Anatomy of an OTT Traffic Surge: Microsoft Patch Tuesday
Summary
Last Tuesday, August 13, was the second Tuesday of the month, and anyone running a network or working in IT knows what that means: another Microsoft Patch Tuesday. Doug Madory looks at how the resulting traffic surge can be analyzed using Kentik’s OTT Service Tracking.
Last Tuesday, August 13, was the second Tuesday of the month, and according to my friend, security researcher Brian Krebs, Tuesday’s set of patches included, “updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.” (emphasis in original)
Patch Tuesday is also a traffic surge that can be analyzed using Kentik’s OTT Service Tracking.
OTT Service Tracking
Kentik’s OTT Service Tracking (part of Kentik Service Provider Analytics) combines DNS queries with NetFlow to allow a user to understand exactly how OTT services are being delivered — an invaluable capability when trying to determine what is responsible for the latest traffic surge. Whether it is a Call of Duty update or the first-ever exclusively live-streamed NFL playoff game, these OTT traffic events can put a lot of load on a network, and understanding them is necessary to keep a network operating at an optimal level.
The capability is more than simple NetFlow analysis. Knowing the source and destination IPs of the NetFlow of a traffic surge isn’t enough to decompose a networking incident into the specific OTT services, ports, and CDNs involved. DNS query data is necessary to associate NetFlow traffic statistics with specific OTT services in order to answer questions such as, “What specific OTT service is causing my peering link with a certain CDN to become saturated?”
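The point above, as an added example that is not Kentik's code or algorithm: a minimal sketch of joining DNS answers to flow records so that bytes from one shared CDN address can be split by service. The record layouts, hostnames, suffix tables and the 300-second validity window are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (documentation IP ranges, hypothetical hostnames).
# DNS answers: (timestamp, subscriber_ip, queried_name, final_cname, answer_ip)
DNS_LOG = [
    (100, "198.51.100.10", "updates.example-os.test", "cdn-a.example.net", "203.0.113.5"),
    (105, "198.51.100.11", "video.example-stream.test", "cdn-a.example.net", "203.0.113.5"),
    (110, "198.51.100.12", "updates.example-os.test", "cdn-b.example.org", "192.0.2.77"),
]
# Inbound flows: (timestamp, src_ip, dst_ip, bytes), src is the content server.
FLOWS = [
    (120, "203.0.113.5", "198.51.100.10", 900_000),
    (125, "203.0.113.5", "198.51.100.11", 400_000),  # same server IP, other service
    (130, "192.0.2.77", "198.51.100.12", 300_000),
    (140, "203.0.113.5", "198.51.100.13", 50_000),   # no DNS lookup observed
]
SERVICE_BY_SUFFIX = {"example-os.test": "OS Update", "example-stream.test": "Video"}
CDN_BY_SUFFIX = {"example.net": "CDN-A", "example.org": "CDN-B"}

def classify(name, table):
    """Map a hostname to a label by DNS suffix; 'unknown' if nothing matches."""
    for suffix, label in table.items():
        if name == suffix or name.endswith("." + suffix):
            return label
    return "unknown"

def attribute(flows, dns_log, ttl=300):
    """Return {(service, cdn): bytes}, joining on (subscriber, server IP) and time."""
    index = defaultdict(list)
    for q_ts, sub, qname, cname, ip in dns_log:
        index[(sub, ip)].append((q_ts, qname, cname))
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        match = None
        for q_ts, qname, cname in sorted(index.get((dst, src), [])):
            if q_ts <= ts <= q_ts + ttl:
                match = (qname, cname)  # most recent valid lookup wins
        if match:
            key = (classify(match[0], SERVICE_BY_SUFFIX),
                   classify(match[1], CDN_BY_SUFFIX))
        else:
            key = ("unattributed", "unknown")  # flow data alone cannot name the service
        totals[key] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for key, total in sorted(attribute(FLOWS, DNS_LOG).items()):
        print(key, total)
```

The flows from 203.0.113.5 carry two different services; only the per-subscriber DNS lookup separates them, and traffic with no matching lookup stays unattributed rather than being guessed.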
Kentik True Origin is the engine that powers the OTT Service Tracking workflow. True Origin detects and analyzes the DNA of over 540 categorized OTT services and providers and more than 50 CDNs in real time, all without the need to deploy DPI (deep packet inspection) appliances behind every port at the edge of the network.
Microsoft Patch Tuesday
Again, according to Krebs:
This month’s bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities — meaning they are primarily useful for attackers when combined with other flaws or access.
Kentik customers using OTT Service Tracking observed the following statistics, illustrated below. Microsoft Update traffic experienced a peak that was almost 4.5 times that of the previous day. The update traffic was delivered via a variety of content providers including Fastly (47.5%), Akamai (22.8%), Edgio/Limelight (15.1%) and Qwilt (13.7%).
When broken down by Connectivity Type (below), Kentik customers received Microsoft’s latest round of patches and updates from a variety of sources including Private Peering (58.5%, both free and paid), Transit (31.1%), IXP (7.0%) and Embedded Cache (3.5%).
In addition to source CDN and connectivity type, users of Kentik’s OTT Service Tracking are also able to break down traffic volumes by subscribers, specific router interfaces and customer locations.
How does OTT Service Tracking help?
Previously, my colleague Greg Villain described enhancements to our OTT Service Tracking workflow which allow providers to plan and execute what matters to their subscribers, including:
- Maintaining competitive costs
- Anticipating and fixing subscriber OTT service performance issues
- Delivering sufficient inbound capacity to ensure resilience
Major traffic events like Microsoft’s Patch Tuesday can have impacts in all three areas. OTT Service Tracking is the key to understanding and responding when they occur. Learn more about the application of Kentik for subscriber intelligence.