DDoS Attack Detection Using NetFlow Analyzer

A distributed denial of service (DDoS) attack is a flood of illegitimate traffic sent to a network resource from one IP address or a group of IP addresses, rendering that resource unavailable. A DDoS attack is a serious security threat to all types of networks, from the simplest enterprise network to the most complex corporate network. Fortunately, NetFlow Analyzer can help you detect DDoS attacks and mitigate the harm they might otherwise cause.

Understanding DDoS

Flooding DDoS attacks take advantage of the TCP three-way handshake that is carried out for every connection established using the TCP protocol. Not surprisingly, attackers have found a number of ways to abuse the three-way handshake.

In a DDoS attack (aka flooding), the attackers disturb the sequence of the three-way handshake either by not responding to the SYN-ACK from the server or by continuously sending SYN packets from a non-existent (spoofed) IP address.

In the three-way handshake, the responding server maintains a queue of half-open connections for which it has sent a SYN-ACK. During the attack, the client never responds to the SYN-ACK sent by the server, so the server keeps a queue entry for every SYN packet received from the spoofed IP addresses. Eventually the queue overflows and the server becomes unavailable.

There are various types of DoS attacks, such as Network Time Protocol (NTP) DDoS attacks, ICMP floods, teardrop, peer-to-peer, slow read, and reflected/spoofed attacks.

Last month, an attack that abused insecure NTP (Network Time Protocol) servers was reported to be the largest DDoS attack ever, with an attack size of approximately 400 Gbps. The attackers used a technique called NTP reflection: they spoofed the source IP address of the victim and periodically sent request packets to NTP servers for time sync. As a result, a large set of responses was sent by the NTP servers to the spoofed (victim) address, causing temporary congestion on the network and reducing resource availability.
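Both patterns described above leave a recognisable signature in flow records: a SYN flood shows up as many tiny SYN-only flows from many sources to one destination, and NTP reflection as large UDP flows with source port 123 converging from many servers on one host. The detector below is an added example written for this post, not NetFlow Analyzer's own logic; the flow records and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# One flow record with the fields a NetFlow v5 export carries (constructed
# sample model, not NetFlow Analyzer's own data model).
@dataclass
class Flow:
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    nbytes: int
    tcp_flags: int   # OR of TCP flags seen on the flow; SYN = 0x02, ACK = 0x10

SYN, ACK = 0x02, 0x10

def syn_flood_suspects(flows, min_sources=50, max_packets=2):
    """Destinations receiving tiny SYN-only flows from many distinct sources:
    the half-open pattern of a SYN flood. Returns {dst: distinct_source_count}."""
    sources = defaultdict(set)
    for f in flows:
        syn_only = f.proto == 6 and f.tcp_flags & SYN and not f.tcp_flags & ACK
        if syn_only and f.packets <= max_packets:
            sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

def ntp_reflection_suspects(flows, min_bytes=1_000_000, min_servers=10):
    """Destinations flooded by large UDP/123 responses from many NTP servers:
    the reflection pattern. Returns {dst: (server_count, total_bytes)}."""
    stats = defaultdict(lambda: [set(), 0])
    for f in flows:
        big_reply = f.proto == 17 and f.sport == 123 and f.nbytes / max(f.packets, 1) > 400
        if big_reply:
            stats[f.dst][0].add(f.src)
            stats[f.dst][1] += f.nbytes
    return {dst: (len(s), b) for dst, (s, b) in stats.items()
            if len(s) >= min_servers and b >= min_bytes}

def sample_flows():
    """Constructed flows: a SYN flood from 200 spoofed sources at 10.0.0.5:80,
    NTP replies from 30 servers to 10.0.0.9, plus two legitimate flows."""
    flows = [Flow(f"198.51.100.{i}", "10.0.0.5", 6, 40000 + i, 80, 1, 60, SYN)
             for i in range(200)]
    flows += [Flow(f"203.0.113.{i}", "10.0.0.9", 17, 123, 50000 + i, 500, 234000, 0)
              for i in range(30)]
    flows.append(Flow("192.0.2.10", "10.0.0.5", 6, 51000, 80, 40, 12000, SYN | ACK))
    flows.append(Flow("192.0.2.11", "10.0.0.7", 17, 123, 123, 1, 76, 0))
    return flows
```

The thresholds are placeholders; in practice they are tuned per network from a traffic baseline, which is what an alerting profile in a flow collector captures.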

Mitigating DDoS Attacks with NetFlow Analyzer: One Customer’s Approach

One of our esteemed customers is James Braunegg from Micron21. James has done a lot of research on DDoS attacks and has written and published many blog posts on his website detailing his findings, including how to identify and mitigate a DDoS attack. And, for the record, James uses ManageEngine NetFlow Analyzer to identify and mitigate anomalies on his data center network and keep it running efficiently with high availability.

To give you an appreciation of James' expertise, he holds a postgraduate master's degree (MBMS) from Monash University and joined Micron21 in 2004 to establish the company's technical operations. James' background includes running a highly successful IT hardware company for the past 20 years, along with supporting corporate networks and end-user custom software solutions focused on individual customer support. His main focus at Micron21 is the management of the data center and its supporting infrastructure.

How James Identifies DDoS Attacks

In one recent episode, James used NetFlow Analyzer to analyze the abnormal spikes in his data center traffic (see image below). By using NetFlow Analyzer’s alerting mechanism, he was able to identify the abnormalities and mitigate the DDoS attack easily.

Being a data center management specialist, James' job is to ensure high availability for Micron21 clients. Using NetFlow Analyzer, he was able to identify an NTP DDoS attack on another client. James has written up how NetFlow Analyzer helped him identify this anomaly, and his most recent post covers NTP DDoS attacks. He has also documented his experience with NetFlow Analyzer, security analytics, and anomaly detection in a case study.

"Winding back the clock by say 4 or 5 years, I remember trying lots of software and evaluating lots of options with one goal in mind: find attack traffic and quickly identify the source and destination along with the protocol in near real time, enabling us to lower the time it took to deal with threats; relying on SNMP data for this purpose was useless," said James. "In the end we chose ManageEngine NetFlow Analyzer, which provided a fantastic starting point for us in providing real-time visibility. While now we use NSFOCUS hardware mainly for DDoS detection and mitigation, we still to this day use ManageEngine NetFlow Analyzer within our NOC."

James closes with a recommendation and an invitation for you: "I still today highly recommend ManageEngine NetFlow Analyzer; if you need any more information please contact me!"

Reference:

http://www.computerworld.com/s/article/9246230/Attackers_use_NTP_reflection_in_huge_DDoS_attack

Praveen Kumar

NetFlow Analyzer Technical Team


The original article/video can be found at DDoS Attack Detection Using NetFlow Analyzer
