The Dirty Work You Never See

A common problem across the Internet today is malicious activity. DDoS attacks, botnets, IP hijacking, viruses, spyware, worms, and phishing are just some of the things we deal with on a daily basis.

From a networking perspective, one of the most common things we deal with is DDoS attacks. Basically, this is the act of targeting someone's website with the intent of taking it offline. DDoS attacks come in many forms and vary in effectiveness, including SYN floods, ICMP/UDP floods, amplification or reflection attacks, and bulk data floods, to name just a few.

In my years here at Rackspace there has been a great deal of change in the methods and mentalities used to perform attacks, from spoofing IPs and sending bulk data to simply max out someone's connectivity, to much more precise attacks against applications. Because of this, detecting attacks has become a lot more complicated: you are no longer just looking for large spikes in traffic, receiving threshold alerts via SNMP, or spotting traffic anomalies via NetFlow. Attacks today can be very small in size, slipping under the radar of some systems, and still be effective at crippling a website.

Rackspace's internal systems generate alerts on over 200 anomalous events per week that require investigation. These events are detected both inbound to and outbound from the Rackspace network. This gives Rackspace the ability to proactively detect, and alert customers to, events such as DDoS attacks and compromised servers.

In addition to these internal alerts, Rackspace also participates in several industry security groups to receive additional notifications of anomalous and potentially malicious activity, as well as coordination and communication around some DDoS activity. The combination of these tools and resources greatly improves our ability to detect and mitigate compromised servers and malicious activity within the Rackspace network in a very timely manner. We pay great attention to running a safe and clean network for customers, and to being a very Internet "friendly" hosting company.


  1. Unfortunately, such a simple solution isn't always possible. The biggest problems with that are: 1) Botnets with thousands of zombie hosts; detecting and blocking this many IPs without impacting performance or connectivity for other customers is near impossible. 2) Many times the source IPs of the attack are spoofed, and blocking the spoofed IPs wouldn't resolve the problem.

