Arbor Networks DoS defense product

Rob Thomas robt at cymru.com
Wed May 15 13:36:43 UTC 2002


Hi, folks.

Ah, you know when you mention DDoS too frequently I'm bound to post.  :)

] specific events. But how much (D)DoS traffic goes unnoticed
] by the average customer because it's too tough to detect or
] defend against? The 10% I've measured on my network is

Valid concern.  I tracked five groups of miscreants, each with a botnet,
and recorded well over 100 DDoS attacks in a single 24 hour period.
These were the attacks that were obvious, e.g. the attack was coordinated
or discussed in channel, with the results often pasted into the channel
as well (IRC ping timeouts, traceroutes, pings, HTTP gets, etc.).  How
many privately discussed attacks did I not log?

In the underground DoS is ubiquitous and quite frequent.  The miscreant
without a botnet or DoSnet is generally in the active pursuit of one or
both.  In fact, if you see a sudden upsurge in scans for a particular
port (Sub7, FTP, NetBIOS shares), this is often the result of a botnet
or DoSnet harvest.

Many of the DoS tools and bots are specifically written to generate
seemingly legitimate traffic.  These tools do not spoof the source IP.
Some will generate a surfeit of sockets to a web server; this won't
appear as anomolous traffic, particularly if there is no flow analysis
on the network.  It isn't clear to me how the various anti-DDoS tools
(Captus, Arbor, Riverhead, et al.) will deal with a surfeit of
legitimate traffic, though Mazu may have some chance of fingerprinting
this traffic (it is essentially an anomoly detector).  N.B.:  I've not
tested any of these devices.

Many edge networks do not run any sort of flow collection and analysis
tool.  They have no idea what is hitting their site, but they know it
is causing woe.  They call their ISP and expect them to deduce the
naughty flows.  Some ISPs are incapable of analyzing the flows as well.
It's a real mixed bag.

I would argue that there are other things that can be done at the edge
to mitigate the present effect of DoS (measured or unmeasured).  Anti-
spoofing does help.  In one study I conducted of an oft-DoS'd site,
60% of the naughty packets had _obvious_ bogon source addresses.  The
percentage of spoofing was difficult to deduce, though it may have been
quite a bit higher than 60%.  Why send such packets through an anti-DDoS
device?  It's a waste of cycles.  Ah, but you've heard this from me
before, so I'll spare you the rave.  :)

What percentage of all Internet traffic is DoS?  Unclear.  Until the
data is gathered, it can not be analyzed, and the data is rarely
collected.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);





More information about the NANOG mailing list