Hi All, We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations? Regards, Dovid
Looking for similar here. -Dan On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender <dovid@telecurve.com> wrote:
Hello David and Dan, Are you going to perform the DDOS solution yourself, or are you looking for a company to provide a solution for you? Some companies perform an attack simulation for you before buying the product
From: drohan@gmail.com Date: Mon, 27 Jul 2015 09:31:21 -0700 Subject: Re: DDOS Simulation To: dovid@telecurve.com CC: nanog@nanog.org
Looking for similar here.
-Dan
I've seen people push close to 10Gbps line rate with 1 byte packets on an Intel card with PF_RING.
On 28 Jul 2015, at 1:40 am, lobna gouda <lobna_gouda@hotmail.com> wrote:
Yep, it's definitely possible. I have done this with netmap/PF_RING/DPDK and SnabbSwitch. On Tue, Jul 28, 2015 at 1:06 AM, Ammar Zuberi <ammar@fastreturn.net> wrote:
-- Sincerely yours, Pavel Odintsov
We are looking for a company that can launch a DDOS attack against the solutions we are testing. I don't want a proof of concept from the company that will be offering DDOS protection since they can simulate an easy attack and then mitigate. I want whom ever we go with to be able to handle what ever is thrown at them. On Mon, Jul 27, 2015 at 5:40 PM, lobna gouda <lobna_gouda@hotmail.com> wrote:
Seeing as the 'traditional' ways to launch big DDoS attacks are illegal, and you're after a 'legit' company to offer this... Yeah, I don't think you'll get too far. You'll either have to roll your own testsuite on a lan environment, or ... On 29/7/2015 3:31 AM, Dovid Bender wrote:
hi dovid On 07/28/15 at 02:31pm, Dovid Bender wrote:
We are looking for a company that can launch a DDOS attack against the solutions we are testing. I don't want a proof of concept from the company that will be offering DDOS protection since they can simulate an easy attack and then mitigate. I want whom ever we go with to be able to handle what ever is thrown at them.
most all ddos simulator folks all sell their own version of a ddos mitigator appliance or ddos cloud services ... both has good and bad ddos mitigation features depending on the type of DDoS attacks you are defending against
http://DDoS-Mitigator.net/Competitors
- largest folks ( aka probably legit ) are probably akamai/prolexic, arbor networks, fortinet, incapsula, radware, etc

as previously noted by others, legit corp will ask you for lots of legal paperwork for their "get out of jail card" for DDoS'ing your servers and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets

imho, most ddos simulator folks will want to know what are you wanting to simulate .... there are easily, say 100,000 attack vectors ...
- attack all your IP#
- attack all ports on each IP#
- various arp flood
- various icmp flood
- various udp flood
- various tcp flood ( trivial to defend )
- attack specific vulnerabilities already found n not patched
- there are probably thousands of apps that can be used to launch various DDoS attacks ...

- volumetric icmp DDoS attacks and volumetric udp DDoS attacks will most likely take you offline ... almost nothing you can do to stop it, prevent it, block it, etc... your ISP has to do that for you or your ISP's larger peer has to get in there too
  you will want the ph# of the security guru at the ISP to help you resolve the issue
  i doubt any ddos mitigation will help you and more importantly, you probably will not want to pay $$$ to the ddos cloud scrubber to be removing xTB of udp or icmp DDoS attacks

- if you're thinking of ddos attacks as "anything that is thrown at them" against webservers, mail servers, and ssh servers, that is only 3 ports out of 65,535 possible attacks
  there is "no such thing as anything that can be thrown at them"
  defending web servers, mail servers and ssh servers can be "script kiddie" trivially defended ... as long as it is properly patched and maintained and built to be defensible
  before you ask others to DDoS your servers, have you already patched apache/sendmail/ssh/openssl, kernels, etc, etc
  ddos attackers will be looking for your weakest link, usually login/pwd from outside wifi access points and home offices, hotel ethernet, etc

there is almost zero benefit for volumetric 10TB or 20 TB of DDoS attacks we read about in the papers against large corp. the only defense is to build your own geographically separate colo in each major customer countries in asia, europe, usa, south america, etc

usually the purpose of DDoS attacks is to take your servers offline or steal/copy/sniff info or hide in your network or launch other attacks
these are easier ( script kiddie ) DDoS attacks and less likely to be noticed by your ISP of incoming "attacks"
- sniff login/passwd from outside ( wifi, home office, etc )
- install keyboard sniffers
- install other trojans ( virii, worm, etc )
endless list of attacks to simulate

pixie dust
alvin
- http://DDoS-Simulator.net
On 29 Jul 2015, at 5:19, alvin nanog wrote:
as previously noted by others, legit corp will ask you for lots of legal paperwork for their "get out of jail card" for DDoS'ing your servers and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets
No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork. DDoS testing across the Internet is a Big No-No due to legal considerations, potential liabilities, potential for catastrophic error, etc. Doing it across one's own network which one controls is certainly viable. There are some companies which do that, and which take a belt-and-suspenders approach to ensure that simulated attack traffic doesn't leak, etc. Simulated DDoS attacks and testing of defenses should be part of any real development environment, along with scalability testing in general. Sadly, this is rarely the case. The best way to learn how to defend something is to learn how to attack it. Organizations with substantial Internet properties should develop their own organic capabilities to perform such testing in a safe and responsible manner, as it will also enhance the skills needed to defend said properties. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
hi roland On 07/29/15 at 05:47am, Roland Dobbins wrote:
On 29 Jul 2015, at 5:19, alvin nanog wrote:
as previously noted by others, legit corp will ask you for lots of legal paperwork for their "get out of jail card" for DDoS'ing your servers and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets
No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.
oopps, maybe a "misunderstanding" ... it's an old "be careful" euphemism and not meant as "literal get out of jail" ( from monopoly game too )
- it's intended as make sure the corp lawyers are involved that is requesting the ddos simulation/testing ( aka pen testing )
- managers/employee/contractors cannot say or sign anything that binds the company to what the managers said/request
- only officers of the company can bind the company that they will not press charges for the "ddos (pen) tests"
- po's are usually valid since the CFO is an officer of the company
DDoS testing across the Internet is a Big No-No due to legal considerations, potential liabilities, potential for catastrophic error, etc.
yes, along with all the other isp's involved along the way between "ddos testor" and corp-under-test.com
Doing it across one's own network which one controls is certainly viable.
definitely, and should be the place to start
put your ddos simulator hardware in parallel to your cisco/juniper uplink to the isp and simulate for the next few decades :-)
There are some companies which do that, and which take a belt-and-suspenders approach to ensure that simulated attack traffic doesn't leak, etc.
all computers are under 24x7x365 ddos attacks every minute and they already provide the free "real world" and luckily low level DDoS attacks for free
you should figure out how to find those free ddos attacks and how to mitigate the script kiddies already providing the free initial ddos simulation
there is no need to pay people to attack your servers ...

- tcpdump and wireshark will tell you everything the attackers are doing to your network right now that needs to be defended against

  # if you are a web server, it is currently under (free) DDoS attack
  tcpdump -n -l dst host www.example.com and ! dst port 80

  # if you are a mail server, it is currently under (free) DDoS attack
  tcpdump -n -l dst host mail.example.com and ! dst port 25

- a small exercise to clean up the tcpdump output

if a mid-level wanna be attacker wants to target your servers, they're just as equally easy to mitigate and prevent and probably sending you 100,000 "ddos packets" per second because they can ( bigger zombie network :-)
- you should notice some slow responses from your servers

if you are being targeted by "masters of deception" you have no solution other than get local law enforcement involved to track down the originating attackers

all ddos mitigations is almost 100% guaranteed to fail a volumetric DDoS attacks .... the DDoS attackers probably have access to a bigger zombie network than most major corp ...

the attackers job is not to get caught and is not ez to be hiding if law enforcement wanted to catch them :-)
problem is the attackers have to be bothersome to somebody before they start chasing down the attackers .. the rest of us has to fend for ourself
Simulated DDoS attacks and testing of defenses should be part of any real development environment, along with scalability testing in general. Sadly, this is rarely the case.
yup :-)
The best way to learn how to defend something is to learn how to attack it.
exactly .... you cannot defend against something you don't understand or don't know about that attack vector
different folks definitely attack and/or test for different things
- get different folks to do the testing

if i had to pick only one command for the ddos tests .... i'd simply flood the wire .. everything is now offline ( should be un-responsive )

  nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16

nping can create all kinds of headaches since you can attack almost anything ... most protocols, most src/dst ip# and ports

by the same premise, if i had to pick ONE ddos mitigation strategy, i'd tarpit all incoming TCP-based ddos attacks which should crash the attacking zombie server under sustained tcp-based ddos attacks
Organizations with substantial Internet properties should develop their own organic capabilities to perform such testing in a safe and responsible manner, as it will also enhance the skills needed to defend said properties. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
yup
magic pixie dust
alvin
- http://DDoS-Mitigator.net
- http://DDoS-Simulator.net
On 30 Jul 2015, at 2:38, alvin nanog wrote:
there is no need to pay people to attack your servers ...
Unless you don't have the expertise to do it yourself. Again, I advocate an organic defense capability and an organic testing capability, but there are many organizations which unfortunately don't have these, and they must start somewhere.
- tcpdump and wireshark will tell you everything the attackers are doing to your network right now that needs to be defended against
On small, single-homed networks, sure. On networks of any size, this doesn't scale. Flow telemetry scales.
if a mid-level wanna be attacker wants to target your servers, they're just as equally easy to mitigate and prevent and probably sending you 100,000 "ddos packets" per second because they can ( bigger zombie network :-)
100kpps is nothing. Of course, so many servers/services are so brittle, fragile, and non-scalable that most DDoS attacks are overkill by orders of magnitude.
if you are being targeted by "masters of deception" you have no solution other than get local law enforcement involved to track down the originating attackers
I'm not sure who or what 'masters of deception' are in this context, but attribution has nothing to do with DDoS defense. Defending against serious attackers with lots of resources is taking place every minute of every hour of every day. There are many techniques and tools available, most of which have been discussed multiple times on this list over the years. Here's one such example: <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
all ddos mitigations is almost 100% guaranteed to fail a volumetric DDoS attacks ....
This is incorrect.
the DDoS attackrs probably have access to a bigger zombie network than most major corp ...
This is true, in many cases - and is also not an issue for properly-provisioned, coordinated DDoS defense mechanisms and methodologies.
the attackers job is not to get caught and is not ez to be hiding if law enforcement wanted to catch them :-)
Again, attribution is a completely separate issue.
nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16
FYI, 'line-rate' for 64-byte packets at 10gb/sec is ~14.8mpps.
by the same premise, if i had to pick ONE ddos mitigation strategy, i'd tarpit all incoming TCP-based ddos attacks which should crash the attacking zombie server under sustained tcp-based ddos attacks
There is no one tactic (this is not a strategy) which can be picked, as any kind of traffic can be used for DDoS attacks. With regards to TCP-based attacks, it's a subset of those which are connection-oriented and are thus susceptible to tarpitting-type techniques. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
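Roland's point that flow telemetry scales where tcpdump does not, alvin's "! dst port 80" filter, and the 64-byte line-rate figure, worked through as an added example (not code from any list participant): a small triage over constructed flow records for a web and a mail server, with all addresses, service ports and packet counts assumed.

```python
"""Flow-telemetry triage for the DDoS discussion in this thread.

Aggregates constructed NetFlow-style records per destination, compares the
inbound packet rate with the 64-byte line rate of the upstream link, and
measures how much traffic targets ports the host does not serve (the
flow-record equivalent of the thread's tcpdump filter
'dst host www.example.com and ! dst port 80').
Added example; not code from any list participant.
"""
from collections import defaultdict

# Per-frame overhead on the wire: 8 B preamble/SFD + 12 B inter-frame gap.
# The 4 B FCS is already inside the 64 B minimum frame.
WIRE_OVERHEAD_BYTES = 20


def line_rate_pps(link_bps, frame_bytes=64):
    """Frames per second a link carries at a fixed frame size.

    10 Gbit/s at 64-byte frames gives 10e9 / ((64 + 20) * 8) ~= 14.88 Mpps.
    """
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


# Ports each server legitimately serves (assumed); anything else is 'off-service'.
SERVICE_PORTS = {
    "198.51.100.10": {("tcp", 80), ("tcp", 443)},  # web server
    "198.51.100.20": {("tcp", 25)},                # mail server
}

# Constructed 10-second flow export: (src, dst, proto, dport, packets, bytes).
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.10", "tcp", 80, 1_200, 960_000),           # normal web
    ("203.0.113.6", "198.51.100.10", "tcp", 443, 900, 720_000),            # normal web
    ("192.0.2.1", "198.51.100.10", "udp", 53, 30_000_000, 1_920_000_000),  # 64 B UDP flood
    ("192.0.2.2", "198.51.100.10", "udp", 53, 30_000_000, 1_920_000_000),  # 64 B UDP flood
    ("192.0.2.3", "198.51.100.10", "icmp", 0, 10_000_000, 640_000_000),    # ICMP flood
    ("203.0.113.7", "198.51.100.20", "tcp", 25, 300, 240_000),             # normal mail
]


def summarize(flows, window_seconds, service_ports):
    """Per-destination rates: total pps/bps, pps to unserved ports, distinct sources."""
    stats = defaultdict(lambda: {"pps": 0.0, "bps": 0.0, "offservice_pps": 0.0, "sources": set()})
    for src, dst, proto, dport, packets, nbytes in flows:
        s = stats[dst]
        s["pps"] += packets / window_seconds
        s["bps"] += nbytes * 8 / window_seconds
        s["sources"].add(src)
        if (proto, dport) not in service_ports.get(dst, set()):
            s["offservice_pps"] += packets / window_seconds
    return dict(stats)


def triage(flows, window_seconds, service_ports, link_bps=10_000_000_000, pps_threshold=100_000):
    """Findings for destinations receiving at least pps_threshold packets/s.

    Each finding gives the share of the link's 64-byte line rate consumed,
    the share of packets aimed at ports the host does not serve, the
    average packet size (tiny packets point at a pps flood rather than
    bandwidth exhaustion) and the number of distinct sources.
    """
    capacity = line_rate_pps(link_bps)
    findings = []
    for dst, s in summarize(flows, window_seconds, service_ports).items():
        if s["pps"] < pps_threshold:
            continue
        findings.append({
            "dst": dst,
            "pps": s["pps"],
            "link_share": s["pps"] / capacity,
            "offservice_share": s["offservice_pps"] / s["pps"],
            "avg_packet_bytes": s["bps"] / 8 / s["pps"],
            "sources": len(s["sources"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS, WINDOW_SECONDS, SERVICE_PORTS):
        print(f"{f['dst']}: {f['pps']:,.0f} pps, {f['link_share']:.0%} of 10GE line rate, "
              f"{f['offservice_share']:.0%} to unserved ports, avg {f['avg_packet_bytes']:.0f} B, "
              f"{f['sources']} sources")
```

The same aggregation applies unchanged to real nfdump or sFlow exports once they are mapped onto the six-tuple used here.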
hi roland
- yup... agreed on most all of your points ...
- good referral to prev ddos discussions
- i'm just saying .. if one cannot defend and know that their ddos mitigation is working on the low level free script kiddie ddos attacks, they should not worry about scaling to gigabit/s, 1terabit/sec or even 100 terabit/s ddos attacks ... one has to start somewhere and grow their ddos mitigation and ddos attacks knowledge ... i happen to need to know how to defend my customers in between the free script kiddies and the types of attacks that make the papers/news
  start with free (thousands) of ddos attack tools and (hundreds) of free ddos mitigation tools
- i'm fairly certain i can fill any pipe with gibberish data where ddos mitigation might not work as expected .... but when the cops come knocking, the ddos attackers are in deeep kah kah, thus requiring prior legal paperwork of all those directly and indirectly involved
have fun
alvin
On 07/30/15 at 03:05am, Roland Dobbins wrote:
On Wed, 29 Jul 2015 12:38:18 -0700, alvin nanog said:
On 07/29/15 at 05:47am, Roland Dobbins wrote:
On 29 Jul 2015, at 5:19, alvin nanog wrote:
and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets
No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.
oopps, maybe a "misunderstanding" ... it's an old "be careful" euphemism and not meant as "literal get out of jail" ( from monopoly game too )
You may indeed need a "get out of jail" card if one of those "all the other ISPs along the way" decides to make an issue of it. The company you're working with can only promise that *they* won't press charges. What their upstream decides to do is out of their control.
if i had to pick only one command for the ddos tests .... i'd simply flood the wire .. everything is now offline ( should be un-responsive )
nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16
That will only send out packets as fast as your single pipe can send, which will probably *not* make everything unresponsive. Hint - only (roughly) one out of every 65,635 packets will be pointed at the host at 198.168.5.16, for example - and I would *hope* that said host can handle an added 65K packet every 0.6 seconds or so... Oh, and line speed for a 10G connection is 155K 64K packets per second, so your command won't even fill *one* computer's pipe.
hi dovid On 07/27/15 at 11:32am, Dovid Bender wrote:
We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations?
i've compiled a fairly comprehensive list here:
- http://ddos-mitigator.net/Competitors

simulating ddos attacks is fairly easy to do, except one does have to be careful of process and procedure and the all important "get out of jail for free" card ( let your local ISP techies know too )
http://DDoS-Simulator.net/Demo ( wrapper gui around *perf/nc/nmap/*ping command options )

ddos mitigation is not a "single thing-a-ma-jig", and should be multi-layered, different solutions solving different DDoS issues
http://ddos-solutions.net/Mitigation/#Howto
- how are they attacking
- who is attacking ( script kiddie vs master of deception )
- what are they attacking
- when are they attacking
- why are they attacking
- ...

# ---------------------------------------------
# what kind of simulations are you trying to do ??
# ---------------------------------------------
- volumetric attacks say 10gigabit vs 200gigabit attacks is trivial
- ping flood, udp flood, arp flood, tcp flood, etc, etc
  local appliances with 10/100 gigabit NIC cards should be able to generate close to 100 gigabit/sec of ddos attacks
- udp and icmp attacks are harder to mitigate, since those packets need to be stopped at the ISP .... if it came down the wire to the local offices, it already used the bandwidth, cpu, memory, time, people, etc, etc
- tcp-based ddos attacks are trivial ( imho ) to defend against with iptables + tarpits
  if each tcp connection takes 2K bytes, the DDoS attacker that is intent on sending large quantity of tcp-based packets would incur a counter ddos attack using up its own kernel memory
  100,000 tcp packet/sec * 2K byte --> 200M /sec of kernel memory
  ?? with tcp timeout of 2 minutes implies they'd need 24TB of ?? kernel memory to sustain a 100,000 tcp packet/sec attack

# live demo of tarpit incoming ddos attacks
http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
http://target-practice.net/cgi-bin/IPtables-GUI.pl

# command line options is 100x faster and easier than html
# to automatically add new incoming ddos attackers
iptables-gui -doadd -addauto
# to automatically remove inactive ddos attackers
iptables-gui -dodel -deluto

ssh based solutions are nice but only work on port 22
http based solutions are nice but only work on port 80
there are 65,533 other ports to defend against DDoS attacks which is defensible with tarpit

- it is trivial to generate attacks against apache or web browser
- it is trivial to generate attacks against sendmail or mail reader
- netcat/socat/nc, hping*, nping, etc, etc
  - something that you can define source and destination IP#
  - something that you can define source and destination port#
- it is harder to generate the various malformed tcp headers
- gui to help set tcp header flags and options for nmap/hping
  - http://ddos-simulator.net/Demo/
- spam, virii and worms seem to be in their own category
- another important question for your clients is if they are under any governmental regulations which will limit their choices of solutions
  - hipaa, pci, sox, etc
  inhouse ddos solutions should not have any governmental compliance issues
  cloud based ddos solutions and their facilities would have to comply with the various governmental issues
  both inhouse and cloud based solutions solve some problems

another 32+ point comparison for inhouse vs cloud based solutions
- http://ddos-mitigator.net/InHouse-vs-Cloud

thanx
alvin
- http://ddos-mitigator.net
- http://ddos-simulator.net
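alvin's tarpit arithmetic (connections per second × bytes per connection × hold time) carried through as an added example that is not from any list participant; the traffic mix, per-connection cost, hold time and sender memory budgets are constructed assumptions, and the split into tarpittable and non-tarpittable traffic follows Roland's remark above that only connection-oriented TCP is susceptible to tarpitting.

```python
"""Tarpit economics for the TCP-based mitigation idea in this thread.

A tarpit pins state on the sending side: every completed connection is
held open for hold_seconds, so steady-state memory on the sender is
rate * hold time * bytes per connection (Little's law). Only traffic that
completes a handshake from a real stack is affected; spoofed-source SYNs,
UDP and ICMP never hold a connection, so the tarpit does nothing for them.
Added example; not from any list participant. All numbers are constructed.
"""


def steady_state_bytes(conn_rate, bytes_per_conn, hold_seconds):
    """Memory the sender must keep once the tarpit has been absorbing
    connections for at least hold_seconds (Little's law: L = rate * W)."""
    return conn_rate * hold_seconds * bytes_per_conn


def exhaustion_seconds(conn_rate, bytes_per_conn, hold_seconds, budget_bytes):
    """Seconds until the sender's memory budget is used up, or None when the
    tarpit plateaus (old connections start timing out) before that happens."""
    per_second = conn_rate * bytes_per_conn
    if budget_bytes >= per_second * hold_seconds:
        return None
    return budget_bytes / per_second


# Kinds of attack traffic a tarpit can act on: only these complete a handshake.
TARPITTABLE = {"tcp_real_source"}

# Constructed attack mix in packets (for TCP: new connections) per second.
ATTACK_MIX = {
    "tcp_real_source": 100_000,    # full handshakes from real bot stacks
    "tcp_spoofed_syn": 2_000_000,  # forged sources: the SYN/ACK goes nowhere
    "udp_flood": 3_000_000,
    "icmp_flood": 1_000_000,
}


def tarpit_effect(mix, bytes_per_conn=2048, hold_seconds=120, sender_budget_bytes=4 * 2**30):
    """Summarise what a tarpit does against a traffic mix.

    bytes_per_conn and hold_seconds default to the 2K-byte / 2-minute figures
    used in the thread; sender_budget_bytes is the memory the attacking side
    can commit to pinned connections (assumed 4 GiB, i.e. one ordinary host).
    """
    pinned_rate = sum(rate for kind, rate in mix.items() if kind in TARPITTABLE)
    total_rate = sum(mix.values())
    return {
        "covered_share": pinned_rate / total_rate,
        "uncovered_pps": total_rate - pinned_rate,
        "sender_steady_state_bytes": steady_state_bytes(pinned_rate, bytes_per_conn, hold_seconds),
        "sender_exhausted_after_s": exhaustion_seconds(
            pinned_rate, bytes_per_conn, hold_seconds, sender_budget_bytes),
    }


if __name__ == "__main__":
    # One real host with 4 GiB behind the connections runs out in ~21 s ...
    print(tarpit_effect(ATTACK_MIX))
    # ... a botnet pooling 512 GiB never does, and ~98% of the mix is untouched either way.
    print(tarpit_effect(ATTACK_MIX, sender_budget_bytes=512 * 2**30))
```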
Hello! I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it). There is another open project: quezstresser.com On Mon, Jul 27, 2015 at 11:25 PM, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
-- Sincerely yours, Pavel Odintsov
Hello! It's poor man's traffic generator :) My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE. On Mon, Jul 27, 2015 at 11:59 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).
OK, I'll bite - what hardware were you using to inject that many packets?
-- Sincerely yours, Pavel Odintsov
hi pavel On 07/28/15 at 12:02am, Pavel Odintsov wrote:
It's poor man's traffic generator :)
that's the best kind :-) as long as it gets the job done and you get to control what it does
My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.
nice cpu hw

trick questions for those thinking of generating ddos traffic for testing
- ?? how much memory was needed to run the traffic generator
  i assume around 1GB of memory for 1gigE interface and i still can purposely run out of memory while some apps are running
  at 10gigE pci card, you'd probably want at least 12GB - 16GB of memory
- some "poor mans apps" to generate traffic ... start w/ nping or hping

  # generate 1,000 Mbit/sec of junk .. flooding is trivial ...
  ping -i 0.001 -s 2000 victimIP#
  nping --data-length 2000 --rate 1000 victimIP#
  socat
  iperf
  ...
  #
  # generate udp or icmp or arp or tcp traffic
  #
  # add options to generate large-sized packets
  # add options to generate 10Gbit/sec ( number of packet/sec )
  #
  # play around with tcp headers
  # add options to send MTU=1501 byte but NOT set DF
  # add options to send ACK but no request
  #
  # add options to spoof source and destination address and ports
  #
  # if the host machine become un-available, you've got a problem
  #
  for host in gw dns ntp http smtp
    for protocol in arp icmp udp tcp
      nping --protocol [ options ] host.example.com
      # hping is nice too
    done
  done

  # for bonus arp fun ...
  attacker# arpspoof gateway victim
  attacker# arpspoof victim gateway

  # prevent mitm with:
  use hard coded arp "/etc/ethers" for linux
  use OpenSSL certs to flag a warning when "attacker" inserted itself in between gateway and un-aware victim

pixie dust
alvin
- DDoS-Mitigator.net
On Mon, Jul 27, 2015 at 11:59 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).
OK, I'll bite - what hardware were you using to inject that many packets?
Hello!

My machines have 16GB of memory but the traffic generator uses about 1GB of memory for a 10GE link.

On Tue, Jul 28, 2015 at 12:36 AM, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
hi pavel
On 07/28/15 at 12:02am, Pavel Odintsov wrote:
It's poor man's traffic generator :)
that's the best kind :-) as long as it gets the job done and you get to control what it does
My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.
nice cpu hw
trick questions for those thinking of generating ddos traffic for testing
- ?? how much memory was needed to run the traffic generator
i assume around 1GB of memory for 1gigE interface and i still can purposely run out of memory while some apps are running
at 10gigE pci card, you'd probably want at least 12GB - 16GB of memory
- some "poor mans apps" to generate traffic ... start w/ nping or hping
	# generate 1,000 Mbit/sec of junk .. flooding is trivial ...
	ping -i 0.001 -s 2000 victimIP
	# nping --data-length 2000 --rate 1000 victimIP
	# socat
	iperf ...
	#
	# generate udp or icmp or arp or tcp traffic
	#
	# add options to generate large-sized packets
	# add options to generate 10Gbit/sec ( number of packet/sec )
	#
	# play around with tcp headers
	# add options to send MTU=1501 byte but NOT set DF
	# add options to send ACK but no request
	#
	# add options to spoof source and destination address and ports
	#
	# if the host machine become un-available, you've got a problem
	#
	for host in gw dns ntp http smtp
	for protocol in arp icmp udp tcp
		nping --protocol [ options ] host.example.com    # hping is nice too
	done
	done

	# for bonus arp fun ...
	attacker# arpspoof gateway victim
	attacker# arpspoof victim gateway

	# prevent mitm with:
	use hard coded arp "/etc/ethers" for linux
	use OpenSSL certs to flag a warning when "attacker" inserted itself in between gateway and un-aware victim
pixie dust alvin - DDoS-Mitigator.net
On Mon, Jul 27, 2015 at 11:59 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).
OK, I'll bite - what hardware were you using to inject that many packets?
-- Sincerely yours, Pavel Odintsov
Hi Dovid,

I recommend checking out NimbusDDOS. http://www.nimbusddos.com/

I know that they have done exactly this for several notable customers, and also provide insights into impacts (they don't just blindly run the attacks for you, they provide intelligence behind what's happening to help you make sense of what is going on.)

Contact me off list if you want me to set up an intro.

Ryan

On Mon, Jul 27, 2015, at 11:32 AM, Dovid Bender wrote:
Hi All,
We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations?
Regards,
Dovid
If anyone offers to "test" your DDoS devices across a network that you do not 100% own, you are risking legal issues.

If they offer to test it across your own network, make sure you have in writing from your upper management that they understand the risk and approve it.

If you choose to do it anyway then you are taking a LARGE risk.

Testing should be in your lab and even then you should understand 100% what is happening to avoid leaking attack traffic into the internet.

-jim

On Tue, Jul 28, 2015 at 2:24 PM, Ryan Pugatch <rpug@lp0.org> wrote:
Hi Dovid,
I recommend checking out NimbusDDOS. http://www.nimbusddos.com/
I know that they have done exactly this for several notable customers, and also provide insights into impacts (they don't just blindly run the attacks for you, they provide intelligence behind what's happening to help you make sense of what is going on.)
Contact me off list if you want me to set up an intro.
Ryan
On Mon, Jul 27, 2015, at 11:32 AM, Dovid Bender wrote:
Hi All,
We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations?
Regards,
Dovid
On Jul 28, 2015, at 9:05 PM, jim deleskie <deleskie@gmail.com> wrote:
If anyone offers to "test" your DDoS devices across a network that you do not 100% own, you are risking legal issues.
If they offer to test it across your own network, make sure you have in writing from your upper management that they understand the risk and approve it.
If you choose to do it anyway then you are taking a LARGE risk.
Testing should be in your lab and even then you should understand 100% what is happening to avoid leaking attack traffic into the internet.
In a previous job (we did DDoS mitigation) customers asked all the time for simulation, and typically live across the internet. For all the reasons noted, we didn't do it, but instead would do a lab/POC with pcaps replayed from previous attacks we had mitigated to show the customer how our platform worked, how we handled incident response, etc.

Agree with all comments about NOT doing it over the internet; that way lies madness.

-b
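A pre-flight check in the spirit of Jim's and Brett's advice above (keep the test in the lab, and know exactly where every packet can go before a generator or pcap replay is started). This is an added example, not code from the thread or from any vendor named in it. It uses only the Python standard library; the approved prefixes, the target lists and the function names are my own constructed values.

```python
"""Containment check for a DDoS lab test (added example, not from the thread).

Refuses to start a run unless every destination is a literal host address
inside a network the tester is authorised to flood.  Hostnames and CIDR
ranges are rejected on purpose: a DNS answer or a mistyped mask is exactly
how test traffic ends up on someone else's network.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: the networks the written authorisation covers.
APPROVED_PREFIXES = [
    "10.200.0.0/16",       # lab segment sitting behind the scrubbing device
    "2001:db8:1ab::/48",   # documentation prefix, standing in for a lab v6 range
]


def parse_prefixes(prefixes: Iterable[str]):
    # strict=True refuses "10.200.1.0/16" style entries with host bits set,
    # which usually mean the authorisation was copied wrongly
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def check_targets(targets: Iterable[str],
                  approved_prefixes: Iterable[str] = APPROVED_PREFIXES
                  ) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (ok, offenders).

    ok is True only when every target passes.  offenders lists each failing
    target with the reason, so the operator can fix the plan rather than
    guess which entry was wrong.
    """
    nets = parse_prefixes(approved_prefixes)
    v4_broadcasts = {n.broadcast_address for n in nets if n.version == 4}
    offenders: List[Tuple[str, str]] = []
    for t in targets:
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            offenders.append((t, "not a literal host address"))
            continue
        if addr.is_multicast or addr.is_unspecified:
            offenders.append((t, "multicast/unspecified address"))
            continue
        if addr in v4_broadcasts:
            # a directed-broadcast target amplifies across the whole subnet
            offenders.append((t, "directed broadcast"))
            continue
        if not any(addr in n for n in nets):
            offenders.append((t, "outside approved lab prefixes"))
    return (len(offenders) == 0, offenders)


if __name__ == "__main__":
    plan = ["10.200.1.10", "8.8.8.8", "www.example.com", "10.200.255.255"]
    ok, bad = check_targets(plan)
    print("run allowed:", ok)
    for target, reason in bad:
        print("  refused", target, "->", reason)
```

The list of approved prefixes should come from the same written sign-off Jim mentions, not from whoever is typing the test command; wiring the check in front of the generator makes the approval enforceable rather than advisory.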
If the customer has headroom on a 10G link, what's the harm with running a 1G volumetric DDoS across the Internet? Or if it's application layer, anytime against prescribed lab devices?

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brett Watson
Sent: Tuesday, July 28, 2015 8:28 PM
To: nanog@nanog.org
Subject: Re: DDOS Simulation
On Jul 28, 2015, at 9:05 PM, jim deleskie <deleskie@gmail.com> wrote:
If anyone offers to "test" your DDoS devices across a network that you do not 100% own, you are risking legal issues.
If they offer to test it across your own network, make sure you have in writing from your upper management that they understand the risk and approve it.
If you choose to do it anyway then you are taking a LARGE risk.
Testing should be in your lab and even then you should understand 100% what is happening to avoid leaking attack traffic into the internet.
In a previous job (we did DDoS mitigation) customers asked all the time for simulation, and typically live across the internet. For all the reasons noted, we didn't do it, but instead would do a lab/POC with pcaps replayed from previous attacks we had mitigated to show the customer how our platform worked, how we handled incident response, etc.

Agree with all comments about NOT doing it over the internet; that way lies madness.

-b
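Whether the replay is done in a lab as Brett describes or sized against link headroom as Frank asks, the question a mitigation evaluation has to answer is the same: how much load actually reached each destination, second by second, and did it stay inside the capacity the test was allowed to consume. The following is an added example, not code from the thread; the flow records are a constructed sample in a (timestamp, destination, packets, bytes) shape I chose, and the thresholds and link figures are placeholders.

```python
"""Per-second load measurement for a lab DDoS replay (added example, not from the thread)."""
from collections import defaultdict

# Constructed sample of flow-style records exported from the lab capture:
# (timestamp in seconds, destination address, packets, bytes).
SAMPLE_FLOWS = [
    (100.1, "10.200.1.10", 500, 600_000),        # normal baseline
    (100.6, "10.200.1.10", 400, 500_000),
    (101.0, "10.200.1.10", 60_000, 3_600_000),   # replayed small-packet burst
    (101.2, "10.200.1.10", 70_000, 4_200_000),
    (101.5, "10.200.1.20", 300, 450_000),        # a second host, unaffected
    (102.0, "10.200.1.10", 50, 1_500_000),       # a few large packets
]


def per_second_rates(flows):
    """Aggregate records into {(dst, second): (packets/s, bits/s)}."""
    agg = defaultdict(lambda: [0, 0])
    for ts, dst, pkts, nbytes in flows:
        key = (dst, int(ts))
        agg[key][0] += pkts
        agg[key][1] += nbytes * 8
    return {k: (pps, bps) for k, (pps, bps) in agg.items()}


def flag_floods(rates, pps_limit, bps_limit):
    """(dst, second) pairs that exceeded either limit.  A packet-rate limit
    is needed as well as a bit-rate one: a small-packet flood exhausts a
    device's pps budget long before it fills the link."""
    return sorted(k for k, (pps, bps) in rates.items()
                  if pps > pps_limit or bps > bps_limit)


def peak_total_bps(rates):
    """Highest one-second aggregate across all destinations, i.e. the
    figure that has to fit inside the link headroom."""
    per_sec = defaultdict(int)
    for (_, sec), (_, bps) in rates.items():
        per_sec[sec] += bps
    return max(per_sec.values(), default=0)


def within_headroom(peak_test_bps, link_bps, baseline_bps, max_fraction=0.5):
    """True if production baseline plus the test peak stays under
    max_fraction of the link, so the replay cannot congest it."""
    return baseline_bps + peak_test_bps <= max_fraction * link_bps


if __name__ == "__main__":
    rates = per_second_rates(SAMPLE_FLOWS)
    for key in flag_floods(rates, pps_limit=100_000, bps_limit=500_000_000):
        print("flood second", key, "pps/bps", rates[key])
    peak = peak_total_bps(rates)
    print("peak aggregate bps", peak,
          "fits a 10G link with 2G baseline:", within_headroom(peak, 10e9, 2e9))
```

Running the same aggregation on captures taken before and after the mitigation device shows what it actually dropped; comparing the peak against the allowed fraction of the link is the number to agree on in writing before a test that touches a production circuit.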
Two more options:

- http://www.redwolfsecurity.com/#!ddos_testing/cqd6 (not vouching for them, just raising awareness of the options)

- Spin up a bunch of VMs at various cloud providers and launch your own attacks against yourself. Note that you should only do this with the permission of the cloud provider(s) as you may hit bottlenecks or trigger automated defenses within their networks.

Damian

On Tue, Jul 28, 2015 at 10:24 AM, Ryan Pugatch <rpug@lp0.org> wrote:
Hi Dovid,
I recommend checking out NimbusDDOS. http://www.nimbusddos.com/
I know that they have done exactly this for several notable customers, and also provide insights into impacts (they don't just blindly run the attacks for you, they provide intelligence behind what's happening to help you make sense of what is going on.)
Contact me off list if you want me to set up an intro.
Ryan
On Mon, Jul 27, 2015, at 11:32 AM, Dovid Bender wrote:
Hi All,
We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations?
Regards,
Dovid
participants (14): alvin nanog, Ammar Zuberi, Brett Watson, Damian Menscher, Daniel Rohan, Dovid Bender, frnkblk@iname.com, jim deleskie, lobna gouda, Paul S., Pavel Odintsov, Roland Dobbins, Ryan Pugatch, Valdis.Kletnieks@vt.edu