nanog mailing list archives

Re: DDOS Simulation


From: alvin nanog <nanogml () Mail DDoS-Mitigator net>
Date: Wed, 29 Jul 2015 12:38:18 -0700


hi roland

On 07/29/15 at 05:47am, Roland Dobbins wrote:

On 29 Jul 2015, at 5:19, alvin nanog wrote:

as previously noted by others, legit corp will ask you for lots of
legal paperwork  for their "get out of jail card" for DDoS'ing your
servers
and all the other ISP's routers along the way that had to transport
those gigabyte/terabyte of useless ddos packets

No company can provide a 'get out of jail card' for illegal activities,
irrespective of how they arrange their paperwork.

oops, maybe a "misunderstanding" ... it's an old "be careful" euphemism
and not meant as "literal get out of jail" ( from the monopoly game too )
        - it's intended as make sure the corp lawyers are involved that
        is requesting the ddos simulation/testing ( aka pen testing )

        - managers/employee/contractors cannot say or sign anything
        that binds the company to what the managers said/request

        - only officers of the company can bind the company that they
        will not press charges for the "ddos (pen) tests"

        - PO's are usually valid since the CFO is an officer of the company


DDoS testing across the Internet is a Big No-No due to legal considerations,
potential liabilities, potential for catastrophic error, etc.

yes, along with all the other ISPs involved along the way between
"ddos tester" and corp-under-test.com

Doing it across one's own network which one controls is certainly viable.

definitely and should be the place to start

put your ddos simulator hardware in parallel to your cisco/juniper uplink
to the isp and simulate for the next few decades :-)

There are some companies which do that, and which take a belt-and-suspenders
approach to ensure that simulated attack traffic doesn't leak, etc.

all computers are under 24x7x365 ddos attacks every minute and they already
provide the "real world" and luckily low level DDoS attacks for free

you should figure out how to find those free ddos attacks and how to mitigate
the script kiddies already providing the free initial ddos simulation

there is no need to pay people to attack your servers ...

        - tcpdump and wireshark will tell you everything the attackers are
        doing to your network right now that needs to be defended against

        # if you are a web server, it is currently under (free) DDoS attack
        tcpdump -n -l dst host www.example.com and ! dst port 80

        # if you are a mail server, it is currently under (free) DDoS attack
        tcpdump -n -l dst host mail.example.com and ! dst port 25

        - a small exercise to clean up the tcpdump output

if a mid-level wanna be attacker wants to target your servers, they're
just as easy to mitigate and prevent and probably sending you
100,000 "ddos packets" per second because they can ( bigger zombie network :-)
        - you should notice some slow responses from your servers

if you are being targeted by "masters of deception" you have no solution
other than get local law enforcement involved to track down the originating
attackers

all ddos mitigations are almost 100% guaranteed to fail against volumetric
DDoS attacks .... the DDoS attackers probably have access to a bigger zombie
network than most major corps ... the attacker's job is not to get caught and
it is not ez to stay hidden if law enforcement wanted to catch them :-)

problem is the attackers have to be bothersome to somebody before
they start chasing down the attackers .. the rest of us have to fend
for ourselves

Simulated DDoS attacks and testing of defenses should be part of any real
development environment, along with scalability testing in general.  Sadly,
this is rarely the case.

yup :-)

The best way to learn how to defend something is to learn how to attack it.

exactly .... you cannot defend against something you don't understand 
or don't know about that attack vector

different folks definitely attack and/or test for different things
        - get different folks to do the testing

if i had to pick only one command for the ddos tests .... i'd simply 
flood the wire .. everything is now offline ( should be un-responsive )

        nping "send 100,000 packets/sec" x 65,000byte/packet  192.168.0.0/16

        nping can create all kinds of headaches since you can attack
        almost anything ... most protocols, most src/dst ip# and ports

by the same premise, if i had to pick ONE ddos mitigation strategy, i'd
tarpit all incoming TCP-based ddos attacks which should crash the
attacking zombie server under sustained tcp-based ddos attacks

Organizations with substantial Internet properties should develop their own
organic capabilities to perform such testing in a safe and responsible
manner, as it will also enhance the skills needed to defend said properties.
-----------------------------------
Roland Dobbins <rdobbins () arbor net>

yup

magic pixie dust
alvin
- http://DDoS-Mitigator.net
- http://DDoS-Simulator.net
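The "small exercise to clean up the tcpdump output" mentioned in the message above, worked through as an added example (this is not alvin's code or anything from DDoS-Mitigator.net): it parses the IPv4 lines that `tcpdump -n -l` prints, drops packets aimed at the ports the host legitimately serves, and reports which sources are hammering everything else, with a separate count of bare SYNs. The capture lines are constructed for the example; the line format assumed is the standard `tcpdump -n` one shown in the comment.

```python
import re
from collections import Counter

# Matches the head of an IPv4 line from "tcpdump -n -l", e.g.
#   12:38:18.000001 IP 203.0.113.5.44321 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, sport, dst, dport, tcp_flags) or None for lines we don't recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags_m = re.search(r"Flags \[([^\]]*)\]", m.group("rest"))
    flags = flags_m.group(1) if flags_m else ""      # empty for UDP/ICMP lines
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")), flags

def summarize(lines, service_ports):
    """Count packets per source, per destination port, and bare SYNs per source,
    ignoring anything sent to the ports this host is actually serving."""
    by_src, by_port, syn_only = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, _, dport, flags = parsed
        if dport in service_ports:
            continue
        by_src[src] += 1
        by_port[dport] += 1
        if flags == "S":
            syn_only[src] += 1
    return {"by_src": by_src, "by_port": by_port, "syn_only": syn_only}

# Constructed sample capture (not real traffic): a web server at 198.51.100.10
SAMPLE = """\
12:38:18.000001 IP 203.0.113.5.44321 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
12:38:18.000002 IP 203.0.113.5.44322 > 198.51.100.10.23: Flags [S], seq 2, win 65535, length 0
12:38:18.000003 IP 203.0.113.5.44323 > 198.51.100.10.3389: Flags [S], seq 3, win 65535, length 0
12:38:18.000004 IP 192.0.2.9.51000 > 198.51.100.10.80: Flags [S], seq 4, win 29200, length 0
12:38:18.000005 IP 192.0.2.9.51000 > 198.51.100.10.80: Flags [.], ack 1, win 229, length 0
12:38:18.000006 IP 203.0.113.77.1900 > 198.51.100.10.1900: UDP, length 300
12:38:18.000007 IP 203.0.113.77.1900 > 198.51.100.10.1900: UDP, length 300
12:38:18.000008 IP 203.0.113.5.44324 > 198.51.100.10.22: Flags [S], seq 5, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE, service_ports={80, 443})
    for src, n in report["by_src"].most_common():
        print(f"{src:<16} {n:>4} pkts to non-service ports, {report['syn_only'][src]} bare SYNs")
    for port, n in report["by_port"].most_common():
        print(f"  dst port {port:<6} {n} pkts")
```

To run it against a live box, pipe `tcpdump -n -l dst host www.example.com` into a loop over `sys.stdin` instead of SAMPLE; the legitimate client on port 80 above never appears in the report.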
