hi martin On 09/23/15 at 07:07pm, Martin T wrote:
volume-based DDoS attacks should often result with following bandwidth graphs:
http://s12.postimg.org/gy3eps10t/volume_based_DDo_S_graph.png
This is a fabricated bps graph for 100GigE port facing an uplink
when you say "fabricated" ... what do you mean ?? - if its actual ( real ) .. than okay for the reasoning - if its "fabricated" ( sanitized, made up, theory ), than still okay for reasoning as roland says, there's dozens of reasons to explain the results one sees in graphs .... graphs are always subject to different interpretation depending on different circumstances
provider. As seen on the image, outgoing traffic drops at the time when incoming traffic increases. I could see following reasons for this:
1) large portion of traffic uses TCP protocol and in case of
in my case, the way i would simulate a tcp-based DDoS attack against a test victim, outgoing traffic should remain steady state per the normal tcp traffic ... and tarpit the ddos attacks from the victim under the volumetric tcp-based attacks setup the ingress filters for tarpits the attacking zombie should run out of kernel memory and crash if it tries to sustain huge amt of volumetric tcp-based ddos attacks without tarpits, all kinds of whacky network stuff will occur depending on how the tcp-based ddos attacks are lauached if its an icmp-based ddos attack, the outgoing traffic may be 10x or 100x more traffic than incoming icmp-based ddos attack if the server was not hardened to protect itself from icmp-based attacks if it was hardened, limit outgoing reply to incoming icmp-attacks, than it outgoing reply should be constant due to normal remaining traffic, but incoming icmp attacks can be 10x or 100x or 1000x normal similarly, if its an udp-based ddos attack, the outgoing traffic may be 10x or 100x more than the incoming traffic if dns,ntp,snmp, x11,nfs,etc was not hardened to protect itself from udp-based attacks if it was hardened, limit outgoing reply to incoming udp-attacks, than it outgoing reply should be constant due to normal remaining traffic, but incoming udp attacks can be 10x or 100x or 1000x normal if its an arp-based ddos attack, outgoing traffic may generate the same amt of traffic going out as whats coming in .. hopefully, you have bought good switches that don't fail-over into hub-mode launching those volumetric attacks takes a few minutes to figure out what options to use to create certain type of ddos attacks - nc, socat, iperf, etc - ping, nping, hping, etc - hundreds of other apps
congestion(even in one direction), ACK messages are lost and TCP congestion avoidance kicks in and as a result it will reduce the cwnd which in effect reduce the data TCP sender can send
syn-cookies doesnt kick in until all tcp stack is exhausted and syn-cookies tries to service all incoming tcp requests probably a bad thing to attempt to do while under tcp-based ddos attacks fiddling with send and receive buffers and delays and timeout would add more fun to the problem and resulting bandwidth graphs
2) certain router platforms share some hardware resources both with Tx and Rx traffic
Are those assumptions correct? Are there any other reasons which cause outgoing traffic to drop if incoming traffic is very high or the other way around?
in the subject, you used "ingress and egress" filters ... those rules would also definitively affect the resulting bandwidth graphs if you're in the cloud ... all these thingies still apply to the guest OS and especially the host OS magic pixie dust alvin # # DDoS-Mitigator.com # DDoS-Simulator.net #