nanog mailing list archives
Re: DDOS Simulation
From: alvin nanog <nanogml () Mail DDoS-Mitigator net>
Date: Wed, 29 Jul 2015 12:38:18 -0700
hi roland

On 07/29/15 at 05:47am, Roland Dobbins wrote:

On 29 Jul 2015, at 5:19, alvin nanog wrote:

as previously noted by others, legit corp will ask you for lots of legal paperwork for their "get out of jail card" for DDoS'ing your servers and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets

No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.
oopps, maybe a "misunderstanding" ... it's an old "be careful" euphemism(sp?) and not meant as "literal get out of jail" ( from monopoly game too )

- it's intended as make sure the corp lawyers are involved that is requesting the ddos simulation/testing ( aka pen testing )

- managers/employee/contractors cannot say or sign anything that binds the company to what the managers said/request

- only officers of the company can bind the company that they will not press charges for the "ddos (pen) tests"

- po's are usually valid since the CFO is an officer of the company
DDoS testing across the Internet is a Big No-No due to legal considerations, potential liabilities, potential for catastrophic error, etc.
yes, along with all the other isp's involved along the way between "ddos tester" and corp-under-test.com
Doing it across one's own network which one controls is certainly viable.
definitely and should be the place to start

put your ddos simulator hardware in parallel to your cisco/juniper uplink to the isp and simulate for the next few decades :-)
There are some companies which do that, and which take a belt-and-suspenders approach to ensure that simulated attack traffic doesn't leak, etc.
all computers are under 24x7x365 ddos attacks every minute and they already provide the free "real world" and luckily low level DDoS attacks for free

you should figure out how to find those free ddos attacks and how to mitigate the script kiddies already providing the free initial ddos simulation

there is no need to pay people to attack your servers ...

- tcpdump and wireshark will tell you everything the attackers are doing to your network right now that needs to be defended against

    # if you are a web server, it is currently under (free) DDoS attack
    tcpdump -n -l dst host www.example.com and ! dst port 80

    # if you are a mail server, it is currently under (free) DDoS attack
    tcpdump -n -l dst host mail.example.com and ! dst port 25

- a small exercise to clean up the tcpdump output

if a mid-level wanna be attacker wants to target your servers, they're just as equally easy to mitigate and prevent and probably sending you 100,000 "ddos packets" per second because they can ( bigger zombie network :-)

- you should notice some slow responses from your servers

if you are being targeted by "masters of deception" you have no solution other than get local law enforcement involved to track down the originating attackers

all ddos mitigation is almost 100% guaranteed to fail a volumetric DDoS attack .... the DDoS attackers probably have access to a bigger zombie network than most major corp ...

the attackers job is not to get caught and is not ez to be hiding if law enforcement wanted to catch them :-)

problem is the attackers have to be bothersome to somebody before they start chasing down the attackers .. the rest of us have to fend for ourselves
Simulated DDoS attacks and testing of defenses should be part of any real development environment, along with scalability testing in general. Sadly, this is rarely the case.
yup :-)
The best way to learn how to defend something is to learn how to attack it.
exactly .... you cannot defend against something you don't understand or don't know about that attack vector

different folks definitely attack and/or test for different things

- get different folks to do the testing

if i had to pick only one command for the ddos tests .... i'd simply flood the wire .. everything is now offline ( should be un-responsive )

    nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16

nping can create all kinds of headaches since you can attack almost anything ... most protocols, most src/dst ip# and ports

by the same premise, if i had to pick ONE ddos mitigation strategy, i'd tarpit all incoming TCP-based ddos attacks which should crash the attacking zombie server under sustained tcp-based ddos attacks
Organizations with substantial Internet properties should develop their own organic capabilities to perform such testing in a safe and responsible manner, as it will also enhance the skills needed to defend said properties.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
yup

magic pixie dust
alvin
- http://DDoS-Mitigator.net
- http://DDoS-Simulator.net
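
Added example (not part of the original post): one way to do the "clean up the tcpdump output" exercise mentioned in the message, counting off-port packets per source address and destination port. The function names and the sample capture with its documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize `tcpdump -n -l` lines (IPv4) by source address and
# destination port, so the noisiest off-port senders sort to the top.

summarize_offport() {
    awk '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # drop the trailing colon
        n = split($3, s, "."); m = split(dst, d, ".")
        if (n < 4 || m < 4) next              # not an IPv4 address pair
        src   = s[1] "." s[2] "." s[3] "." s[4]
        dport = (m == 5) ? d[5] : "-"         # ICMP lines carry no port
        count[src " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample capture, in the format printed by:
#   tcpdump -n -l dst host www.example.com and ! dst port 80
sample_capture() {
    cat <<'EOF'
12:38:01.000001 IP 203.0.113.7.51234 > 192.0.2.10.22: Flags [S], seq 1, win 29200, length 0
12:38:01.000002 IP 203.0.113.7.51235 > 192.0.2.10.22: Flags [S], seq 2, win 29200, length 0
12:38:01.000003 IP 198.51.100.23.40000 > 192.0.2.10.23: Flags [S], seq 3, win 1024, length 0
12:38:01.000004 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
12:38:01.000005 IP 203.0.113.7.51236 > 192.0.2.10.22: Flags [S], seq 4, win 29200, length 0
12:38:01.000006 IP 203.0.113.99 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:38:01.000007 IP 198.51.100.23.40001 > 192.0.2.10.23: Flags [S], seq 5, win 1024, length 0
EOF
}

# Output columns: packet count, source address, destination port.
top_talkers() { sample_capture | summarize_offport; }

top_talkers
```

On a live host, pipe a bounded capture into the function instead of the sample, e.g. `tcpdump -n -l -c 10000 dst host www.example.com and ! dst port 80 | summarize_offport`.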