Principle
A DoS attack aims to exhaust the resources of a device by sending it a flood of connection requests. As a result, the device can no longer provide its functions properly or may even crash. DoS attacks typically target a server so that it denies service to legitimate users.
A distributed denial of service (DDoS) attack is an escalation of the DoS attack: the attacker launches the attack from many hosts at once, which widens the affected scope and causes greater damage.
Symptom
DDoS attacks target the downstream servers connected to network devices. During a DDoS attack, the upstream and downstream interfaces of the network device receive a large number of IP packets, which may saturate the bandwidth of either interface. If the attack traffic saturates the downstream interface, users connected to that interface experience slow access or lose network access entirely. If the attack traffic saturates the upstream interface, all users connected to the network device are affected.
Scenario
As shown in the figure, users connected to the S7700 cannot access the network, and the NMS frequently loses its management connection to the S7700.
DDoS attack
Cause: Traffic on the S7700 interface connected to the A7450 has reached the interface's maximum bandwidth, which indicates a DDoS attack. Bandwidth for authorized users cannot be guaranteed, services are interrupted, and the S7700 is frequently disconnected from the NMS.
Solution: Capture packets on the S7700 interface connected to the A7450 and analyze the characteristics of the attack packets (source addresses, protocol, packet size and rate). Block the attack source, and deliver an ACL that filters out packets from the attack source. Note that an inbound ACL on the S7700 drops the attack packets only after they have crossed the already saturated link; to restore bandwidth on that link, the same filter must also be applied upstream of it (on the A7450 or further towards the attack source).
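The capture-and-filter step above, as an added example that is not from the original guide: a Python script that reads a libpcap capture, ranks source IPs by packet rate over the capture window, flags the sources above a threshold, and renders a deny ACL for them. The capture bytes are constructed in the script (two flooding sources and one normal client, not real traffic) and the capture is deliberately truncated with a 96-byte snaplen so that byte counts come from the record header's original length, not from the captured bytes. The ACL and traffic-filter syntax (acl number, rule deny ip source, traffic-filter inbound acl) is assumed from Huawei VRP conventions and must be checked against the S7700 software version in use; the interface name GigabitEthernet 1/0/1, ACL number 3001 and the 50 pps threshold are illustrative.

```python
"""Rank source IPs in a pcap capture and emit a deny ACL for flooding sources."""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800


def build_frame(src, dst, proto=6, payload_len=1000):
    """Construct a minimal Ethernet/IPv4 frame (sample data, not real traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + b"\x00" * payload_len


def build_pcap(frames, snaplen=96):
    """Serialize (ts_sec, ts_usec, frame) tuples as a libpcap file, truncating to snaplen."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]  # link type 1 = Ethernet
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, src, dst, proto, wire_len) for each IPv4 packet in a pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34:  # too short for Ethernet (14) + IPv4 header (20)
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        proto = frame[14 + 9]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        # wire_len is the original length: truncated captures must not undercount bytes
        yield ts_sec + ts_usec / 1e6, src, dst, proto, orig_len


def source_stats(packets):
    """Per-source packet count, byte count and packets/second over the capture window."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    first = last = None
    for ts, src, _dst, _proto, wire_len in packets:
        stats[src]["packets"] += 1
        stats[src]["bytes"] += wire_len
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    window = max(last - first, 1e-6) if first is not None else 1.0
    for s in stats.values():
        s["pps"] = s["packets"] / window
    return dict(stats), window


def suspect_sources(stats, pps_threshold):
    """Sources whose packet rate meets the threshold, sorted for a stable ACL."""
    return sorted(src for src, s in stats.items() if s["pps"] >= pps_threshold)


def huawei_deny_acl(sources, acl_number=3001, interface="GigabitEthernet 1/0/1"):
    """Render an advanced ACL and inbound traffic-filter (assumed VRP syntax) dropping the sources."""
    lines = [f"acl number {acl_number}"]
    for i, src in enumerate(sources):
        lines.append(f" rule {5 * (i + 1)} deny ip source {src} 0")
    lines.append(f" rule {5 * (len(sources) + 1)} permit ip")  # keep legitimate traffic flowing
    lines += ["quit", f"interface {interface}", f" traffic-filter inbound acl {acl_number}", "quit"]
    return lines


def sample_capture():
    """Constructed 2-second capture: two flooding sources and one normal client."""
    victim = "192.0.2.50"
    frames = []
    for i in range(400):   # 200 pps, 1400-byte payloads
        frames.append((1000 + i // 200, (i % 200) * 5000, build_frame("198.51.100.77", victim, payload_len=1400)))
    for i in range(300):   # 150 pps
        frames.append((1000 + i // 150, (i % 150) * 6000, build_frame("198.51.100.78", victim)))
    for i in range(10):    # normal client, a few packets per second
        frames.append((1000 + i // 5, (i % 5) * 100000, build_frame("192.0.2.10", victim, payload_len=200)))
    frames.append((1002, 0, build_frame("192.0.2.10", victim, payload_len=200)))
    frames.sort(key=lambda f: (f[0], f[1]))
    return build_pcap(frames)


if __name__ == "__main__":
    stats, window = source_stats(parse_pcap(sample_capture()))
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["pps"]):
        print(f"{src:16} {s['packets']:6d} pkts {s['bytes']:8d} bytes {s['pps']:8.1f} pps")
    print("\n".join(huawei_deny_acl(suspect_sources(stats, 50))))
```

Before delivering the ACL, confirm the symptom on the S7700 itself: the interface counters (input rate and bandwidth utilization shown by display interface on VRP) should match the rate the capture reports, and the top sources should be verified against the NMS or upstream logs so that a legitimate high-volume host is not blocked by mistake.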