DDoS attacks come in many shapes and sizes, making mitigation difficult and complex. The general gist is to overwhelm the infrastructure of the target — whether routers, bandwidth, DNS or application servers. Importantly, DDoS attacks can target both application and network layers.

The most common categories of DDoS attacks are:

Volumetric: Flooding the bandwidth and routers of an enterprise’s network. Examples include UDP floods, ICMP floods, DNS reflection, and NTP reflection attacks.

Flooding the bandwidth and routers of an enterprise’s network. Examples include UDP floods, ICMP floods, DNS reflection, and NTP reflection attacks. IP Fragmentation: Overwhelming network infrastructure by consuming and overloading memory as a server recombines non-initial packet fragments. Examples include TCP, UDP, and ICMP fragment attacks.

Overwhelming network infrastructure by consuming and overloading memory as a server recombines non-initial packet fragments. Examples include TCP, UDP, and ICMP fragment attacks. TCP Connection: Overwhelming a load balancer or application server by spawning lots of connections and holding them open, preventing legitimate traffic from creating connections. Examples include SYN flood attacks.

Overwhelming a load balancer or application server by spawning lots of connections and holding them open, preventing legitimate traffic from creating connections. Examples include SYN flood attacks. Application: Attacks to target and overwhelm connections to the application server with malformed requests and slow responses. Examples include HTTP GET and POST attacks.

Three Approaches to DDoS Mitigation

In order to thwart these varied and often concurrently used types of attacks, organizations use a combination of three mitigation strategies:

On-Premises: A variety of tactics can be employed, such as source or destination filtering using ACLs, remote-triggered black holes and intrusion prevention systems in order to reduce the volume of traffic continuing through the network. These may be implemented using a dedicated appliance or through load balancers placed at the network edge.

A variety of tactics can be employed, such as source or destination filtering using ACLs, remote-triggered black holes and intrusion prevention systems in order to reduce the volume of traffic continuing through the network. These may be implemented using a dedicated appliance or through load balancers placed at the network edge. ISP Collaboration: Using similar tactics as an on-premises appliance, enterprises work with their ISPs to filter or black hole traffic before it even reaches their network.

Using similar tactics as an on-premises appliance, enterprises work with their ISPs to filter or black hole traffic before it even reaches their network. Cloud-based Mitigation: During an attack, an enterprise will reroute traffic using DNS or BGP to a third party mitigation vendor who will use scrubbing centers to filter the traffic. The mitigation vendor will then pass along legitimate traffic to the enterprise network.

DDoS attacks typically manifest themselves to users as an unavailable service due to congested bandwidth, overloaded routers and overloaded application servers. With ThousandEyes it becomes clear where in the network this congestion is happening during the course of an attack, and which infrastructure is being overwhelmed.

Network Topology of an Attack on a Global Bank

Let’s look at an example of a real, volumetric DDoS attack against a U.S. bank, a type of attack that happens frequently. Prior to the attack, at approximately 3pm Eastern, the application availability looks fine as measured by ThousandEyes endpoints around the globe (Figure 1).

Figure 1: Before the attack, all agents showing zero errors and full availability

As the attack begins around 3:30pm, nearly half the endpoints around the world report connection failures to the banking site (Figure 2).

Figure 2: Agents begin turning red, signifying connection failures

The application availability of less than 50% is due to network congestion (and potentially some filtering) that is causing widespread packet loss from nearly all of the endpoints (Figure 3). Due to the levels of packet loss, most of these endpoints simply cannot access the banking service.

Figure 3: ThousandEyes agents now showing packet loss to all global endpoints

Monitoring Mitigation Techniques During an Attack

At this point the bank’s DDoS mitigation measures kick into gear. As the attack is underway the bank uses a cloud-based mitigation service to redirect and filter, or ‘scrub’, the traffic so that it will no longer overwhelm their network. Despite the cloud-based mitigation, there is still significant packet loss during the attack both within the mitigation provider and the bank’s own network. In Figure 4, we can see that at this point during the attack there are three scrubbing centers filtering North American, Asian and European traffic before it gets to the bank’s network. However, one of the three scrubbing centers (Scrubbing Center 1) appears to be struggling with the traffic volume, or is excessively filtering traffic.

Figure 4: Path visualization during DDoS mitigation. Nodes in the DDoS mitigation vendor’s network are highlighted in yellow. See three points indicating scrubbing centers.

Despite the use of a cloud-based DDoS mitigation, and potentially other mitigation strategies, application availability does not stabilize for nearly 12 hours. Monitoring the efficacy, and fine tuning strategies of DDoS mitigation throughout an attack is crucial to ensure that application and website users have minimal impact. In this situation, having insight into the performance of external providers such as ISPs and mitigation vendors can be invaluable in keeping service levels high.

Find out more about using monitoring and analyzing DDoS attacks using ThousandEyes with a downloadable PDF, ThousandEyes for DDoS Attack Analysis. Read on to Part 2 where we will discuss monitoring BGP routing changes during a DDoS attack.