Penetration Testing mailing list archives

RE: DoS/DDoS Attack


From: "FXCM - Brandon Palmer" <bpalmer () fxcm com>
Date: Sat, 15 Jan 2005 12:47:28 -0500

Having seen / been through a few DDoS attacks, some comments:
 
- The main attacks have been targeting port 80, i.e. web sites.
- "small" attacks are 500MB/s-> 800MB/s.
- "large" attacks are multiple GB/s.
- Synfloods come from random source IPs, that are obviously forged.
- The only viable way to "stop" a DDoS attack is to have upstream providers null-route the target IP address (also
obviously cutting off access to the real product offering as well).
- Most hardware that offers DDoS prevention only does an OK job at it. Most hardware (Cat6500s, F5, etc.) isn't really
designed (usually CPU resource problems) to handle the PPS rate that most DDoSs generate. We've tried all sorts of
options like syn proxying in hardware, but nothing has been successful except for the TopLayer 5500s that have been
mentioned on the list (no experience w/ the 100s).
 
The best defense I've found to date for mitigating attacks is:
 
- have a public facing packet scrubber (like the TopLayers) that can understand synflood, keep the state table for
millions+ possible source IPs and have enough CPU/network power to handle the Mb/s / PPS rates.
 
- You need to have more bandwidth than the attacker. This can become VERY expensive (know how much it costs to have
5GB/s of public bandwidth?). There are some companies that offer "cleaning" services where traffic first passes
through them, and then on to you after being cleaned (the customer never sees your IP space, and hence can't target
it). Prolexic or Akamai are a couple examples.
 
 
Feel free to contact me off list for more information.
 
- Brandon
 


