How to Monitor Your Network During a DDoS Attack
Nick Kephart, Director of Product Marketing

About ThousandEyes
What We Do: We are building a performance management platform architected for the cloud era. We make monitoring complex enterprise networks easy and enable you to find and solve problems regardless of where they occur.
Our Background: Founded in 2010 by UCLA PhDs and backed by:

DDoS Attacks Target App and Network
DDoS attacks target both application and network layers:
1. Network-Layer: Attacks causing congestion, bandwidth consumption and saturating connections (e.g. UDP, TCP SYN, DNS)
2. Application-Layer: Low traffic, targeted (e.g. HTTP GET/POST, SMTP)
2013 DDoS Attacks by Type
Network: Volumetric 42%
Network: Fragmentation 15%
Network: TCP Connection 20%
Application 23%
Source: Prolexic Technologies; Arbor Networks

Network Topology of a DDoS Attack
Attackers flood your web service from around the world
[Diagram labels: Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney; YourBank.com; Internet; Enterprise]

DDoS Mitigation Strategy 1: On-Premises
Appliance at network edge monitors and mitigates application-layer attacks
[Diagram labels: same topology as above, plus On-Premises DDoS Mitigation Appliance]

DDoS Mitigation Strategy 2: ISP Collaboration
Attack traffic is routed by ISPs to a remote-triggered black hole
[Diagram labels: same topology as above, plus ISP 1, ISP 2 and Remote-Triggered Black Hole]

DDoS Mitigation Strategy 3: Cloud-Based
Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network
[Diagram labels: same topology as above, plus Scrubbing Center]

Why Monitor DDoS Attacks
Global Availability
Mitigation Deployment
Mitigation Performance
Vendor Collaboration

We Help Monitor DDoS Mitigation
Application and network layer correlation
Visibility across ISPs, DNS, online DDoS mitigation, and corporate networks
Live data sharing with vendors and internal teams

Easy to Deploy, SaaS-based Monitoring
Enterprise Agent (branch offices, data centers, key customers)
Cloud Agent (at dozens of global POPs)
Active Tests: DNS, BGP, HTTP, Network
ThousandEyes SaaS Platform
[Diagram labels: Enterprise; Internet; Application or Service]

Demo

Configure a Test
Start with an HTTP Server or Network test
Select testing locations
Views included in the test
Configure alerts
Choose a service to monitor
Understand Global Availability and Faults
Global availability issues
Problems at TCP connection and HTTP receive phases
Availability dip to 0%

Understand Network Connectivity Metrics
Loss, latency and jitter
Loss during height of attack

Find Congested Nodes and Links
Nodes with >25% packet loss
Packet loss in upstream ISPs
Bank website under attack
High packet loss from all testing points

See Across Networks
Select networks
Highlight networks in yellow
Quickly select interesting data points
Confirm Mitigation Handoff Using BGP
New Autonomous System (VeriSign)
Prior Autonomous System (HSBC)
Withdrawn routes
New routes
Prefixes automatically identified
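
The handoff check on this slide, sketched as an added example (not ThousandEyes code): replay BGP announcements and withdrawals seen at several route monitors and report whether the prefix's origin AS has moved from the enterprise to the mitigation provider everywhere. The AS numbers, prefix, monitor names and update tuple format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation ASNs (RFC 5398) and prefix (RFC 5737).
CUSTOMER_AS = 64500   # assumption: the enterprise's own origin AS
SCRUBBER_AS = 64510   # assumption: the mitigation provider's origin AS
PREFIX = "192.0.2.0/24"
# (time, monitor, "A"nnounce or "W"ithdraw, prefix, AS path or None)
UPDATES = [
    (100, "mon-a", "A", PREFIX, [64496, 64500]),
    (100, "mon-b", "A", PREFIX, [64497, 64500]),
    (100, "mon-c", "A", PREFIX, [64498, 64500]),
    (200, "mon-a", "W", PREFIX, None),
    (205, "mon-a", "A", PREFIX, [64496, 64510]),
    (210, "mon-b", "A", PREFIX, [64497, 64510]),  # implicit replace, no withdraw
    (300, "mon-c", "W", PREFIX, None),
    (320, "mon-c", "A", PREFIX, [64498, 64510]),
]

def origin_state(updates, until):
    """Replay updates up to `until`; return {prefix: {monitor: origin AS or None}}.
    The origin AS is the last hop of the AS path; a withdraw leaves no route."""
    state = defaultdict(dict)
    for ts, monitor, kind, prefix, path in sorted(updates, key=lambda u: u[0]):
        if ts > until:
            break
        net = str(ipaddress.ip_network(prefix))
        state[net][monitor] = path[-1] if kind == "A" else None
    return state

def handoff_status(updates, until, prefix=PREFIX):
    """Classify the handoff for one prefix as seen across all monitors."""
    net = str(ipaddress.ip_network(prefix))
    seen = dict(origin_state(updates, until).get(net, {}))
    origins = set(seen.values())
    if not seen:
        status = "no_data"
    elif origins - {CUSTOMER_AS, SCRUBBER_AS, None}:
        status = "unexpected_origin"   # neither party originates: investigate
    elif origins == {SCRUBBER_AS}:
        status = "complete"            # every monitor routes via the scrubber
    elif origins == {CUSTOMER_AS}:
        status = "not_started"
    else:
        status = "partial"             # mixed origins or a monitor with no route
    return status, seen

if __name__ == "__main__":
    for t in (150, 250, 305, 400):
        print(t, *handoff_status(UPDATES, t))
```

A "partial" result that persists means some networks still send traffic to the enterprise edge rather than the scrubbing center, which is the condition this slide's view is meant to surface.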
View the Live Demo https://vimeo.com/104451012