correlation between ingress and egress traffic in case of volume-based DDoS

Roland Dobbins rdobbins at arbor.net
Wed Sep 23 16:33:10 UTC 2015


On 23 Sep 2015, at 23:07, Martin T wrote:

> Are there any other reasons which cause outgoing traffic to drop if 
> incoming traffic is very high

Lots.  It's very situationally-specific.

The attack traffic may not be crafted in such a way so as to elicit a 
response from the targeted host(s).

The relevant network links/paths could be filled, with attack traffic 
'crowding out' legitimate traffic.

The hosts could be pummeled with attack traffic and be so busy trying to 
deal with it at either the NIC level or the network stack level or the 
kernel level or the app/service level that they can't respond.

The relevant network infrastructure could be down due to the attack 
traffic, for various reasons (software-based platform overloaded, 
traffic punted to RP, etc.).

The hosts could be sitting behind a stateful firewall or load-balancer 
or 'IPS' which has gone down under the onslaught.

And so forth.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
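
Added example, not part of the original message: a triage sketch that labels each interval of per-minute link counters by whether egress dropped during an ingress surge and whether the link itself was full, which separates the "links filled" case above from the host, firewall and infrastructure cases. The sample counters, the 1 Gb/s capacity, the thresholds and the `classify` function are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample: (minute, ingress_bps, egress_bps) on an assumed 1 Gb/s link.
LINK_BPS = 1_000_000_000
SAMPLES = [
    (0, 120e6, 310e6), (1, 130e6, 305e6), (2, 125e6, 300e6),
    (3, 118e6, 298e6), (4, 122e6, 312e6),   # first five minutes = baseline
    (5, 640e6, 290e6),   # ingress surge, egress unchanged
    (6, 985e6, 95e6),    # link full, egress collapsed
    (7, 990e6, 60e6),
    (8, 450e6, 40e6),    # link no longer full, egress still collapsed
    (9, 127e6, 301e6),   # back to normal
]

def classify(samples, link_bps, baseline_n=5, surge=3.0, drop=0.5, full=0.95):
    """Label each post-baseline interval.

    surge: ingress multiple of baseline that counts as a volumetric event.
    drop:  egress fraction of baseline below which egress counts as dropped.
    full:  fraction of link capacity treated as saturated.
    All three thresholds are assumed values, to be tuned per network.
    """
    base_in = median(s[1] for s in samples[:baseline_n])
    base_out = median(s[2] for s in samples[:baseline_n])
    labels = {}
    for minute, ingress, egress in samples[baseline_n:]:
        if ingress < surge * base_in:
            labels[minute] = "normal"
        elif egress >= drop * base_out:
            # Servers are still answering legitimate clients.
            labels[minute] = "surge, egress holding"
        elif ingress >= full * link_bps:
            # Consistent with attack traffic crowding out legitimate traffic.
            labels[minute] = "surge, egress down, link saturated"
        else:
            # Link has headroom: check hosts, stateful devices, routers.
            labels[minute] = "surge, egress down, link not saturated"
    return labels

if __name__ == "__main__":
    for minute, label in classify(SAMPLES, LINK_BPS).items():
        print(f"minute {minute}: {label}")
```

The labels only narrow where to look next; confirming any one cause still needs device-level data such as interface drops, CPU load and firewall state-table counters.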



More information about the NANOG mailing list