This is the second in a series that explores DDoS attacks and their potentially devastating effects on a school district’s systems. See my related posts on preventing a DDoS attack at your school, and tools to protect your school against DDoS. This article deals with the zen of DDoS detection and its role in DDoS protection.
How does a blind man describe an elephant? Describing a DDoS attack is like asking the blind man about an elephant. It's big, you know it's there, but you're missing the whole picture. DDoS attacks leave a trail that can help you find and stop the attack and create a picture. The secret is knowing the trail to follow.
In my last post, we learned that DDoS attacks deny access to a resource by attacking your school’s weak link. Most of your district relies on a few key resources that could be attacked. The true challenge is preparing for an attack before it happens. Your IT team needs to have detection tools before an attack occurs. Not being able to interpret an attack can lengthen the impact on your school. How do you prepare to detect an attack?
Start with a preventive monitoring system
I always begin with the "where" in creating my picture. Where is an attack coming from? Your school needs a preventative monitoring system. I use offsite monitoring systems to watch innersync.wpengine.com and our client sites. I have monitoring tools to watch resources like disk space, databases, firewalls, and other critical systems. When we have an unplanned event happen on our network, I'm prepared. I can pull up a dashboard with the status of every device on my network. Our tech team can see where a fire is starting.
You need to invest the time in deploying a monitoring system for your network. With so many free monitoring systems available, it’s reckless not to have one. If an attack occurs and you can't see the resources affected, it's hard to react. Monitor as much as you can for any technology your school depends on.
Determine what’s under attack
If you are under attack, your monitoring system will help you pinpoint any resource running above its normal levels. If you don't have a monitoring system, draw a mental line between the end user and the resource. The goal is to find the resource under attack.
I always start with IP devices like firewalls and routers. Routers and firewalls are the all-knowing eye of your network. Any connection that needs to happen between two devices crosses a router or firewall. Start with the routers or firewalls between the resource and the user:
- Do you see high levels of CPU or memory usage?
- Is there a surge in connections going to a host or service?
- If your Internet connection is slow, what does your provider see?
All of our current networks rely on the IP protocol, carrying TCP and UDP packets to send and receive data. TCP expects a response to what it sends, so a TCP connection sits waiting until it times out. TCP attacks overwhelm a device by leaving a huge number of TCP connections in that waiting state. UDP is for connections where delivery guarantees aren't critical but timing is, such as VoIP and streaming media. UDP attacks are often used to overload the bandwidth of a connection, or the CPU of a device. When you look through the connection logs, you should get an idea of the resource under attack.
How is the DDoS attack occurring?
Now that I know what is under attack, the next question is how someone is attacking this device. It could be a simple attack where someone is overloading an Internet connection, or it could be more complicated. When I know the specific host under attack, I break down the different tools I have to analyze what is happening. If the device under attack is a switching device like a firewall, router, switch, or access point, I use a packet sniffer to decipher the attack.
For servers, I see if the attack is on the server, or a service on the server. Someone might attack your web server, or they might attack Apache or IIS on your server. Most application servers like Microsoft IIS, Apache, and Tomcat have connection limits on the service they provide. A common attack is to open X number of simultaneous connections to your web server. The web service overloads, stops taking connections, and keeps everyone from working. I feel I know a good "how" when I understand where the attack is coming from and how the attack is happening.
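The two checks described above, reading connection logs for a surge of TCP connections left waiting (or a UDP flood) and spotting a web service being pushed toward its simultaneous-connection limit, can be done with a short triage script. The following is an added example, not code from the original post; the log format (time, protocol, source, destination:port, state), the sample lines and the thresholds are all constructed for illustration, and every address is from the RFC 5737 documentation ranges.

```python
"""Triage connection-log lines to find the resource under attack.

Constructed example: the log format (time proto src dst:port state) is a
simplified, made-up one, not the output of any particular firewall or
router, and every address is from the RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP states in which one side is still waiting on the peer; a large share
# of these against one service is the "connections left waiting" pattern.
WAITING_STATES = {"SYN_RECV", "SYN_SENT", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK"}

# Constructed sample: normal traffic, then a burst of half-open connections
# and one source holding several connections to the web server, then a burst
# of UDP toward the VoIP gateway.
SAMPLE_LOG = """\
# time     proto src            dst:port          state
08:00:01 TCP 192.0.2.10    203.0.113.5:443   ESTABLISHED
08:00:02 TCP 192.0.2.11    203.0.113.5:443   ESTABLISHED
08:00:03 UDP 192.0.2.12    203.0.113.9:5060  -
08:00:04 TCP 192.0.2.13    203.0.113.7:3389  ESTABLISHED
08:00:05 TCP 198.51.100.1  203.0.113.5:443   SYN_RECV
08:00:05 TCP 198.51.100.2  203.0.113.5:443   SYN_RECV
08:00:05 TCP 198.51.100.3  203.0.113.5:443   SYN_RECV
08:00:05 TCP 198.51.100.4  203.0.113.5:443   SYN_RECV
08:00:05 TCP 198.51.100.5  203.0.113.5:443   SYN_RECV
08:00:05 TCP 198.51.100.6  203.0.113.5:443   SYN_RECV
08:00:06 TCP 198.51.100.20 203.0.113.5:443   ESTABLISHED
08:00:06 TCP 198.51.100.20 203.0.113.5:443   ESTABLISHED
08:00:06 TCP 198.51.100.20 203.0.113.5:443   ESTABLISHED
08:00:06 TCP 198.51.100.20 203.0.113.5:443   ESTABLISHED
08:00:07 UDP 198.51.100.30 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.31 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.32 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.33 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.34 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.35 203.0.113.9:5060  -
08:00:07 UDP 198.51.100.36 203.0.113.9:5060  -
"""


@dataclass
class Finding:
    kind: str    # which pattern matched
    target: str  # host:port/proto that looks like the resource under attack
    count: int   # total log lines seen for that target
    detail: str


def parse_line(line):
    """Split one log line into its fields; dst is 'host:port'."""
    time, proto, src, dst, state = line.split()
    host, port = dst.rsplit(":", 1)
    return {"time": time, "proto": proto, "src": src,
            "host": host, "port": int(port), "state": state}


def triage(log_text, baseline=5, waiting_ratio=0.5, per_source_limit=3):
    """Return a Finding for each service whose traffic exceeds `baseline`
    lines and matches a TCP-waiting, per-source-hog or UDP-volume pattern.
    The thresholds are illustrative; in practice they come from what your
    monitoring shows as normal for each service."""
    total = Counter()                   # (proto, host, port) -> lines seen
    waiting = Counter()                 # same key -> TCP lines in a waiting state
    per_source = defaultdict(Counter)   # same key -> src -> TCP lines
    for raw in log_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        rec = parse_line(raw)
        key = (rec["proto"], rec["host"], rec["port"])
        total[key] += 1
        if rec["proto"] == "TCP":
            per_source[key][rec["src"]] += 1
            if rec["state"] in WAITING_STATES:
                waiting[key] += 1

    findings = []
    for key, n in total.items():
        if n <= baseline:
            continue  # within the service's normal level; nothing to report
        proto, host, port = key
        target = f"{host}:{port}/{proto}"
        if proto == "TCP":
            w = waiting[key]
            if w / n >= waiting_ratio:
                findings.append(Finding("tcp-connection-exhaustion", target, n,
                                        f"{w} of {n} connections left waiting"))
            hogs = sorted(s for s, c in per_source[key].items() if c > per_source_limit)
            if hogs:
                findings.append(Finding("per-source-connection-limit", target, n,
                                        f"sources over {per_source_limit} connections: {', '.join(hogs)}"))
        elif proto == "UDP":
            findings.append(Finding("udp-volume", target, n,
                                    f"{n} UDP datagrams against a baseline of {baseline}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.target:22} {f.detail}")
```

On the sample, the script names the web server as the target of both a waiting-connection surge and a single source holding more than its share of connections, and the VoIP gateway as the target of a UDP burst, while the RDP host stays below baseline and is not reported. The point is the shape of the analysis: count per service, compare against a known-normal level, and split TCP by state so that "many connections" and "many connections stuck waiting" are distinguished.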
Why is the attack occurring?
When I know the where and how of an attack, the final question is why. Why is someone attacking this resource? When I say "why," I'm looking for a general, not literal, answer. I'm not looking for the exact person; I'm looking for a general answer of why this resource was attacked. I look for an answer like "Someone is attacking our general website to make us look bad," or "The testing server is under attack because people are taking tests." I need to know "why" so I can reach the final step of detecting a DDoS attack.
How to respond to a DDoS attack at your school
When I have an idea of why someone is attacking a resource, I can plan a proper response. My response needs to:
- Have communication. I notify affected users during and after the attack. Most people are more patient when they know the status.
- Weigh the costs. When applying extra resources, you have to take into account the overall impact of the attack. I measure impact by the number of users that cannot access a system, and the cost if the users cannot work.
- Have a countermeasure. Be ready to neutralize the method of attack. Flood attacks are often resolved by using proxies or changing IP addresses. Connection attacks are stopped using firewalls and access lists, proxies, private connections, and changing configurations.
- Contact the authorities. Have a report for law enforcement. Document everything, and call your local sheriff’s department to start a report. The more you log and monitor, the more effective the investigation.
Remember, DDoS attacks leave clues – a trail of indicators that help you form that big picture of the big elephant. The clues, when connected, can help you find and stop the attack. Every DDoS attack is a learning experience. Some experiences are more stressful than others. I hope this outline helps you improve your detection skills when an attack occurs.
My next post will cover key tools to detect and prevent DDoS attacks against your school.
NOTE: This article is the second in a series of three articles dedicated to DDoS and schools. If you are a school IT manager, CIO, or an especially technical-minded school administrator, check out the other two that address detection and handy tools for dealing with DDoS attacks at your school.
Eric's background as a technical CEO with a big-picture focus brings the experience and vision that both gains the respect of technical audiences, and gets the attention of the progressive school leaders and administrators.