GUEST ESSAY: A primer on how, why ‘dynamic baselining’ fosters accurate DDoS protection

By Ahmed Abdelhalim

Businesses today need protection from increasingly frequent and sophisticated DDoS attacks. Service providers, data center operators, and enterprises delivering critical infrastructure all face risks from attacks.

Related: The care and feeding of DDoS defenses

But to protect their networks, they’ll need to enable accurate attack detection while keeping operations manageable and efficient.

Traditional static baselining methods fall short on both of these counts. To begin with, they rely on resource-intensive manual processes to define an organization’s “normal” traffic patterns, imposing a burden on both the protected organization and their own security personnel. The uncertainty and approximation inherent in this approach leads to tradeoffs on exactly where to establish the baseline. Set it too high and you’ll miss smaller attacks. Set it too low and you’ll deal with constant false positives.

Dynamic baselining makes it possible to offer more accurate and efficient DDoS protection and protection-as-a-service. By allowing the system to learn its own baseline traffic patterns, set its own thresholds, and adapt automatically as traffic changes, service providers and large enterprises can simplify operations while ensuring more accurate attack detection.

Limits of static baselining

Under ordinary circumstances, an increase in network traffic can seem like good news. A DDoS attack, on the other hand, is distinctly bad news. By flooding a victim’s network with bogus traffic, an attacker can slow performance or even knock its services offline entirely.

Organizations can help mitigate the threat of a DDoS attack, but first, they need to be able to recognize the difference between normal or “peacetime” activity and abnormal, malicious traffic. This can be tricky if thresholds are simply set to detect large-scale DDoS attacks while missing smaller ones, presenting this as an acceptable risk.

A security team, seeking a more accurate level of detection, may query the protected organization or application owners on what their normal traffic levels are in order to establish tailored baselines. This seems reasonable, except that many companies don’t have this kind of detail readily available. It also imposes an additional operational burden.

Another approach employed by security teams is to assume the burden of monitoring the traffic for a period of weeks and come up with a proposed baseline. This is likely more effective in terms of accuracy, but it’s far from scalable as a service model for DDoS protection-as-a-service.

Choose Your Poison

When organizations can’t tailor a DDoS detection threshold to specific needs or specific end subscribers, they have two options. One is to set a level that’s much higher than what normal traffic would realistically reach. You’ll catch large-scale attacks, but you may be exposed to any number of smaller attacks, degrading performance for their business and the end users.

Or you can choose to set the threshold lower in order to catch more attacks. Unfortunately, you’ll also get more false positives. In that event, traffic will be diverted to a mitigation device, subjecting end users to an unnecessary increase in latency and degradation of the user experience. This is particularly noticeable by users and the application owners when the mitigation device or facility is in a geographic location different from that of the servers. 

Accurate, efficient protection 

Static baselining imposes too much of an operational burden on organizations — and even then, the resulting attack detection is too inaccurate.


Dynamic baselining alleviates that operational workload while enabling a better understanding of normal and suspicious network activity. The system automatically learns the peacetime baseline for customers, sets thresholds that reflect the observed patterns, and then adapts those thresholds over time as traffic changes. Able to differentiate between the types of increases associated with the dynamic business environment or end-user behavior on one hand, and malicious surges originating from botnets on the other hand, the system can alert accurately on genuine attacks of all sizes while avoiding the disruptions of false positives or false negatives.

The efficiency of automated, dynamic baselining allows organizations to provide better DDoS protection to protect critical infrastructure, whether a service provider or a digital business enterprise.

As organizations tackle the critical need of DDoS protection, the key to success will be a combination of autonomous learning capabilities and operational efficiency. By moving from static baselining to automated, dynamic baselining, you can provide more accurate and responsive protection while easing the workload for strapped security teams. 

About the essayist: Ahmed Abdelhalim, Senior Director, Security Solutions, A10 Networks


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone