Go back

The Art to Troubleshooting DDoS Attacks

by Mark Harris Jun 8, 2017

The following article is part 1 in a 3-part series about troubleshooting DDoS attacks, and it’s a guest post by Matt Conran of Network Insight. In this article, Matt covers the NetBrain approach to DDoS and how effective team collaboration is the only way to win against the escalation of attacks.

DDos Attack


We are on a losing streak with recent DDoS attacks; existing approaches are clearly lagging. It’s not just about creative machine algorithms for early detection or advances in mitigation solutions. The entire DDoS solution must be addressed as a whole, including how teams respond to such events.

The key element to stop a DDoS is the troubleshooting. This needs to be intertwined into the detection and mitigation solution in an automatic API approach. NetBrain solution provides this missing piece for troubleshooting any kind of DDoS effectively.

NetBrains solutions allow engineers to map any kind of traffic flow enabling a level of visibility that is required to track the security events that target all layers of the Open Systems Interconnection model (OSI) model. All this can be done in seconds – a powerful tool to combat cyber criminals.

Team Collaboration

Armed with the NetBrain tool set, network and security teams can automate any network task or workflow. Different teams can collaborate and visualize any part of the network on demand, displaying detailed aspects of that section.

Winning against a DDoS is not just a technical battle. The facilities within NetBrain improve team collaboration and promote preparation which is equally as important. NetBrain plays a vital role and removes the panic when DDoS hits you.

The Art of Networking

The Art of Networking creates numerous different intelligent networks. No two networks are ever the same. This makes troubleshooting DDoS an individual process with most of the talent in the minds of engineers. NetBrain incorporates tools to extract troubleshooting information into a centralized database, making it easier to combat a DDoS event automatically. This is why the platform’s name is Adaptive Network Automation – adapting to every network and task.

NetBrain is the first to start a DDoS collaboration effort. This offers NetBrain customers the ability to pool together and share executable runbooks that are used to combat DDoS attacks. Collaboration is a key ingredient to winning against DDoS.

How does it work?

The solution is based on Dynamic Network Mapping, Executable Runbooks and Out-of-box Integration; glued together to form one complete DDoS solution. Engineers can create a dynamic map of any part of the network in seconds, just select two points and the map carries out the analysis.

The runbook gives that extra poke by performing read only analysis, pulling tailored data from the network. It lets you get right into the weeds. The extracted details are infinite; it’s like having a complete interface to your network. It is similar to how Google provides a search blanket for billions of websites.

API Integration

The NetBrain rich out-of-box integration features allow the platform to fully integrate with any DDoS detection and mitigation solution. NetBrain Application program interface (API) enables the transient transition; filling the missing piece of the DDoS puzzle — troubleshooting and workflow team collaboration.

Dynamic Map

The dynamic map is the key component that allows engineers to map a critical flow and search any data point to get full visibility around it. It acts as a single pane of glass for all the configuration, performance data, statistics, events and logs with the ability to pull data from other 3rd party systems.

It recursively logs into every device pulling data from sources like firewall rules, load balancing logs, routing tables, VRF designs and much more into an easy task to view Graphical User Interface (GUI). It performs efficiently and swiftly than traceroute ever could. It extracts a level of detail that would otherwise take hours through the manual approach. NetBrain carries out all this in merely seconds.

Data Point Search

NetBrain allows engineers to search any data point for detailed and tailored network visibility in seconds. For example, if you are troubleshooting a DDoS event that is causing an issue with Open Shortest Path First (OSPF) adjacency, you can drill down for a unique customized map and turn on various layers of information for further analysis. Or if you suspect DDoS in a particular site, you can drill down into that specific area for more information.

Virtually Infinite Details

Once you have selected the data points, you can zoom in for almost endless details to include performance metrics, designs or security features, or even configuration checks.

Executable Runbooks

To go to an extra level of detail, engineers can run an executable runbook. This allows you to automate virtually any network management task. Executable runbooks are auto-triggered, expandable, result tracking and community-backed, enabling real-time visualization and DDoS impact analysis.

A runbook provides an excellent methodology and is a container for automation. Every step or play in a runbook is a piece of the automaton in a workflow. As they are executable, they can be triggered by an external system and external event. A DDoS detection system can trigger a runbook after traffic anomaly detection.

For deeper granularity, additional steps inside the runbook are known as Qapp . Qapp are powered by Python but this is all abstracted by a Wizard-driven GUI. You don’t need to be a programmer. They are like a file extension with several components; each component can have the “statements” commands.

Streamlined DDoS Example

The triggering of a DDoS event pulls in all the resources from the Adaptive Network Automation technology set. An external IDS system signals an attack and reports an event. This automatically triggers a number of executable runbooks based on the type of attack detected.

Example Runbooks

Runbooks operate at any layer of the OSI model, aiding the troubleshooting of the most sophisticated DDoS attacks. They can pull out load balancer or web server logs to look for specific errors in Transmission Control Protocol (TCP) headers. Manually this would take an age. Any show command is executed and presented visually. Real-time analysis is carried out on each and every hop.

Different stages within a runbook can be triggered from irregular traffic patterns enabling the additional Qapps for deeper network analysis. For example, if the interface counters are increasing, or there is a high level of HTTP processes on a backend server due to HTTP DDoS attack, it can automatically trigger a series of Qapps for further inspection. All this is done with no human interaction.

Intermittent Issues

Some DDoS attacks are more silent and cause intermittent network issues. They are harder to troubleshoot as you need to be present at the moment to capture the data while it’s happening. Automatically triggered runbooks can check every aspect of networking, even the general overall network health capturing intermittent issues. This dramatically reduces false positives with little human interaction.

Closing Comments

Runbooks are a powerful way to influence a team to run a set of actions. A series of runbooks are abstracted from the mind of an engineer and anyone else can use, learn and execute them. The network hero is often overworked and now the person can offer all his knowledge to a series of runbooks, enabling broader team integration. Runbooks are a great way for team collaboration and improving workflow integration. They can be enriched time after time with lessons learned and added along the way.

Team collaboration is a vital component for efficient DDoS troubleshooting. More than often, there are multiple teams involved, for example, network, security and application required. How do you track changes during troubleshooting events from multiple teams? Or pool diagnostic data from several verticals? NetBrain offers collaboration media so that engineers can work together on one map. All activities are tracked and in line with each other. For example, all diagnostic data, notes or actions are saved for everyone involved to see. It provides one single source of truth for all DDoS troubleshooting.