A New Approach to Defending Against DDoS Attacks

DDoS (Distributed Denial of Service) attacks are getting larger, more sophisticated, and more pervasive. Just today (October 21, 2016), DDoS attacks against Dyn, Inc have impacted the availability of sites such as Twitter, Netflix, Github, and Spotify.

Typical DDoS mitigation strategies rely on defending the victim (destination) as close to the destination as possible. This can happen in a number of ways.

One defense strategy is to redirect traffic, destined to the victim, through an alternative network that is designed to identify malicious traffic, drop the malicious traffic, before sending the legitimate traffic to the victim. This generally works well for volumetric or protocol based attacks. However, this requires that a network with a vast amount of capacity be available and sitting idle, except in times of attacks.

Another defense strategy is to utilize network and application firewalls, sitting in front of the destination, to identify the malicious traffic and drop it before sending the legitimate traffic to the destination. This generally works fine for some protocol and application based attacks.

Then, in some cases, volumetric attacks are so large, that they completely overwhelm the destination network. In this case, they use a BGP community, known as Remote Triggered Black Holes (RTBH) to tell their upstream service providers to drop traffic destined to the victim before it even reaches the destination network. In this case, the victim is sacrificed for the availability of rest of the network. This is typically the worst case scenario, as the victim still goes offline, conceding a victory to the attacker.

These countermeasures obviously are not going to scale with ever growing attacks. This is why we need the architects and builders of the Internet to come together to standardize on a new method of defending against the these attacks. We need a global community of real time analytics that identify malicious sources and use RTBH techniques to automatically take the offending sources off the Internet, instead of the victims. This technique will require that every Internet provider agree on a standard, and abide by it.

October 21, 2016

Posted In: DDoS, Miscellaneous Hacking, Net Nuetrality, Network Connectivity, network security, Security

Troubleshooting Internet Connectivity

This evening, I noticed that I was having some horrible Internet connectivity issues, from home. Trying to stream anything online? Forget it. Frustrated, I started troubleshooting the issue, fully expecting that I would end up opening up a trouble ticket with my ISP, sending them all my available troubleshooting information, and asking them to resolve their issue.

Turns out, the issue was a simple fix – on my side, but I figured that I would provide my troubleshooting steps as a learning experience for anybody whom runs across this page.

Background information: My home Internet connectivity is provided by Cable Internet with a 30Mbps downstream / 5Mbps upstream.

The first thing that I did was go to http://speedtest.rackspace.com. From this page, you can run the OOKLA speedtest application from any of their data centers. This provides excellent information on download & upload speeds, latency, and jitter. I ran the test from the Dallas and Chicago data centers. Right off the bat, I noticed that I was getting a fraction of the download speed that my Internet service is configured for. This can be seen below:

Screen Shot 2015-03-13 at 1.44.38 AMScreen Shot 2015-03-13 at 1.47.58 AM


This immediately pointed to a real issue, but I didn’t yet have all the information that I needed to take to my ISP. Next, I used an application called MTR. MTR is a traceroute application, that when ran correctly makes it visually easy to spot potential network issues. I ran an MTR report destined to one of my cloud servers at Rackspace.

You look at the ‘loss%’ column, you will notice that the MTR reports packet loss, starting at hop 4. This packet loss continues at every hop in the path. Hop 4 is the gateway of my Cable Internet. This suggests that the actual network issue exists between my cable modem and my providers router. To further solidify this finding, I ran a 100 count ping to that same server, hosted at Rackspace.

Indeed, the ping saw the same packet loss. Before opening a ticket with my Internet provider, I decided to power cycle my cable modem. After my cable modem was back online, I ran the same tests.

First with the speed tests.

Screen Shot 2015-03-13 at 2.03.07 AMScreen Shot 2015-03-13 at 2.04.27 AM


Huge difference! Next, I ran the same MTR report.

Notice how the packet loss is completely gone now? Finally, I ran the same 100 count ping.

Confirmed. No packet loss. As you can see, the issue ended up being that my cable modem needed to be power cycled. No inundating my Internet provider with a trouble ticket tonight.

Simple tools, such as MTR, traceroute, and ping can provide a lot of information about network connectivity problems. At the very least, they can assist you in narrowing down where to look.

March 13, 2015

Posted In: Network Connectivity, Rackspace, troubleshooting