Chapter 2. DDoS Detection

The first step in mitigating a DDoS attack is knowing that an attack is under way. That might sound obvious: a volumetric attack by its nature exhausts resources such as bandwidth, CPU, packet buffers, memory, or some combination of them. But denial of service, distributed or otherwise, comes in many shapes and sizes, and detection has to keep pace with the growing variety of attacks.

There are many ways to stop an attack that is under way or expected; some are obvious, others less well known. The goal of detection is to diagnose an attack quickly and accurately and thereby lower the mean time to mitigation.

In this chapter, we look at common ways to detect DDoS attacks from data gathered by poll-based monitoring (for example, SNMP interface counters) and flow-based monitoring (for example, NetFlow or sFlow exports). Where those are not enough, packet inspection of traffic copied from a network mirror (a SPAN port or TAP) is needed. Anomaly-based and frequency-based detection can also flag a possible DDoS attack.

It is our opinion that no single detection mechanism catches every type of DDoS attack. In our experience, every detection technology described in this chapter should, wherever possible, be set up in advance and continuously validated against live traffic. The detection system has to be trained on real attacks, so that it learns which signals precede or accompany one, before it can accurately recognize the next.
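The following is an added example of the flow-based, baseline-driven approach described above; it is not code from the book. It aggregates flow records into fixed time buckets per destination, learns a per-destination baseline (mean and standard deviation of packets per bucket and of distinct sources per bucket) from a window of traffic assumed to be attack-free, and then flags a live bucket as anomalous when it exceeds mean plus k standard deviations. Combining the volumetric signal (packets) with the frequency signal (distinct sources) is what separates a distributed flood from a single noisy client. The flow records, the 10-second bucket width, the multiplier k = 3, the 20% variance floor and the minimum of five training samples are all constructed or assumed for illustration.

```python
"""Flow-based DDoS detection against a learned per-destination baseline.

Added example for this chapter, not code from the book. The flow records are
constructed; bucket width, k, the variance floor and min_samples are assumed
tuning parameters that a real deployment would calibrate against its own traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start time, seconds
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def bucketize(flows, width=10):
    """Aggregate flows into (bucket_start, dst) -> packets, bytes, distinct sources."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "srcs": set()})
    for f in flows:
        key = (f.ts - f.ts % width, f.dst)
        agg[key]["packets"] += f.packets
        agg[key]["bytes"] += f.bytes
        agg[key]["srcs"].add(f.src)
    return agg


class Baseline:
    """Per-destination mean/stddev of packets-per-bucket and sources-per-bucket,
    learned from buckets we trust to be attack-free."""

    def __init__(self, k=3.0, var_floor=0.2, min_samples=5):
        self.k = k                    # assumed: alert above mean + k * stddev
        self.var_floor = var_floor    # assumed: stddev never below 20% of the mean,
        self.min_samples = min_samples  # so a perfectly flat baseline still has slack
        self.hist = defaultdict(lambda: {"packets": [], "srcs": []})

    def learn(self, agg):
        for (_, dst), b in agg.items():
            self.hist[dst]["packets"].append(b["packets"])
            self.hist[dst]["srcs"].append(len(b["srcs"]))

    def ceiling(self, dst, metric):
        """Upper bound of normal for this metric, or None if the baseline is too thin."""
        s = self.hist[dst][metric]
        if len(s) < self.min_samples:
            return None
        m = mean(s)
        sd = max(pstdev(s), self.var_floor * m, 1.0)
        return m + self.k * sd


def detect(baseline, agg):
    """Compare each live bucket with its destination's baseline and classify breaches."""
    alerts = []
    for (t, dst), b in sorted(agg.items()):
        pkt_ceiling = baseline.ceiling(dst, "packets")
        src_ceiling = baseline.ceiling(dst, "srcs")
        if pkt_ceiling is None or src_ceiling is None:
            continue  # no baseline yet: nothing to compare against
        pkt_anom = b["packets"] > pkt_ceiling
        src_anom = len(b["srcs"]) > src_ceiling
        if pkt_anom and src_anom:
            kind = "distributed volumetric"      # many sources, far more packets
        elif pkt_anom:
            kind = "volumetric from few sources"  # one or a few heavy hitters
        elif src_anom:
            kind = "source surge"                 # many new sources, modest volume
        else:
            continue
        alerts.append({"t": t, "dst": dst, "kind": kind,
                       "packets": b["packets"], "srcs": len(b["srcs"]),
                       "pkt_ceiling": round(pkt_ceiling), "src_ceiling": round(src_ceiling)})
    return alerts


def constructed_flows():
    """Constructed sample: 60 s of clean traffic, then a 10 s flood at one server."""
    flows = []
    for b in range(7):          # seven 10 s buckets; the first six are the training window
        for i in range(5):      # five regular clients talking to two servers
            flows.append(Flow(b * 10 + i, f"198.51.100.{i + 1}", "203.0.113.10", 443,
                              100 + 10 * i + 5 * b, 60000))
            flows.append(Flow(b * 10 + i, f"198.51.100.{i + 1}", "203.0.113.20", 443,
                              50 + 5 * i, 30000))
    # constructed SYN-style flood in the last bucket: 200 distinct sources, small packets
    for i in range(200):
        flows.append(Flow(60 + i % 10, f"192.0.2.{i}", "203.0.113.10", 443, 200, 8000))
    return flows


def run():
    flows = constructed_flows()
    training = [f for f in flows if f.ts < 60]
    live = [f for f in flows if f.ts >= 60]
    base = Baseline()
    base.learn(bucketize(training))
    return detect(base, bucketize(live))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it reports a single "distributed volumetric" alert for 203.0.113.10 in the bucket starting at t=60 (about 40,750 packets from 205 sources against a ceiling of roughly 1,060 packets and 8 sources), while 203.0.113.20, which saw only its usual five clients, stays quiet. In practice the training window is rolled forward continuously, which is the "ongoing feedback from live traffic" the text calls for, and a bucket that has already been flagged must be excluded from the baseline so that an attack does not teach the detector that floods are normal.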

Tools in Your Detection Toolbelt
