Detect DDoS attacks with opFlow

Check out the original blog which inspired this page here: https://opmantek.com/network-security-determine-attack-vector-with-opflow/

Perform a quick google search for DDoS attacks and you will see that free tools used to carry out these attacks are littered all over the internet. These attacks have become increasingly easy to pull off making them a common occurrence. Identifying and preventing these attacks before they cause any damage is key in keeping your network performing smoothly. opFlow is well equipped to determine where these attacks are coming from.

The default page after opening opFlow displays the top 10 sources of network traffic. If you feel your network is under a DDoS attack, change the page to display the top 10 applications. To do this navigate to menu -> Advanced, this opens the menu below.

Figure 1 - Advanced Menu Window

From the advanced menu, change the summary type to "App Sources" also change the "Specific Time" section to match the time period that you feel the attack occurred. Click "Apply Selection" to confirm the changes.

Figure 2 - Top 10 Applications

In the example in Figure 2 above we see UDP:32760 in the second row, this is displaying normal traffic for this particular network. The domain traffic in the first row seems unusual. Viewing this information we have an idea that the attack traffic is related to UDP destination port 53. In order to get a tighter vector on this traffic navigate to menu -> Views -> Conversation Map. The time interval will remain the same as the "Specific Time" filter entered in the Advanced menu earlier.

Figure 3 - Conversation Map

The flow data table is found below the Conversation Map. Click on the time header of the flow data table to sort based on time. Next, change the records per page to 500. The conversation map will change to represent the 500 displayed flow records. Click on a flow data page that represents the time of the DDoS attack well. The conversation map above is indicating that all the traffic is focused on one destination. Disable the "Zoom Lock" on the map, then zoom into the center to determine what the attack target is.

Figure 4 - Flow Data Table

As shown in Figure 4 we can see that the attack traffic is focused on the DNS server, 10.248.114.10. Looking the flow data we see all the flows are a single packet, UDP, and the destination is port 53. We can also tell that none of these are valid DNS requests because at 1,308 bytes, the packet is way too big. DNS responses can be large but a single DNS request should not be more than 150 bytes. Based on this information, an ingress policy could be written that would discard any packets larger than 150 bytes that is destined to the DNS server on UDP port 53.

In the example below you can see the process in which the opFlow server collects and analyzes NetFlow information received by the router

Figure 5 - NetFlow Diagram