nanog mailing list archives

Re: correlation between ingress and egress traffic in case of volume-based DDoS


From: William Herrin <bill () herrin us>
Date: Wed, 23 Sep 2015 15:56:32 -0400

On Wed, Sep 23, 2015 at 12:07 PM, Martin T <m4rtntns () gmail com> wrote:
> volume-based DDoS attacks should often result with following bandwidth graphs:
>
> http://s12.postimg.org/gy3eps10t/volume_based_DDo_S_graph.png
>
> This is a fabricated bps graph for 100GigE port facing an uplink
> provider. As seen on the image, outgoing traffic drops at the time
> when incoming traffic increases.
>
> Are those assumptions correct? Are there any other reasons which cause
> outgoing traffic to drop if incoming traffic is very high or the other
> way around?

Hi Martin,

I don't have much to add to what Roland said.

The whole point of a volume-based denial of service attack is to
overwhelm your target's infrastructure with fake traffic so that it is
unable to handle real traffic. In a successful attack, the real
traffic will drop off to almost nothing, having been crowded out.

Depending on the details, this may or may not show up in a traffic
graph. If the fake traffic induces return traffic, you'll see the
return traffic spike as well. If the fake traffic all gets dropped
somewhere within the infrastructure, you'll see return traffic plummet
as you did in the graph you linked. Both cases can happen depending on
the exact details of the attack.

An aside - ack loss doesn't hurt TCP terribly much since the next ack
also covers the previous one. TCP tends to stall when 2% to 5% of the
payload packets are lost. Bear in mind that payload moves both ways.
Even an http request contains a large request header.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
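The two egress behaviours Bill describes above (return traffic collapsing because the junk is dropped inside the infrastructure, or return traffic spiking because the junk elicits responses) can both be picked out of ordinary interface counters. The following is an added example, not code from the thread or from any NANOG participant: it builds two constructed 60-sample bps series for a hypothetical 100GigE uplink, one per case, labels each sample against a quiet baseline, and computes the in/out correlation that the thread's subject line asks about. The baseline window length and the flood, collapse and amplification factors are assumptions chosen for the constructed data, not recommended production thresholds.

```python
"""Ingress/egress correlation check for volume-based DDoS, on constructed counters.

Added example (not from the mailing-list thread). All traffic numbers below are
constructed; the thresholds are assumptions for this data set.
"""
from statistics import mean, pstdev

GBPS = 1e9


def pearson(xs, ys):
    """Population Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return cov / (sx * sy)


def make_samples(attack_mode):
    """Constructed one-minute (in_bps, out_bps) samples for a 100GigE uplink port.

    attack_mode: "none", "dropped" (junk discarded in-house, real egress crowded
    out) or "reflected" (junk elicits replies, egress rises with ingress).
    Samples 30..49 are the attack window.
    """
    samples = []
    for t in range(60):
        # Quiet baseline with a small deterministic wobble so the series
        # are not constant (a constant series has undefined correlation).
        in_bps = 20 * GBPS + (t % 5) * 0.2 * GBPS
        out_bps = 30 * GBPS + (t % 5) * 0.3 * GBPS
        if 30 <= t < 50 and attack_mode != "none":
            in_bps = 95 * GBPS  # port nearly saturated by the flood
            if attack_mode == "dropped":
                out_bps = 0.5 * GBPS  # legitimate replies starved, junk dropped
            elif attack_mode == "reflected":
                out_bps = 60 * GBPS  # SYN-ACKs, ICMP, retransmits in response
        samples.append((in_bps, out_bps))
    return samples


def classify(samples, baseline_n=30, flood_factor=3.0,
             collapse_factor=0.25, amplify_factor=1.5):
    """Label each sample relative to the mean of the first baseline_n samples.

    Assumed thresholds: ingress above flood_factor x baseline is a flood; within
    a flood, egress below collapse_factor x baseline is the "dropped" pattern,
    egress above amplify_factor x baseline is the "reflected" pattern. A real
    monitor would use a rolling baseline instead of the leading window.
    """
    base_in = mean(s[0] for s in samples[:baseline_n])
    base_out = mean(s[1] for s in samples[:baseline_n])
    labels = []
    for in_bps, out_bps in samples:
        if in_bps < flood_factor * base_in:
            labels.append("normal")
        elif out_bps < collapse_factor * base_out:
            labels.append("flood/egress-collapse")
        elif out_bps > amplify_factor * base_out:
            labels.append("flood/egress-amplified")
        else:
            labels.append("flood")
    return labels


def in_out_correlation(samples):
    """Pearson correlation of ingress vs egress over the whole series.

    Strongly negative means egress fell as ingress rose (dropped pattern);
    strongly positive means egress rose with ingress (reflected pattern).
    """
    return pearson([s[0] for s in samples], [s[1] for s in samples])


if __name__ == "__main__":
    for mode in ("none", "dropped", "reflected"):
        s = make_samples(mode)
        labels = classify(s)
        print(mode, "corr=%.2f" % in_out_correlation(s),
              "attack-window labels:", sorted(set(labels[30:50])))
```

Running the script prints one line per case; the sign of the correlation alone does not say whether the attack is succeeding, which is why the labels look at egress relative to its own baseline rather than at ingress alone.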

