One indicator that a DDoS attack is traversing a PacketShaper is an unusually high number of flows. Use the sys health command to display the current and maximum number of TCP and UDP flows; the last two lines of its output show this information.
                    TCP    UDP  Legacy   Total
Flows (Current): 359486    142     216  359844
Flows (Maximum): 359486   1492     282  359844
On this particular PacketShaper, the normal number of TCP flows was historically never above 100,000.
The more telling indicator that a DDoS attack is taking place is an unusually high number of both Failed Flows Per Minute and New Flows Per Minute for some hosts. The listing below is the output of host info -sp -n 25 (-sp sorts hosts by failed connections per minute).
There will usually be one host (the target of the DDoS attack) with a huge number of Failed Flows Per Minute and/or a huge number of connections in the Conn column. In this listing, 149.36.73.42 is the target of the DDoS attack.
The attacking hosts are often a group of compromised systems flooding the target with traffic. Typically they show a similar pattern of connections, bandwidth, and New Flows Per Minute. In this listing, the 167.87.x.x hosts have probably all been compromised in the same way and are participating in the DDoS attack against 149.36.73.42.
PacketShaper# host info -sp -n 25
IP Address          Conn   RTT     Cur  1 Min    Peak  --- New Flows Per Minute ---
                         to PS    rate    avg    rate  Client  Server  Failed
-----------------------------------------------------------------------------
149.36.73.42   I  575959   ---    2.1M   2.2M   85.4M  329952       0  395807
167.87.1.5     O   23589   ---     44k    86k    223k       0   15327       0
167.87.1.3     O   29811   ---     90k   118k    216k       0   14987       0
167.87.1.4     O   21504   ---    207k   143k    211k       0   14830       0
167.87.5.39    O   22328   ---     61k    91k    223k       0   14766       0
167.87.5.67    O   22632   ---     57k    91k    228k       0   14553       0
167.87.5.58    O   22072   ---     77k    81k    229k       0   13931       0
167.87.5.61    O   22589   ---    110k    88k    204k       0   13932       0
167.87.5.34    O   19084   ---     89k    79k    239k       0   13515       0
167.87.5.55    O   19804   ---     74k    73k    223k       0   13405       0
167.87.5.70    O   20380   ---     65k    98k    233k       0   13327       0
167.87.5.60    O   20749   ---     74k    82k    237k       0   13290       0
167.87.5.72    O   21229   ---     68k    71k    225k       0   13272       0
167.87.5.21    O   19424   ---     46k    66k    235k       0   12707       0
167.87.5.86    O   17813   ---     68k    91k    211k       0   12272       0
167.87.5.121   O   16694   ---    105k    68k    236k       0   12223       0
167.87.5.68    O   17957   ---     90k    78k    212k       0   12133       0
167.87.5.109   O   17174   ---     30k    62k    326k       0   11510       0
167.87.5.113   O   15822   ---     37k    55k    259k       0   11502       0
167.87.5.44    O   15885   ---     74k    71k    228k       0   11225       0
167.87.5.115   O   15726   ---     42k    45k    257k       0   10879       0
167.87.5.116   O   16038   ---     43k    51k    257k       0   10880       0
167.87.5.112   O   14807   ---     35k    56k    263k       0   10607       0
167.87.5.114   O   13804   ---     45k    45k    261k       0   10137       0
167.87.5.108   O   14196   ---     59k    48k    337k       0    9482       0
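The two checks described above (flow count against a historical baseline from sys health, then the Failed Flows Per Minute / Conn and New Flows Per Minute pattern from host info -sp) can be automated when the CLI output is captured to a file. The following Python script is an added example, not PacketShaper code or anything supplied by the vendor. It parses constructed sample output shaped like the listings in this article (the host table is abbreviated and an unremarkable host, 10.0.0.7, is added as a control); the thresholds, the /16 grouping of suspected sources, and the reading of the one-letter I/O column as an inside/outside marker are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on the article's listings (not real captures).
SYS_HEALTH = """\
                    TCP    UDP  Legacy   Total
Flows (Current): 359486    142     216  359844
Flows (Maximum): 359486   1492     282  359844
"""

HOST_INFO = """\
PacketShaper# host info -sp -n 25
IP Address          Conn   RTT     Cur  1 Min    Peak  --- New Flows Per Minute ---
                         to PS    rate    avg    rate  Client  Server  Failed
-----------------------------------------------------------------------------
149.36.73.42   I  575959   ---    2.1M   2.2M   85.4M  329952       0  395807
167.87.1.5     O   23589   ---     44k    86k    223k       0   15327       0
167.87.1.3     O   29811   ---     90k   118k    216k       0   14987       0
167.87.5.39    O   22328   ---     61k    91k    223k       0   14766       0
167.87.5.67    O   22632   ---     57k    91k    228k       0   14553       0
10.0.0.7       O     120    12    300k   250k    900k      40       3       0
"""

FLOW_LINE = re.compile(r"^Flows \((Current|Maximum)\):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([IO])\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)$"
)


def parse_rate(text):
    """Turn a rate as printed ('44k', '2.1M') into a plain number; '---' becomes None."""
    if text == "---":
        return None
    mult = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if text[-1] in mult:
        return float(text[:-1]) * mult[text[-1]]
    return float(text)


def parse_sys_health(text):
    """Return {'current': {...}, 'maximum': {...}} from the tail of `sys health` output."""
    counts = {}
    for line in text.splitlines():
        m = FLOW_LINE.match(line.strip())
        if m:
            tcp, udp, legacy, total = (int(v) for v in m.groups()[1:])
            counts[m.group(1).lower()] = {"tcp": tcp, "udp": udp, "legacy": legacy, "total": total}
    return counts


def tcp_flows_exceed_baseline(counts, baseline_tcp):
    """Flow-count indicator: current TCP flows above the site's historical ceiling."""
    return counts["current"]["tcp"] > baseline_tcp


def parse_host_info(text):
    """Parse the data rows of `host info -sp`; prompt, header and rule lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if not m:
            continue
        ip, side, conn, _rtt, _cur, _avg, peak, client, server, failed = m.groups()
        hosts.append({
            "ip": ip,
            "side": side,  # I/O column carried through as printed (assumed inside/outside)
            "conn": int(conn),
            "peak_rate": parse_rate(peak),
            "client_new": int(client),
            "server_new": int(server),
            "failed_new": int(failed),
        })
    return hosts


def likely_targets(hosts, failed_per_min=10_000, conn=100_000):
    """Target indicator: huge Failed Flows Per Minute and/or huge Conn (thresholds assumed)."""
    return [h["ip"] for h in hosts if h["failed_new"] >= failed_per_min or h["conn"] >= conn]


def suspected_source_groups(hosts, new_per_min=5_000, min_members=3):
    """Source indicator: non-target hosts opening many new flows/min, grouped by /16 (assumed)."""
    targets = set(likely_targets(hosts))
    groups = defaultdict(list)
    for h in hosts:
        if h["ip"] in targets:
            continue
        if h["client_new"] + h["server_new"] >= new_per_min:
            prefix = ".".join(h["ip"].split(".")[:2]) + ".0.0/16"
            groups[prefix].append(h["ip"])
    return {p: ips for p, ips in groups.items() if len(ips) >= min_members}


def ddos_report(sys_health_text, host_info_text, baseline_tcp=100_000):
    """Combine both indicators into one summary for an operator or a monitoring hook."""
    counts = parse_sys_health(sys_health_text)
    hosts = parse_host_info(host_info_text)
    return {
        "tcp_flows_current": counts["current"]["tcp"],
        "tcp_flows_above_baseline": tcp_flows_exceed_baseline(counts, baseline_tcp),
        "likely_targets": likely_targets(hosts),
        "suspected_source_groups": suspected_source_groups(hosts),
    }


if __name__ == "__main__":
    for key, value in ddos_report(SYS_HEALTH, HOST_INFO).items():
        print(f"{key}: {value}")
```

The baseline of 100,000 TCP flows is the figure the article gives for this particular unit; on another PacketShaper it should come from that unit's own history. Grouping by /16 mirrors the 167.87.x.x observation here, but the prefix length (and the per-minute thresholds) should be tuned to the network being watched so that busy legitimate servers are not flagged.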
From the PacketShaper perspective, a DDoS attack can easily overload the unit. The number of new flows per minute becomes more than the PacketShaper can handle. The result can be slow performance and increasing levels of dropped packets.
Enabling load shedding on the PacketShaper may help somewhat, though blocking this traffic with a firewall or other device before it reaches the PacketShaper will be more effective.