that it can potentially offer faster response times to DDoS attacks, as there’s no delay from having to reroute traffic. However, it may be more expensive than on-demand services because all traffic, not just attack traffic, is being scrubbed. It also requires you to trust your DDoS protection service with all your inbound traffic, not just your attack traffic, as they will have visibility into and control over all your incoming traffic.

How the process works (On-Demand):

Here’s how the process works:

  1. BGP Announcements: Your network announces its IP ranges to the world using the Border Gateway Protocol (BGP). BGP is the protocol that makes the internet work by advertising which IP addresses belong to which networks. When you use Prolexic Routed, you start announcing your IP ranges to Prolexic’s network as well.
  2. Attack Detection: When a DDoS attack is launched against your network, the traffic surge is detected. This detection can occur either by automated systems or by your network team noticing the abnormal increase in traffic.
  3. BGP Rerouting: Once an attack is detected and confirmed, you or the Prolexic platform will change the BGP announcement to route all of your traffic through Prolexic’s network instead of going directly to your network. This is known as “swinging” the traffic to Prolexic.
  4. Scrubbing Centers: Once your traffic is being routed through Prolexic’s network, it enters their scrubbing centers. These are data centers specifically designed to filter out DDoS attack traffic. They use a variety of techniques to distinguish between legitimate traffic and attack traffic, blocking the latter.
  5. Clean Traffic: After the traffic has been “scrubbed” of DDoS traffic, the remaining legitimate traffic is sent on to your network. This is done in such a way that the traffic appears to come directly from the original source, maintaining the original source IP addresses.
  6. Return to Normal Operation: Once the DDoS attack is over, you can swing the BGP announcement back to direct traffic to your network instead of through Prolexic’s network. This returns your network to normal operation, but with the ability to quickly swing traffic back to Prolexic if another attack is detected.

This setup allows Prolexic to effectively protect your network from DDoS attacks, but it also requires a certain level of network sophistication. You or your team needs to understand how BGP works and how to manage BGP announcements. You also need to be able to detect DDoS attacks quickly and respond by swinging your traffic to Prolexic.


Below is an example diagram for data flow:


Below is an example for the Akamai scrub centers:
Akamai will be able to dynamically update the list of scrubbing centers advertising client routes in order to improve platform traffic flow, mitigation efficiency, and collateral damage.


Some Key Features:

Scrubbing Centers: Today, Akamai’s Prolexic network contains 19 globally distributed scrubbing centers with a total bandwidth of 8.0 Tbps. Amsterdam (Netherlands), Ashburn (USA), Chicago (USA), Dallas (USA), Frankfurt (Germany), Hong Kong (China), London (UK), Los Angeles (USA), Melbourne (Australia), Miami (USA), New York (USA), Osaka (Japan), Paris (France), San Jose (USA), Singapore (Singapore), Stockholm (Sweden), Sydney (Australia), Tokyo (Japan), and Vienna (Austria) (Austria).

Your network traffic is routed via Akamai’s 19 globally dispersed scrubbing centers using the Border Gateway Protocol (BGP). I have an example configuration post here on how to set up BGP:

Akamai DDOS Template

Support for DDoS attacks: Prolexic Routed is a fully managed security service that assists enterprises in responding to DDoS attacks. Akamai employees analyze current assaults in real-time and react to shifting attack vectors and multi-dimensional threats.

Always-On vs. On-Demand: Prolexic Routed is available as an Always-On service, which provides the quickest detection and mitigation capabilities, or as an On-Demand service, allowing enterprises to tailor and apply DDoS mitigation as needed. I recommend you use Always-On.

Safeguard IP Subnets: Organizations may safeguard entire IP subnets, including all web and IP-based applications within those subnets. It can also do any supporting network and data center equipment by routing the network traffic through Prolexic Routed and their data center’s network bandwidth.

Dynamic Protection: Prolexic Routed provides active protection against various possible DDoS attack types, regardless of complexity and even as they alter throughout an assault. This protection encompasses both network-layer and application-layer DDoS assaults, such as UDP and SYN floods and HTTP GET and POST floods.

Zero-second mitigation – By tailoring proactive mitigation measures to your network traffic, you can lock down your attack surface and quickly neutralize the bulk of DDoS attacks instantly.