SPT-RCA - Client Raised Possibility of DDOS Attack-181123-185348
Issue Raised:
Client informed us on the evening of 15th November that they saw unusual traffic in one of their services and unusual tail latencies.
Investigation:
(charts reviewed, not reproduced here: Traffic, Utilization, Memory Usage, Summary of all)
OBSERVATIONS
Requests
There are very short, impulsive peaks in requests that have been present for a long time; they are very short-lived and occur at nearly the same time of day, indicating a common traffic pattern that is not artificially induced.
The increases in latency correlate with these impulsive peaks, which is normal and expected behaviour.
(charts reviewed, not reproduced here: Traffic, Utilization, Summary)
Conclusion
The impulsive spikes are very short-lived, seem to occur 2-3 times a day every day, and the peak is only of the order of 2-3x the average.
Increase the instance size (memory, CPU, network bandwidth) to the next available tier and monitor the traffic, continuing to increase it until the traffic smooths out.
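The conclusion above rests on two checks: the peaks are only a small multiple of the baseline rate, and they recur at the same time of day across days. The script below is an added example (not part of the RCA) that encodes that reasoning over a request-rate series. The hourly bucket size, the 2x spike threshold, the "seen on at least two days" rule and the sample series itself are assumptions constructed for the example; a recurring peak classified this way is the organic pattern the RCA describes, while a peak that appears on a single day at an unusual hour is the one worth investigating.

```python
"""Added example (not from the RCA): tell recurring, time-of-day bound request
spikes apart from novel ones in a request-rate time series."""
from statistics import median

BUCKETS_PER_DAY = 24   # one bucket per hour (assumption)
SPIKE_RATIO = 2.0      # a bucket counts as a spike above 2x the median rate (assumption)
MIN_DAYS = 2           # a time of day is "recurring" if it spikes on >= this many days


def build_sample_series(days=3, base=100, spike_hours=(9, 13, 18), spike_ratio=2.5):
    """Constructed sample data: a flat baseline with short peaks at the same hours every day."""
    series = []
    for _ in range(days):
        for hour in range(BUCKETS_PER_DAY):
            series.append(base * spike_ratio if hour in spike_hours else base)
    return series


def find_spikes(series, ratio=SPIKE_RATIO):
    """Return (bucket_index, multiple_of_median) for every bucket above ratio x median.
    The median is the baseline because, unlike the mean, it is not pulled up by the
    spikes themselves."""
    baseline = median(series)
    return [(i, v / baseline) for i, v in enumerate(series) if v > ratio * baseline]


def classify_spikes(series, buckets_per_day=BUCKETS_PER_DAY, min_days=MIN_DAYS):
    """Group spikes by time of day. A time of day that spikes on >= min_days days is
    'recurring' (expected pattern); everything else is 'novel' and deserves a look."""
    by_tod = {}
    for idx, mult in find_spikes(series):
        tod, day = idx % buckets_per_day, idx // buckets_per_day
        by_tod.setdefault(tod, []).append((day, mult))
    recurring = {tod: sorted({d for d, _ in hits})
                 for tod, hits in by_tod.items()
                 if len({d for d, _ in hits}) >= min_days}
    novel = [(tod, day, mult)
             for tod, hits in by_tod.items() if tod not in recurring
             for day, mult in hits]
    peak = max((m for _, m in find_spikes(series)), default=1.0)
    return {"recurring_hours": recurring, "novel": novel, "peak_multiple": peak}


def with_novel_spike(series, day=2, hour=3, multiple=10.0):
    """Constructed variant: inject one large, one-off spike to show the contrast."""
    copy = list(series)
    copy[day * BUCKETS_PER_DAY + hour] = median(series) * multiple
    return copy


if __name__ == "__main__":
    organic = build_sample_series()
    print("organic pattern:", classify_spikes(organic))
    print("with one-off spike:", classify_spikes(with_novel_spike(organic)))
```

Run as-is it first shows the RCA's situation (three recurring hours at 2.5x the median, nothing novel) and then the same series with a single 10x spike on one day, which lands in the novel list with its day and multiple.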
To protect Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks such as cross-site scripting (XSS) and SQL injection (SQLi), Google Cloud Armor can be used.
Link: Google Cloud Armor overview
Sudden Spike: A sudden, unexplained, and significant increase in network traffic is a strong indicator of a DDoS attack.
Traffic Patterns: Look for traffic that doesn't follow your normal user or usage patterns. For instance, a high volume of traffic coming from a particular geographic region that doesn't usually visit your site.
Repeated Requests: A high number of requests over a short period, especially if they are similar or identical, can be a sign of an attack.
Suspicious IP Addresses: Multiple requests from the same IP address or range of IP addresses in a short time frame.
3. Resource Exhaustion
Bandwidth/CPU Overload: An unexpected maxing out of bandwidth or CPU resources can be a symptom of a DDoS attack.
Unusual System Reports: System reports showing unexplained overuse of system resources.
4. Service Disruptions
Inability to Access the Service: Users reporting that they cannot access the service, especially if the issues are widespread and not localized.
API or Service Failures: If you notice your APIs or other backend services failing inexplicably, it could be due to being overwhelmed by requests.
Non-human Traffic: A large amount of traffic that doesn't appear to be human (e.g., no user-agent, odd access times, high speed, and frequency of requests).
Traffic from Unusual Locations: An unexpected amount of traffic from countries or regions that do not align with your typical user base.
1. Initial Assessment
Identify the Symptoms: Confirm that the issue you experienced was indeed a DDoS attack. Common indicators include a sudden surge in traffic, unusually slow network performance, or complete unavailability of your website or application.
Gather Basic Information: Note the time and duration of the attack, any error messages, and which parts of your application were affected.
Metrics Analysis: Use Google Cloud Monitoring to analyze traffic patterns and server responses during the time of the attack.
Request Patterns: Look for patterns in the requests that are abnormal, like identical query parameters, user agents, or referrers.
Geographic Origins: Analyze if the traffic is coming disproportionately from specific countries or regions.
Traffic Volume: Compare the traffic volume during the attack to normal levels.
Geographic Blocking: If the attack is from specific regions and those regions are not significant for your business, consider blocking or rate-limiting traffic from those areas.
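The indicator list (repeated requests, many requests from one IP in a short window, traffic with no user-agent) and the request-pattern analysis step above are the kind of checks a responder runs over the service's access logs. The script below is an added example, not part of the RCA, that applies those checks to a handful of constructed log lines in the common combined log format. The IP addresses are from the documentation ranges, the ten-second window, the five-requests-per-IP threshold and the 50% identical-request threshold are assumptions, and the geographic-origin check is left out because it needs a GeoIP lookup that is not available offline.

```python
"""Added example (not from the RCA): flag the DDoS indicators named in the text
over access-log lines in combined log format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log: one source hammering the same URL with no user-agent,
# plus a few ordinary requests from other clients.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2023:18:53:48 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [15/Nov/2023:18:53:48 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [15/Nov/2023:18:53:49 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [15/Nov/2023:18:53:49 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [15/Nov/2023:18:53:50 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [15/Nov/2023:18:53:50 +0000] "GET /api/search?q=offer HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [15/Nov/2023:18:53:51 +0000] "GET /home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.21 - - [15/Nov/2023:18:53:55 +0000] "GET /api/search?q=shoes HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.33 - - [15/Nov/2023:18:54:02 +0000] "POST /api/order HTTP/1.1" 201 128 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Nov/2023:18:54:10 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def max_requests_in_window(entries, window_seconds=10):
    """Per source IP, the largest number of requests inside any sliding window."""
    times = defaultdict(list)
    for e in entries:
        times[e["ip"]].append(e["ts"].timestamp())
    peaks = {}
    for ip, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def identical_request_share(entries):
    """Share of all requests taken by the single most common (method, target) pair."""
    if not entries:
        return 0.0, None
    counts = Counter((e["method"], e["target"]) for e in entries)
    (top, n), = counts.most_common(1)
    return n / len(entries), top


def missing_user_agent(entries):
    """Source IPs of requests that carry no user-agent at all."""
    return [e["ip"] for e in entries if e["ua"] in ("", "-")]


def analyse(text, window_seconds=10, per_ip_threshold=5, identical_threshold=0.5):
    """Run the three checks and summarise the findings (thresholds are assumptions)."""
    entries = parse_log(text)
    peaks = max_requests_in_window(entries, window_seconds)
    share, top = identical_request_share(entries)
    findings = {
        "noisy_ips": sorted(ip for ip, n in peaks.items() if n >= per_ip_threshold),
        "identical_share": round(share, 2),
        "top_request": top,
        "no_user_agent_ips": sorted(set(missing_user_agent(entries))),
    }
    findings["suspicious"] = bool(findings["noisy_ips"]) or share >= identical_threshold
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the single source is flagged for six requests inside one window, the identical request makes up 60% of all traffic, and the same source is the only one sending no user-agent; a recurring organic peak of the kind the RCA found would instead show many distinct sources, varied targets and normal user-agents.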