So what does a DDoS attack look like? Well, a vintage I Love Lucy video comes to mind.
Remember when Lucy and Ethel get a job in a candy factory? Their job is to wrap each piece of chocolate as it passes by on a conveyor belt. As long as the belt moves at a steady pace, they can easily grab and wrap each piece. But when they “speed it up a little,” the candy comes at them so fast and furious they can’t keep pace; it spills all over and the production line breaks down.
A Denial of Service looks like that. Like the unmanageable stream of candy on the conveyor belt, the DDoS hacker floods the network and the target end-point with more traffic than it can physically handle.
From the TV viewer’s perspective, the source of the trouble and the remedy are obvious. Lucy and Ethel, on the other hand, can do nothing but react.
When your company is being attacked, you are in a similar situation. Without the perspective of the entire process, you can do nothing but react, and the result is not a comedy classic. Generally, these DDoS attacks do more than halt your production line — they put you out of business!
At AT&T’s Global Network Operations Center, in Bedminster, New Jersey, we have the perspective of the entire process. We see the flow of traffic on our network, one of the largest. And we see the flows between our network and the other networks of the Internet. It’s an unmatched point of view.
This flow, which is actually the movement of data packets from origins to destinations, occurs in a predictable way.
This graph depicts a typical day:
The dotted lines represent the expected traffic flow. The colored areas represent the actual traffic. Notice how predictable the traffic flow is.
This is because the traffic reflects our collective behavior. We are all creatures of habit and our predictable, individual behavior, multiplied by the hundreds of millions of other users worldwide, produces smooth curves.
Here’s how an attack looks at the GNOC:
One end-point (i.e., one customer) is being bombarded with traffic. The yellow volume represents the increase in packets and the increase in transactions caused artificially by the hacker.
Before the big spike manifests itself, however, AT&T can detect the slowly unfolding change in traffic behavior that always precedes the attack. At that point, instead of letting that flow of traffic reach the target end-point, we can redirect it to a scrubber, which filters out the DDoS traffic. Then we send the clean traffic on to its original destination.
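The baseline-versus-actual comparison behind those graphs, reduced to code as an added example (this is not AT&T's tooling; the hourly traffic values, the deviation thresholds and the "sustain" rule are all constructed assumptions):

```python
"""Compare a day's actual traffic against its expected baseline and decide,
hour by hour, whether the flow looks normal, is drifting (the slowly
unfolding change), or should be diverted to a scrubber."""
from typing import List

# Constructed baseline: expected flow (millions of packets/second) per hour.
EXPECTED_MPPS: List[float] = [
    2.0, 1.8, 1.6, 1.5, 1.5, 1.7, 2.2, 3.0, 4.0, 4.6, 5.0, 5.2,
    5.3, 5.2, 5.0, 4.9, 5.0, 5.4, 6.0, 6.4, 6.2, 5.5, 4.2, 3.0,
]

# Constructed "attack day": normal until 14:00, then a creeping rise
# (+28 %, +35 %, +40 %) followed by the big spike at 17:00 and 18:00.
ATTACK_DAY_MPPS: List[float] = EXPECTED_MPPS[:14] + [
    6.4, 6.6, 7.0, 11.9, 15.0,
] + EXPECTED_MPPS[19:]


def deviation_ratio(expected: float, actual: float) -> float:
    """Fraction by which actual exceeds expected; 0.0 at or below baseline."""
    return max(0.0, (actual - expected) / expected)


def classify_day(expected: List[float], actual: List[float],
                 warn: float = 0.20, divert: float = 0.60,
                 sustain: int = 2) -> List[str]:
    """Return one of 'normal', 'warn', 'divert' per hour.

    'warn'   : actual above baseline by more than `warn` for at least
               `sustain` consecutive hours (assumed drift rule).
    'divert' : actual above baseline by more than `divert` in any hour,
               i.e. send the flow to the scrubber (assumed threshold).
    """
    states: List[str] = []
    streak = 0
    for exp, act in zip(expected, actual):
        ratio = deviation_ratio(exp, act)
        if ratio > divert:
            streak += 1
            states.append("divert")
        elif ratio > warn:
            streak += 1
            states.append("warn" if streak >= sustain else "normal")
        else:
            streak = 0
            states.append("normal")
    return states


def first_alert_hour(states: List[str]) -> int:
    """Index of the first non-normal hour, or -1 if the day stayed normal."""
    return next((i for i, s in enumerate(states) if s != "normal"), -1)
```

On the constructed attack day the drift is flagged at 15:00, two hours before the spike that would otherwise be the first visible sign.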
This scrubbing of traffic occurs deep in the network, far, far away from your business. When an attack reaches the end of the production line, in other words, when it reaches your business, it is generally too late to wage an effective defense. The defense needs to be in the traffic flow; it needs to be in the network. An AT&T Managed Security Service, for example, is network-based, so the attack never gets as close to your business as it would if you tried to manage the attack on your own.