DDoS Attacks

Recently our entire network was having significant packet loss and latency for a roughly 30-minute period. I later discovered that a client of ours with a 10 Mbps/10 Mbps account was the victim of a DDoS attack during the exact same time period, until he powered off the affected device. I have confirmed this by referring to our cacti graphs. My question is, how could a DDoS attack affect our entire network, which is fed by a gigabit connection, by someone with a connection limited to 10 Mbps? Was this a mere coincidence? Any light that could be shed on the subject would be greatly appreciated. I would like to know as much as I can about how to prevent and identify when issues on my network are being caused by an attack like this. The thought that a client's device being the victim of an attack could cause issues on my network is very alarming! Thanks in advance!

My network uses all public addresses.
All routers are MikroTik.

Just because a client can only receive and send 10 Mbps doesn't mean more than that cannot be sent to him at a time. What happens is your router takes in all of that traffic on its gigabit interface and runs into a queue of 10 Mbps for that client; that queue can only hold 10 Mbps, so the router will drop anything over that. But the attacker(s) can still be sending all the traffic they want (because they don't necessarily care what they are sending or getting back), and your equipment needs to process it and deal with it.

As for steps that you can take, monitoring is one of the most basic things to set up, along with thresholds for out-of-normal stats like CPU, TX and RX on given interfaces/devices, and so on. Also appropriate firewall rules. I don't usually deal with the ISP side of things, so I really can't speak specifically to the things to keep in mind or do past that.
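The two symptoms the answer above describes (the upstream interface suddenly carrying far more than the victim's queue will ever deliver, and the router's CPU climbing while it drops the excess) are exactly what threshold monitoring should catch. The following script is an added example, not code from the thread or from MikroTik; it assumes the upstream router's 64-bit `ifHCInOctets` counter and CPU load are polled once a minute (the data behind a cacti graph), and the poll data below is constructed to mimic a 100 Mbit/s baseline with a two-minute flood.

```python
"""Flag out-of-normal rx rate and CPU from periodic SNMP-style polls.

Added example, not part of the forum thread.  Assumptions: ifHCInOctets
(64-bit) and CPU load are polled once a minute from the upstream router;
the samples at the bottom are constructed, not captured.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    ts: int          # poll time, epoch seconds
    in_octets: int   # cumulative ifHCInOctets on the upstream (gigabit) interface
    cpu_pct: int     # router CPU load in percent at the same poll


def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Difference of two cumulative SNMP counters, tolerating a single wrap.

    A 32-bit ifInOctets wraps every ~34 s at 1 Gbit/s, so one-minute polls of
    it on a gigabit link cannot be recovered; poll the 64-bit ifHCInOctets."""
    d = cur - prev
    return d if d >= 0 else d + (1 << bits)


def rx_bps(prev: Sample, cur: Sample) -> float:
    """Average ingress rate in bit/s over the polling interval."""
    return counter_delta(prev.in_octets, cur.in_octets) * 8 / (cur.ts - prev.ts)


def robust_threshold(history, k: float = 5.0) -> float:
    """median + k * MAD of recent normal rates.  The MAD is floored at 1% of
    the median so a very flat baseline does not turn jitter into alerts."""
    m = median(history)
    mad = max(median(abs(x - m) for x in history), 0.01 * m)
    return m + k * mad


def find_anomalies(samples, window=8, min_history=4, k=5.0, cpu_limit=80):
    """Return [(ts, [reasons])] for polls whose rx rate or CPU is out of normal.

    Only unflagged rates enter the baseline, so a sustained flood does not
    raise the threshold and hide its own tail."""
    alerts, history = [], []
    for prev, cur in zip(samples, samples[1:]):
        rate = rx_bps(prev, cur)
        reasons = []
        if len(history) >= min_history and rate > robust_threshold(history, k):
            reasons.append(f"rx {rate / 1e6:.0f} Mbit/s vs baseline "
                           f"{median(history) / 1e6:.0f} Mbit/s")
        if cur.cpu_pct >= cpu_limit:
            reasons.append(f"cpu {cur.cpu_pct}%")
        if reasons:
            alerts.append((cur.ts, reasons))
        else:
            history.append(rate)
            del history[:-window]          # keep only the trailing window
    return alerts


def build_samples(deltas, cpus, start_ts=1_700_000_000,
                  start_octets=123_456_789_000, step=60):
    """Turn per-interval octet deltas into cumulative-counter samples (constructed data)."""
    samples, octets = [Sample(start_ts, start_octets, cpus[0])], start_octets
    for i, (d, cpu) in enumerate(zip(deltas, cpus[1:]), start=1):
        octets += d
        samples.append(Sample(start_ts + i * step, octets, cpu))
    return samples


# Constructed one-minute polls: ~100 Mbit/s for eight intervals, then two
# minutes of ~800 Mbit/s aimed at a single customer (far beyond any 10 Mbps
# queue), then back to normal once the customer's device is powered off.
DELTAS = [740_000_000, 760_000_000, 750_000_000, 745_000_000,
          755_000_000, 748_000_000, 752_000_000, 750_000_000,
          6_000_000_000, 6_200_000_000, 751_000_000, 749_000_000]
CPUS = [14, 15, 13, 16, 14, 15, 17, 14, 15, 96, 97, 16, 15]
SAMPLES = build_samples(DELTAS, CPUS)

if __name__ == "__main__":
    for ts, reasons in find_anomalies(SAMPLES):
        print(ts, "; ".join(reasons))
```

Run stand-alone it prints the two flood intervals, each with both an rx and a CPU reason. The same per-interface check applied to the customer-facing port would show the other half of the picture: delivered traffic pinned at the 10 Mbps cap while the upstream side carries hundreds of megabits, which is the signature of a flood being absorbed by the router rather than by the customer.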

From what is being described, the DoS is originating from your customer? (He turned off the affected device and it stopped.) I've not kept up to date with all the current DoS methodologies, but most often they use some form of amplification (the old example was to ping a broadcast address, causing a router to duplicate the ping to every host). It could be that his 10 Mbps of traffic could be amplified to create much more traffic. See this recent example: http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/

This is the exact reason I prefer MT over UBNT for the CPE: you can much better control what, and how much, the customer sends on to your network and limit their impact from a virus infection or similar.

Rich