Analysis of a DDoS attack
Traffic analysis and attack detection
To detect the attack, we use the netflow sent by the routers and analysed by the Arbor Peakflow boxes. Each router sends a summary of 1/2000 of the traffic that is actually passing through it. The Arbor Peakflow boxes analyse this and compare it to the attack signatures. If the comparison is positive, mitigation is activated within seconds.
The signatures analysed are based on traffic thresholds of "packets per second" (pps, Kpps, Mpps, Gpps) or "bits per second" (bps, Kbps, Mbps, Gbps) on certain packet types, such as:
- IP Fragment
- NULL IP
- Private IP
- TCP NULL
- TCP RST
- TCP SYN
- Total Traffic.
Given that it is necessary for certain thresholds to be triggered, and that only 1/2000 of the actual traffic is analysed, setting up the mitigation can take between 15 and 120 seconds.