
Akamai's Behavioral DDoS Engine: A Breakthrough in Modern DDoS Mitigation


Written by

Aseem Ahmed and Abdeslam Bella

November 07, 2024


Aseem Ahmed is a seasoned cybersecurity professional with more than 17 years of experience, specializing in product management, web application, and API security. Currently a Senior Manager of Product Management at Akamai, Aseem leads cross-functional teams to develop security strategies for web application and DDoS protection.


Abdeslam Bella is a Principal Security Researcher working on the Akamai Threat Research Team supporting App & API Protector security solutions.

Akamai's Behavioral DDoS Engine is a powerful addition to any defense-in-depth strategy.

The evolving DDoS threat landscape

As digital infrastructure grows, so do the threats posed by distributed denial-of-service (DDoS) attacks. What were once simple volumetric assaults have evolved into highly sophisticated, multi-vector campaigns that target the most vulnerable aspects of the application layer. Traditional defense mechanisms that rely on traffic throughput, static thresholds, and signatures are not as effective against such complex threats, necessitating a more adaptive and intelligent approach.

Key trends in DDoS attacks

  • Multi-vector attacks: Attackers increasingly leverage combinations of multiple vectors, making it challenging for static defenses to identify and mitigate attacks. In the past 18 months, more than 11 trillion Layer 7 DDoS attacks were recorded across high-tech industries, commerce, and social media.
  • API exploitation: As companies increasingly rely on APIs, attackers exploit these entry points. In 2024 alone, 108 billion API attacks were observed, with many of these attacks being DDoS-based.
  • Growing threat complexity: The financial services industry has seen a surge in Layer 7 DDoS attacks due to geopolitical tensions. These attacks are becoming more sophisticated, using botnets and AI, with a notable increase in attacks targeting European banks.

Introducing Behavioral DDoS Engine*

To combat these evolving threats, Akamai has developed the Behavioral DDoS Engine, a cutting-edge capability added to the Akamai App & API Protector solution that adapts to attack patterns in real time. This innovative engine offers businesses the protection they need against sophisticated and persistent DDoS threats.

Understanding behavioral DDoS mitigation

Most traditional DDoS defenses rely on rate- and volume-based detections, which are often configured with static thresholds and are susceptible to false positives. In contrast, Akamai’s Behavioral DDoS Engine continuously learns traffic patterns, allowing real-time identification and mitigation of attacks while minimizing any disruption to legitimate traffic.

By using machine learning to monitor anomalies, it can differentiate between normal spikes (like viral events) and sophisticated DDoS attacks, ensuring proactive, accurate protection without manual intervention. This adaptive approach provides a more effective defense against complex threats.

The behavioral analysis includes:

  • Real-time traffic monitoring: The engine constantly monitors traffic and analyzes requests to establish a baseline of normal activity.

  • Machine learning models: Advanced algorithms analyze deviations from normal traffic patterns, identifying threats in real time. This allows the engine to rapidly classify anomalous behavior and take necessary action, mitigating even subtle threats without human intervention.

  • Differentiating legitimate traffic: The engine can differentiate between legitimate traffic spikes, such as those caused by a viral event, and actual Layer 7 DDoS attacks, which are often highly distributed and mimic legitimate behavior.

A powerful addition to your defense-in-depth strategy

Akamai's Behavioral DDoS Engine is a powerful addition to your defense-in-depth strategy, complementing traditional rate-based detection approaches. Although rate limiting remains valuable for managing traffic, it often requires manual tuning. 

The Behavioral DDoS Engine automates threat detection via advanced machine learning and insights from the Akamai global platform, particularly 946 TB of daily security events data. Together, these tools provide a balanced approach — combining the precision of rate limiting with the adaptability of behavioral analysis, ensuring robust protection against complex DDoS threats.

Tailored DDoS protections based on your website or API needs

The Behavioral DDoS Engine delivers advanced tracking and predictive analysis, monitoring traffic trends across dynamic traffic dimensions, such as country source of traffic, client TLS patterns, and network fingerprints. By analyzing traffic for each hostname and HTTP method, the new capability tailors protection strategies to the unique needs of each website or API. 

This adaptability ensures the engine stays up to date with emerging threats and security research, without additional effort required from customers. The engine can also automatically adjust which traffic dimensions it uses as threats evolve. The result is a robust defense that enhances security while maintaining a seamless user experience.

Figure 1 illustrates the new baseline traffic reports that help improve user confidence by showcasing the traffic baseline status and key protection insights.

Fig. 1: Baseline traffic status and key protection insights in a Behavioral DDoS Engine report

The solution detects any abnormal spikes in the traffic and filters it out from the baseline traffic to ensure accuracy and precision (Figure 2). This results in clean traffic that is used to generate multiple dimensional views, each tailored to different HTTP request methods, such as GET, POST, and OTHER (even including less-common methods, such as PUT, PATCH, DELETE, etc.).

Fig. 2: Behavioral DDoS Engine report highlighting baseline normalization activity

Hands-off approach tailored to your risk appetite

Behavioral DDoS Engine offers three protection levels, which allows you to choose the option that best aligns with your business risk tolerance and security needs (Figure 3).

Fig. 3: Behavioral DDoS Engine report highlighting sensitivity levels against baseline

Strict: Offers rapid response to even slight anomalies; recommended for high-security environments, where minor deviations in traffic might signal a potential DDoS attack

Moderate: (Akamai recommended) Delivers a balanced approach, offering robust protection while optimizing the level of false positives; ideal for most operational environments, where some traffic fluctuations are expected

Conservative: Provides tolerance for more substantial traffic deviations and large traffic fluctuations that might otherwise trigger DDoS protections unnecessarily
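To make the baseline normalization and the three sensitivity levels concrete, here is an added sketch that is not Akamai's code or algorithm. It swaps in a simple median/MAD baseline over request counts only; the threshold multipliers, function names, hostname, and sample counts are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed multipliers: robust deviations above baseline that count as an
# anomaly. The page names the three levels but publishes no thresholds.
SENSITIVITY = {"strict": 3.0, "moderate": 6.0, "conservative": 12.0}

def method_bucket(method):
    """Group methods into the GET / POST / OTHER views the page describes."""
    m = method.upper()
    return m if m in ("GET", "POST") else "OTHER"

def robust_stats(samples):
    """Median and MAD (median absolute deviation) of request counts."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, max(mad, 1.0)  # floor avoids a zero-width band on flat traffic

def build_baselines(history, spike_k=10.0):
    """history: {(hostname, method): [requests per interval, ...]}, aligned.
    Sums methods into their bucket per interval, drops intervals more than
    spike_k MADs above the median so a past attack does not inflate the
    baseline, then recomputes the stats on the clean data."""
    merged = {}
    for (host, method), counts in history.items():
        key = (host, method_bucket(method))
        prev = merged.get(key, [0] * len(counts))
        merged[key] = [a + b for a, b in zip(prev, counts)]
    baselines = {}
    for key, counts in merged.items():
        med, mad = robust_stats(counts)
        clean = [c for c in counts if c <= med + spike_k * mad]
        baselines[key] = robust_stats(clean)
    return baselines

def is_anomalous(baselines, host, method, count, level="moderate"):
    """True when the interval count exceeds the baseline band for this level."""
    key = (host, method_bucket(method))
    if key not in baselines:
        return False  # no learned baseline yet: leave it to rate controls
    med, mad = baselines[key]
    return count > med + SENSITIVITY[level] * mad

# Constructed sample: per-minute request counts with one past attack spike.
HISTORY = {
    ("shop.example", "GET"): [100, 104, 98, 101, 97, 103, 5000, 99, 102, 100],
    ("shop.example", "PUT"): [4, 5, 3, 4, 6, 5, 4, 5, 4, 5],
    ("shop.example", "DELETE"): [1, 0, 1, 2, 1, 0, 1, 1, 2, 1],
}
BASELINES = build_baselines(HISTORY)
```

With the constructed data, a minute of 110 GET requests trips only the strict level, while the 5000-request spike was excluded from the learned baseline rather than raising it.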

Behind the scenes: How it all comes together

The solution is crafted from several key ingredients, and each component is vital in the overall recipe (Figure 4).

  • The detection engine identifies DDoS attacks using a multidimensional view of traffic and leveraging intelligence from the baseline generator.
  • The mitigation engine identifies and counters DDoS attackers using combinations of dimensions and leveraging intelligence from both the baseline generator and the threat signals.

  • The threat signals, including Platform DDoS Intelligence heuristics, offer insights into DDoS attackers based on historical attack data, leveraging both Akamai's extensive data and the expertise of the Akamai Threat Research Team.


  • The baseline validator, aided by AI-based tuning, is a crucial component that evaluates hundreds of DDoS attacks each month to fine-tune the solution.

  • The noise/FP reduction is a machine learning model framework that transforms raw data into valuable insights for both the baseline generator and the baseline validator.

  • The baseline generator is the primary component that processes the clean data over a two-week period. Additionally, it uses the latest threat research findings to create multiple traffic profiles and settings for the detection and mitigation engines.

Best-in-class efficacy and precision

The Behavioral DDoS Engine enhances security by improving detection accuracy while minimizing legitimate user impact. It offers proactive mitigation by anticipating and neutralizing threats before they impact operations. 

Let's look at two case studies that outline how the Behavioral DDoS Engine can help security teams with increased operational efficiency, reduced manual intervention, and seamless integration into existing workflows, which provides more streamlined security management without sacrificing protection. [Note: Results may vary based on the sensitivity settings that customers choose and respective traffic baselines. The precision rate in the case studies below was observed in relation to the strict sensitivity settings.]

Case study 1: Detecting a highly distributed Layer 7 DDoS during the Olympic Games in Paris

The target was a ticketing website. This was a highly distributed attack that sent a surge of 1.4 billion HTTP GET requests with use of TLS randomization from more than 7,000 IP addresses across 839 networks. The Behavioral DDoS Engine showed superior precision with 99.95% detection and mitigation rate.

Case study 2: Protecting an APJ ecommerce home page from a highly distributed DDoS attack

This was a DDoS attack generating, at its peak, 185 million HTTP GET requests with the use of TLS randomization from more than 5,000 IP addresses across 643 networks. The Behavioral DDoS Engine again showed superior precision with 99.50% detection and mitigation accuracy.

A new era of DDoS defense with Akamai App & API Protector

Akamai’s new Behavioral DDoS Engine marks a significant leap in modern threat defense, delivering proactive, intelligent protection to meet the demands of today’s complex threat landscape. This innovation enhances detection accuracy, reduces manual intervention, and seamlessly integrates into existing workflows.

Learn more

Ready to see Behavioral DDoS Engine in action? Connect with us for a demo, early access, or a technical exploration of how Akamai can bolster your DDoS mitigation strategy.

Bonus! Get the recipe for advanced Layer 7 DDoS attack defense

Download the Cybersecurity Chef: Crafting the Ultimate Cookbook for Layer 7 DDoS Resilience today and equip your team with the knowledge and the tools to stay ahead of the latest threats in cybersecurity.

Modern Layer 7 DDoS protection is not just about preventing downtime — it's about safeguarding your brand, your customers, and your bottom line. Features like rate limiting and behavioral DDoS protection from application-layer DDoS attacks are essential to ensure that HTTP requests are properly managed and malicious traffic is mitigated. 

*Behavioral DDoS Engine is currently available for a select set of customers. Platform-wide access will be available in 2025.


