The Collateral Damage of DDoS Attacks - Part 2. Information needed
Mar 5, 2018
To mitigate the collateral damage caused by a DDoS attack, the attack needs to be detected in the first place. So, how can the network (or NOC personnel) become aware of an attack?
The end-user who is the victim of the attack informs the NOC about the event. This can be done in multiple ways, from a support-line call to integrated M2M communication between the OSSs of both parties. In all these cases the actual detection is done by the end-user, and the SP depends on it.
The SP subscribes to and receives a live feed of security threats from specialized organizations such as CERTs and security companies (e.g. Kaspersky Lab, NETSCOUT Arbor). These feeds, however, are rather global and may be incomplete. Also, because of the detection-analysis-publication cycle, they tend to be post-mortem for the majority of attacks and are usable only for long-lasting ones.
SP-owned/operated DDoS detection and analytics infrastructure. This infrastructure, however, needs to be fed with raw data to analyze and potentially identify an attack, and this data needs to come from somewhere, typically from network devices owned by the SP: routers, firewalls, load-balancers, IDP systems, DNS servers, etc.
All of the above can be combined into a system with the logical structure shown in the picture below.
Further down this article, I will focus on the network as the source of raw data, primarily because in the current world of short-lived attacks this is the only reliable source of real-time information. Also, for the SP that owns the network, this source is under its full control.
There are two classes of network devices: routers (and switches), which are mostly stateless packet forwarders, and flow-aware devices such as firewalls, load-balancers, IDP/IPS, etc.
In a typical SP network, flow-aware devices sit at the edge and are exposed to only a minimal fraction of the traffic. Although the information provided by these devices can be in-depth, it covers only a negligible part of the total traffic and is insufficient to detect a volumetric attack that impacts network resources and causes collateral damage to the end-user experience. These sources can provide additional information to augment what is available on/from the routers.
The set of all edge/peering routers collectively forwards the entire traffic, legitimate and malicious. Therefore, observing this traffic allows attacks to be detected. Unfortunately, routers are high-throughput devices designed to handle packets in a stateless manner, based on well-defined fields in packet headers. They do not have enough CPU power to perform DDoS detection[i]. Therefore, the pragmatic solution is to send raw information about transit traffic to an external collector and detection logic (as shown in the picture above).
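To make the collector side of that design concrete, here is an added example (my own illustration, not code from the original article or any vendor's product) of the detection logic that consumes router-exported flow records. It assumes the routers export packet-sampled flow records at a 1:1000 rate (so counts are scaled back up), aggregates estimated bytes per destination per one-minute window, and flags a window that exceeds both the destination's own history (mean plus three standard deviations) and an absolute floor, so quiet hosts do not alert on jitter. The record layout, the thresholds and the flow records themselves are constructed for the example.

```python
"""Collector-side volumetric detection over router-exported flow records.

Added example, not code from the original article. The record layout, the
1:1000 sampling rate and the threshold values are assumptions for illustration;
the flow records themselves are constructed test data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumption: the routers export 1-in-1000 packet-sampled flows, so every
# exported byte count must be scaled up to estimate the real transit volume.
SAMPLING_RATE = 1000
WINDOW_SECONDS = 60
FLOOR_BYTES = 5_000_000       # assumption: ignore hosts below 5 MB per window
SIGMA = 3.0                   # flag a window more than 3 std devs above history


@dataclass(frozen=True)
class FlowRecord:
    ts: int        # flow start time (epoch seconds)
    src: str
    dst: str
    proto: int
    dst_port: int
    packets: int
    octets: int    # bytes seen in the sampled flow


def aggregate(records, window=WINDOW_SECONDS, rate=SAMPLING_RATE):
    """Per destination, per time window: estimated bytes and distinct sources."""
    volume = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for r in records:
        w = r.ts - (r.ts % window)
        volume[r.dst][w] += r.octets * rate
        sources[r.dst][w].add(r.src)
    return volume, sources


def detect_volumetric(volume, sources, min_history=3, sigma=SIGMA, floor=FLOOR_BYTES):
    """Compare the newest window of each destination against its own history.

    A window is flagged only if it exceeds both the statistical threshold
    (mean + sigma * stdev of earlier windows) and the absolute floor, so a
    quiet host whose baseline is near zero does not alert on normal jitter.
    """
    alerts = []
    for dst, series in volume.items():
        windows = sorted(series)
        if len(windows) < min_history + 1:
            continue            # not enough history to build a baseline
        history = [series[w] for w in windows[:-1]]
        latest_w = windows[-1]
        latest = series[latest_w]
        threshold = max(mean(history) + sigma * pstdev(history), floor)
        if latest > threshold:
            alerts.append({
                "dst": dst,
                "window": latest_w,
                "bytes": latest,
                "baseline": mean(history),
                "sources": len(sources[dst][latest_w]),
            })
    return alerts


def constructed_records():
    """Constructed sample: steady traffic to two hosts, then a flood to one."""
    recs = []
    # three quiet windows for both destinations
    for i, (a_bytes, b_bytes) in enumerate([(1200, 1000), (1300, 1100), (1400, 1000)]):
        t = i * WINDOW_SECONDS
        recs.append(FlowRecord(t + 5, "203.0.113.7", "198.51.100.10", 6, 443, 20, a_bytes))
        recs.append(FlowRecord(t + 9, "203.0.113.8", "198.51.100.20", 6, 443, 15, b_bytes))
    # fourth window: many sources sending UDP at 198.51.100.10
    t = 3 * WINDOW_SECONDS
    for n in range(5):
        recs.append(FlowRecord(t + n, f"192.0.2.{n + 1}", "198.51.100.10", 17, 53, 40, 5000))
    recs.append(FlowRecord(t + 9, "203.0.113.8", "198.51.100.20", 6, 443, 15, 1050))
    return recs


def run_example():
    """Run the pipeline on the constructed records; returns the alert list."""
    volume, sources = aggregate(constructed_records())
    return detect_volumetric(volume, sources)


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT dst={a['dst']} window={a['window']} est_bytes={a['bytes']:,} "
              f"baseline={a['baseline']:,.0f} sources={a['sources']}")
```

Two design points worth noting. First, scaling by the sampling rate is what makes the router-side data usable for a volume decision at all; sampled export is exactly the trade-off that lets a stateless router hand the work to an external collector without burning its own CPU. Second, the per-destination baseline is built from that destination's own history rather than a global threshold, because a volumetric attack shows up as a deviation from what is normal for the victim, and the distinct-source count carried in the alert is the kind of extra context the flow-aware edge devices mentioned above can later enrich.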
[i] Some vendors' routers have an option to install a service card that provides extra CPU power. Sending traffic from the linecards to the service card is then possible, and the service card analyzes the traffic, including information in the packet payload and flow state. This, however, comes at the cost of burning a slot in the chassis and the cost of the service card hardware. Typically, service cards have far lower capacity than I/O linecards, so they represent a system bottleneck.