Calm down, very calm! You are neither the first nor the last to suffer a DDoS attack. At first it feels hopeless, but there are techniques that help you tackle this major problem in your network.

Let’s go. I have split what to do into a few parts.

  • Identify if it is really an attack and who is attacking

False positives are common: you think it is an attack, but it is really unusual legitimate traffic. A typical case is an update of Windows, Apple iOS or Android, when many devices update at the same time; the traffic spike looks like an attack, but it is real, merely abnormal, traffic.

If your case is not a false positive and you confirm that it really is a DDoS attack, the next step is to identify which interfaces the attack is arriving on and where it is directed: to which customer or which piece of equipment.

But how do you do this? There are several ways to find this traffic, among them:

  • If it is a MikroTik router you can use the Torch tool (Tools -> Torch) and check which IP is receiving an abnormal amount of traffic
  • If you are using a Linux or FreeBSD server/router you can use tcpdump on the uplink interface and check which IPs have abnormal communication
  • On Cisco, Juniper, Huawei or Nokia routers you will need a NetFlow analyzer, such as Made4Flow, to evaluate which IPs have abnormal communication
  • If you cannot use flow export (NetStream, J-Flow, NetFlow v5/v9, IPFIX or Traffic Flow on RouterOS), you can configure a port mirror and send a copy of your router’s port traffic to a server or host that can analyze it

But in the midst of so much traffic, how do you recognize something abnormal? DDoS attacks usually rely on amplification, as mentioned in our article on what DDoS is; NTP (UDP port 123) and SSDP (UDP port 1900) are typical examples, and the attack packets arrive with that port as their UDP source port, because they are the reflectors’ answers. When you see increased traffic (usually many packets and a lot of bandwidth from many different sources) to a specific IP, you can move on to the next step.
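The identification step above, as an added example that is not code from the original article or from Made4Flow: a small Python script that aggregates flow records per destination and per source over one export window. The flow records are constructed by hand (an NTP reflection attack against one host plus a CDN node pushing an OS update to many clients), and the Flow field layout is an assumption; real NetFlow/IPFIX or tcpdump output has to be parsed into it first. It makes the point the text makes: the attack shows up as one destination receiving a high packet rate from hundreds of sources with UDP source port 123, while the update look-alike is one sender fanning out to many clients and must not be blackholed.

```python
"""Pick DDoS victims out of flow records and tell them apart from the
"everyone is downloading an update" false positive.

Added example for this article; not code from the original page or from
Made4Flow. The flow records are constructed by hand and the Flow field
layout is an assumption: real NetFlow/IPFIX/sFlow or tcpdump output must
be parsed into Flow objects first.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 60  # the sample records represent one 60-second export window

# Reflected amplification traffic arrives with the reflector's *service*
# port as the UDP source port. The article cites NTP and SSDP; the others
# are equally well-known amplification vectors.
AMPLIFICATION_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 389: "CLDAP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int


@dataclass
class Finding:
    addr: str
    verdict: str  # "ddos": addr is the victim; "bulk-source": addr is one busy sender
    pps: float
    mbps: float
    peers: int    # distinct sources hitting a victim / distinct clients of a bulk sender
    vector: str


def build_sample_flows():
    """Constructed sample: an NTP reflection attack plus a CDN pushing an update."""
    flows = []
    # 400 reflectors (two TEST-NET ranges) answer toward one victim with
    # UDP source port 123 and ~468-byte responses.
    for i in range(400):
        src = f"198.51.100.{i + 1}" if i < 250 else f"203.0.113.{i - 249}"
        flows.append(Flow(src, "192.0.2.10", "udp", 123, 40000 + i, 6000, 6000 * 468))
    # One CDN node delivers an OS update to 60 clients over TCP 443: more
    # bandwidth than the attack, but a single source fanning out to many clients.
    for i in range(60):
        flows.append(Flow("203.0.113.250", f"192.0.2.{100 + i}", "tcp", 443, 50000 + i, 20000, 20000 * 1400))
    # Ordinary background traffic to another host.
    flows.append(Flow("192.0.2.50", "192.0.2.20", "tcp", 52000, 443, 40, 40 * 120))
    flows.append(Flow("192.0.2.51", "192.0.2.20", "udp", 53000, 53, 5, 5 * 80))
    return flows


def analyse(flows, window_s=WINDOW_S, min_pps=10_000, min_sources=100, min_fanout=20):
    """Aggregate per destination and per source; thresholds are illustrative."""
    by_dst = defaultdict(lambda: {"pkts": 0, "octets": 0, "peers": set(), "ports": defaultdict(int)})
    by_src = defaultdict(lambda: {"pkts": 0, "octets": 0, "peers": set()})
    for f in flows:
        d = by_dst[f.dst]
        d["pkts"] += f.packets
        d["octets"] += f.octets
        d["peers"].add(f.src)
        d["ports"][(f.proto, f.sport)] += f.packets
        s = by_src[f.src]
        s["pkts"] += f.packets
        s["octets"] += f.octets
        s["peers"].add(f.dst)

    findings = []
    # A victim: high packet rate arriving from *many* distinct sources.
    for dst, d in by_dst.items():
        pps = d["pkts"] / window_s
        if pps >= min_pps and len(d["peers"]) >= min_sources:
            (proto, sport), _ = max(d["ports"].items(), key=lambda kv: kv[1])
            if proto == "udp" and sport in AMPLIFICATION_PORTS:
                vector = f"{AMPLIFICATION_PORTS[sport]} amplification (udp/{sport})"
            else:
                vector = f"direct flood ({proto}/{sport})"
            findings.append(Finding(dst, "ddos", pps, d["octets"] * 8 / window_s / 1e6, len(d["peers"]), vector))
    # The update look-alike: one sender, high rate, fanning out to many clients.
    for src, s in by_src.items():
        pps = s["pkts"] / window_s
        if pps >= min_pps and len(s["peers"]) >= min_fanout:
            findings.append(Finding(src, "bulk-source", pps, s["octets"] * 8 / window_s / 1e6,
                                    len(s["peers"]), "one sender, many clients: verify before acting"))
    return sorted(findings, key=lambda x: x.pps, reverse=True)


if __name__ == "__main__":
    for f in analyse(build_sample_flows()):
        print(f"{f.verdict:12} {f.addr:16} {f.pps:9.0f} pps {f.mbps:8.1f} Mbps peers={f.peers:4}  {f.vector}")
```

The thresholds (10,000 pps, 100 distinct sources, a fan-out of 20) are placeholders; tune them against your own baseline. Keep both tables: the per-destination view finds the victim, and the per-source view is what stops you from blackholing a customer who is only downloading an update.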

  • Use the Blackhole – RTBH

The Blackhole, or RTBH (Remote Triggered Blackhole), is a technique where we literally send an IP to the “black hole”: the IP stops working both in your network and on the Internet, which cuts the attack off. Through a BGP announcement, normally a /32 (or /128 for IPv6) tagged with a blackhole community, such as the well-known 65535:666 or the community your carrier specifies, the IP is discarded on your own routers and the announcement is passed to your carriers, telling them that this IP should not receive traffic.

Blackhole solves the problem in attacks directed at one or a few IPs, but if the attack is directed at many IPs Blackhole is not effective: every blackholed host is a separate /32 announcement, carriers limit the number of prefixes they accept on the BGP session, and you would be taking all of those hosts offline yourself.

If you want to know more about Blackhole check out our article!

Pros:

  • Easily configured
  • Broad support (practically every BGP-capable router and carrier supports it)
  • Attack is stopped quickly

Cons:

  • The IP will stop working completely; you finish the denial of service yourself

  • If the attack is directed at multiple IPs it can become a bigger problem

The Blackhole works, but only up to a point: in larger attacks, or when the attacker is persistent and changes targets, hitting several IPs in succession, it will not meet your needs.

  • Use a Mitigation Link or Scrubbing Center

When the attacks change and start hitting multiple IPs, the Blackhole technique no longer meets the demand. To keep operating, someone has to separate the attack traffic from the legitimate traffic, and for this there are companies that sell mitigation links, known as Scrubbing Centers or Anti-DDoS services.

With this type of link you steer your inbound traffic to them through BGP, and they use their servers, routers, appliances and techniques to strip the attack traffic out of the real traffic, delivering only the clean traffic back to you over the mitigation link.

If you want to know more about mitigation links, check out our article on them, where we show in more detail how it works.

Pros:

  • The attacked IP(s) are still working
  • Absorbing the attack becomes the provider’s problem, not yours

Cons:

  • Cost of this link
  • Increased latency
  • More complex configuration, as it requires BGP traffic engineering while an attack is under way

  • Automate everything

DDoS attacks happen when you least expect them, so building your protection around automation is essential; a manual response costs minutes you do not have.

For this, Made4Flow has an Anti-DDoS module that can act automatically, sending an IP to blackhole or diverting it to mitigation when it detects a DDoS attack.

With it you receive alerts by e-mail and have the peace of mind that the tool is working for you, taking automated actions to protect your network.
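Covering both the Blackhole section and the automation section above, as an added example (not code from the original article, from Made4Flow, or from any router vendor): a Python module that validates a victim address against your own allocations, builds the RTBH announcement in ExaBGP’s API syntax (“announce route … next-hop … community […]”), and decides between RTBH and diversion to scrubbing based on how many hosts are under attack and how many /32 blackholes are already active. The prefixes, the discard next-hop 192.0.2.1, the /32 budget and the host threshold are assumptions; 65535:666 is the well-known BLACKHOLE community from RFC 7999, and your carrier may require its own community instead of or in addition to it. How the covering prefix is actually steered to the scrubbing provider is provider-specific, so the scrub branch only names the prefixes to divert.

```python
"""RTBH announcements and the blackhole-vs-scrubbing decision.

Added example for this article; not code from the original page, from
Made4Flow or from any router vendor. Announcement strings follow the
ExaBGP API syntax; the prefixes, next-hop, communities and limits below
are assumptions to be replaced with your own values.
"""
import ipaddress

# Assumed: the address space this network is allowed to blackhole.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# RFC 7999 well-known BLACKHOLE community; add your carrier's own community if it uses one (assumption).
BLACKHOLE_COMMUNITIES = ["65535:666"]
# Assumed: an address your edge routers route to discard/Null0.
NEXT_HOP = "192.0.2.1"
# Assumed headroom under the carrier's max-prefix limit on the session.
MAX_RTBH_ROUTES = 50
# Above this many victims a per-host blackhole stops making sense (assumption).
RTBH_MAX_HOSTS = 3


class RtbhError(ValueError):
    """Raised when an address must not be blackholed from here."""


def is_ours(addr: str) -> bool:
    """True if addr lies inside one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in OUR_PREFIXES)


def host_route(addr: str) -> str:
    """'192.0.2.10' -> '192.0.2.10/32' (or /128 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    return str(ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}"))


def rtbh_announcement(victim: str, communities=None, next_hop=NEXT_HOP) -> str:
    """One ExaBGP 'announce route' line that blackholes a single host.

    Refuses addresses outside our allocations: a carrier would reject them
    anyway, and a typo here must never blackhole somebody else's host.
    """
    if not is_ours(victim):
        raise RtbhError(f"{victim} is not inside our prefixes; refusing to blackhole it")
    comms = " ".join(communities or BLACKHOLE_COMMUNITIES)
    return f"announce route {host_route(victim)} next-hop {next_hop} community [{comms}]"


def rtbh_withdrawal(victim: str, next_hop=NEXT_HOP) -> str:
    """The matching 'withdraw route' line once the attack is over."""
    return f"withdraw route {host_route(victim)} next-hop {next_hop}"


def choose_action(victims, active_rtbh=0, max_rtbh=MAX_RTBH_ROUTES, max_hosts=RTBH_MAX_HOSTS):
    """RTBH for one or a few hosts; otherwise divert the covering prefix(es) to scrubbing.

    Returns {"action": "none" | "rtbh" | "scrub", "commands": [...], "prefixes": [...]}.
    """
    hosts = sorted({str(ipaddress.ip_address(v)) for v in victims})
    if not hosts:
        return {"action": "none", "commands": [], "prefixes": []}
    bad = [h for h in hosts if not is_ours(h)]
    if bad:
        raise RtbhError(f"not our addresses: {', '.join(bad)}")
    # Few hosts and still room under the session's prefix budget: blackhole them.
    if len(hosts) <= max_hosts and active_rtbh + len(hosts) <= max_rtbh:
        return {"action": "rtbh", "commands": [rtbh_announcement(h) for h in hosts], "prefixes": []}
    # Many hosts, or budget exhausted: each extra /32 is another prefix on the
    # session and another host we take offline ourselves. Hand the covering
    # prefix(es) to the scrubbing provider instead (steering is provider-specific).
    covering = sorted({str(p) for p in OUR_PREFIXES if any(ipaddress.ip_address(h) in p for h in hosts)})
    return {"action": "scrub", "commands": [], "prefixes": covering}


if __name__ == "__main__":
    print(choose_action(["192.0.2.10"]))
    print(choose_action([f"192.0.2.{i}" for i in range(10, 40)]))
    print(rtbh_withdrawal("192.0.2.10"))
```

In practice the printed lines are what an ExaBGP process writes to its stdout so that ExaBGP announces them to your edge router or carrier session; the same module can hand the scrub decision to whatever procedure your provider prescribes. The is_ours check is the part not to skip: an automated blackhole that accepts any address will, sooner or later, be fed the wrong one.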

If you like this post, please share it!

In the next articles we will tell you how to prevent attacks, how to set up a blackhole on Mikrotik, Cisco, Juniper or Huawei routers and many more information about DDoS.

Until next time