Get a Positive ID on DDoS Attackers, Part 2

Administration and reporting

Inspector administration is performed either through the secure HTTP Web interface or directly on the console through Secure Shell. An embedded firewall developed by Mazu, based on the same packet-processing platform used for the Inspector DDoS analysis on the device, limits access to these secure protocols. These administration tools provide four main functions: configuration, attack detection, attack characterization, and traffic analysis monitoring.

Configuration settings allow you to enable SNMP monitoring and set system thresholds. With SNMP enabled, an alert can be sent via your network management system (which can then send e-mails or a page) when a DDoS attack is identified.

When Inspector determines an attack is under way, it alerts the administrator, either through SNMP or a message on the Web interface overview page. Then it enters attack characterization mode, which provides detailed information and analysis of a possible DDoS attack. Initial information is seen on the overview page during the attack.

The attack incident report page provides detailed information on attack histories and lets you drill down to specific packet details for each suspected attack.

Inspector lets you inspect your traffic from a high level down to individual packet contents. You can view a graph of all traffic and eliminate certain traffic types, such as all User Datagram Protocol (UDP) packets. You can also view traffic from specific IP addresses and time ranges. When under attack, this view lets you see the differences between healthy traffic and attack traffic. The online reports are excellent and provide detailed information, but we would like to see some printable reports to present to management to summarize attacks, give an overview of what occurred and show other detail.

Conclusion

Inspector is an effective solution for identifying DDoS attacks in large carrier-class networks. Starting at $100,000 for monitoring and attack characterization alone, it is not a solution for the faint of heart.

Overall, TrafficMaster Inspector provides fast, efficient anomaly-based monitoring, but it does not provide any filtering recommendations. To do that, administrators must create their own filters based on the attack characterization information provided by Inspector, or purchase Enforcer, which implements filters in real time on a packet-by-packet basis.

How we did it

We set up a Gigabit Ethernet attack network with two servers, each a 900-MHz Pentium III with 128MB of RAM, one acting as the attacker and the other as the server. TrafficMaster Inspector sat in the middle of these two machines, monitoring and capturing all network traffic.

We launched a variety of distributed denial-of-service attacks using various tools and packet generators available at the Packetstorm Web site. Attacks included ping floods, ACK attacks, random ICMP floods, random IP floods, and TCP reset floods. The ping flood attack sent a large number of Internet Control Message Protocol (ICMP) packets. The ACK attack sent a large number of TCP packets with the ACK flag set. The random ICMP floods sent a large number of ICMP packets with various fields, such as IP address and time to live, randomized. The random IP floods sent a large number of randomized packets, and the TCP reset floods sent a large number of TCP packets with the reset flag set. With each attack, approximately 50,000 to 60,000 packets per second were sent across the network.

We also used a traffic generator (Traffic Source, available at http://sourceforge.net/projects/traffic) to generate several hundred megabits of traffic, simulating a sudden increase in legitimate traffic, to see whether Inspector flagged it as suspicious. This traffic included HTTP, FTP, SMTP and general broadcast traffic.
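The detection side of this test, as an added illustration that is not Mazu's code: a toy threshold-based characterizer that buckets packets per second into the flood classes used above (ICMP, TCP ACK, TCP reset), flags a class that exceeds a packets-per-second threshold, and uses the share of distinct source addresses to note when a flood looks randomized. The `Pkt` record, the fixed threshold and the sample traffic are constructed for the example; a real anomaly detector baselines against normal traffic rather than using a fixed number.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture timestamp in seconds (constructed field layout)
    proto: str   # "ICMP", "TCP" or "UDP"
    flags: str   # TCP flags as letters: "A" ack-only, "R" reset, "PA" data; "" otherwise
    src: str     # source IP address


def classify(p: Pkt) -> str:
    """Map a packet to one of the flood classes exercised in the review."""
    if p.proto == "ICMP":
        return "icmp-flood"
    if p.proto == "TCP" and p.flags == "R":
        return "tcp-rst-flood"
    if p.proto == "TCP" and p.flags == "A":
        return "tcp-ack-flood"
    return "other"   # ordinary data traffic (HTTP/FTP/SMTP payloads, UDP, ...)


def characterize(pkts, pps_threshold=500, spoof_ratio=0.5):
    """Return (second, class, pps, spoof_suspected) for every per-second bucket
    whose packet count reaches pps_threshold. spoof_suspected is True when at
    least spoof_ratio of the packets carry a distinct source address, the
    signature of the randomized-source floods described above."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[(int(p.ts), classify(p))].append(p.src)
    alerts = []
    for (sec, cls), srcs in sorted(buckets.items()):
        if cls == "other" or len(srcs) < pps_threshold:
            continue
        spoof = len(set(srcs)) / len(srcs) >= spoof_ratio
        alerts.append((sec, cls, len(srcs), spoof))
    return alerts


def build_sample():
    """Constructed traffic, not a real capture: second 0 is a TCP reset flood from
    randomized sources; second 1 is a burst of legitimate TCP data and UDP from
    four hosts that must not raise an alert despite its volume."""
    pkts = [Pkt(i / 600, "TCP", "R", f"10.{i // 250}.{i % 250}.7") for i in range(600)]
    for i in range(600):
        proto, flags = ("TCP", "PA") if i % 3 else ("UDP", "")
        pkts.append(Pkt(1.0 + i / 600, proto, flags, f"192.0.2.{i % 4 + 1}"))
    return pkts


def run_demo():
    return characterize(build_sample())


if __name__ == "__main__":
    for sec, cls, pps, spoof in run_demo():
        print(f"t={sec}s {cls} {pps} pps randomized-sources={spoof}")
```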
