Tuesday, May 7, 2013

DDoS in Action

Not sure if I should be excited, but this is the first time I am experiencing a DDoS attack on a VPN server. Now my mind is back on my old infocomm security coursework, thinking about how DDoS actually works.

DDoS

DDoS attacks have been around since about 1998 (see the timeline in the references), and one is happening to me right now. In a nutshell, in a DDoS attack an adversary uses a botnet (a large group of compromised computers under the attacker's control) to flood a single system with traffic or requests so that legitimate users can no longer reach it.

There is a wide range of attack methods, such as ICMP floods and TCP SYN floods, and I will not go into each of them here, as they are widely documented online. The distinction that matters for the rest of this post is between floods that simply saturate the link with bytes and floods (like a SYN flood) that exhaust the target's connection state: the first kind hurts everything behind the same router, not just the target.

Symptom

Before my real experience, I always thought that a DDoS only affected the single system being targeted. Now I know I was wrong.

A DDoS attack on my VPN server caused network congestion that slowed down my organization's 10Mbps Internet link. The reason is that the botnet was sending an enormous amount of data into my network; as a result, the Internet router was overloaded, and the slow-down showed up across the whole Internet connection, not just on the VPN server.

So, if you encounter a sudden slowdown in accessing one system, or of the whole network/Internet connection, you may be experiencing a DDoS attack.

Treatment

First, you need to identify which system is being attacked. For me, since I have access to the data center, I physically unplugged LAN cables from my router to isolate the problem, and this method helped me single out my VPN server as the system under attack. If you cannot get to the hardware, the per-interface traffic counters on the router show the same thing without pulling cables.

Once you have identified the system, inspect its logs (and the firewall or router logs in front of it) to confirm that you are genuinely under a DDoS attack rather than, say, a misconfiguration or a single noisy client: a flood shows up as a very high rate of packets or connection attempts to one service from a large number of distinct source addresses.

If you are under DDoS attack, you can do the following:

1. Change the system's IP address (and update DNS). This only helps if the botnet was pointed at the old address rather than at the hostname.
2. Set up the firewall to filter the attacking source IPs. Against a large or spoofed botnet the list is endless, and filtering at your own edge does nothing for an uplink that is already saturated; for that you need your ISP to filter or blackhole the traffic upstream.
3. Set up an IPS (or at least traffic-rate monitoring) to detect future DDoS attacks early.
4. And many more if you search online :)
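As an added example (not code from the original post), here is the kind of log check the "inspect the logs" step and the "filter the source IPs" step above boil down to. The log format, the hosts (documentation address ranges), the VPN port 1723 and the thresholds are all assumptions made for illustration; the sample log lines are constructed, not captured. It buckets packets per second per target service, flags a bucket as a distributed flood when it comes from many distinct sources (and as single-source when it does not), and then emits iptables DROP rules for the noisiest sources seen in the flagged buckets.

```python
"""Flood detection over constructed firewall-style log lines.

Added example, not code from the original post. Log format, hosts, port and
threshold values are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict

# Assumed log line shape: "<date> <time> SRC=a DST=b PROTO=p DPT=n FLAGS=f"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

PKT_THRESHOLD = 100  # packets/second to one target service before we care (assumed)
SRC_THRESHOLD = 50   # distinct sources in that second to call it "distributed" (assumed)

# Constructed sample: a little normal traffic and one unparsable line ...
NORMAL = [
    "2013-05-07 09:15:01 SRC=192.0.2.10 DST=198.51.100.10 PROTO=TCP DPT=1723 FLAGS=SYN",
    "2013-05-07 09:15:03 SRC=192.0.2.11 DST=198.51.100.10 PROTO=TCP DPT=1723 FLAGS=SYN",
    "2013-05-07 09:15:04 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP DPT=443 FLAGS=SYN",
    "garbage line that does not parse",
]
# ... then 150 SYNs in one second from 150 distinct 203.0.113.0/24 hosts (distributed) ...
FLOOD = [
    f"2013-05-07 09:16:00 SRC=203.0.113.{i} DST=198.51.100.10 PROTO=TCP DPT=1723 FLAGS=SYN"
    for i in range(1, 151)
]
# ... and 120 SYNs in one second from a single host (high rate, but not distributed).
SINGLE = [
    "2013-05-07 09:16:05 SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP DPT=1723 FLAGS=SYN"
] * 120
SAMPLE_LOG = NORMAL + FLOOD + SINGLE


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_floods(lines, pkt_threshold=PKT_THRESHOLD, src_threshold=SRC_THRESHOLD):
    """One alert per (second, dst, dpt) bucket whose packet count crosses the threshold.

    The alert's 'kind' separates a botnet flood (many distinct sources) from a
    single noisy or misconfigured client, which calls for a different response.
    """
    buckets = defaultdict(list)  # (ts, dst, dpt) -> list of source addresses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash mid-incident
        buckets[(rec["ts"], rec["dst"], rec["dpt"])].append(rec["src"])

    alerts = []
    for (ts, dst, dpt), srcs in sorted(buckets.items()):
        if len(srcs) < pkt_threshold:
            continue
        distinct = len(set(srcs))
        kind = "distributed" if distinct >= src_threshold else "single-source"
        alerts.append({"ts": ts, "dst": dst, "dpt": int(dpt), "packets": len(srcs),
                       "sources": distinct, "kind": kind})
    return alerts


def iptables_drop_rules(lines, alerts, top_n=10):
    """Emit DROP rules for the top_n noisiest sources inside the flagged buckets.

    Worth doing against a handful of attackers; against a large or spoofed botnet
    the list never ends, and local rules do nothing for an already saturated uplink.
    """
    flagged = {(a["ts"], a["dst"], str(a["dpt"])) for a in alerts}
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["ts"], rec["dst"], rec["dpt"]) in flagged:
            counts[rec["src"]] += 1
    return [f"iptables -A INPUT -s {src} -j DROP" for src, _ in counts.most_common(top_n)]


if __name__ == "__main__":
    found = detect_floods(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['dst']}:{a['dpt']} {a['packets']} pkts from "
              f"{a['sources']} sources -> {a['kind']}")
    print("\n".join(iptables_drop_rules(SAMPLE_LOG, found, top_n=3)))
```

Run against the constructed sample, it reports two buckets over threshold: the 09:16:00 second as a distributed flood (150 packets from 150 sources) and the 09:16:05 second as single-source (120 packets from one host). The generated rules are printed rather than applied, so you can review them before touching the firewall.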

Reference

http://staff.washington.edu/dittrich/talks/sec2000/timeline.html
https://en.wikipedia.org/wiki/Denial-of-service_attack
