[Noisebridge-discuss] DDoS defense testing?

Sebastian Werner blackwing at blackwing.de
Thu Jun 17 04:53:11 UTC 2010


Hey,

The usual way larger ISPs or carriers tend to knock a DDoS off is:

a) Drop those (usually fixed-size UDP) packets for that certain
destination at the ingress path of all border routers (= the IX or
peering routers) via distributed filters.
or
b) Filter at the egress router to the customer (=you)
or
c) Drawing a more specific BGP prefix announcement to blackhole that
traffic (= distributed filter results in complete unreachability of the
site)

So as you pointed out correctly, it is typically not the cluster that
actually takes the services to be overloaded, but something on the way
that gets congested.

Actually one wants solution a) to be established - which needs
sophisticated communication (and agreements) with your upstream carrier.
Additionally the carrier needs to have some distributed structure to
deploy those filters fast and reliably.

The b) solution takes on the idea that the lines of a carrier do not
get flooded by the aggregated traffic of the botnet - which, as you pointed
out, might not be true...

Solution c) is the knock-off version if all that does not stop the stuff
from being sent... last resort.

So in order to test if it is working, I would suggest getting some
kernel-packet-generator hosts in some random networks that try to flood
your machine - either with just junk or with useful requests for the
service your server is taking. And then: just check the
possibilities of what to do.

Defending at your network usually is hard - because your bandwidth is not
enough. So stick to a) if possible.

I don't know if that is an answer... But it might help?

Cheers

Sebastian


Kristian Erik Hermansen schrieb:
> Moin Moin,
> 
> Other than renting out an illegitimate botnet, can anyone suggest some
> ways to test how well an infrastructure is able to defend against
> specific DDoS attacks?  Commonly it is discovered that some device in
> path of the target is unable to process certain payloads or heavy
> traffic, rather than the target itself.  If anyone has suggestions, it
> would be greatly appreciated.
> 
> Cheers,

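The mail's option a) hinges on telling the upstream exactly what to drop: the fixed-size UDP stream toward one destination. The following is an added example (not from this thread) that derives such a filter spec from flow records and checks whether the flood alone already exceeds a link's capacity, which is the case where filtering at your own egress (option b) comes too late. Flow records, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic) for one 10-second window:
# (src_ip, dst_ip, proto, dst_port, packet_len_bytes, packets)
FLOWS = [
    ("198.51.100.10", "203.0.113.5", "udp", 53, 1024, 400000),
    ("198.51.100.11", "203.0.113.5", "udp", 53, 1024, 380000),
    ("198.51.100.12", "203.0.113.5", "udp", 53, 1024, 410000),
    ("198.51.100.13", "203.0.113.5", "udp", 53, 1024, 395000),
    ("192.0.2.44", "203.0.113.5", "tcp", 80, 600, 1200),     # legitimate web
    ("192.0.2.45", "203.0.113.5", "udp", 53, 80, 900),       # legitimate DNS
    ("192.0.2.46", "203.0.113.9", "tcp", 443, 1400, 3000),   # other host
]
WINDOW_SECONDS = 10

def find_fixed_size_udp_floods(flows, window=WINDOW_SECONDS,
                               min_pps=50_000, min_share=0.9):
    """Per destination, count UDP packets by (dst_port, packet_len). A destination
    is flagged when one (port, length) pair carries >= min_share of its UDP packets
    and exceeds min_pps. Returns one filter spec per flagged destination: the match
    the carrier could install at its ingress routers (option a in the mail)."""
    buckets = defaultdict(lambda: defaultdict(int))  # dst -> (port, len) -> packets
    sources = defaultdict(set)                       # (dst, port, len) -> src set
    for src, dst, proto, dport, plen, pkts in flows:
        if proto != "udp":
            continue
        buckets[dst][(dport, plen)] += pkts
        sources[(dst, dport, plen)].add(src)
    specs = []
    for dst, by_key in buckets.items():
        total = sum(by_key.values())
        (dport, plen), pkts = max(by_key.items(), key=lambda kv: kv[1])
        pps = pkts / window
        if pkts / total >= min_share and pps >= min_pps:
            specs.append({"dst": dst, "proto": "udp", "dport": dport, "len": plen,
                          "pps": pps, "mbps": pps * plen * 8 / 1e6,
                          "sources": len(sources[(dst, dport, plen)])})
    return specs

def saturates_link(specs, link_mbps):
    """True when the flagged floods alone exceed a link's capacity. If that link is
    the carrier's path toward you, an egress filter (option b) drops packets that
    already congested the line; the filter must move upstream (a) or the prefix
    gets blackholed (c)."""
    return sum(s["mbps"] for s in specs) > link_mbps

if __name__ == "__main__":
    found = find_fixed_size_udp_floods(FLOWS)
    for s in found:
        print(s, "saturates 1 Gbit/s link:", saturates_link([s], 1000))
```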