
Four monitoring tools for capturing DDoS attacks

Published on: 09:47:47, September 5, 2019

There are many services that defend against or mitigate DDoS attacks, but knowing as early as possible that a website is under attack remains a hard problem. Here we list four monitoring tools and methods that help identify DDoS attacks.


Tool 1: Internal server, network and infrastructure monitoring


A company has many monitoring packages and applications to choose from, but Nagios is the most popular. It can monitor internal infrastructure and applications: servers, operating systems, network protocols, system metrics and network equipment.


For example, the monitoring software checks the HTTP server to make sure the website or Web server is operating normally. If it is not, the monitoring software sends a notification in real time.


Most DDoS attacks target a Web server or the application tier. The monitoring software may detect symptoms such as a slow HTTP server, high CPU load, or a complete outage. These symptoms alone cannot confirm a DDoS attack with certainty; the IT administrator still has to judge whether the abnormal state is an attack.
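The kind of HTTP check described above, written as a small Nagios-style plugin. This is an added example, not Nagios's own check_http plugin: it probes a URL, measures the response time, and turns the symptoms the article names (slow server, complete outage) into the exit codes Nagios understands (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The warn/crit thresholds, the local demo server and the "closed" port 9 are assumptions for the demo; the same probe is what an external monitoring node (Tool 2 below) would run from outside the network.

```python
"""Nagios-style HTTP check (added example; not Nagios's own check_http plugin).

Probes a URL, measures the response time, and maps the outcome onto the exit
codes Nagios plugins use: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN. The warn_s
and crit_s thresholds are assumed values for this example."""
import sys
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def classify(status, elapsed, warn_s=1.0, crit_s=3.0):
    """Map one probe result onto a Nagios state.

    status  -- HTTP status code, or None when no response came back
    elapsed -- seconds the request took, or None when it never completed
    Returns (state, message). A 5xx or a response slower than crit_s is
    CRITICAL; a 4xx or a response slower than warn_s is WARNING.
    """
    if status is None:
        return CRITICAL, "HTTP CRITICAL - no response (timeout or connection refused)"
    if status >= 500 or elapsed >= crit_s:
        return CRITICAL, f"HTTP CRITICAL - status {status}, {elapsed:.3f}s"
    if status >= 400 or elapsed >= warn_s:
        return WARNING, f"HTTP WARNING - status {status}, {elapsed:.3f}s"
    return OK, f"HTTP OK - status {status}, {elapsed:.3f}s"


def probe(url, timeout=5.0):
    """Fetch url once. Returns (status_code or None, elapsed seconds or None)."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(1024)  # make sure the server actually delivers a body
            return resp.status, time.monotonic() - start
    except urllib.error.HTTPError as err:
        return err.code, time.monotonic() - start  # 4xx/5xx still answered
    except (urllib.error.URLError, OSError):
        return None, None  # refused, unreachable or timed out


def check_http(url, warn_s=1.0, crit_s=3.0, timeout=5.0):
    """Probe then classify; the tuple's first element is the plugin exit code."""
    status, elapsed = probe(url, timeout)
    return classify(status, elapsed, warn_s, crit_s)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed local server: '/' answers at once, '/slow' after 1.5 s."""

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(1.5)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Run the check against a throwaway local server, so no network is needed.
    Returns three (state, message) results: healthy, slow, and down."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return [
            check_http(base + "/"),                          # healthy -> OK
            check_http(base + "/slow"),                      # 1.5 s > warn_s -> WARNING
            check_http("http://127.0.0.1:9/", timeout=2.0),  # port 9 assumed closed -> CRITICAL
        ]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # invoked like a real plugin: check_http.py https://example.test/
        state, msg = check_http(sys.argv[1])
        print(msg)
        sys.exit(state)
    for state, msg in run_demo():
        print(state, msg)
```

Run it with a URL argument to use it as a plugin (the exit code is the state), or with no arguments to see the three cases against the built-in demo server. The check deliberately reports only the symptom; as the article says, deciding whether a slow or dead server is a DDoS attack still rests with the administrator.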


Tool 2: External performance monitoring


IT administrators can use an external performance monitoring solution to assess a possible DDoS attack. Unlike tools installed inside the user's own network, external performance monitoring is usually provided by a third party that continuously probes the website or application from monitoring nodes located around the world.


External monitoring generally includes the following schemes:


1. Use a virtual (synthetic) browser to check the uptime and performance of the website or application
2. Use a real browser to check for degraded performance, errors and broken services on the website or application
3. Monitor network services such as DNS, FTP and e-mail


External third-party monitoring is very useful against DDoS. The goal of this type of solution is to monitor the website, server or application continuously. Machine failures, slow responses and similar problems are precursors of a DDoS attack. However, an external solution can only tell the IT administrator that performance has degraded or the machine has crashed completely; the cause remains uncertain.


The purpose of third-party monitoring is to protect the normal operation of Internet service providers, hosting companies and servers. Slow response times and outages indicate that a provider or server is impaired.


Before enabling a DDoS protection service, the most important thing to do is to carefully record all the monitoring data from the third party.


Tool 3: NetFlow or Peakflow traffic analysis


NetFlow, developed by Cisco, is another good choice for monitoring DDoS. It is mainly used to collect IP traffic information and has gradually become an industry standard. It is supported on many platforms and is widely used.


Cisco defines a NetFlow record as a sequence of data fields, with the following meanings:


source address | destination address | source autonomous system (AS) | destination autonomous system (AS) | input interface index | output interface index | source port | destination port | protocol type | packet count | byte count | flow count


Some anti-DDoS service providers can detect attacks from your NetFlow data. For example, we can define a normal state, that is, establish a baseline, from the network data collected over a period of time. Once adverse factors intervene, the traffic will be abnormally high or low relative to that baseline.


We can set low, medium and high thresholds for alerting. Once a threshold is exceeded, users receive alerts by e-mail, phone or other means.
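The baseline-and-threshold method from the two paragraphs above, carried through on NetFlow-style records. This is an added example, not a vendor product or Cisco code. Each record carries the fields listed above plus a `start` timestamp (real exporters send one; the field list above omits it). Flows are summed per one-minute bucket, a quiet training window yields a mean and standard deviation, and the low/medium/high levels are mean plus 2, 4 and 8 standard deviations; those multipliers, the 5% floor on the standard deviation, the "low-traffic" level for a collapsed server, and the sample flows (documentation address ranges, private AS numbers) are all assumptions constructed for the demo.

```python
"""Baseline-and-threshold detection over NetFlow-style records (added example,
not a vendor product).

Each record carries the fields the article lists (addresses, AS numbers,
interfaces, ports, protocol, packet and byte counts) plus a 'start' timestamp
in seconds, which real exporters also send but the article's field list omits.
Flows are summed per one-minute bucket; a quiet training window gives a mean
and standard deviation per bucket; the low/medium/high alert levels are
mean + 2, 4 and 8 standard deviations (assumed multipliers; tune per network)."""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ("src_addr", "dst_addr", "src_as", "dst_as", "in_if", "out_if",
          "src_port", "dst_port", "proto", "packets", "bytes", "start")
LEVELS = (("low", 2.0), ("medium", 4.0), ("high", 8.0))  # assumed sigma multipliers


def make_flow(src, dst, sport, dport, proto, packets, nbytes, start,
              src_as=64500, dst_as=64501, in_if=1, out_if=2):
    """Build one flow record (AS numbers from the private range, for the demo only)."""
    return dict(zip(FIELDS, (src, dst, src_as, dst_as, in_if, out_if,
                             sport, dport, proto, packets, nbytes, start)))


def bucketize(flows, width=60):
    """Sum packets and bytes per time bucket -> {bucket_start: (packets, bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        b = (f["start"] // width) * width
        totals[b][0] += f["packets"]
        totals[b][1] += f["bytes"]
    return {b: tuple(v) for b, v in sorted(totals.items())}


def build_baseline(buckets):
    """Mean and population std-dev of per-bucket packets and bytes: the 'normal state'."""
    pps = [p for p, _ in buckets.values()]
    bps = [b for _, b in buckets.values()]
    return {"packets": (mean(pps), pstdev(pps)), "bytes": (mean(bps), pstdev(bps))}


def severity(value, mu, sigma):
    """Highest alert level whose threshold the value exceeds; 'low-traffic' when
    it drops below mean - 2 sigma (a server that has already collapsed sends
    almost nothing); None when the bucket looks normal."""
    sigma = max(sigma, 0.05 * mu)  # assumed floor: a flat training window must not alert on noise
    level = None
    for name, k in LEVELS:
        if value > mu + k * sigma:
            level = name
    if level is None and value < mu - 2 * sigma:
        level = "low-traffic"
    return level


def detect(buckets, baseline):
    """Return [(bucket_start, metric, value, level)] for every abnormal bucket."""
    alerts = []
    for b, (packets, nbytes) in buckets.items():
        for metric, value in (("packets", packets), ("bytes", nbytes)):
            level = severity(value, *baseline[metric])
            if level:
                alerts.append((b, metric, value, level))
    return alerts


# --- constructed sample data (documentation address ranges, not real traffic) ---
TRAINING_PACKETS = [1000, 1100, 900, 1050, 950, 1000, 1200, 800, 1000, 1000]  # minutes 0-9
LIVE_WINDOW = [(10, 1000, 500_000),    # normal
               (11, 1500, 450_000),    # many small packets: packet rate climbs first
               (12, 5000, 2_500_000),  # full-blown flood
               (13, 100, 50_000)]      # server down: traffic collapses


def synth_minute(minute, total_packets, total_bytes, nflows=4):
    """Split one minute's totals across nflows flows so the sums stay exact."""
    flows = []
    for i in range(nflows):
        p, b = total_packets // nflows, total_bytes // nflows
        if i == nflows - 1:  # remainder goes on the last flow
            p = total_packets - p * (nflows - 1)
            b = total_bytes - b * (nflows - 1)
        flows.append(make_flow(f"203.0.113.{i + 1}", "198.51.100.10", 40000 + i, 443, 6,
                               p, b, minute * 60 + i * 10))
    return flows


def training_flows():
    return [f for m, p in enumerate(TRAINING_PACKETS) for f in synth_minute(m, p, p * 500)]


def live_flows():
    return [f for m, p, b in LIVE_WINDOW for f in synth_minute(m, p, b)]


def run_demo():
    """Learn the baseline from the quiet window, then score the live window."""
    baseline = build_baseline(bucketize(training_flows()))
    return detect(bucketize(live_flows()), baseline)


if __name__ == "__main__":
    for bucket, metric, value, level in run_demo():
        print(f"minute {bucket // 60}: {metric}={value} -> {level}")
```

In the demo the packet rate trips the medium level a minute before the byte rate moves at all, which is why flow-based monitoring watches packets and bytes separately: a flood of small packets shows up in one long before the other. The "low-traffic" level covers the other abnormal direction the article mentions, traffic that falls well below the baseline because the server has already gone down.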


However, this scheme also has drawbacks. For example, you may not be able to export NetFlow data at all, because doing so usually requires you to own or rent your own router.


Tool 4: On-premises monitoring


The last monitoring scheme for catching DDoS involves installing DDoS monitoring equipment in your network or data center. Some anti-DDoS service providers offer such solutions: a local monitoring and protection device handles DDoS attacks within the available bandwidth, and if an attack exceeds that bandwidth, mitigation switches over to cloud protection.


Compared with the other monitoring options discussed here, this scheme is certainly the most expensive, so price is also an important factor to consider.


Conclusion


The problem of DDoS attacks is becoming increasingly serious. Almost every company has been trying to put DDoS protection in place, and the question they face is: "How do we know we are under attack?" There is no perfect solution. What you need to do is find the best choice for your business according to your infrastructure, budget and other specifics.
