This post caught my attention. I actually had a call from a customer asking me if I was aware of any internet outages or large scale attacks happening. We pulled data from one of his links. You can clearly see the increase in streaming. The dotted red line shows a typical day on this particular link. Note the times are in Eastern Daylight Saving Time (EDT).
U.S. Open Championship Day
It is easy to see how a service provider might think they are under a DDoS attack. It is important that solutions that detect DDoS attacks use behavioural metrics to remove false positives, and this is a perfect use case example. Security vendors that cannot differentiate a surge to a popular site, or a burst of peer-to-peer file transfers, from a DDoS attack will often tell you that it can't be done. This is simply not true; there are products that do this effectively. By combining metrics from different points on a network, using protocol analysis, and other vectors, real DDoS attacks can be properly distinguished from these types of unexpected increases in bandwidth.
If you ever wonder whether a vendor that claims it can detect and block DDoS attacks actually can, this is a great test case.
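As an added illustration of the approach described above (this is example code written for this page, not a product or the author's own detection logic), the following Python sketch separates the two checks a pure bandwidth alarm conflates: first a volume anomaly against a typical-day baseline (the dotted red line in the graph), then a set of behavioural metrics over the flows that make up the surge. The metric names, thresholds, and sample flow data are all constructed assumptions for illustration; a real deployment would derive them from the network's own history and from more than one vantage point.

```python
"""Tell a legitimate streaming surge apart from a volumetric DDoS.

A link-load threshold alone fires on both; the behavioural metrics below
look at *how* the extra bytes are carried, which is where the two differ.
All thresholds and sample data are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass
class Flow:
    inside: str       # customer-side address (streaming client or DDoS victim)
    remote: str       # internet-side address (CDN node or attack source)
    proto: str        # "tcp" or "udp"
    bytes: int        # bytes carried by the flow in this interval
    handshake: bool   # TCP three-way handshake completed (always False for UDP)


def baseline_for_hour(history, hour):
    """Typical-day load for one hour of the day: the median of the same hour
    on previous days. `history` maps hour -> list of Mbps readings."""
    return median(history[hour])


def is_volume_anomaly(observed_mbps, baseline_mbps, factor=2.0):
    """The naive check: load exceeds `factor` times the typical-day baseline."""
    return observed_mbps > factor * baseline_mbps


def behavioural_metrics(flows):
    """Per-interval metrics that describe the shape of the traffic, not its size."""
    total_bytes = sum(f.bytes for f in flows)
    tcp = [f for f in flows if f.proto == "tcp"]
    bytes_per_inside = Counter()
    for f in flows:
        bytes_per_inside[f.inside] += f.bytes
    top_inside = max(bytes_per_inside.values()) if bytes_per_inside else 0
    return {
        # share of all bytes landing on the single busiest inside host
        "target_concentration": top_inside / total_bytes if total_bytes else 0.0,
        # fraction of TCP flows that actually completed a handshake
        "handshake_ratio": sum(f.handshake for f in tcp) / len(tcp) if tcp else 0.0,
        # small value means a huge number of tiny flows
        "mean_bytes_per_flow": total_bytes / len(flows) if flows else 0.0,
        "distinct_remotes": len({f.remote for f in flows}),
    }


def classify(observed_mbps, baseline_mbps, flows):
    """Return "normal", "legitimate_surge" or "suspected_ddos"."""
    if not is_volume_anomaly(observed_mbps, baseline_mbps):
        return "normal"
    m = behavioural_metrics(flows)
    attack_signals = [
        m["target_concentration"] > 0.6,    # load piles onto one inside host
        m["handshake_ratio"] < 0.5,         # connections never complete
        m["mean_bytes_per_flow"] < 10_000,  # swarm of tiny flows
    ]
    # Require two independent signals so a single odd metric cannot trip the alarm.
    return "suspected_ddos" if sum(attack_signals) >= 2 else "legitimate_surge"


# --- constructed sample intervals (not captured traffic) ---------------------

def streaming_surge_sample():
    """40 office clients each pulling one long, completed TCP flow from 4 CDN nodes."""
    return [Flow(f"10.0.0.{i}", f"cdn-{i % 4}.example", "tcp", 400_000_000, True)
            for i in range(1, 41)]


def udp_flood_sample():
    """500 small UDP flows from many remote addresses, all aimed at one inside host."""
    return [Flow("10.0.0.1", f"203.0.113.{i % 250}", "udp", 1_400, False)
            for i in range(500)]


if __name__ == "__main__":
    base = baseline_for_hour({14: [280.0, 320.0, 300.0]}, 14)
    print("streaming surge ->", classify(900.0, base, streaming_surge_sample()))
    print("udp flood       ->", classify(900.0, base, udp_flood_sample()))
```

Both constructed intervals triple the baseline, so the volume check alone would call both an attack; only the behavioural metrics (bytes spread across 40 clients with every handshake completed, versus 500 tiny UDP flows all hitting one host) separate the U.S. Open crowd from a flood.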