Network Security Pen-Test

RE: DoS/DDoS Attack

Subject: RE: DoS/DDoS Attack
Date: Sat, 15 Jan 2005 12:47:28 -0500
Having seen / been through a few DDoS attacks, some comments:

- The main attacks have been targeting port 80, i.e. web sites.
- "small" attacks are 500MB/s -> 800MB/s.
- "large" attacks are multiple GB/s.
- SYN floods come from random source IPs, that are obviously forged.
- The only viable way to "stop" a DDoS attack is to have upstream providers 
null-route the target IP address (also obviously cutting off access to the real 
product offering as well).
- Most hardware that offers DDoS prevention only does an OK job at it. Most 
hardware (Cat6500s, F5, etc.) isn't really designed (usually CPU resource 
problems) to handle the PPS rate that most DDoSs generate. We've tried all 
sorts of options like SYN proxying in hardware, but nothing has been 
successful except for the TopLayer 5500s that have been mentioned on the list 
(no experience w/ the 100s).
 
The best defense I've found to date for mitigating attacks is:

- have a public facing packet scrubber (like the TopLayers) that can understand 
SYN floods, keep the state table for millions+ possible source IPs and have 
enough CPU/network power to handle the Mb/s / PPS rates.

- You need to have more bandwidth than the attacker. This can become VERY 
expensive (know how much it costs to have 5GB/s of public bandwidth?). There 
are some companies that offer "cleaning" services where traffic first passes 
through them, and then on to you after being cleaned (the customer never sees 
your IP space, and hence can't target it). Prolexic or Akamai are a couple of 
examples.
 
 
Feel free to contact me off list for more information.
 
- Brandon
 
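Added example, not part of Brandon's post or of any product he names: the state-table problem he describes (one entry per forged SYN, for millions of random sources) is what a SYN proxy avoids by issuing SYN cookies, so this is a minimal SYN-cookie scheme in the classic Bernstein layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash). The secret, addresses and ports are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 3-bit index
SECRET = b"constructed-demo-secret"   # per-host secret (constructed); rotate in practice


def _hash24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the connection 4-tuple and the full time counter."""
    msg = struct.pack("!4sH4sHI",
                      ipaddress.ip_address(src_ip).packed, src_port,
                      ipaddress.ip_address(dst_ip).packed, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, counter):
    """ISN to place in the SYN-ACK. No state is kept: the SYN itself is dropped."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) \
        | _hash24(src_ip, src_port, dst_ip, dst_port, counter)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack, counter, max_age=2):
    """Validate the handshake-completing ACK. Returns the encoded MSS, or None.

    A forged source never receives the SYN-ACK, so it cannot produce a valid ACK;
    only hosts that really sent the SYN get a connection entry allocated.
    """
    cookie = (ack - 1) & 0xFFFFFFFF            # the ACK acknowledges ISN + 1
    age = (counter - (cookie >> 27)) & 0x1F    # counter ticks since issue (mod 32)
    if age > max_age:
        return None                            # stale, or counter field forged
    full_counter = counter - age
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, full_counter):
        return None                            # hash mismatch: not a cookie we issued
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    c = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1460, 100)
    print(check_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, c + 1, 101))
```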
