ddos attacks

Thu Dec 19 20:51:19 UTC 2013

On Thu, Dec 19, 2013 at 10:30 PM, dennis at justipit.com
<dennis at justipit.com>wrote:

> Just about every security, network and ADC vendor out there is claiming
> anti-dos capabilities.  Be careful when going that route and do your own
> validation.  I suggest looking at Radware and Arbor (both leaders in the
> market). To successfully mitigate an attack the ideal solutions will weed
> out the attack and allow legitimate traffic to continue.  Many of the
> solutions in the commercial market are not much more than rate limiters and
> are not very forgiving.  Just as important realize while spoofed udp floods
> are popular they are oftened only the first vector, if successfully
> mitigated attackers quickly adjust and follow with more complex vectors
> such as application attacks toward http, ssl, dns query floods, etc..
> Remember their goal is to bring you down, , divert your attention while
> they steal your data or perhaps transfer funds.  They will go to far
> lengths to achieve their end result.  As you can imagine it's much harder
> to identify the attack characteristics or for that matter the attacker in
> these more complex cases.  In summary, I'm a firm believer in a hybrid
> approach with combination of infrastructure acls, rtbh, qos, URPF, tcp
> stack hardening, local anti-ddos appliances for application attacks and
> network floods under link capacity to allow you to stay up while deciding
> to shift routes into cloud band ability to swing up stream to cloud
> scrubbing center (in house or third party).
>

I know a bit about Radware, and what they do is to learn a traffic pattern
from where traffic usually comes and when in case of exceeding a certain
threshold, they start dropping traffic from new sources never seen before
and then drop some seen before traffic. This works if you are a company
with a very localized visitor base (like banking site for certain national
or local bank, e-shop and so on) but it kind of doesn't scale that much
when it comes to we have people all over the place and we get DDoS-ed with
legitimate requests that only consume server resources.

What providers do in some regions is to blackhole your subnet if you reach
a certain number of packets per second. It sucks, but hey, they also have
infrastructure to protect.

Eugeniu