On Wed, Sep 23, 2015 at 12:07 PM, Martin T <m4rtntns@gmail.com> wrote:
> Volume-based DDoS attacks should often result in the following bandwidth graphs:
> http://s12.postimg.org/gy3eps10t/volume_based_DDo_S_graph.png
> This is a fabricated bps graph for a 100GigE port facing an uplink provider. As seen in the image, outgoing traffic drops at the time when incoming traffic increases.
> Are those assumptions correct? Are there any other reasons which cause outgoing traffic to drop if incoming traffic is very high or the other way around?

Hi Martin,

I don't have much to add to what Roland said. The whole point of a volume-based denial of service attack is to overwhelm your target's infrastructure with fake traffic so that it is unable to handle real traffic. In a successful attack, the real traffic will drop off to almost nothing, having been crowded out.

Depending on the details, this may or may not show up in a traffic graph. If the fake traffic induces return traffic, you'll see the return traffic spike as well. If the fake traffic all gets dropped somewhere within the infrastructure, you'll see return traffic plummet as you did in the graph you linked. Both cases can happen depending on the exact details of the attack.

An aside - ack loss doesn't hurt TCP terribly much since the next ack also covers the previous one. TCP tends to stall when 2% to 5% of the payload packets are lost. Bear in mind that payload moves both ways. Even an http request contains a large request header.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
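
The two graph signatures described in the reply above, as an added example that is not part of the original thread: it labels per-interval counters for one uplink port as an inbound surge with collapsed return traffic or an inbound surge with induced return traffic. The sample values, the six-sample baseline window and the 3x / 0.5x thresholds are assumptions chosen for illustration.

```python
from statistics import median

# Constructed samples for one 100GigE uplink port: (interval, in_gbps, out_gbps).
SAMPLES = [
    ("t0", 20, 30), ("t1", 21, 31), ("t2", 19, 29),
    ("t3", 20, 30), ("t4", 22, 30), ("t5", 20, 32),
    ("t6", 22, 29),   # ordinary variation
    ("t7", 95, 8),    # flood dropped inside the network, real traffic crowded out
    ("t8", 96, 6),
    ("t9", 90, 95),   # flood that induces return traffic
    ("t10", 21, 30),  # back to normal
]

NORMAL = "normal"
COLLAPSE = "inbound surge, outbound collapsed"
RETURN_SPIKE = "inbound surge, outbound surge"
UNCHANGED = "inbound surge, outbound unchanged"


def classify(samples, baseline_n=6, surge=3.0, collapse=0.5):
    """Label every sample after the baseline window.

    The baseline is the median of the first baseline_n samples in each
    direction. An interval only counts as a surge when inbound traffic is
    at least `surge` times the inbound baseline; the outbound direction
    then decides which of the two graph shapes is present.
    """
    base_in = median(s[1] for s in samples[:baseline_n])
    base_out = median(s[2] for s in samples[:baseline_n])
    verdicts = []
    for interval, in_gbps, out_gbps in samples[baseline_n:]:
        if in_gbps < surge * base_in:
            verdict = NORMAL
        elif out_gbps <= collapse * base_out:
            verdict = COLLAPSE        # return traffic plummets
        elif out_gbps >= surge * base_out:
            verdict = RETURN_SPIKE    # return traffic spikes as well
        else:
            verdict = UNCHANGED       # surge not visible in the return direction
        verdicts.append((interval, verdict))
    return verdicts


if __name__ == "__main__":
    for interval, verdict in classify(SAMPLES):
        print(interval, verdict)
```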