This presentation describes a real DDoS attack and how an IntruGuard appliance gives you visibility into the attack by analyzing it further.

1. Hemant Jain’s Visibility into a Real Distributed Denial of Service (DDoS) Attack

3. Overall View Over a Month These two graphs here depict the daily traffic over a month’s period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks. The purpose of the appliance is to maintain the normal traffic and only pass what’s legitimate. That’s what it is doing here by dropping the excess packets (shown as white ear under the maroon lines). What’s being allowed is the blue area.

4. View of another link This graph shows the second link on the same device. This link has larger and continuous attacks over the month’s period. As you can see the appliance maintains the normal behavior and drops excessive packets. This maroon line shows what’s incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that’s getting dropped.

5. Tabular Form Data For The Links Note: Port 2 and Aux 2 here are connected to the Internet and Port 1 and Aux 1 are connected to the LAN side. If the attack ingresses on Port 2 and Aux 2, what gets forwarded on Port 1 Egress and Aux 1 Egress is the filtered traffic. DDoS mitigation (1) = Port 2 Ingress – Port 1 Egress DDoS mitigation (2) = Aux 2 Ingress – Aux 1 Egress

6. Aggregate Drop Traffic This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that’s getting flitered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in subsequent graphs on subsequent pages.

7. Top Attacks and Top Attacker Reports IntruGuard appliances give you a visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month, 1 Year. These IPs are obfuscated.

8. Packets Dropped at Layer 3 This graph shows the dropped traffic due to certain Layer 3 reasons which are shown in the table below.

9. Packets Dropped at Layer 4 This graph shows the dropped traffic due to certain Layer 4 reasons which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period. And over 58 million packets dropped due to few specific IPs sending too many SYN packets/second.

10. Packets Dropped at Layer 7 This graph shows the dropped traffic due to certain Layer 7 reasons which are shown in the table below. IntruGuard appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excessses in any one of the dimensions.

11. Count of Unique Sources This graph gives you a visibility into count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

12. Number of Established TCP Connections This graph shows the number of established TCP connections. Since there is no obvious peak here, and the previous graph of count of unique sources had a large peak, it means the attackers were primarily spoofed IPs.

13. Concurrent Connections/Source This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a certain threshold based on past behavior.