DRDoS (Distributed Reflection Denial of Service) is now the most popular and most powerful DDoS method. The recurring headlines of the form "The largest DDoS attack, XXX Gbps against YYY, is ongoing" show it: "YYY" may or may not change, but "XXX" keeps rising steadily. To solve this problem better, we have to understand it better. Based on the backbone network traffic we have access to, our team runs the largest publicly available PassiveDNS database in China (passivedns.cn) and the Global DDoS Attack Detection System (ddosmon.net). In this talk I will share practical experience with DRDoS monitoring in backbone networks, along with analysis results drawn from our data.
The following questions will be covered:
- DRDoS: the most popular and powerful DDoS method
  a) DDoS as a share of all network traffic
  b) DRDoS as a share of all DDoS
- DRDoS monitoring in Netflow
  a) Process architecture and data modeling
  b) Key features: packet size length/dispersion, talker dispersion, well-known ports, fragmented packets
  c) Partial data
  d) ICMP as a side-effect indicator
  e) Interesting case: tracking an unknown amplifier
- DRDoS monitoring in PDNS
  a) The observation point matters
  b) Key features: source port / transaction ID / query type
  c) Side effect: query spikes at authoritative servers
  d) Interesting case: a bug that caused an attack to fail
- Cross Validation
- Amplifier Utilization Report: Kill Top, Kill Half
- FQDN Utilization Report: Kill Top, Kill Almost All
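One way to turn the Netflow features listed above (talker dispersion, packet-size dispersion, well-known source ports, fragmented packets) into a per-target detection pass. This is an added example, not code from the talk or from ddosmon.net; the record layout, reflector port list and thresholds are assumptions, and the flow records are constructed.

```python
"""Heuristic DRDoS detector over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# UDP services commonly abused as reflectors (assumed list, not from the talk).
REFLECTOR_PORTS = {19, 53, 123, 161, 389, 1900, 11211}

# Constructed flow records: replies leaving src_port toward dst_ip.
FLOWS = [
    # many distinct DNS talkers, large near-uniform packets, fragments -> reflection
    {"src_ip": "192.0.2.1", "src_port": 53, "dst_ip": "203.0.113.10", "bytes": 140000, "pkts": 100, "frag": True},
    {"src_ip": "192.0.2.2", "src_port": 53, "dst_ip": "203.0.113.10", "bytes": 138000, "pkts": 100, "frag": True},
    {"src_ip": "192.0.2.3", "src_port": 53, "dst_ip": "203.0.113.10", "bytes": 142000, "pkts": 100, "frag": False},
    {"src_ip": "192.0.2.4", "src_port": 53, "dst_ip": "203.0.113.10", "bytes": 139000, "pkts": 100, "frag": True},
    # one resolver answering a normal client with small, varied replies -> benign
    {"src_ip": "192.0.2.9", "src_port": 53, "dst_ip": "198.51.100.7", "bytes": 1200, "pkts": 10, "frag": False},
    {"src_ip": "192.0.2.9", "src_port": 53, "dst_ip": "198.51.100.7", "bytes": 3000, "pkts": 10, "frag": False},
]


def features_per_target(flows):
    """Aggregate reflector-port flows per destination into the key features."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["src_port"] in REFLECTOR_PORTS:
            by_dst[f["dst_ip"]].append(f)
    out = {}
    for dst, recs in by_dst.items():
        sizes = [r["bytes"] / r["pkts"] for r in recs]  # mean packet length per flow
        avg = mean(sizes)
        out[dst] = {
            "talkers": len({r["src_ip"] for r in recs}),  # talker dispersion
            "avg_pkt": avg,                                # amplified replies are big
            "size_cv": pstdev(sizes) / avg,                # low = uniform amplifier payloads
            "frag_share": sum(r["frag"] for r in recs) / len(recs),
            "ports": sorted({r["src_port"] for r in recs}),
        }
    return out


def detect(flows, min_talkers=3, min_avg_pkt=500, max_size_cv=0.1):
    """Return targets whose feature mix matches an amplification flood."""
    return sorted(
        dst for dst, ft in features_per_target(flows).items()
        if ft["talkers"] >= min_talkers
        and ft["avg_pkt"] >= min_avg_pkt
        and ft["size_cv"] <= max_size_cv
    )


if __name__ == "__main__":
    for dst, ft in features_per_target(FLOWS).items():
        print(dst, ft)
    print("suspected targets:", detect(FLOWS))  # ['203.0.113.10']
```

Fragment share is reported but not thresholded here, since it depends on the amplifier protocol; it is the kind of secondary signal the outline lists for cross-validation.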