As 5G networks begin to take form in the standardization process, and the number of IoT devices out in the wild continues to grow, the Mirai botnet served as a jagged reminder of the dangers that this device footprint could pose to enterprises. With crushing DDoS (distributed denial of service) attacks a severe problem for businesses, Kentik is hoping that it can become an indispensable tool for enterprises and operators worried by the scale of IoT growth, which could be accelerated further by 5G.
Kentik’s VP of product marketing, Alex Henthorn-Iwane, explained that Kentik isn’t rooted squarely in AI or IoT, but strongly overlaps both fields. Kentik is fundamentally an analytics tool used by operators and networks, and Henthorn-Iwane said it is seeing (and helping to bring about) a change in industry thinking on the use of analytics and detection in DDoS protection – tackling a way of thinking that is still widely entrenched in the 1990s.
For Kentik, the big data components are the means of changing that way of thinking – which stems from a time where services were largely standalone, and didn’t have to worry about external operational dependencies. As Henthorn-Iwane noted, most organizations are not aware of the extent of their dependence on other IT and cloud systems, and AWS’ recent S3 outage was a glaring example of the problems that begin cropping up across industries when a key component encounters difficulties.
This mesh of dependencies represents a vast attack surface for operators and enterprises, and Kentik is positioning itself as the attack detection engine – a way of inspecting the network traffic to help prevent the roaming hordes from ever reaching the city walls. Kentik’s proposition is that the old methods of network monitoring are not good enough today, and that its system is the answer.
Henthorn-Iwane likens the attack surface to supply chains, such as the shipping lanes that are vital to world trade. However, global trade couldn’t exist until a naval hegemony was able to protect those lanes. A federated DDoS mitigation system could play the same role, and could be funded in the same way as MNOs’ roaming chargebacks.
There is the risk that, as consumer IoT devices race to the bottom in terms of their costs, shortcuts are going to be taken in device security, giving attackers a huge and growing supply of DDoS-ready devices to use, and consigning any battle for absolute security on the end-devices to failure. As such, the networking and transport infrastructure is left as the battleground for IoT security.
Founded in 2014, Kentik’s 50+ staff are headed up by CEO Avi Freedman, former VP networks at Akamai, and CTO Dan Ellis, Netflix’s former director of net operations. With $38m funding, Kentik’s public customers include Yelp, Pandora, Neustar, Dailymotion, PenTeleData, OpenDNS, and ServerCentral.
With its main systems, Kentik is able to process huge amounts of data – both in real-time streaming analytics and in historic archives. Running on powerful bare-metal servers, Kentik’s software is deployed via Docker containers. It claims to process an average of 125bn daily flow records, and store over 75TB of that flow data each day. It also claims to be 100 times faster than MapReduce, and 10 times more efficient than Elastic and Spark.
The platform ingests and indexes data, answering queries that span billions of rows and multiple fields. The data is then sharded across multiple servers, splitting it into smaller chunks that the platform can process more efficiently, and compressed using ZFS. Kentik spent a lot of time creating its database systems so that they could support multi-tenancy, after finding that other databases couldn’t scale to support multiple users fairly.
Collectively called the Data Engine, this system takes the data inputs and essentially converts them into dashboards and alerts for the users, which can then be used inside their own applications. In the DDoS mitigation field, this means feeding them into something like Radware’s DefensePro or A10 Networks’ Thunder TPS, systems that can handle the incoming malicious traffic. Another option is the rather fetchingly named Remote Triggered Black Hole (RTBH), as a means of dropping traffic before it gets to the protected network.
Kentik is providing the anomaly detection, via its Kentik Detect product, as an alternative to the current DDoS detection appliances – arguing that the current generation of devices is resource-constrained and inaccurate. Using machine learning features, Kentik says its system is better able to determine a baseline, and therefore generate fewer false negatives and positives.
In this sort of deployment, the Detect system would be monitoring millions of IP addresses, measuring their activity against the baseline readings. Users can set up to eight parameters to monitor and customize the alerts they generate. Kentik says this provides a 30% increase in DDoS detection accuracy.
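To make the baseline comparison concrete, here is an added example that is not Kentik’s code: the page does not describe how Detect builds its baseline or which parameters it offers, so the z-score test, the three monitored parameters, the thresholds and the flow records are all assumptions. It rolls constructed flow records up per destination and flags the minute in which a destination’s traffic departs from its own history, staying silent when there is too little history to judge.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (minute, dst_ip, src_ip, bytes, packets); not real data.
FLOWS = []
for minute in range(10):                          # ten minutes of ordinary traffic
    for i in range(4):
        FLOWS.append((minute, "203.0.113.10", f"198.51.100.{i}",
                      60_000 + 500 * i + 2_000 * (minute % 3), 50 + i))
for i in range(200):                              # minute 10: many new sources, small packets
    FLOWS.append((10, "203.0.113.10", f"192.0.2.{i % 250}", 64 * 40, 40))

# Three of the "up to eight" monitored parameters; this choice is an assumption.
PARAMETERS = ("bytes", "packets", "unique_sources")

def aggregate(flows):
    """Roll flows up per (minute, dst_ip) into the monitored parameters."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for minute, dst, src, nbytes, pkts in flows:
        agg[(minute, dst)]["bytes"] += nbytes
        agg[(minute, dst)]["packets"] += pkts
        agg[(minute, dst)]["sources"].add(src)
    return {k: {"bytes": v["bytes"], "packets": v["packets"],
                "unique_sources": len(v["sources"])} for k, v in agg.items()}

def detect(flows, current_minute, z_threshold=3.0, min_history=5):
    """Compare each destination's current minute against its own baseline
    (mean and population stdev of each parameter over earlier minutes; this
    z-score test is an assumption, Kentik's real method is not on the page).
    Returns {dst_ip: [parameters that exceeded mean + z_threshold * sigma]}."""
    agg = aggregate(flows)
    alerts = {}
    for dst in {d for (_, d) in agg}:
        history = [v for (m, d), v in agg.items() if d == dst and m < current_minute]
        current = agg.get((current_minute, dst))
        if current is None or len(history) < min_history:
            continue  # too little history: stay silent rather than alert on a guess
        tripped = []
        for p in PARAMETERS:
            samples = [h[p] for h in history]
            mu, sigma = mean(samples), pstdev(samples)
            sigma = max(sigma, 0.05 * mu)  # floor so a flat baseline cannot fire on jitter
            if current[p] > mu + z_threshold * sigma:
                tripped.append(p)
        if tripped:
            alerts[dst] = tripped
    return alerts
```

Minute 9 looks like the nine minutes before it and produces no alert, while minute 10 trips all three parameters for 203.0.113.10; the sigma floor is what keeps a perfectly flat baseline from alerting on trivial jitter.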