What does a ‘network attack’ look like?

Today, the popular content delivery network Akamai is reporting that ‘network attacks’ are 95%+ above ‘normal’.

Screengrab from Akamai’s ‘real-time web monitor’

It’s hard to get a feel for what data Akamai are using here or what the baseline is, but it caught my attention because of some attacks against our own network that we saw over the weekend.

It also got me thinking: ‘what does a network attack actually look like?’ – from the point of view of a hosting company.

To answer that, I suppose I need to explain what I mean by a ‘network attack’.

A network attack can come in many forms, but the most common type that we experience is a DDoS – a distributed denial-of-service attack. This type of attack is intended to disable access to a server or network by overloading it with network requests. Almost any network or server is vulnerable to such attacks because its job is to respond to network requests, e.g. to display a web page or to serve other content, whether public or private. Depending on how powerful they are, servers (and groups of servers in clusters) can handle hundreds, thousands or even millions of simultaneous requests. A DDoS attack harnesses hundreds or even thousands of compromised computers or servers connected to the Internet (hence the term ‘distributed’) to overwhelm the target servers by sending thousands or millions of requests. The sheer weight of requests will often rapidly overwhelm a server’s ability to respond as it runs out of resources. Hence, servers and websites ‘go down’. (The Wikipedia article on DDoS attacks has more background.)

It’s important to note that no matter how properly a server is configured, it can still be vulnerable to DDoS attacks. A DDoS attack exploits the very basic function of a server – to answer network requests and serve up content. An attack also often happens with little warning. And because the attack traffic passes through network hardware at the edge of our network (which is usually shared with other customers), it can have a wider impact.

Bytemark NOC – not really

But let’s make one thing very clear. A network attack happens in real time. Unlike the popular media image of an ISP, we don’t have a NORAD style mission control centre to monitor attacks through the paradigm of global warfare. There are no progress bars, or red lines curving over a map to warn us of what’s about to happen.

What does happen is that the target server is no longer able to serve the content that it would normally be expected to serve. If the network attack is large enough, it can also begin to affect other sites on our network. This is clearly an unacceptable situation.

So what we need is a system that monitors client servers, detects when they’re not serving content normally, and then alerts the right people in the most effective way so that they can take action. That action is to “null route” all the traffic directed at the target server, i.e. configure our network infrastructure to send it nowhere, so that it is dropped and ignored. We also need to contact the client and explain what’s happening, as well as let everyone else know through our forum.
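As an added illustration of the monitor-detect-alert-null-route loop described above (this is example code written for this page, not Bytemark’s own monitoring system), the script below probes each client address, counts consecutive failed probes, and raises an action once a host has missed a configurable number of checks. The probe port, the threshold of three failures, the `203.0.113.x` sample addresses and the Linux `ip route add blackhole` command are all assumptions; a real provider would normally push the equivalent blackhole route at its edge routers rather than on one host.

```python
"""Availability monitor that flags a host for null-routing (added example)."""
import socket
from dataclasses import dataclass

# Assumption: escalate after this many consecutive failed probes, so that a
# single dropped packet or a slow response does not trigger a null route.
FAILURE_THRESHOLD = 3


@dataclass
class HostState:
    """Per-host bookkeeping for the detector."""
    address: str
    consecutive_failures: int = 0
    alerted: bool = False


def tcp_probe(address, port=80, timeout=2.0):
    """Return True if a TCP connection to address:port completes within timeout.

    This is the live check; the simulation below feeds in constructed results
    instead so the example runs offline.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def update_state(state, probe_ok):
    """Record one probe result. Return True exactly when the host has just
    crossed the failure threshold, i.e. when an alert should be raised once."""
    if probe_ok:
        # A successful probe resets the counter and re-arms the alert.
        state.consecutive_failures = 0
        state.alerted = False
        return False
    state.consecutive_failures += 1
    if state.consecutive_failures >= FAILURE_THRESHOLD and not state.alerted:
        state.alerted = True
        return True
    return False


def null_route_command(address):
    """Linux command that blackholes all traffic to a single host address
    (assumed stand-in for whatever the edge routers actually accept)."""
    return f"ip route add blackhole {address}/32"


def run_cycle(states, probe_results):
    """Apply one round of probe results to every host.

    Returns a list of (address, command) pairs for hosts that need action,
    which is what an operator would be paged with.
    """
    actions = []
    for state in states:
        if update_state(state, probe_results[state.address]):
            actions.append((state.address, null_route_command(state.address)))
    return actions


def simulate(rounds):
    """Run the detector over a list of probe rounds; return {round_index: actions}."""
    states = {addr: HostState(addr) for addr in rounds[0]}
    alerts = {}
    for i, round_results in enumerate(rounds):
        actions = run_cycle(list(states.values()), round_results)
        if actions:
            alerts[i] = actions
    return alerts


# Constructed sample: .10 goes down from round 1 onwards (an attacked host),
# .20 fails once, recovers, then fails twice (not enough to escalate).
SAMPLE_ROUNDS = [
    {"203.0.113.10": True,  "203.0.113.20": True},
    {"203.0.113.10": False, "203.0.113.20": False},
    {"203.0.113.10": False, "203.0.113.20": True},
    {"203.0.113.10": False, "203.0.113.20": False},
    {"203.0.113.10": False, "203.0.113.20": False},
]

if __name__ == "__main__":
    for round_index, actions in simulate(SAMPLE_ROUNDS).items():
        for address, command in actions:
            print(f"round {round_index}: {address} down, suggested action: {command}")
```

Only the `.10` host reaches three consecutive failures, so it is the only one the detector escalates, and it is escalated once rather than on every subsequent round. Note that the action protects the rest of the network at the cost of taking the attacked host fully offline, which is why the page pairs it with contacting the client and posting to the forum.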

Summing up, responding to network attacks (like a DDoS) is an important part of what we do as a responsible hosting provider. What they ‘look like’ isn’t particularly sexy (though I do now wish we had a WarGames style command centre). However, our visibility of network attacks is optimised for rapid and efficient response, night or day.

In the light of recent attacks across the Internet, I hope this has shed some light on how we handle these challenging events.