DDOS Simulation

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Mon Jul 27 20:25:06 UTC 2015


hi dovid

On 07/27/15 at 11:32am, Dovid Bender wrote:
> We are looking into a few different DDOS solutions for a client. We need a
> LEGITIMATE company that can simulate some DDOS attacks (the generic +
> specific to the clients business). Anyone have any recommendations?

i've compiled a fairly comprehensive list here:

- http://ddos-mitigator.net/Competitors

simulating ddos attacks is fairly easy to do, except one does
have to be careful of process and procedure and the all important
"get out of jail for free" card ( let your local ISP techies know too )

	http://DDoS-Simulator.net/Demo
	( wrapper gui around *perf/nc/nmap/*ping command options )

ddos mitigation is not a "single thing-a-ma-jig", and should
be multi-layered, different solutions solving different DDoS issues

	http://ddos-solutions.net/Mitigation/#Howto
	- how are they attacking
	- who is attacking ( script kiddie vs master of deception )
	- what are they attacking
	- when are they attacking
	- why are they attacking
	- ...

# ---------------------------------------------
# what kind of simulations are you trying to do ??
# ---------------------------------------------
- volumetric attacks, say 10 gigabit vs 200 gigabit attacks, are trivial
	- ping flood, udp flood, arp flood, tcp flood, etc, etc

  local appliances with 10/100 gigabit NIC cards should be able to
  generate close to 100 gigabit/sec of ddos attacks

- udp and icmp attacks are harder to mitigate, since those packets
  need to be stopped at the ISP .... if it came down the wire to
  the local offices, it already used the bandwidth, cpu, memory,
  time, people, etc, etc

- tcp-based ddos attacks are trivial ( imho ) to defend against with
  iptables + tarpits
	if each tcp connection takes 2K bytes, the DDoS attacker 
	that is intent on sending large quantity of tcp-based packets
	would incur a counter ddos attack using up its own kernel
	memory

	100,000 tcp packet/sec * 2K byte --> 200M /sec of kernel memory

	?? with tcp timeout of 2 minutes implies they'd need 24TB of
	?? kernel memory to sustain a 100,000 tcp packet/sec attack 

	# live demo of tarpit incoming ddos attacks
	http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
	http://target-practice.net/cgi-bin/IPtables-GUI.pl

	# command line options are 100x faster and easier than html 

	# to automatically add new incoming ddos attackers
	iptables-gui -doadd -addauto

	# to automatically remove inactive ddos attackers
	iptables-gui -dodel -delauto

	ssh based solutions are nice but only work on port 22
	http based solutions are nice but only work on port 80

	there are 65,533 other ports to defend against DDoS attacks
	which is defensible with tarpit

- it is trivial to generate attacks against apache or web browser 
- it is trivial to generate attacks against sendmail or mail reader

	- netcat/socat/nc, hping*, nping, etc, etc
	- something that you can define source and destination IP#
	- something that you can define source and destination port#

- it is harder to generate the various malformed tcp headers

	- gui to help set tcp header flags and options for nmap/hping
	- http://ddos-simulator.net/Demo/

- spam, virii and worms seem to be in their own category

- another important question for your clients is if they are under
  any governmental regulations which will limit their choices of solutions
	- HIPAA, PCI, SOX, etc

   inhouse ddos solutions should not have any governmental compliance
   issues

   cloud based ddos solutions and their facilities would have to 
   comply with the various governmental issues 

   both inhouse and cloud based solutions solve some problems

   another 32+ point comparison for inhouse vs cloud based solutions
   - http://ddos-mitigator.net/InHouse-vs-Cloud

thanx
alvin
- http://ddos-mitigator.net
- http://ddos-simulator.net
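The "-addauto" / "-delauto" idea in the post above (tarpit a source once it floods, drop the rule again once it goes quiet) as an added example; this is not alvin's iptables-gui and not code from any of the sites he links. It assumes the TARPIT target from xtables-addons is loaded, that packet events arrive as (timestamp, src_ip, dst_port) tuples from some capture source, and that the threshold/window/idle-timeout numbers are tunables; the events in sample_events() are constructed data, not a real capture.

```python
"""Rate-based auto-add / auto-expire of attacking sources for a tarpit ruleset.

Added illustration, not alvin's iptables-gui.  Assumptions (labelled):
  - the TARPIT target from xtables-addons is available to iptables
  - packet events are (timestamp, src_ip, dst_port) tuples from a capture
  - threshold / window / idle_timeout are site tunables, values here are guesses
"""
from collections import defaultdict, deque


def tarpit_rule(ip, add=True):
    """iptables command that tarpits (or stops tarpitting) TCP SYNs from ip.

    TARPIT only works for TCP, which is why the post pairs it with tcp-based
    attacks and says udp/icmp have to be stopped upstream at the ISP.
    """
    op = "-I" if add else "-D"
    return f"iptables {op} INPUT -p tcp --syn -s {ip} -j TARPIT"


def process_events(events, threshold=100, window=1.0, idle_timeout=120.0, now=None):
    """Walk packet events in time order and return the list of rule changes.

    A source is added once it sends >= threshold packets inside any `window`
    seconds (the "-addauto" idea) and removed after `idle_timeout` seconds of
    silence (the "-delauto" idea).  If `now` is given, a final idle sweep is
    done as of that time.  Returns [(ts, "add"|"del", ip, iptables_cmd), ...].
    """
    recent = defaultdict(deque)   # ip -> packet timestamps inside the window
    last_seen = {}                # ip -> timestamp of its most recent packet
    tarpitted = set()             # ips currently in the ruleset
    actions = []

    def expire(at):
        # remove attackers that have been silent longer than idle_timeout
        for ip in sorted(tarpitted):
            if at - last_seen[ip] > idle_timeout:
                tarpitted.discard(ip)
                recent.pop(ip, None)
                actions.append((at, "del", ip, tarpit_rule(ip, add=False)))

    for ts, ip, _port in sorted(events):
        expire(ts)
        last_seen[ip] = ts          # any packet counts as activity
        if ip in tarpitted:
            continue                # already tarpitted; the kernel handles it
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # slide the window forward
        if len(q) >= threshold:
            tarpitted.add(ip)
            actions.append((ts, "add", ip, tarpit_rule(ip)))

    if now is not None:
        expire(now)
    return actions


def sample_events():
    """Constructed sample: one SYN-flooding source plus one normal client."""
    attacker, client = "203.0.113.7", "198.51.100.2"   # RFC 5737 test addresses
    ev = [(i * 0.004, attacker, 80) for i in range(150)]   # 150 SYNs in 0.6 s
    ev += [(t, client, 443) for t in (0.1, 0.3, 0.5, 5.0, 200.0)]
    return ev


if __name__ == "__main__":
    # print the rules an automation wrapper would hand to iptables
    for ts, action, ip, cmd in process_events(sample_events()):
        print(f"t={ts:8.3f} {action:3} {ip:15} {cmd}")
```

The sliding window is what separates a flood from a busy but legitimate client: 100 packets spread over several minutes never trip the threshold, while 100 inside one second do. The expiry sweep keeps the INPUT chain from growing without bound as attacking sources rotate, which matters because iptables walks the chain linearly for every packet.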




More information about the NANOG mailing list