Tracking Network Floods

When it comes to working at a DC, attacks are a fact of life. Someone will ultimately get annoyed at a client and start throwing down with the botnet, their home system etc. These attacks can be hard to isolate at times because they can be on nearly any service, as well as using a wide variety of protocols. These attacks can do anything from making a server slow to respond to taking an entire data center out. When a system goes down due to an attack, there are a few things that must be known:

  • Who is DoSing or who is being DoSed (don’t assume your machine is the “victim” insidious PHP scripts are plentiful these days)
  • The magnitude of the attack
  • What protocol they are using

To find these out, you need proper network infrastructure set up. To this end I like Cacti on the switches for ease of usability in finding overall traffic, even though NFsen is nice for a quick check by IP however it can be flawed in picking up distributed or spoofed attacks in my experience. When attempting to isolate the problems one should have a “tiered” approach where they start checking at the most basic level which is a single server. If the attack is largerĀ  one should try to see if it’s a single rack/switch being attacked and seeing if it can back track to a single server being the target. At this point, there are a few options. Null routes are an option if all fails, even null routing the server’s IP so that other traffic doesn’t get affected can be done as a last resort. The option that you probably have the most control over is server side mitigation. This will be the topic of my next blog. See you then!