hi roland

On 07/29/15 at 05:47am, Roland Dobbins wrote:
> On 29 Jul 2015, at 5:19, alvin nanog wrote:
>> as previously noted by others, a legit corp will ask you for lots of legal paperwork for their "get out of jail card" for DDoS'ing your servers and all the other ISPs' routers along the way that had to transport those gigabytes/terabytes of useless ddos packets
> No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.
oops, maybe a "misunderstanding" ... it's an old "be careful" euphemism and not meant as a "literal get out of jail" ( from the monopoly game too ) - it's intended as: make sure the corp lawyers of the company requesting the ddos simulation/testing ( aka pen testing ) are involved - managers/employees/contractors cannot say or sign anything that binds the company to what the managers said/requested - only officers of the company can bind the company to not pressing charges for the "ddos (pen) tests" - po's are usually valid since the CFO is an officer of the company
> DDoS testing across the Internet is a Big No-No due to legal considerations, potential liabilities, potential for catastrophic error, etc.
yes, along with all the other isp's involved along the way between the "ddos tester" and corp-under-test.com
> Doing it across one's own network which one controls is certainly viable.
definitely, and that should be the place to start ... put your ddos simulator hardware in parallel to your cisco/juniper uplink to the isp and simulate for the next few decades :-)
> There are some companies which do that, and which take a belt-and-suspenders approach to ensure that simulated attack traffic doesn't leak, etc.
all computers are under 24x7x365 ddos attacks every minute, and they already provide the free "real world" and luckily low level DDoS attacks for free ... you should figure out how to find those free ddos attacks and how to mitigate the script kiddies already providing the free initial ddos simulation ... there is no need to pay people to attack your servers

- tcpdump and wireshark will tell you everything the attackers are doing to your network right now that needs to be defended against

  # if you are a web server, it is currently under (free) DDoS attack
  tcpdump -n -l dst host www.example.com and ! dst port 80

  # if you are a mail server, it is currently under (free) DDoS attack
  tcpdump -n -l dst host mail.example.com and ! dst port 25

- a small exercise to clean up the tcpdump output

if a mid-level wanna-be attacker wants to target your servers, they're just as equally easy to mitigate and prevent, and probably sending you 100,000 "ddos packets" per second because they can ( bigger zombie network :-) ) - you should notice some slow responses from your servers

if you are being targeted by "masters of deception" you have no solution other than getting local law enforcement involved to track down the originating attackers ... all ddos mitigations are almost 100% guaranteed to fail against volumetric DDoS attacks .... the DDoS attackers probably have access to a bigger zombie network than most major corps ... the attackers' job is to not get caught, and it is not ez to hide if law enforcement wanted to catch them :-) problem is the attackers have to be bothersome to somebody before they start chasing down the attackers .. the rest of us have to fend for ourselves
> Simulated DDoS attacks and testing of defenses should be part of any real development environment, along with scalability testing in general. Sadly, this is rarely the case.
yup :-)
> The best way to learn how to defend something is to learn how to attack it.
exactly .... you cannot defend against something you don't understand or don't know about, that attack vector ... different folks definitely attack and/or test for different things - get different folks to do the testing

if i had to pick only one command for the ddos tests .... i'd simply flood the wire .. everything is now offline ( should be un-responsive )

  nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16

nping can create all kinds of headaches since you can attack almost anything ... most protocols, most src/dst ip# and ports

by the same premise, if i had to pick ONE ddos mitigation strategy, i'd tarpit all incoming TCP-based ddos attacks, which should crash the attacking zombie server under sustained tcp-based ddos attacks
> Organizations with substantial Internet properties should develop their own organic capabilities to perform such testing in a safe and responsible manner, as it will also enhance the skills needed to defend said properties.
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
yup

magic pixie dust
alvin
- http://DDoS-Mitigator.net
- http://DDoS-Simulator.net
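An added example, not part of the thread or alvin's own tooling, of the "small exercise to clean up the tcpdump output" mentioned above: it reads lines as printed by `tcpdump -n -l dst host www.example.com and ! dst port 80`, counts packets per source to ports the host does not serve, and lists the busiest sources with the ports they touched. The sample lines and addresses are constructed (documentation ranges), and the parser handles IPv4 lines only.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what `tcpdump -n -l dst host www.example.com and ! dst port 80`
# could print for a web server; addresses are from documentation ranges, not real captures.
SAMPLE = """\
10:01:02.000001 IP 203.0.113.7.51000 > 198.51.100.10.22: Flags [S], seq 1, win 1024, length 0
10:01:02.000120 IP 203.0.113.7.51001 > 198.51.100.10.23: Flags [S], seq 1, win 1024, length 0
10:01:02.000300 IP 203.0.113.7.51002 > 198.51.100.10.3389: Flags [S], seq 1, win 1024, length 0
10:01:02.000410 IP 203.0.113.7.51003 > 198.51.100.10.445: Flags [S], seq 1, win 1024, length 0
10:01:03.100000 IP 192.0.2.44.40000 > 198.51.100.10.123: UDP, length 48
10:01:04.200000 IP 192.0.2.99.33333 > 198.51.100.10.53: UDP, length 60
10:01:04.300000 IP 192.0.2.99.33334 > 198.51.100.10.53: UDP, length 60
"""

# One IPv4 tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)

def parse_line(line):
    """Return (src, dst_port, proto) for an IPv4 line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, _sport, _dst, dport, rest = m.groups()
    # tcpdump prints "Flags [...]" for TCP and a bare "UDP" for UDP datagrams.
    proto = "udp" if rest.startswith("UDP") else "tcp" if rest.startswith("Flags") else "other"
    return src, int(dport), proto

def summarize(text):
    """Count packets per source and record which unexpected ports each source touched."""
    per_src = Counter()
    ports = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, _proto = parsed
        per_src[src] += 1
        ports[src].add(dport)
    return per_src, ports

def noisy_sources(text, min_packets=3):
    """Sources sending at least min_packets to ports the host does not serve, busiest first."""
    per_src, ports = summarize(text)
    return [(src, n, sorted(ports[src]))
            for src, n in per_src.most_common() if n >= min_packets]

if __name__ == "__main__":
    for src, n, touched in noisy_sources(SAMPLE):
        print(f"{src}: {n} packets to unexpected ports {touched}")
```

Pipe live output into it (`tcpdump -n -l ... | python3 script.py` with `sys.stdin.read()` in place of `SAMPLE`) to get the same per-source view of what is hitting the box outside its service port.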