nanog mailing list archives
RE: anti-ddos test solutions ?
From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Wed, 17 Mar 2010 09:53:37 -0600
-----Original Message-----
From: Guillaume FORTAINE [mailto:gfortaine () live com]
Sent: Wednesday, March 17, 2010 7:02 AM
To: nanog () nanog org
Subject: Re: anti-ddos test solutions ?

Dear jul,

I would advise Breaking Point :
To those advising using BreakingPoint for DDoS simulation, I have to ask: have you ever actually used it? I have spent considerable time using the BreakingPoint in my DDoS lab and I can tell you that I for one would absolutely and unequivocally NOT advocate using the BreakingPoint for DDoS testing. Sure, it's a good box for testing firewalls, but the FPGAs on that box are extremely limited and I would be remiss if I didn't warn you before using this box as a DDoS simulation platform.

Here are some of the limitations I've encountered when using the BreakingPoint BPS Elite:

- No support for ICMP or ICMP flooding attacks.
- There are several methods to simulate UDP and TCP floods. AppSim and ClientSim only allow you to generate UDP/TCP floods using fixed ports. Another component called Routing Robot lets you randomize source/destination ports, but is limited to only 64 hosts per interface. In my experience most DDoS attacks are far and away above 64 source hosts.
- No ability to fragment packets or modify other items within the packets, such as bits in the IP Options portion of the IP header.
- No ability to manipulate DSCP bits with fine-grained control.
- No ability to parse microflows. For example, when running a test, one can look at the Applications tab and see a visible display of how much DNS traffic is received vs. HTTP traffic; however, there is no ability to parse the individual microflows within the DNS traffic, for example to identify the malicious DNS traffic vs. the good DNS traffic.
- A large number of issues with the Web-based GUI, which will cause the end user considerable frustration when you have to continually reopen the application due to hangs, etc.

This is just a small sample of the issues I've encountered. All I'm saying is don't say I didn't warn you. This is *NOT* the box for DDoS testing.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
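The limitations listed above amount to a checklist of what a DDoS test generator has to be able to do. As an added example (not code from this thread, from BreakingPoint, or from any poster), the following Python builds raw IPv4 packets exercising exactly those knobs: ICMP echo floods, a source host population far beyond 64, randomized UDP ports, IP fragmentation, an IP option (Router Alert) and DSCP marking, and then tallies the generated traffic by microflow. The 10.0.0.0/8 source range and the 192.0.2.10 target are placeholder assumptions; the packets are only built as bytes, and putting them on the wire (raw socket or a pcap writer) is left out.

```python
"""Raw IPv4 packet crafting covering the knobs the post says the BreakingPoint
lacks: ICMP echo floods, random source hosts (far more than 64), random UDP
ports, IP fragmentation, IP options and DSCP marking, plus a per-microflow tally
of the generated packets. Added example, not code from the NANOG thread. Packets
are built as bytes only; sending them needs a raw socket and is out of scope."""
import random
import socket
import struct
from collections import Counter

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ROUTER_ALERT = b"\x94\x04\x00\x00"  # RFC 2113 Router Alert, a 4-byte IP option


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, dscp=0, ecn=0, ident=0,
                more_frags=False, frag_offset=0, options=b""):
    """IPv4 header with checksum. frag_offset is in 8-byte units as on the wire;
    options are raw option bytes and are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    tos = (dscp << 2) | ecn            # DSCP is the top 6 bits of the TOS byte
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + payload_len,
                      ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_segment(sport, dport, payload):
    """UDP header; a zero checksum is legal for UDP over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(ident, seq, payload):
    """ICMP echo request (type 8) with checksum over header and payload."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def fragment(src, dst, proto, l4, ident, mtu=576, **ipopts):
    """Split one L4 datagram into IPv4 fragments that each fit `mtu` bytes."""
    hl = 20 + (len(ipopts.get("options", b"")) + 3) // 4 * 4
    chunk = (mtu - hl) // 8 * 8        # non-final fragment payloads are multiples of 8
    frags = []
    for off in range(0, len(l4), chunk):
        piece = l4[off:off + chunk]
        hdr = ipv4_header(src, dst, proto, len(piece), ident=ident,
                          more_frags=off + chunk < len(l4), frag_offset=off // 8,
                          **ipopts)
        frags.append(hdr + piece)
    return frags


def flood(n, target, seed=0, dscp=0, options=b""):
    """n attack datagrams alternating UDP-to-random-port and ICMP echo, each from a
    fresh random host in 10.0.0.0/8 (assumed lab range); the 1400-byte ones fragment."""
    rng = random.Random(seed)
    pkts = []
    for i in range(n):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        size = rng.choice((64, 512, 1400))
        if i % 2 == 0:
            proto, l4 = IPPROTO_UDP, udp_segment(rng.randrange(1024, 65536),
                                                rng.randrange(1, 65536), b"U" * size)
        else:
            proto, l4 = IPPROTO_ICMP, icmp_echo(i & 0xFFFF, i & 0xFFFF, b"I" * size)
        pkts.extend(fragment(src, target, proto, l4, ident=i & 0xFFFF,
                             dscp=dscp, options=options))
    return pkts


def microflows(pkts):
    """Tally packets by microflow. Whole datagrams and first fragments key on the
    5-tuple (ICMP: type/code); later fragments carry no L4 header, so they key on
    (src, dst, proto, "frag", ident) and must be matched to their first fragment."""
    flows = Counter()
    for p in pkts:
        ihl = (p[0] & 0x0F) * 4
        ident, flags_frag = struct.unpack("!HH", p[4:8])
        proto = p[9]
        src, dst = socket.inet_ntoa(p[12:16]), socket.inet_ntoa(p[16:20])
        if flags_frag & 0x1FFF:
            flows[(src, dst, proto, "frag", ident)] += 1
        elif proto == IPPROTO_UDP:
            flows[(src, dst, proto) + struct.unpack("!HH", p[ihl:ihl + 4])] += 1
        else:
            flows[(src, dst, proto, p[ihl], p[ihl + 1])] += 1
    return flows


if __name__ == "__main__":
    pkts = flood(500, "192.0.2.10", seed=1, dscp=46, options=ROUTER_ALERT)
    flows = microflows(pkts)
    print(len(pkts), "packets,", len(flows), "microflows,",
          len({k[0] for k in flows}), "distinct sources")
```

The microflow tally is the half a test rig needs on the receiving side: when a mitigation device is under test, comparing the per-5-tuple counts generated against what arrives behind the device tells you which flows were scrubbed and which leaked, which is exactly the "malicious DNS vs. good DNS" distinction the post says the box cannot make.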