nanog mailing list archives
Re: correlation between ingress and egress traffic in case of volume-based DDoS
From: William Herrin <bill () herrin us>
Date: Wed, 23 Sep 2015 15:56:32 -0400
On Wed, Sep 23, 2015 at 12:07 PM, Martin T <m4rtntns () gmail com> wrote:
> volume-based DDoS attacks should often result in the following bandwidth
> graphs: http://s12.postimg.org/gy3eps10t/volume_based_DDo_S_graph.png
> This is a fabricated bps graph for a 100GigE port facing an uplink
> provider. As seen on the image, outgoing traffic drops at the time when
> incoming traffic increases. Are those assumptions correct? Are there any
> other reasons which cause outgoing traffic to drop if incoming traffic is
> very high or the other way around?
Hi Martin,

I don't have much to add to what Roland said. The whole point of a volume-based denial of service attack is to overwhelm your target's infrastructure with fake traffic so that it is unable to handle real traffic. In a successful attack, the real traffic will drop off to almost nothing, having been crowded out.

Depending on the details, this may or may not show up in a traffic graph. If the fake traffic induces return traffic, you'll see the return traffic spike as well. If the fake traffic all gets dropped somewhere within the infrastructure, you'll see return traffic plummet as you did in the graph you linked. Both cases can happen depending on the exact details of the attack.

An aside - ack loss doesn't hurt TCP terribly much since the next ack also covers the previous one. TCP tends to stall when 2% to 5% of the payload packets are lost. Bear in mind that payload moves both ways. Even an http request contains a large request header.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
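The two graph shapes described in the reply above can be told apart mechanically from per-interval port counters. The following is an added example, not part of the original thread: the function names, the thresholds (2x baseline for a spike, 0.5x for a drop) and the sample values are all assumptions made for illustration.

```python
from itertools import groupby
from statistics import median

def classify(samples, spike=2.0, drop=0.5, baseline_n=6):
    """Label each (ingress, egress) polling sample against a baseline taken
    as the median of the first baseline_n samples (assumed attack-free)."""
    base_in = median(s[0] for s in samples[:baseline_n])
    base_out = median(s[1] for s in samples[:baseline_n])
    labels = []
    for ingress, egress in samples:
        if ingress < spike * base_in:
            labels.append("normal")
        elif egress <= drop * base_out:
            # Flood dropped inside the infrastructure; real traffic crowded out.
            labels.append("ingress-spike/egress-drop")
        elif egress >= spike * base_out:
            # Flood induces return traffic, so both directions rise.
            labels.append("ingress-spike/egress-spike")
        else:
            labels.append("ingress-spike")
    return labels

def episodes(labels):
    """Collapse consecutive identical non-normal labels into
    (first_index, last_index, label) tuples."""
    out, i = [], 0
    for label, run in groupby(labels):
        n = len(list(run))
        if label != "normal":
            out.append((i, i + n - 1, label))
        i += n
    return out

# Constructed sample data: Gbps per polling interval on a 100GigE uplink port.
SAMPLES = [(20, 35), (21, 36), (19, 34), (20, 35), (22, 37), (20, 35),
           (95, 6), (98, 4), (96, 5),      # ingress flood, egress collapses
           (21, 34),                       # back to normal
           (85, 80), (88, 82),             # flood that induces return traffic
           (60, 30)]                       # ingress spike, egress unremarkable

if __name__ == "__main__":
    for start, end, label in episodes(classify(SAMPLES)):
        print(f"intervals {start}-{end}: {label}")
```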