Re: DDOS Simulation

[alvin nanog <nanogml () Mail DDoS-Mitigator net>]

hi roland

- yup... agreed on most all of your points ...

- good referral to prev ddos discussions

- i'm just saying ..
        if one cannot defend and know that their ddos mitigation
        is working on the low level free script kiddie ddos attacks,
        they should not worry about scaling to gigabit/s, 1terabit/sec
        or even 100 terabit/s ddos attacks ... 

        one has to start somewhere and grow their ddos mitigation and 
        ddos attacks knowledge ... i happen to need to know how to
        defend my customers in between the free script kiddies and the 
        types of attacks that make the papers/new

        start with free (thousands) of ddos attack tools and (hundreds)
        of free ddos mitigaton tools

- i'm fairly certain i can fill any pipe with jibberish data
  where ddos mitigation might not work as expected .... but when the cops 
  come knocking, the ddos attackers are in deeep kah kah, thus requiring
  prior legal paperwork of all those directly and indirectly involved 

have fun
alvin

On 07/30/15 at 03:05am, Roland Dobbins wrote:
> On 30 Jul 2015, at 2:38, alvin nanog wrote:
>
> > there is no need to pay people to attack your servers ...
>
> Unless you don't have the expertise to do it yourself.  Again, I advocate an
> organic defense capability and an organic testing capability, but there are
> many organizations which unfortunately don't have these, and they must start
> somewhere.
>
> >     - tcpdump and wireshark will tell you everything the attackers are
> >     doing to your network right now that needs to be defended against
>
> On small, single-homed networks, sure.  On networks of any size, this
> doesn't scale.
>
> Flow telemetry scales.
>
> > if a mid-level wanna be attacker wants to target your servers, they're
> > just as equally easy to mitigate and prevent and probably sending you
> > 100,000 "ddos packets" per second because they can ( bigger zombie network
> > :-)
>
> 100kpps is nothing.  Of course, so many servers/services are so brittle,
> fragile, and non-scalable that most DDoS attacks are overkill by orders of
> magnitude.
>
> > if you are being targeted by "masters of deception" you have no solution
> > other than get local law enforcement involved to track down the
> > originating
> > attackers
>
> I'm not sure who or what 'masters of deception' are in this context, but
> attribution has nothing to do with DDoS defense.
>
> Defending against serious attackers with lots of resources is taking place
> every minute of every hour of every day.  There are many techniques and
> tools available, most of which have been discussed multiple times on this
> list over the years.  Here's one such example:
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> > all ddos mitigations is almost 100% guaranteed to fail a volumetric
> > DDoS attacks ....
>
> This is incorrect.
>
> > the DDoS attackrs probably have access to a bigger zombie
> > network than most major corp ...
>
> This is true, in many cases - and is also not an issue for
> properly-provisioned, coordinated DDoS defense mechanisms and methodologies.
>
> > the attackers job is not to get caught and
> > is not ez to be hiding if law enforcement wanted to catch them :-)
>
> Again, attribution is a completely separate issue.
>
> >     nping "send 100,000 packets/sec" x 65,000byte/packet  192.168.0.0/16
>
> FYI, 'line-rate' for 64-byte packets at 10gb/sec is ~14.8mpps.
>
> > by the same premise, if i had to pick ONE ddos mitigation strategy, i'd
> > tarpit all incoming TCP-based ddos attacks which should crash the
> > attacking zombie server under sustained tcp-based ddos attacks
>
> There is no one tactic (this is not a strategy) which can be picked, as any
> kind of traffic can be used for DDoS attacks.  With regards to TCP-based
> attacks, it's a subset of those which are connection-oriented and are thus
> susceptible to tarpitting-type techniques.
>
> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>