Spotting a DDoS attack in your network

17 Aug 2017

‘Blizzard Entertainment Hit With Weekend DDoS Attack’, ‘World of Warcraft, Overwatch, Hearthstone and other games hit by DDoS’ and ‘Kids these days: the 16-year-old behind 1.7 million DDoS attacks’ are just three of the headlines about DDoS attacks in August; I didn’t open the other 19,000 results. I think it is fair to say that DDoS attacks are a very real threat: the tools are easily accessible or bought, and unfortunately potential victims are currently not prepared for an attack. A scary demonstration of freely available malware is the Mirai botnet, which can be linked directly to most of the recent 100Gbps attacks.

So, let’s start at the beginning. DDoS stands for Distributed Denial-of-Service: an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets forces the target system to slow down or even crash and shut down, thereby denying service to legitimate users or systems. DDoS attacks are actually one of the oldest types of ‘hack’, but crucially they constantly evolve, making them harder to defend against.

Who's in your network? (probably not this guy, it's a stock photo...or is it? It definitely is) 

DDoS attacks are often used as decoys to divert the attention of security teams away from other simultaneous attacks; a successful hack will use various methods to gain entry into your network. Even the largest enterprises today find it nearly impossible to build out sufficient infrastructure to scale in response to a large DDoS attack, which is why we see so many familiar names in the headlines.

In order to spot a DDoS attack in your network, you need to understand your typical network traffic and baseline behaviour, and have a clear plan of action in case you are hit. That plan should identify your most critical systems and the steps you will follow to protect them from being compromised. Watch your busiest periods closely, as this is when a DDoS attack is most likely to happen: an attacker will piggyback on existing traffic as well as their own to enhance the ferocity of the attack.

There are a variety of methods which allow security teams to gain insight into what’s going on in a network. One of the more popular approaches is flow monitoring, as virtually all routers support some form of flow technology, such as NetFlow, IPFIX or sFlow. However, not all flow technology is created equal. Do not be misled by ‘sampled flow’: sampling is exactly what it says it is, a sample. It will not give you the full view and scope of the data traversing your network; a flow analytics device has to be able to scale and evaluate the behaviour of a complete traffic stream to be sure something is wrong, and to avoid false positives.
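The baseline-and-deviation approach described above, as an added Python example that is not part of the original post or of Telesoft's products: it builds constructed NetFlow-style records (hypothetical client and server addresses from the documentation ranges, destination 10.0.0.5), learns a per-minute baseline for that destination from the preceding minutes, and flags the minute in which the flow count and the number of distinct sources jump while packets per flow collapse.

```python
from collections import defaultdict
from statistics import mean, pstdev

def make_flows():
    """Constructed NetFlow-style records (minute, src, dst, dport, packets, bytes).
    Minutes 0-10: steady HTTPS traffic to one server from 40 clients per minute.
    Minute 10 also carries 2000 one-packet flows from 254 distinct sources."""
    flows = []
    for minute in range(11):
        for i in range(40):
            src = f"192.0.2.{(minute * 7 + i) % 60 + 1}"   # hypothetical clients
            pkts = 10 + (i % 20)
            flows.append((minute, src, "10.0.0.5", 443, pkts, pkts * 600))
    for i in range(2000):                                  # the constructed flood
        flows.append((10, f"203.0.113.{i % 254 + 1}", "10.0.0.5", 443, 1, 60))
    return flows

def per_minute_features(flows):
    """Aggregate records into per-(minute, destination) counters."""
    buckets = defaultdict(list)
    for minute, src, dst, _dport, pkts, _byts in flows:
        buckets[(minute, dst)].append((src, pkts))
    feats = {}
    for key, rows in buckets.items():
        feats[key] = {
            "flows": len(rows),
            "unique_src": len({src for src, _ in rows}),
            "pkts_per_flow": sum(p for _, p in rows) / len(rows),
        }
    return feats

def detect_spikes(flows, dst, threshold=3.0, min_history=5):
    """Walk one destination's minutes in order and alert when the flow count or
    unique-source count exceeds the preceding minutes' baseline (mean + threshold
    * stdev, stdev floored at 1 so a flat baseline still has a margin).
    Alert = (minute, feature, value, baseline_mean, pkts_per_flow); a collapse
    in packets per flow alongside the spike is the flood signature."""
    feats = per_minute_features(flows)
    alerts, history = [], {"flows": [], "unique_src": []}
    for minute in sorted(m for m, d in feats if d == dst):
        f = feats[(minute, dst)]
        for name, hist in history.items():
            if len(hist) >= min_history:
                mu, sd = mean(hist), pstdev(hist)
                if f[name] > mu + threshold * max(sd, 1.0):
                    alerts.append((minute, name, f[name], round(mu, 1),
                                   round(f["pkts_per_flow"], 1)))
            hist.append(f[name])          # current minute joins the baseline
    return alerts
```

The unique-source and packets-per-flow features only mean something when the collector sees every flow; on sampled flow they are computed from a fraction of the records and lose the distinction between a flood and a burst of legitimate users.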

A new type of solution is required that sits alongside existing security solutions such as firewalls and IDSs and provides the advanced tools to help you understand the who, what, when and why of how you were breached. Such an approach demands a more granular inspection and analysis of attack traffic. The TDAC (Telesoft's Data Analytics Capability) is that solution, delivering an innovative new approach that subjects hyper-scale traffic to the most detailed scrutiny available today. Talk to Telesoft today to find out more about our hyper-scale data analytics.