Athena is an internally developed, custom distributed denial of service (DDoS) mitigation platform that powers the Verisign DDoS Protection Service.
DDOS MITIGATION TECHNIQUES
Gain more insight into the three components of Athena
Many of the attacks we see are typical straightforward layer-3 and layer-4 attacks (i.e., simple attacks that target network services at the User Datagram Protocol [UDP] and Transmission Control Protocol [TCP] levels). These types of attacks try to starve the network-layer functions below an application, like bandwidth or the ability for routers to route packets. Most of these attacks can be handled at the network layer by using some mitigation techniques like applying IP reputation lists that have millions of IP addresses, packet inspection to determine legitimacy, blacklisting, whitelisting, etc.
Athena Shield is a fast DDoS mitigation system that handles our layer-3 and layer-4 filtering using the techniques described above. It gets its speed from a massive amount of internal performance tuning. Athena Shield can also inspect and filter on higher-level protocols across packet boundaries, dropping junk packets before they come anywhere near the back-end systems. Packets that pass the initial sniff test can either be forwarded directly or subjected to additional validation by the Athena Proxy.
Connection-oriented protocols like HTTP(S) can be difficult to defend because obtaining the full picture of a transaction requires interaction with the protected server. Athena Proxy stands in for that server in the initial stages of a transaction, allowing Verisign to inspect and filter HTTP- and HTTPS-level content. With Athena, the request string, method, query parameters, headers and body content become trivial to parse and inspect.
Through this inspection we can spot anomalies in the header values and create the mitigation rules needed to block the bad traffic. The Athena proxy also has features that allows us to verify various types of clients. After the proxy inspects and drops bad requests, legitimate requests go back to the protected servers to be handled by their applications.
Athena Load Balancer
Verisign handles an average of 70 billion daily DNS queries across the globe. As a result, it was not enough just to augment DDoS mitigation equipment. Although the COTS gear could handle our needs under normal traffic times, the load-balancers were at risk of failing under the load of a massive, complex attack to our DNS or DDoS platforms. As a result of this, Verisign built its own load balancing system to better fit our stringent requirements, and Athena provided the perfect platform to start with.
Today, Athena Load Balancers are deployed across our entire constellation, protecting all Verisign services. The advantage of the Athena Load Balancer is that it performs line-rate attack filtering right at the load balancer before requests even touch any of the transaction services. This allows the Athena Proxy, Shield, ATLAS DNS platform or any of our applications to focus on the complex application-level attacks that are specific to that platform, greatly increasing our resolution capacity.
Remember, platform capacity is not just reliant on the size of bandwidth or ability to filter out layer-3 and -4 DDoS attacks. The Athena Load Balancer also handles all health checks and internal routing protocol communication with our routers, allowing Verisign to remove points of failure, a practice that is critical in designing a highly resilient network platform.
As attacks continue to grow and become more complex, Verisign continues its commitment to innovating on the mitigation side by keeping a constant eye on new technologies and specifications that customers are using. The explosion of mobile, the next version of HTTP, and the custom protocols that customers are developing are what our engineers and product teams are closely watching now.