One of our customers experienced a large Distributed Denial of Service (DDoS) attack on their network, which impacted their business until the resolution was implemented. Even with a properly configured firewall, the attack saturated the customer's link to the Internet and disrupted part of their internal network; it took down all of their cloud services, including voice communications and secure partner access, as well as VPN access to remote sites.
What happened?
The attack used the Network Time Protocol (NTP) amplification issue documented in http://www.kb.cert.org/vuls/id/348126. The attacker flooded multiple network time servers with malicious queries whose source address was spoofed to our customer's .132 address, so the servers sent their amplified responses to that .132 address.
How the vXRE detected it
The Internet connection was saturated with NTP traffic, all aimed at .132 and at the same destination port, 49635. The vXRE immediately recognized the bandwidth problem and issued an alert for network and security operations to drill down. Within minutes of the initial attack, network and security operations understood the issue and identified the offending IP addresses from the alert.
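As an added illustration (not code from the original post or from the vXRE product), the detector below applies the same signal the alert surfaced to constructed flow records: many NTP servers (UDP source port 123) sending a large volume of oversized packets to one destination address and port, the port being the spoofed request's source port. The thresholds, the addresses and the 482-byte sample packet size are assumptions; a normal NTP reply is 76 bytes on the wire (48-byte NTP payload plus UDP and IP headers).

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records, not data from the incident described in the post:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = [
    # three reflectors replying to the spoofed source address/port
    ("udp", "203.0.113.10", NTP_PORT, "198.51.100.132", 49635, 4_820_000, 10_000),
    ("udp", "203.0.113.77", NTP_PORT, "198.51.100.132", 49635, 4_338_000, 9_000),
    ("udp", "192.0.2.200", NTP_PORT, "198.51.100.132", 49635, 3_856_000, 8_000),
    # legitimate time sync: one server, normal 76-byte replies, tiny volume
    ("udp", "203.0.113.10", NTP_PORT, "198.51.100.20", 51000, 760, 10),
    # unrelated TCP traffic to the same victim port; must be ignored
    ("tcp", "198.51.100.5", 443, "198.51.100.132", 49635, 2_000_000, 1_500),
]


def detect_ntp_amplification(flows, min_sources=3, min_bytes=1_000_000, min_avg_pkt=200):
    """Group inbound UDP flows sourced from port 123 by (dst_ip, dst_port) and flag
    groups where several distinct servers push a large volume of oversized packets
    to the same address and port. Returns one finding per victim address/port,
    including the reflector list that can be handed to the upstream provider."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for proto, src_ip, src_port, dst_ip, dst_port, nbytes, packets in flows:
        if proto != "udp" or src_port != NTP_PORT:
            continue
        g = groups[(dst_ip, dst_port)]
        g["sources"].add(src_ip)
        g["bytes"] += nbytes
        g["packets"] += packets

    findings = []
    for (dst_ip, dst_port), g in groups.items():
        avg_pkt = g["bytes"] / g["packets"] if g["packets"] else 0.0
        # all three conditions must hold: many reflectors, high volume, big packets
        if len(g["sources"]) >= min_sources and g["bytes"] >= min_bytes and avg_pkt >= min_avg_pkt:
            findings.append({
                "victim": dst_ip,
                "dst_port": dst_port,
                "reflectors": sorted(g["sources"]),
                "total_bytes": g["bytes"],
                "avg_packet_bytes": round(avg_pkt, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_ntp_amplification(SAMPLE_FLOWS):
        print(finding)
```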
How it was resolved
Ten minutes after the start of the attack, the customer was able to filter the traffic on their network and provide useful data to their upstream provider, which took action to restore normal communications. In this case, live traffic analysis enabled rapid root-cause identification, and our customer limited the damage of the DDoS attack.