FlowTraq: What DDoS attacks can be detected and how?

Solution Number: S35490
Last Modified: 2022-03-29
Issue
What DDoS attacks can be detected and how?
Solution
We detect SYN floods, RST floods, TCP null floods, and XMas attacks all through the same basic method: the flow records come in with TCP flag combinations set, and we watch for levels of those flag combinations (in terms of new sessions per second) that are above the thresholds set. Flow records don't give enough visibility to check payloads for further information, and anyway, it's easy enough to fake realistic payloads. In any case, the relevant patterns are clear in the flow records. For a SYN flood, for example, the sharp rise in the number of packets marked only SYN or SYN-ACK tends to be obvious.
On DDoS detection, we do not use baseline-based or statistical anomaly detection because we believe it results in large numbers of false positives. The reason for this is that while most DDoS attacks are statistical anomalies, most statistical anomalies are not DDoS attacks, particularly during low-traffic periods of time (weekends, middle of the night) during which it's hardest to deal with false positives. The reason for that is that when traffic levels are generally low, it's easy to exceed the average by several orders of magnitude (say, by leaving a large download for after-hours, or having someone in another country have a popular tweet link to your website). That traffic may be hundreds or thousands of times what's normal (and possibly a security concern) and still not rise to the level of a threat to the network.
As a best practice, we use flat thresholds derived from peak traffic levels and external information about link capacity to determine when an incoming attack rises to the level of a threat to the network.
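The flag-combination, flat-threshold method described above, as an added illustration (not FlowTraq code): flow records are represented as constructed tuples, the flag categories follow the article, and the per-category thresholds, the `headroom` factor and the sample traffic are assumptions chosen for the demo.

```python
from collections import Counter, defaultdict

# TCP flag bits as carried in a flow record's tcpControlBits field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify(flags):
    """Map a flow's cumulative TCP flag set to a flood category, or None."""
    if flags == 0:
        return "null"                      # TCP null flood: no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"                      # XMas: FIN+PSH+URG lit together
    if flags in (SYN, SYN | ACK):
        return "syn"                       # half-open: only SYN or SYN-ACK seen
    if flags in (RST, RST | ACK):
        return "rst"                       # bare resets with no handshake
    return None                            # completed/ordinary session


def flat_threshold(peak_new_sessions_per_sec, headroom=3.0):
    """Flat threshold from an observed peak rate (assumed headroom factor)."""
    return peak_new_sessions_per_sec * headroom


def detect(flows, thresholds):
    """flows: iterable of (ts_seconds, src, dst, flags).
    Returns [(second, category, new_sessions)] where the per-second count
    of flows in a flood category exceeds the flat threshold for it."""
    per_second = defaultdict(Counter)
    for ts, _src, _dst, flags in flows:
        cat = classify(flags)
        if cat:
            per_second[int(ts)][cat] += 1
    return [(sec, cat, n)
            for sec in sorted(per_second)
            for cat, n in sorted(per_second[sec].items())
            if n > thresholds.get(cat, float("inf"))]


# Constructed sample: 60 ordinary completed sessions, then 150 SYN-only
# flows against one host in second 1001 (a synthetic SYN flood).
SAMPLE_FLOWS = (
    [(1000 + i % 3, f"10.0.0.{i % 20}", "192.0.2.10", SYN | ACK | PSH | FIN)
     for i in range(60)]
    + [(1001, f"198.51.100.{i % 250}", "192.0.2.10", SYN) for i in range(150)]
)
THRESHOLDS = {"syn": flat_threshold(40), "rst": 100, "null": 20, "xmas": 20}

if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS, THRESHOLDS))   # [(1001, 'syn', 150)]
```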