DDoS Blog

Monitoring TCP Connection States

Oct 22nd 2013

Added By : Justin Chan

Our newest software release will be a large update from our current software in place, offering many more configuration features and advanced monitoring. Currently, the DOSarrest staff members are already using the new software internally on the admin end, and are going through the final touches before releasing it to our customers. The monitoring features have already allowed us to detect malicious traffic quicker and easier, and offer even more low-level packet inspection than before.

One notorious type of DDoS attack is, of course, the SYN flood. These attacks are actually relatively simple to mitigate, and we already protect our customers from them on a daily basis. However, they can also be among the largest attacks in terms of bandwidth. Our new monitoring system can break our traffic down by TCP connection state. A SYN flood normally shows up as a burst of traffic; our system breaks that burst down into the exact connection states involved, where the characteristic behaviour of a SYN attack becomes visible. We have dedicated hardware for this monitoring to ensure we get the quickest results available to us.

We have had automatic SYN protection in place since the inception of the company, as this is a crucial aspect of DDoS protection. SYN protection is seamless and always on, and all of our customers are already covered by it. What our new monitoring features add, however, is better alerting and configurable thresholds. They bring malicious activity to our attention quickly, which also matters because attackers may change tactics and use a different type of DDoS attack against our customers.

A SYN attack is just one example; monitoring TCP connection states lets us see any other attack that attempts to take advantage of the TCP state tables. Ramping TIME_WAIT counts, increases in SYN_ACK, and other changes in the pattern of state-table entries allow our team to see an issue emerging so they can mitigate well in advance.
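As an added illustration of the kind of state-table analysis described above (this is example code written for this post, not DOSarrest's monitoring software), the following Python script summarises a snapshot of TCP connection states from text in the format of Linux's /proc/net/tcp and flags two of the patterns mentioned: a pile-up of half-open SYN_RECV entries relative to established connections, and TIME_WAIT ramping well above a baseline. The snapshot lines, the baseline and the thresholds are all constructed for the example; real thresholds would be tuned per site.

```python
"""Summarise TCP connection states and flag SYN-flood-like patterns.

Example code for illustration; thresholds and sample data are constructed.
"""
from collections import Counter

# Connection state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}


def parse_proc_net_tcp(text):
    """Return a Counter of state names from /proc/net/tcp-style text.

    The first line is a column header; on every other line the fourth
    whitespace-separated field is the hex state code.
    """
    counts = Counter()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        counts[TCP_STATES.get(fields[3].upper(), "UNKNOWN")] += 1
    return counts


def build_snapshot(state_mix):
    """Construct /proc/net/tcp-style text from {state_name: count}.

    Addresses are fixed dummy values (constructed data); only the 'st'
    column is meaningful for the parser above.
    """
    code_for = {name: code for code, name in TCP_STATES.items()}
    lines = ["  sl  local_address rem_address   st tx_queue rx_queue "
             "tr tm->when retrnsmt   uid  timeout inode"]
    idx = 0
    for name, count in state_mix.items():
        for _ in range(count):
            lines.append(
                f"{idx:4d}: 0100007F:0050 0200A8C0:{0xC000 + (idx % 0x3FFF):04X} "
                f"{code_for[name]} 00000000:00000000 00:00000000 00000000"
                "     0        0 0 1 0 100 0 0 10 0")
            idx += 1
    return "\n".join(lines)


def assess(counts, baseline, syn_recv_limit=200, syn_ratio=2.0,
           time_wait_growth=3.0, time_wait_floor=100):
    """Compare a state snapshot against a baseline and return alert strings.

    Thresholds are illustrative assumptions, not recommended values.
    """
    alerts = []
    syn_recv = counts["SYN_RECV"]
    established = counts["ESTABLISHED"]
    # SYN flood signature: half-open connections pile up while the number
    # of fully established connections does not grow with them.
    if syn_recv >= syn_recv_limit and syn_recv > syn_ratio * max(established, 1):
        alerts.append(f"SYN_RECV burst: {syn_recv} half-open vs "
                      f"{established} established")
    # TIME_WAIT ramping: entries grow by a large factor over the baseline.
    time_wait = counts["TIME_WAIT"]
    base_tw = max(baseline["TIME_WAIT"], 1)
    if time_wait >= time_wait_floor and time_wait >= time_wait_growth * base_tw:
        alerts.append(f"TIME_WAIT ramp: {time_wait} entries vs "
                      f"baseline {baseline['TIME_WAIT']}")
    return alerts


if __name__ == "__main__":
    # Constructed quiet-period baseline followed by a SYN-flood-like snapshot.
    quiet = parse_proc_net_tcp(build_snapshot(
        {"ESTABLISHED": 50, "SYN_RECV": 5, "TIME_WAIT": 30, "LISTEN": 1}))
    flood = parse_proc_net_tcp(build_snapshot(
        {"ESTABLISHED": 60, "SYN_RECV": 800, "TIME_WAIT": 30, "LISTEN": 1}))
    print(dict(flood))
    for alert in assess(flood, quiet):
        print("ALERT:", alert)
```

On a real host the same parser can be fed the contents of /proc/net/tcp and /proc/net/tcp6 read at a fixed interval, with the baseline taken from a quiet period; the point of comparing SYN_RECV against ESTABLISHED rather than against a raw number alone is that legitimate traffic spikes raise both, while a SYN flood raises only the half-open count.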

Here is a sneak preview of what our monitoring graphs will offer. In the case of a SYN attack, the otherwise stable graphs show sudden peaks or sudden rises in traffic, and we are alerted immediately.

Justin Chan,

DOSarrest Security Operations Analyst
