Stonefish — Automating DDoS Mitigation at the Edge

The evolution of DDoS protection

DDoS mitigation products and services have been in use for nearly two decades. But as web application infrastructure has shifted to take advantage of the cloud, so have DDoS mitigation requirements. The evolutionary steps can be grouped into four categories:

  • Specialized hardware
  • Scrubbing centers
  • Cloud-based protection
  • CDN-based protection

Specialized hardware

Specialized hardware has been the choice for DDoS protection since the early days of web applications. The value proposition is straightforward — place an appliance in a data center, connect it to the network, configure it, and let it do its job in identifying and mitigating attacks. However, in many instances, manual intervention is required, pulling critical staffing away from normal operations. And appliances can be very expensive to maintain as they require large amounts of standby capacity and network to handle today’s cloud scale attacks.

Scrubbing centers

Scrubbing centers are often located in PoPs. Compared to specialized hardware, scrubbing centers scale on demand, in some cases to multiple Tbps. Traffic is analyzed in a centralized data cleansing station, and malicious traffic is removed. The advantage of scrubbing centers is their ability to support multi-protocol data center defenses.

Cloud-based protection

Cloud-based protection, such as those offered by AWS, Azure Cloud, and Google Cloud Platform, is ideal for companies using the vendor’s other services, such as compute, database, storage, functions, and so on. DDoS protection is enabled natively, but as is the case with most cloud-based services, security is one of many services, and getting specialized security support often requires a service contract.

CDN-based DDoS protection

CDNs are similar to cloud providers in that services are distributed across many edge locations in the cloud. CDNs, however, often specialize in offering additional security services, support, and tools that improve responsiveness and accuracy. Coupled with a massive frontline network architecture, CDNs can provide automatic protection on highly configurable stacks that afford customers a great deal of visibility and control.

Stonefish design goals

Stonefish is a DDoS mitigation platform purpose-built to protect our delivery network. We developed our DDoS security stack using a mix of open source and custom software that runs on our commodity hardware, allowing us to provide a highly scalable and automated DDoS platform that enhances the ability of our frontline NOC to provide DDoS mitigation support. We designed Stonefish to deliver to the following minimum specifications:

  • Defend against a broad range of DDoS attacks, from volumetric to state exhaustion.
  • Protect against layer 3 and 4 attacks.
  • Leverage our existing commodity server hardware and network capacity.
  • Build a security stack that is software-centric with a control plane that acts as the brain.
  • Be cloud-based, automated, and intelligent.
  • Deploy a control plane that manages the DDoS rulesets and creates rules on the fly in an automatic response to attacks and enforces our policies globally.
  • Create a data engine that detects and filters out bad traffic within seconds.

Stonefish architecture

Taking a software-defined approach to Stonefish enables us to house our DDoS mitigation on our distributed server infrastructure, enabling every PoP in our global network to function as a scrubbing center that can detect and filter out bad traffic. Stonefish is built with a modular software architecture, which allows us to easily add functionality to the system against an ever-evolving threat landscape.

  1. The browser sends a request for content to an Internet-facing application.
  2. The router receives the request and sends it to our load balancing infrastructure.
  3. A sample of the traffic is sent from the load balancer to Stonefish.
  4. Stonefish analyzes and scores the traffic.
  5. If bad traffic is identified, it sends instructions to the load balancer to drop the traffic.
  6. The NOC is notified of an attack and will follow-up if further action is needed.

How our NOC and Stonefish work together

Stonefish is one of many tools our NOC uses to monitor our applications from a security and performance point of view. It is built into a dashboard that alerts staff of sophisticated attacks in real time. While Stonefish blocks DDoS attacks automatically, it is also configured to alert for anomalies, which engages our NOC specialists to investigate and take action.


As one of the largest global content delivery networks, that processes between 10–15% of all Internet traffic, we defend against and mitigate DDoS attacks against thousands of customer websites daily.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Formerly Verizon Media Platform, Edgecast enables companies to deliver high performance, secure digital experiences at scale worldwide.