In my previous posts, I talked about what a DDoS attack is and my zen approach to detecting one. For my final post in this series, I am going to share with you some of my own tools I use to detect attacks, and while I’m at it, offer up a few solutions to defend against attacks. These are what I use; you may have other tools of your own to protect your school from DDoS attacks. Whatever tools you end up using to protect your school’s system, my goal is for you to simply be on guard, well equipped and diligent as you monitor and defend your school against DDoS.
IP device monitoring
Detection starts with monitoring. I prefer to monitor my IP devices, such as switches, routers, and firewalls, to get a handle on the connections, and historical trends. My top three picks for monitoring are:
- Nagios – Nagios offers a free seven-node download that is perfect for watching your Internet connection and firewall setup. Installation is simple if you use a virtual solution; just download the preset VM and go. Most schools use fewer than seven devices to provide internet access, so Nagios is a great solution to trace connections and bandwidth usage. The full platform has the tools to monitor almost any device on your network to ensure they’re running properly. Upside to Nagios: the VM (virtual machine) makes for a quick setup. Downside: while open source, it costs money to monitor your entire network.
- Cacti – Cacti offers an open source monitoring solution for anything that can send it data. Cacti supports Linux and Windows, but requires a detailed setup to make it work. Upside: No license costs, so you can setup Cacti to monitor everything. Downside: the configuration of Cacti is quite ‘involved,’ let’s say, and might not be for everyone.
- Icinga – Icinga is a fork of the Nagios project, without the licensing. The 2.0 version of Icinga is a complete rewrite of the project, but brings a suite of new features. Some of the impressive new features include workflows, and integrations with management systems. Upside: VM download makes testing a breeze. Downside: 2.0 is new, and support might be harder to come by.
When I know a host that is under attack, I use a packet sniffer to look at the traffic going to the host in detail. A packet sniffer is like tapping a phone call. When I tap a call, I know everything that the hosts are saying. Packet sniffers can be on-demand from a laptop, or a permanent monitoring setup.
- Snort – Snort is a granddaddy in the IT world. With Snort, you can monitor and capture network traffic in real time. In addition, Snort can watch for and alert you to attacks on your systems. The hardest part of Snort is getting a network port set up for promiscuous mode. Upside: it’s free and you can watch alerts in real time. Downside: the network setup can be tricky.
- Wireshark – Install Wireshark on a laptop to plug into your LAN or wireless network and check specific traffic in detail. Wireshark supports Windows and Mac, making Wireshark a great tool for everyone. Upside: it’s free and multi-platform. Downside: you still need to know how to configure a switch (a mirror or SPAN port) so it lets you see the traffic going to a host.
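To show the kind of question I ask once a capture is in hand, here is an added example that is not part of the original post and is not output from Snort or Wireshark. It is a small Python script over a constructed list of packet summaries (timestamp, source, destination, TCP flags), which is the information either sniffer can export. It buckets SYNs per destination host per second and flags a host when many SYNs arrive from many sources and almost none of them are followed by the client's ACK, the signature of a half-open flood. The thresholds are assumptions to tune against your own baseline.

```python
"""Spot hosts under a SYN flood from a list of sniffed packet summaries.

Added example (not from the original post). It assumes packet summaries of
the kind Wireshark or Snort can export: timestamp, source, destination and
TCP flags. All records below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str     # source IP
    dst: str     # destination IP
    flags: str   # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def make_sample_packets():
    """Constructed capture: healthy traffic to 10.0.0.5, a SYN flood at 10.0.0.8."""
    pkts = []
    # Five clients completing a normal three-way handshake with 10.0.0.5.
    for i in range(5):
        client = f"192.168.1.{10 + i}"
        t = 100.0 + i * 0.2
        pkts.append(Packet(t, client, "10.0.0.5", "S"))
        pkts.append(Packet(t + 0.01, "10.0.0.5", client, "SA"))
        pkts.append(Packet(t + 0.02, client, "10.0.0.5", "A"))
    # 300 SYNs in one second from 300 distinct sources, none of which
    # ever completes the handshake.
    for i in range(300):
        src = f"198.51.{i // 256}.{i % 256}"
        pkts.append(Packet(100.0 + i / 300.0, src, "10.0.0.8", "S"))
    return pkts


def find_syn_floods(packets, window=1.0, syn_threshold=100, min_half_open=0.8):
    """Return {dst: report} for hosts that, within one `window`-second bucket,
    received at least `syn_threshold` SYNs of which a fraction of at least
    `min_half_open` came from sources that never sent a follow-up ACK.
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    syns = defaultdict(list)   # (dst, bucket) -> list of SYN sources
    acked = set()              # (src, dst) pairs that sent an ACK
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:
            syns[(p.dst, int(p.ts // window))].append(p.src)
        elif "A" in p.flags:
            acked.add((p.src, p.dst))

    reports = {}
    for (dst, bucket), sources in syns.items():
        total = len(sources)
        if total < syn_threshold:
            continue
        half_open = sum(1 for s in sources if (s, dst) not in acked)
        ratio = half_open / total
        if ratio < min_half_open:
            continue
        report = {"window_start": bucket * window, "syns": total,
                  "distinct_sources": len(set(sources)),
                  "half_open_ratio": ratio}
        # Keep the busiest window per target host.
        if dst not in reports or total > reports[dst]["syns"]:
            reports[dst] = report
    return reports


if __name__ == "__main__":
    for host, r in find_syn_floods(make_sample_packets()).items():
        print(f"{host}: {r['syns']} SYNs from {r['distinct_sources']} sources "
              f"at t={r['window_start']}, {r['half_open_ratio']:.0%} half-open")
```

Run as-is it reports only 10.0.0.8; the five real clients of 10.0.0.5 complete their handshakes and stay well under the SYN threshold. The same two numbers, SYN rate and half-open ratio, are what I look for in a Wireshark conversation view before deciding a host is under attack rather than merely busy.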
Web system protection
For web servers, and anything that offers a web interface, I use Cloudflare for system protection. Protecting any DNS-named web site is simple with this proxy that sits between you and the Internet. Requests come in, and if they look valid, Cloudflare then forwards them on to your server. It offers a CDN (content delivery network) for your site, speeding up response times while using less of your bandwidth. Cloudflare is great for protecting anything with a public web interface. Upside: easy management interface with rock-solid protection. Downside: to use Cloudflare, you need to host your DNS with Cloudflare. Small price to pay.
DNS (domain name system) is essentially the naming system for anything your school has connected to the internet. Your DNS drives the resolution of names like innersync.wpengine.com or www.yourschooldistrict.edu to an IP address. DNS can be a weak link in any service that depends on the common name. Check your configuration with this free tool.
- mxtoolbox.com – MX Toolbox offers a free DNS check that looks for mistakes in DNS systems. It also offers a range of tools to test other services.
For more information on how to avoid a whole bunch of server issues, check out this helpful article on the importance of dialing in your DNS setup properly at your school.
Do you still host your own email? Many school districts have moved to Google Apps for Education or Office 365. If you maintain on-premise email servers, you need a service to protect you from SMTP attacks. SMTP is the protocol that mail servers use to communicate. There are many options for an SMTP spam and DDoS filtering service; look for these key features:
- Hosted service – The service needs to hide your server behind it. If your network connection is down, your email is captured and delivered later. The service needs to allow your server to forward email through it as well.
- Multiple relays – In your MX record, there is a list of servers that can accept mail for you. Your service needs to offer multiple, redundant relays for inbound and outbound mail.
- Anti-virus and SPAM filtering – SPAM is a DDoS attack on real people! Filtering your mail effectively saves time. In-cloud anti-virus offers an additional layer of protection.
- Archiving – Your district needs to maintain email archiving per the law. Many hosted services offer email archiving in the same solution.
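The DNS check and the multiple-relays point above come down to a handful of questions about your zone. Here is an added example, not part of the original post and not what mxtoolbox.com actually runs, that asks those questions in Python over a zone expressed as a plain dict so it works offline. The checks are ones I am certain of: at least two name servers, more than one distinct MX host, and MX targets that are real hostnames with an address record rather than CNAMEs (RFC 2181 forbids an MX pointing at a CNAME). The domain names and addresses are constructed.

```python
"""Offline sanity checks for a school domain's DNS and mail-relay setup.

Added example (not from the original post, and not what mxtoolbox.com runs).
It assumes a zone expressed as a plain dict so it runs without network
access; the two zones below are constructed. The checks mirror common
findings: too few name servers, a single mail relay, an MX target that is
a CNAME (RFC 2181 forbids this) or that has no address record.
"""


def check_zone(zone, domain):
    """Return a list of problem descriptions; an empty list means all checks pass."""
    problems = []
    recs = zone.get(domain, {})

    # DNS itself is a weak link: two name servers is the minimum for redundancy.
    if len(set(recs.get("NS", []))) < 2:
        problems.append(f"{domain}: fewer than two NS records")

    # Multiple relays: more than one distinct MX host, so one outage
    # does not stop inbound mail.
    mx = recs.get("MX", [])
    if not mx:
        problems.append(f"{domain}: no MX record, inbound mail cannot be delivered")
    elif len({host for _, host in mx}) < 2:
        problems.append(f"{domain}: only one mail relay in MX, no redundancy")

    # Each MX target must be a hostname with an A record, not a CNAME.
    for _priority, host in mx:
        target = zone.get(host, {})
        if "CNAME" in target:
            problems.append(f"MX target {host} is a CNAME, which RFC 2181 forbids")
        elif not target.get("A"):
            problems.append(f"MX target {host} has no A record")
    return problems


# Constructed zone that passes: redundant name servers and two hosted relays.
GOOD_ZONE = {
    "school.example": {
        "NS": ["ns1.dns.example", "ns2.dns.example"],
        "MX": [(10, "mx1.mail.example"), (20, "mx2.mail.example")],
        "A": ["192.0.2.10"],
    },
    "mx1.mail.example": {"A": ["198.51.100.5"]},
    "mx2.mail.example": {"A": ["198.51.100.6"]},
}

# Constructed zone with three mistakes: one NS, one relay, MX pointing at a CNAME.
BAD_ZONE = {
    "school.example": {
        "NS": ["ns1.dns.example"],
        "MX": [(10, "mail.school.example")],
        "A": ["192.0.2.10"],
    },
    "mail.school.example": {"CNAME": ["smtp.school.example"]},
    "smtp.school.example": {"A": ["192.0.2.25"]},
}


if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        found = check_zone(zone, "school.example")
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Feeding the good zone returns no problems; the bad zone returns three, one per mistake. To run it against a live domain you would replace the dict with records pulled by a resolver library, but the decisions the script makes are the same ones a hosted mail service needs you to get right before it can relay for you.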
If you’re looking into email security options, be sure to check out this article that explores which platform to use: Google Apps for Education or Office 365 in Education.
Choose your DDoS protection tools wisely
I look at security from the classic "onion" approach. I build multiple rings of monitoring and security around every resource on my network. The "onion" keeps our systems as safe as possible from a single point of security failure. If one layer doesn’t get you, the next layer in will.
My point is, any defense that relies on a single system is designed and destined to fail. Consider this list of tools and tips as a good start on building your own onion. Remember, many DDoS attacks are preventable. However, with diligent monitoring, the right mix of tools, and a competent staff, you can build your onion – er, I mean – plan a strong defense before your school is attacked.
Do you have any DDoS defense tools of your own you use?
NOTE: This article is the third in a series of three articles dedicated to DDoS and schools. If you are a school IT manager, CIO, or an especially technical-minded school administrator, you might want to check out the other two articles that deal with detecting and preventing a DDoS at your school.
Eric's background as a technical CEO with a big-picture focus brings the experience and vision that both gains the respect of technical audiences, and gets the attention of the progressive school leaders and administrators.