Telus has gone first, and announced it is using Arbor's products across its backbone network. http://www.eweek.com/article/0,3658,s=720&a=26867,00.asp

People have been trying the products for a while. Does Arbor Networks really have an answer to DoS, or does it still need a little longer in the oven?
On Wed, 15 May 2002, Sean Donelan wrote:
> Telus has gone first, and announced it is using Arbor's products across its backbone network. http://www.eweek.com/article/0,3658,s=720&a=26867,00.asp
>
> People have been trying the products for a while. Does Arbor Networks really have an answer to DoS, or does it still need a little longer in the oven.
Have any large networks gathered statistics on how much traffic DDoS/DoS/DRDoS attacks consume on an average day?

The attacks I have been able to detect represent around 10-15% of my traffic on an on-going basis.

I'm curious about the business case for investing in DoS defense mechanisms. DoS traffic is boosting service provider revenues through increased customer bandwidth usage. So the investment in defense mechanisms like Arbor would have to replace or increase that revenue. Will these issues inhibit wide-spread implementation of DoS defenses?

Pete.
| The attacks I have been able to detect represent around
| 10-15% of my traffic on an on-going basis.
|
| I'm curious about the business case for investing in DoS
| defense mechanisms. DoS traffic is boosting service provider
| revenues through increased customer bandwidth usage. So the

If and when
(a) customers don't get exemption for attack traffic
(b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of the month per customer circuit
(c) the DoS increases bytes transferred like large ICMP packet flood; this is not the case for all DoS traffic, which can be a bunch of small packets that actually decreases traffic

| investment in defense mechanisms like Arbor would have to
| replace or increase that revenue. Will these issues inhibit
| wide-spread implementation of DoS defenses?

I think a network that profits from client suffering doesn't keep its contracts for much time.

Rubens Kuhl Jr.
On Wed, 15 May 2002, Rubens Kuhl Jr. wrote:
> If and when
> (a) customers don't get exemption for attack traffic
> (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of the month per customer circuit
> (c) the DoS increases bytes transferred like large ICMP packet flood; this is not the case for all DoS traffic, which can be a bunch of small packets that actually decreases traffic
These might apply to noticeable DoS attacks that occur as specific events. But how much (D)DoS traffic goes unnoticed by the average customer because it's too tough to detect or defend against? The 10% I've measured on my network is primarily reflected DDoS (reflected off my customers, to off-net targets), which is not trivial to detect or defend against.

Pete.
On Wed, May 15, 2002 at 12:14:35AM -0600, Pete Kruckenberg wrote:
> These might apply to noticeable DoS attacks that occur as specific events. But how much (D)DoS traffic goes unnoticed by the average customer because it's too tough to detect or defend against? The 10% I've measured on my network is primarily reflected DDoS (reflected off my customers, to off-net targets), which is not trivial to detect or defend against.
It all depends on the networks involved. I'd venture to say that most people not associated with university networks see significantly less DoS, more like 1% of overall traffic for service providers and probably closer to 0% for end users who aren't IRCing.

At any rate, you are also in the very special case of being the one used to do the attacks rather than the one being attacked. Again, you really have to have university networks involved to see those numbers. In non-DDoS cases, particularly your classic bandwidth floods, the source feels the attack as badly as the victim. That is less the case today, with targeted attacks (your network MAY fall over routing 100kpps, but it is far more likely to fall over if those 100kpps are directed at your routers) and DDoS reducing the amount of power that any given source must use. Remember that the original point of DDoS was to prevent the sources from noticing (and thus shutting down the compromised machines) by using 10 networks at 10% instead of 1 at 100%. Today, you often see targeted high-pps, low-bandwidth attacks which actually bring down traffic (these *are* supposed to be denial of service attacks after all :P) instead of raising it.

But as for your case... Attacks directed at you and attacks directed from you are sometimes the same thing and sometimes different, and I think most people see money to be made in the former. Personally I would rather have to deal with the latter, because there is something I can easily do about it. For the sake of the rest of us, PLEASE go fix your network so that we don't have to deal with your attacks. I'm still recommending rate limiting your outbound RSTs either on the webservers themselves (which a good OS should do), or on the routers. :)

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, 15 May 2002, Richard A Steenbergen wrote:
> It all depends on the networks involved. I'd venture to say that most people not associated with university networks see significantly less DoS, more like 1% of overall traffic for service providers and probably closer to 0% for end users who aren't IRCing.
Some presentations made at recent NANOGs discussed the continuous noise generated by DDoS attacks, though I can't find any numbers showing how much bandwidth the noise uses.

With the number of always-on broadband residential and small-business customers, are education networks still the (only) haven of hackers they used to be? Even enterprises seem to be pretty active DDoS participants; there were/are a lot of corporations generating CodeRed probes, and a surprising number of residential machines.

Are there any service providers running IDS/NIDS on their backbones and monitoring for DDoS attacks, to provide some empirical data on the scope of DDoS traffic?

Pete.
Hi, Pete.

] With the number of always-on broadband residential and
] small-business customers, are education networks still the

The broadband ranges are now quite popular with the miscreants. Several of the bots I've recovered conduct targeted scans of the broadband prefixes. While scanning the entire IPv4 address space - including the bogons - does yield a lot of hax0red hosts, it also produces a lot of noise. FYI, the miscreants also _avoid_ certain netblocks in which, they believe, honeypots and other things reside.

When scanning for easily hacked routers, the miscreants target the ranges they believe contain "mad fast routers," e.g. routers with > T1 connectivity. In the case of both hosts and routers, it is increasingly common for the miscreants to test the bandwidth capabilities of the device. The sluggish are left unused by many crews (or traded in the very active underground economy).

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
On Wed, 15 May 2002, Rob Thomas wrote:
> FYI, the miscreants also _avoid_ certain netblocks in which, they believe, honeypots and other things reside.
What leads them to believe this? It could be very useful as deterrence to know their criteria.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Hi, Dan.

] What leads them to believe this?

Well folks aren't exactly subtle about their honeypots. Read any of the popular security lists for examples of "Hi! My honeypot was hit last night with blah and blah, here is the sniffer trace..." The underground shares and trades information as well, so some of the miscreants learn from experience or each other which networks respond to attacks, scans, hacking, etc.

] It could be very useful as deterrence to know their criteria.

For the low fee of a cool t-shirt or a bit of gear for my lab I'd be happy to spread rumours about the mad fast honeypot residing within your prefixes. :)

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
On Wed, 15 May 2002, Rob Thomas wrote:
> ] It could be very useful as deterrence to know their criteria.
>
> For the low fee of a cool t-shirt or a bit of gear for my lab I'd be happy to spread rumours about the mad fast honeypot residing within your prefixes. :)
disinformation as a means to raise the level of uncertainty for the attacker, it's classic military tactic. what other military tactics can be used to make life more dangerous for attackers?

i've been tossing around an idea for a "land mine network". randomly distributed honeypots around the internet. when X landmines are hit from the same source, that source gets entered into a BGP blackhole feed which anyone can subscribe to. put landmines in popularly targeted networks, maybe even make them randomly move about. there are all sorts of wonderful tactics that could be put to use.

scanning would quickly become self defeating as attackers would only manage to cut themselves off from the net.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
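The "X landmines hit from the same source" rule above is simple enough to sketch. The following is an added example, not code from anyone on the thread: a small aggregator that takes constructed sensor reports, counts how many distinct sensors each source touched inside a time window, and renders the sources over threshold as host routes tagged with the RFC 7999 BLACKHOLE community. The sensor names, the report tuple shape and the one-line feed format are all assumptions made for the example; only the documentation address ranges (RFC 5737) are used, so nothing here refers to a real host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor reports for this example: (sensor_id, source_ip, ISO timestamp).
# Sensor names are hypothetical; 192.0.2.0/24 and 198.51.100.0/24 are the RFC 5737
# documentation ranges, so none of these addresses belongs to a real host.
SAMPLE_REPORTS = [
    ("mine-01", "192.0.2.10",   "2002-05-15T01:00:00"),
    ("mine-02", "192.0.2.10",   "2002-05-15T01:05:00"),
    ("mine-03", "192.0.2.10",   "2002-05-15T01:07:00"),
    ("mine-01", "198.51.100.7", "2002-05-15T01:10:00"),
    ("mine-01", "198.51.100.7", "2002-05-15T01:11:00"),  # same sensor again: counts once
    ("mine-02", "198.51.100.7", "2002-05-15T01:12:00"),
    ("mine-04", "192.0.2.99",   "2002-05-14T20:00:00"),  # stale hit, ages out of the window
    ("mine-05", "192.0.2.99",   "2002-05-15T01:20:00"),
    ("mine-06", "192.0.2.99",   "2002-05-15T01:21:00"),
]

# RFC 7999 BLACKHOLE well-known community. The feed line format used below is
# constructed for this example, not any router's or route server's syntax.
BLACKHOLE_COMMUNITY = "65535:666"


def sensors_hit_by_source(reports, now, window):
    """Map each source address to the set of distinct sensors it touched
    within `window` of `now`. Counting distinct sensors rather than raw hits
    means one noisy sensor cannot get a source listed on its own."""
    cutoff = now - window
    hits = defaultdict(set)
    for sensor, src, stamp in reports:
        if datetime.fromisoformat(stamp) >= cutoff:
            hits[src].add(sensor)
    return hits


def blackhole_candidates(reports, now_iso, threshold=3, window_hours=4):
    """Sources that hit at least `threshold` distinct sensors inside the window.
    Only recent hits count, so an entry drops out again once its hits age past
    the window; that matters because the scanning box is often a compromised
    host rather than the attacker's own machine."""
    now = datetime.fromisoformat(now_iso)
    hits = sensors_hit_by_source(reports, now, timedelta(hours=window_hours))
    return sorted(src for src, sensors in hits.items() if len(sensors) >= threshold)


def feed_lines(sources, community=BLACKHOLE_COMMUNITY):
    """Render one host route per source as a '<prefix> <community>' line
    (a constructed feed format, see the note above)."""
    return [f"{src}/32 {community}" for src in sources]


if __name__ == "__main__":
    for line in feed_lines(blackhole_candidates(SAMPLE_REPORTS, "2002-05-15T01:30:00")):
        print(line)
```

With the sample data and the default 4-hour window only 192.0.2.10 reaches three distinct sensors; widening the window to 12 hours pulls the stale hit back in and lists 192.0.2.99 as well. The window is the knob that decides how long a hacked-and-scanning host stays cut off after it stops.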
Hi, Dan.

] scanning would quickly become self defeating as attackers would only
] manage to cut themselves off from the net.

To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines. The end result is a lot of hacked hosts are black holed. On one hand you could say "serves 'em right for being hacked!" On the other hand, you could wonder why it is that the non-geek broadband users must be system, network, and firewall administrators.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
On Wed, 15 May 2002, Rob Thomas wrote:
> ] scanning would quickly become self defeating as attackers would only
> ] manage to cut themselves off from the net.
>
> To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines.
I disagree. They have to start somewhere. Most miscreants first attack offshore hosts, then use those to attack domestic victims.
> The end result is a lot of hacked hosts are black holed.
And this is a bad thing?
> On one hand you could say "serves 'em right for being hacked!" On the other hand, you could wonder why it is that the non-geek broadband users must be system, network, and firewall administrators.
They don't. This is purely a response to rogue networks/blackhats and apathetic/irresponsible/toothless NOCs.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Hi Rob

## On 2002-05-15 16:01 -0500 Rob Thomas typed:

RT> On the other hand, you could wonder why it is that the
RT> non-geek broadband users must be system, network, and firewall
RT> administrators.

You might prefer to wonder when home users will start using an OS that doesn't have security holes you can drive a truck through and the default config would at least be semi-secure ... If the home (or at least broadband) users would demand such an OS they *might* just get it ... ;-)

RT> Thanks,
RT> Rob.

Regards,
Rafi

RT> --
RT> Rob Thomas
RT> http://www.cymru.com/~robt
RT> ASSERT(coffee != empty);
Hi, folks.

Ah, you know when you mention DDoS too frequently I'm bound to post. :)

] specific events. But how much (D)DoS traffic goes unnoticed
] by the average customer because it's too tough to detect or
] defend against? The 10% I've measured on my network is

Valid concern. I tracked five groups of miscreants, each with a botnet, and recorded well over 100 DDoS attacks in a single 24 hour period. These were the attacks that were obvious, e.g. the attack was coordinated or discussed in channel, with the results often pasted into the channel as well (IRC ping timeouts, traceroutes, pings, HTTP gets, etc.). How many privately discussed attacks did I not log?

In the underground DoS is ubiquitous and quite frequent. The miscreant without a botnet or DoSnet is generally in the active pursuit of one or both. In fact, if you see a sudden upsurge in scans for a particular port (Sub7, FTP, NetBIOS shares), this is often the result of a botnet or DoSnet harvest.

Many of the DoS tools and bots are specifically written to generate seemingly legitimate traffic. These tools do not spoof the source IP. Some will generate a surfeit of sockets to a web server; this won't appear as anomalous traffic, particularly if there is no flow analysis on the network. It isn't clear to me how the various anti-DDoS tools (Captus, Arbor, Riverhead, et al.) will deal with a surfeit of legitimate traffic, though Mazu may have some chance of fingerprinting this traffic (it is essentially an anomaly detector). N.B.: I've not tested any of these devices.

Many edge networks do not run any sort of flow collection and analysis tool. They have no idea what is hitting their site, but they know it is causing woe. They call their ISP and expect them to deduce the naughty flows. Some ISPs are incapable of analyzing the flows as well. It's a real mixed bag.

I would argue that there are other things that can be done at the edge to mitigate the present effect of DoS (measured or unmeasured). Anti-spoofing does help. In one study I conducted of an oft-DoS'd site, 60% of the naughty packets had _obvious_ bogon source addresses. The percentage of spoofing was difficult to deduce, though it may have been quite a bit higher than 60%. Why send such packets through an anti-DDoS device? It's a waste of cycles. Ah, but you've heard this from me before, so I'll spare you the rave. :)

What percentage of all Internet traffic is DoS? Unclear. Until the data is gathered, it can not be analyzed, and the data is rarely collected.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
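Two measurements come up in this thread that a flow collector can actually produce: the share of inbound packets carrying obvious bogon sources (Rob's 60% figure) and the reflected DDoS that Pete sees bouncing off his customers toward off-net targets (SYN/ACKs and RSTs from many of his hosts converging on one outside address, the traffic Richard suggests rate limiting). The block below is an added example written for this page, not code from any of the posters or from any of the products named. It runs over constructed flow records in an assumed simplified tuple form (not a real flow-export format), uses a deliberately short static bogon list, and uses the RFC 5737 documentation ranges for both "my customers" and "off-net".

```python
import ipaddress
from collections import defaultdict

# Prefixes this network announces (constructed: 203.0.113.0/24 is an RFC 5737
# documentation range standing in for "my customers").
MY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Obvious bogons: source addresses that should never arrive from the Internet.
# A short static list for the example; a production list needs maintenance.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed flow records in an assumed simplified form, not any real flow-export
# format: (src, dst, proto, sport, dport, tcp_flags, packets).
# 198.51.100.0/24 (also RFC 5737) stands in for off-net hosts.
SAMPLE_FLOWS = [
    # Inbound floods carrying private / zero-net sources: obvious bogons.
    ("10.1.2.3",      "203.0.113.5", "tcp", 1234, 80, "S", 500),
    ("0.1.2.3",       "203.0.113.5", "tcp", 1234, 80, "S", 400),
    # Ordinary inbound connections from one off-net client.
    ("198.51.100.20", "203.0.113.5", "tcp", 40000, 80, "S", 10),
    ("198.51.100.20", "203.0.113.6", "tcp", 40001, 80, "S", 8),
    # SYNs with a forged source (the real victim) hitting four customer web servers.
    ("198.51.100.9",  "203.0.113.5", "tcp", 80, 80, "S", 300),
    ("198.51.100.9",  "203.0.113.6", "tcp", 80, 80, "S", 300),
    ("198.51.100.9",  "203.0.113.7", "tcp", 80, 80, "S", 300),
    ("198.51.100.9",  "203.0.113.8", "tcp", 80, 80, "S", 300),
    # What the customers send back: SYN/ACK retransmits or RSTs toward the victim.
    ("203.0.113.5", "198.51.100.9",  "tcp", 80, 80, "SA", 900),
    ("203.0.113.6", "198.51.100.9",  "tcp", 80, 80, "SA", 900),
    ("203.0.113.7", "198.51.100.9",  "tcp", 80, 80, "SA", 900),
    ("203.0.113.8", "198.51.100.9",  "tcp", 80, 80, "R", 300),
    # Legitimate replies to the ordinary client.
    ("203.0.113.5", "198.51.100.20", "tcp", 80, 40000, "SA", 10),
    ("203.0.113.6", "198.51.100.20", "tcp", 80, 40001, "SA", 8),
]


def in_any(addr, networks):
    """True if `addr` falls inside any of `networks`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def bogon_source_share(flows, my_prefixes=MY_PREFIXES, bogons=BOGONS):
    """Return (bogon_packets, inbound_packets) over flows entering my prefixes.
    Packets with a bogon source can be dropped at the edge before any
    anomaly-detection box ever has to spend cycles on them."""
    bogon = inbound = 0
    for src, dst, _proto, _sport, _dport, _flags, packets in flows:
        if not in_any(dst, my_prefixes):
            continue
        inbound += packets
        if in_any(src, bogons):
            bogon += packets
    return bogon, inbound


def reflection_victims(flows, min_sources=3, my_prefixes=MY_PREFIXES):
    """Find off-net addresses that many of my hosts are answering with SYN/ACKs
    or RSTs at the same time: the signature of my network being used as a
    reflector. Returns {victim: (distinct_reflecting_hosts, packets)}."""
    reflectors = defaultdict(set)
    packets_to = defaultdict(int)
    for src, dst, proto, _sport, _dport, flags, packets in flows:
        if proto != "tcp" or flags not in ("SA", "R"):
            continue
        if in_any(src, my_prefixes) and not in_any(dst, my_prefixes):
            reflectors[dst].add(src)
            packets_to[dst] += packets
    return {dst: (len(hosts), packets_to[dst])
            for dst, hosts in reflectors.items() if len(hosts) >= min_sources}


if __name__ == "__main__":
    bogon, inbound = bogon_source_share(SAMPLE_FLOWS)
    print(f"bogon-sourced: {bogon}/{inbound} inbound packets ({100 * bogon / inbound:.0f}%)")
    for victim, (hosts, pkts) in reflection_victims(SAMPLE_FLOWS).items():
        print(f"reflection toward {victim}: {hosts} customer hosts, {pkts} packets")
```

The reflection check keys on the outbound side on purpose: the inbound SYNs look like ordinary client traffic from one address, but a normal client never has four of my servers sending it SYN/ACKs and RSTs at once, which is exactly the pattern an outbound RST/SYN-ACK rate limit at the edge would damp.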
On Tue, 14 May 2002, Pete Kruckenberg wrote:
> Have any large networks gathered statistics on how much traffic DDoS/DoS/DRDoS attacks consume on an average day?
> The attacks I have been able to detect represent around 10-15% of my traffic on an on-going basis.
> I'm curious about the business case for investing in DoS defense mechanisms. DoS traffic is boosting service provider revenues through increased customer bandwidth usage.
I disagree. If many of your customers have flat-rate as opposed to burstable connectivity, such as a full point-to-point T1 or a dedicated 10 meg switch port to host a colo box, the revenue you derive from those customers doesn't change regardless of how much/how little traffic your network carries for them. If your customers have burstable connectivity, their bill only goes up if you have mechanisms in place to do those calculations - I'll hazard a guess that many providers don't.

I would argue that in many cases a service provider loses revenue due to DoS traffic - network performance/availability can be impacted as your network absorbs a DoS attack and your NOC/network engineers/security people have to spend cycles analyzing (calling vendors, upstreams, etc) and dampening the attack. Both of these impact windows have costs associated with them.

I haven't done any formal ROI calculations on Arbor or any of the other DoS defense products out there. However, from my viewpoint, I'd be willing to bet that if/once my NOC/network engineers/security people are properly trained on how to handle a DoS attack, anything that allows me to shrink those impact windows, e.g. reduce my costs related with dealing with an attack, is a good thing.
> So the investment in defense mechanisms like Arbor would have to replace or increase that revenue. Will these issues inhibit wide-spread implementation of DoS defenses?
That depends on how those products are priced, how well they're marketed, and of course, how effective they are in helping to stop DoS attacks.

jms