To stop a DDoS attack, you have to know what you're up against. In a distributed denial of service attack, multiple computer systems, compromised by malware or a virus, relentlessly send traffic to a target network or machine. This attack makes computer or network resources unavailable to users.
Before taking any remedial action when a DDoS attack is suspected, it is important to check whether the slow service delivery is simply the result of a lagging internet connection. The United States Computer Readiness Team, or US-CERT, gives a list of symptoms that serve as pointers that your computer resources may be under attack: unusually slow network performance, where accessing or opening files or websites drags; the unavailability of a web resource; disconnection of an intranet or internet link; and a dramatic increase in the number of spam emails received.
DDoS attacks can also manifest as problems in the network branches adjacent to the computer system under attack, which can serve as a useful alert to network administrators.
In cases where DDoS attacks are initiated on a very large scale, internet connections in entire geographical areas surrounding the target machines may be affected. To determine if a computer resource is under DDoS attack, network administrators can go to the command prompt and attempt to ping outside their network, normally to a website like Google.com. By observing the round-trip time and the percentage of packets lost displayed in the ping statistics, a correct diagnosis can be made concerning the state of the network.
The time it takes to transmit 32 bytes of data is normally about 40ms. At the initial stages of a DDoS, this may take 800ms. The computer system will eventually respond with a "Request Timed Out". By identifying the initial stages of a DDoS attack, it is possible to prevent your computer and network resources from being taken completely offline.
For more details concerning what is happening on the network, administrators can make use of NETSTAT. This allows the administrator to see all the current TCP/IP connections. A large number of TCP/IP connections from the same IP address is usually a good indication of an attack. You can confirm that an attack is in progress when the state of these connections indicates SYN_RECEIVED.
To find out the IP address targeting your network, run the TCPView program or any program that indicates all the current connections on a computer.
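The NETSTAT check described above can be automated. The following is an added example, not code from the original article: it parses saved `netstat -n` output, counts connections per remote IP address, and reports the addresses holding many connections in the SYN_RECEIVED state (Linux prints this state as SYN_RECV). The sample output, the function names and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

# Constructed sample of Windows `netstat -n -p tcp` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          203.0.113.7:50111      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.7:50112      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.7:50113      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.7:50114      ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.23:61002    ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.23:61003    SYN_RECEIVED
  TCP    [2001:db8::10]:80      [2001:db8::bad]:40000  SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.99:52000    TIME_WAIT
"""

HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # Windows spelling / Linux spelling


def remote_ip(endpoint):
    """Strip the port from 'a.b.c.d:port' or '[v6addr]:port'."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def parse(text):
    """Yield (remote_ip, state) for each TCP row; header lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        # Windows rows: Proto Local Foreign State
        # Linux rows:   Proto Recv-Q Send-Q Local Foreign State
        if len(fields) >= 4 and fields[0].lower().startswith("tcp"):
            yield remote_ip(fields[-2]), fields[-1]


def half_open_report(text, threshold=3):
    """Return [(ip, half_open_count, total_count)] for IPs at or above threshold."""
    total, half = Counter(), Counter()
    for ip, state in parse(text):
        total[ip] += 1
        if state in HALF_OPEN:
            half[ip] += 1
    return [(ip, n, total[ip]) for ip, n in half.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, half_open, total in half_open_report(SAMPLE):
        print(f"{ip}: {half_open} half-open of {total} connections")
```

The parser assumes the state is the last column, so run `netstat` without options that append a process ID column, and set the threshold against what is normal for the server being checked.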
Author Bio. Casey King is a cyber security professional who helps companies and website owners stay online with industry-leading DDoS protection and professional web hosting solutions.