RE: DoS/DDoS Attack

From: FXCM - Brandon Palmer (bpalmer@fxcm.com)
Date: Sat Jan 15 2005 - 12:47:28 EST


Having seen / been through a few DDoS attacks, some comments:
 
- The main attacks have been targeting port 80, i.e. web sites.
- "small" attacks are 500MB/s -> 800MB/s.
- "large" attacks are multiple GB/s.
- Synfloods come from random source IPs that are obviously forged.
- The only viable way to "stop" a DDoS attack is to have upstream providers null-route the target IP address (also obviously cutting off access to the real product offering as well).
- Most hardware that offers DDoS prevention only does an OK job at it. Most hardware (Cat6500s, F5, etc.) isn't really designed (usually CPU resource problems) to handle the PPS rate that most DDoSs generate. We've tried all sorts of options like syn proxying in hardware, but nothing has been successful except for the TopLayer 5500s that have been mentioned on the list (no experience w/ the 100s).
 
The best defense I've found to date for mitigating attacks is:
 
- have a public facing packet scrubber (like the TopLayers) that can understand synflood, keep the state table for millions+ possible source IPs and have enough CPU/network power to handle the Mb/s / PPS rates.
 
- You need to have more bandwidth than the attacker. This can become VERY expensive (know how much it costs to have 5GB/s of public bandwidth?). There are some companies that offer "cleaning" services where traffic first passes through them, and then on to you after being cleaned (the customer never sees your IP space, and hence can't target it). Prolexic or Akamai are a couple of examples.
 
 
Feel free to contact me off list for more information.
 
- Brandon
 
