Administration and reporting
Inspector administration is performed either through the secure HTTP
(HTTPS) Web interface or directly on the console through Secure Shell
(SSH). An embedded firewall, developed by Mazu on the same packet-
processing platform that Inspector uses for its DDoS analysis, limits
access to these management services. The administration tools provide
four main functions: configuration, attack detection, attack
characterization, and traffic analysis monitoring.
Configuration settings let you enable SNMP monitoring and set system
thresholds. With SNMP enabled, Inspector can raise an alert to your
network management system (which in turn can send e-mail or a page)
when a DDoS attack is identified.
When Inspector determines an attack is under way, it alerts the
administrator, either through SNMP or a message on the Web interface
overview page, and then enters attack characterization mode. Attack
characterization mode provides detailed information and analysis of the
possible DDoS attack. Initial information appears on the overview page
while the attack is in progress.
The attack incident report page provides detailed information on attack
histories and lets you drill down to specific packet details for each
Inspector lets you inspect your traffic from a high level down to
individual packet contents. You can view a graph of all traffic and
filter out certain traffic types, such as all User Datagram Protocol
(UDP) packets, or view traffic only from specific IP addresses and time
ranges. When under attack, this view lets you see the differences
between healthy traffic and attack traffic. The online reports are
excellent and detailed, but we would like to see printable reports that
summarize attacks for management, giving an overview of what occurred
along with supporting detail.
Inspector is an effective solution for identifying DDoS attacks in large
carrier-class networks. Starting at $100,000 for monitoring and attack
characterization alone, it is not a solution for the faint of heart.
Overall, TrafficMaster Inspector provides fast, efficient anomaly-based
monitoring, but it does not provide any filtering recommendations. To
do that, administrators must create their own filters based on the
attack characterization information provided by Inspector or purchase
Enforcer, which will implement filters in real time on a packet-by-
How we did it
We set up a Gigabit Ethernet attack network with two servers, each a
900-MHz Pentium III with 128M bytes of RAM, one acting as the attacker
and the other as the target server. TrafficMaster Inspector sat in the
middle of these two machines, monitoring and capturing all network traffic.
We launched a variety of distributed denial-of-service attacks using
tools and packet generators available from the Packetstorm Web site.
Attacks included ping floods, ACK attacks, random ICMP floods, random IP
floods and TCP reset floods. The ping flood sent a large number of
Internet Control Message Protocol (ICMP) echo-request packets. The ACK
attack sent a large number of TCP packets with the ACK flag set. The
random ICMP flood sent a large number of ICMP packets with various
header fields, such as IP address and time to live, randomized. The
random IP flood sent a large number of packets with randomized headers,
and the TCP reset flood sent a large number of TCP packets with the RST
flag set. In each attack, approximately 50,000 to 60,000 packets per
second were sent across the network.
We also used a traffic generator (Traffic Source, available at
http://sourceforge.net/projects/traffic) to produce several hundred
megabits per second of traffic, simulating a sudden increase in
legitimate load, to see whether Inspector flagged it as suspicious. This
traffic included HTTP, FTP, SMTP and general broadcast traffic.
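As an added example (not Mazu's code, and not a description of Inspector's internals), the following Python sketch shows the two measurements an anomaly-based detector needs in order to characterize the floods used in this test while staying quiet on the legitimate surge: it learns per-class packet rates and traffic shares from a healthy window, then flags any second in which a single class (bare ACKs, RSTs, ICMP echo) both runs far above its baseline rate and takes over the traffic mix, or in which the number of distinct source addresses jumps the way a randomized-source flood produces. Packet records, addresses, thresholds and the traffic generator are all constructed for the example, scaled down from the 50,000 to 60,000 packets per second used in the test.

```python
"""Toy anomaly-based flood detector and characterizer. Added example, not
Mazu's code, and no claim about how Inspector works internally: it learns a
baseline from healthy traffic, then flags a second in which one traffic class
takes over the mix (ping/ACK/RST floods) or distinct sources explode
(randomized-source floods), while a proportional legitimate surge passes.
Packets are constructed inline; thresholds and addresses are assumptions."""
import random
from collections import Counter, namedtuple

# A summarized packet: capture time, addresses, protocol, TCP flags or ICMP type.
Packet = namedtuple("Packet", "ts src dst proto flags")

RATE_FACTOR = 10.0   # a class must run at >= 10x its baseline packets/sec ...
SHARE_SHIFT = 0.30   # ... and gain >= 30 points of traffic share to be a flood
SRC_FACTOR = 20.0    # distinct sources/sec >= 20x baseline => spoofed sources
TARGET = "10.0.0.2"  # the server under test (assumed address)

def category(p):
    """Bucket a packet into the classes a single-type flood tends to dominate."""
    if p.proto == "icmp":
        return "icmp_echo" if p.flags == "echo-request" else "icmp_other"
    if p.proto != "tcp":
        return p.proto                      # "udp", or anything else as-is
    f = set(p.flags)
    if "R" in f:
        return "tcp_rst"
    if f == {"S"}:
        return "tcp_syn"
    return "tcp_ack_only" if f == {"A"} else "tcp_data"  # bare ACK = ACK-flood packet

def per_second(packets):
    """Group packets into one-second buckets keyed by int(ts)."""
    buckets = {}
    for p in packets:
        buckets.setdefault(int(p.ts), []).append(p)
    return buckets

def learn_baseline(packets):
    """Mean packets/sec and share per class, plus mean distinct sources/sec."""
    buckets = per_second(packets)
    n = len(buckets)
    rate, share, sources = Counter(), Counter(), 0.0
    for pkts in buckets.values():
        for cat, k in Counter(category(p) for p in pkts).items():
            rate[cat] += k / n
            share[cat] += k / len(pkts) / n
        sources += len({p.src for p in pkts}) / n
    return {"rate": rate, "share": share, "sources": sources}

def characterize(packets, base):
    """Return {second: verdict} for every second that looks like a flood."""
    findings = {}
    for sec, pkts in sorted(per_second(packets).items()):
        srcs = len({p.src for p in pkts})
        dominant = []
        for cat, k in Counter(category(p) for p in pkts).items():
            # a class never seen in the baseline is measured against 1 pkt/sec
            ratio = k / max(base["rate"][cat], 1.0)
            shift = k / len(pkts) - base["share"][cat]
            if ratio >= RATE_FACTOR and shift >= SHARE_SHIFT:
                dominant.append(cat)
        spoofed = srcs >= SRC_FACTOR * base["sources"]
        if dominant or spoofed:
            target = Counter(p.dst for p in pkts).most_common(1)[0][0]
            findings[sec] = {"pps": len(pkts), "classes": sorted(dominant),
                             "spoofed_sources": spoofed, "sources": srcs, "target": target}
    return findings

# Constructed traffic, scaled down from the 50,000-60,000 pps used in the review.
CLIENTS = ["192.168.1.%d" % i for i in range(1, 31)]
HEALTHY_MIX = [("tcp", "PA", 14), ("tcp", "A", 3), ("tcp", "S", 1),
               ("udp", "", 1), ("icmp", "echo-request", 1)]   # 20 packets per unit
FLOOD_KINDS = [("tcp", "PA"), ("tcp", "A"), ("tcp", "S"), ("tcp", "R"),
               ("udp", ""), ("icmp", "echo-request"), ("icmp", "ttl-exceeded")]

def background(rng, t0, seconds, scale=10):
    """Healthy client traffic: HEALTHY_MIX repeated `scale` times each second."""
    return [Packet(t0 + s + rng.random(), rng.choice(CLIENTS), TARGET, proto, flags)
            for s in range(seconds) for proto, flags, n in HEALTHY_MIX
            for _ in range(n * scale)]

def flood(rng, t0, seconds, pps, kind=None):
    """Flood from random source addresses; kind=None also randomizes the protocol."""
    pkts = []
    for s in range(seconds):
        for _ in range(pps):
            src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
            proto, flags = kind or rng.choice(FLOOD_KINDS)
            pkts.append(Packet(t0 + s + rng.random(), src, TARGET, proto, flags))
    return pkts

def run_scenarios(seed=1):
    """Baseline on 10 s of healthy traffic, then judge four 3-second scenarios."""
    rng = random.Random(seed)
    base = learn_baseline(background(rng, 0, 10))
    scenarios = {
        "ack_flood": background(rng, 100, 3) + flood(rng, 100, 3, 5000, ("tcp", "A")),
        "rst_flood": background(rng, 200, 3) + flood(rng, 200, 3, 5000, ("tcp", "R")),
        "random_ip_flood": background(rng, 300, 3) + flood(rng, 300, 3, 5000),
        "legit_surge": background(rng, 400, 3, scale=100),  # same mix, 10x the volume
    }
    return {name: characterize(pkts, base) for name, pkts in scenarios.items()}
```

Calling run_scenarios() returns per-second verdicts for an ACK flood and a TCP reset flood (each named by the class that took over the mix, with the spoofed-source signal also firing), for a random IP flood (which shows up only through its thousands of distinct sources, since no single class dominates), and for a proportional tenfold surge of the healthy mix, which raises no alert because the composition does not change. That composition check is why a volume-only threshold is not enough; on real captures a practitioner would also want baselines kept per destination and a sliding rather than fixed learning window.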