May 14th, 2011
The last post, on identification of a DDoS attack, did not cover analysis of the attack in cases where the bandwidth graphs and connection status aren’t conclusive. In such a scenario, the best approach is to inspect the packets coming into the server, and this can be done with a packet sniffer like tcpdump.
“tcpdump” is a popular command-line sniffer that does the job well. Using the switch “tcpdump -w”, you can write the captured packets to a file, which can then be analyzed with tools like Wireshark to get to the bottom of the attack. You can quickly see which protocol is involved and apply multiple filters to the results. More on it could be read from here.
Another quick method is to use a tool like iptraf, which gives you a breakdown of the traffic by protocol, port and interface. The advantage here is that it runs on the server itself, unlike Wireshark, which needs a graphical (X11) environment.
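As an added example (not code from the original post), here is a small pure-Python pass over a tcpdump-style pcap file that produces the per-protocol, per-port and per-source breakdown the post recommends looking at; the capture bytes are constructed inline, the addresses are documentation ranges rather than real hosts, and the SYN-heavy pattern is a constructed illustration of what a flood looks like in such a summary.

```python
import struct
from collections import Counter

def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in the classic pcap format tcpdump -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1305331200 + i, 0, len(f), len(f)) + f  # record header
    return out

def frame(src, dst, proto, sport, dport, flags=0x02):
    """Constructed sample: Ethernet + IPv4 + TCP(6)/UDP(17) header with no payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # zero MACs, ethertype IPv4

def summarize(pcap):
    """Count packets by protocol, destination port, source IP and TCP flag type (iptraf-style)."""
    stats = {"proto": Counter(), "dport": Counter(), "src": Counter(), "tcp_flags": Counter()}
    off = 24  # skip pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        data = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            continue  # not an IPv4 frame
        ihl = (data[14] & 0x0F) * 4
        proto = data[23]
        l4 = data[14 + ihl:]
        stats["proto"][{6: "tcp", 17: "udp"}.get(proto, str(proto))] += 1
        stats["src"][".".join(map(str, data[26:30]))] += 1
        if proto in (6, 17) and len(l4) >= 4:
            stats["dport"][struct.unpack("!H", l4[2:4])[0]] += 1
        if proto == 6 and len(l4) >= 14:
            # bare SYN (SYN set, ACK clear) is the tell-tale of a SYN flood
            stats["tcp_flags"]["SYN" if l4[13] & 0x12 == 0x02 else "other"] += 1
    return stats

# Constructed capture: 50 bare SYNs to port 80 from 10 sources, plus two normal packets.
SAMPLE = build_pcap(
    [frame(f"198.51.100.{i % 10}", "192.0.2.10", 6, 40000 + i, 80) for i in range(50)]
    + [frame("203.0.113.5", "192.0.2.10", 6, 50000, 443, flags=0x18),
       frame("203.0.113.6", "192.0.2.10", 17, 5353, 53)])

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE).items():
        print(key, counter.most_common(3))
```

On a real capture, replace SAMPLE with the bytes of the file written by tcpdump -w; the same counters show you which protocol, port and sources dominate.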
What you do from here on depends on your findings about the nature of the attack. Many believe that mitigating the attack is the sole responsibility of their data center or Internet service provider. In reality, there are many things a server owner could, and must, do to reduce the impact a DDoS attack can have.
Some of these are ways to prepare your server to handle traffic far more efficiently, and others are ways to counter the attack in real time. Here, both prevention and cure are equally important and together should help you arrive at a solution for the problem, a problem that actually has no definitive solution. We will discuss these methods in the coming weeks. Keep reading the blogs…
About the Author:
Sankar works as a Senior Software Engineer at Bobcares. He joined Bobcares back in April 2006. He loves grooming/mentoring people. During his free time, he listens to music and enjoys singing.