Anonymous
Dec 5 2003, 12:46 PM
Can your network infrastructure with FloodGuard block/mitigate about 500 Mbps DDoS attack?
I'm having a problem with such an attack and my current provider can only null-route the IP. This is the first time we are being attacked in years, and it seems the only way to "fix" it is to block it a few times, so whoever is attacking will calm down.
Guspaz
Dec 5 2003, 03:45 PM
This would have a major impact on SM's network performance, so I doubt they'd use floodguard to mitigate it.
my_forum_id
Dec 5 2003, 03:58 PM
Who the hell do you have to upset to get a 500mbps DDoS attack?
Seth2
Dec 5 2003, 04:39 PM
You have to remember that there are TONS of criminals out there that will just pick someone at random and DDoS them straight off the internet. And, sad to say, it may be illegal, but no law enforcement will do anything about it. This is a known fact, I know from experience.
So if FloodGuard won't be used in such an instance, or even for a 100mbps attack, then we better get a refund for the months we paid for it.
Guspaz
Dec 5 2003, 06:36 PM
What I mean is, in the case of a 500mbit attack, sure, FloodGuard would try to block it, but it'd probably be useless; an attack that large is going to have a major impact on ServerMatrix's network, let alone your server.
The good news is, if an attack was large enough to cause problems for SM's network, you can BET they'd do something about it.
nature
Dec 5 2003, 06:46 PM
QUOTE (johnz)
Can your network infrastructure with FloodGuard block/mitigate about 500 Mbps DDoS attack?
I would like to know the answer to this as well.
GoltharNL
Dec 6 2003, 07:26 AM
Seriously, if you get hit by something that big, would you really expect your server to be protected?
500 Mbit of garbage is pretty heavy, even for SM.
eddy2099
Dec 6 2003, 09:14 AM
This does seem scary. A 500mbps flood is definitely one which is pretty well organized, and it probably cannot be just from one source.
I believe flood guard is sort of like the veil of incorporation, it will give you that protection that your personal assets would not be touched but it does not mean that you should test the law or bait it. It can only protect you so far and you still need to take the necessary precaution.
Personally I see flood attacks as somewhat like being struck by lightning. It is bad luck if it happens to you once but if it comes to you everywhere you go, it might not be a luck issue after all, it might be you.
Anonymous
Dec 6 2003, 09:53 AM
500 Mbps and big? It is actually relatively small for a DoS attack. As 100 Mbit ports for servers are standard, anything below that is easy to filter with a software firewall at the server, which means that they are not a threat.
And no, they are not "bad luck", but often extortion schemes or competition trying to kill your business.
Can anybody from staff answer my question?
Guspaz
Dec 7 2003, 10:57 AM
500mbit is big. It's half of a very expensive gigabit pipe, and 7% of SM's overall current network bandwidth. It's not a mere blip like a small 10mbit attack.
Serhat
Dec 7 2003, 11:20 AM
QUOTE (Guspaz)
500mbit is big. It's half of a very expensive gigabit pipe, and 7% of SM's overall current network bandwidth. It's not a mere blip like a small 10mbit attack.
Agreed. It would take only 14 servers to be attacked with such "small" floods in order for SM to go down entirely. (assuming of course that the attacks are spread over all of their upstream providers). I wonder how many servers SM has right now and how many of them are under attack on average.
On the other hand, it would take only about 5 cracked servers on 100mbit/s links to generate 500mbit/s. However, the providers of those servers will probably be detecting some "abnormal activity" sooner or later.
Regards,
Serhat
Hogie
Dec 7 2003, 12:01 PM
I know about 2 months ago that ThePlanet took a 600mbps flood and didn't have a problem at all (except for maybe the person it was aimed at). The Juniper core routers they have really kick ass. They were taking the attack without breaking a sweat. I think if you get flood guard, it won't be a problem. They didn't even get a ticket opened because of the DoS. It was just the MRTG graphs that gave it away.
GoltharNL
Dec 7 2003, 01:33 PM
I ordered my flood guard yesterday.
Let's hope there is no need for it, but it's good it's there.
Serhat
Dec 7 2003, 01:47 PM
QUOTE (Hogie)
The Juniper core routers they have really kick ass.
Juniper routers are known to be superior to Cisco ones... it's reassuring that SM goes with those.
Regards,
Serhat
Hogie
Dec 7 2003, 04:59 PM
Yeah. The way they have the network set up is really nice. They actually used to use Ciscos as their core routers, but upgraded to the Junipers and moved the Ciscos to be the VLAN routers. This allows them to process much more pps than with the Ciscos at the core.
Anonymous
Dec 8 2003, 05:31 AM
SM has enough bandwidth that they might be able to take care of it, but unless you're paying some *serious* cash, I doubt you'd be a customer for long being hammered with 500 Mbps.
crodenberg
Dec 8 2003, 08:34 PM
We would use FloodGuard to start our Incident Response process, and we would use several other tools as well.
FloodGuard mitigates DoS by using the routers to drop the traffic. If your network can route 500MB, FloodGuard can deny 500MB for you.
Any large DoS attack quickly turns into an incoming bandwidth vs. router capacity competition. If the attacker is able to bring on more traffic than the router (or host) can process, the DoS becomes effective, and network performance suffers. That's why I keep stressing the fact that there is no civilian network - anywhere - that is "DoS proof". The best that you can do is make it very difficult to "DoS" your customers.
More than likely we'd acl something this big at our edge routers (to get our customers back up), and escalate the DoS attack to our upstream providers and to Law Enforcement.
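The two points raised above (Hogie's flood that only showed up on MRTG graphs, and crodenberg's "incoming bandwidth vs. router capacity" framing) can be made concrete with a small script. This is an added example, not code from the thread or from ServerMatrix/The Planet: it converts MRTG-style cumulative interface octet counters into per-interval rates, flags a flood against a baseline, and shows why a 32-bit ifInOctets counter cannot even measure a 500 Mbit/s flood on a 5-minute poll. All sample counter values are constructed.

```python
"""Flood detection from SNMP-style interface octet counters (added example).

Mimics what an MRTG poller sees: cumulative ifInOctets samples taken every
POLL_SECONDS. All sample values are constructed for illustration.
"""
POLL_SECONDS = 300          # classic MRTG polling interval
COUNTER_BITS = 32           # ifInOctets is 32-bit; ifHCInOctets is the 64-bit version
FLOOD_FACTOR = 10.0         # flag an interval at this multiple of the baseline rate


def counter_delta(prev: int, cur: int, bits: int = COUNTER_BITS) -> int:
    """Octets seen between two polls, allowing for a single counter wrap."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def rates_mbps(samples, poll_seconds=POLL_SECONDS, bits=COUNTER_BITS):
    """Turn cumulative octet samples into per-interval ingress rates in Mbit/s."""
    return [counter_delta(p, c, bits) * 8 / poll_seconds / 1_000_000
            for p, c in zip(samples, samples[1:])]


def flag_floods(rates, baseline_polls=3, factor=FLOOD_FACTOR):
    """Indexes of intervals above factor x the median of the first
    baseline_polls intervals (a crude stand-in for eyeballing the graph)."""
    base = sorted(rates[:baseline_polls])
    median = base[len(base) // 2]
    return [i for i, r in enumerate(rates) if median > 0 and r > median * factor]


def wrap_period_seconds(mbps: float, bits: int = COUNTER_BITS) -> float:
    """Seconds before a counter of this width wraps at the given rate. If this is
    shorter than the poll interval, one-wrap correction is not enough: poll the
    64-bit counter instead."""
    return (1 << bits) * 8 / (mbps * 1_000_000)


def packets_per_second(mbps: float, packet_bytes: int) -> float:
    """Bandwidth is half the story; the forwarding engine is limited by pps."""
    return mbps * 1_000_000 / (packet_bytes * 8)


# Constructed 64-bit counter samples: three quiet 5-minute polls at 10 Mbit/s,
# then two polls during a 500 Mbit/s flood.
SAMPLES_64 = [0, 375_000_000, 750_000_000, 1_125_000_000,
              19_875_000_000, 38_625_000_000]
FLOODED = flag_floods(rates_mbps(SAMPLES_64, bits=64))   # [3, 4]

if __name__ == "__main__":
    print("flood intervals:", FLOODED)
    print("32-bit counter wraps every %.1f s at 500 Mbit/s" % wrap_period_seconds(500))
    print("500 Mbit/s of 64-byte packets = %.0f pps" % packets_per_second(500, 64))
```

At 500 Mbit/s a 32-bit octet counter wraps roughly every 69 seconds, so a 5-minute poll of ifInOctets would silently under-report the flood; the same 500 Mbit/s is under a million pps at 64-byte packets but only about 42k pps at 1500-byte packets, which is the capacity contest crodenberg describes.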
Guspaz
Dec 8 2003, 09:39 PM
Good to know, Craig. You should post more often here
JohnT
Dec 8 2003, 09:40 PM
Craig,
Without trying to get you to reveal any secrets, how vigorously do you pursue these types of issues with law enforcement?
It would be nice if attackers knew to think twice about attacking a server hosted at The Planet.
rsanchez
Dec 8 2003, 09:57 PM
never heard of Juniper routers..
How do they compare in price and installation with Cisco?
crodenberg
Dec 8 2003, 10:04 PM
I'll defer to Will, our VP of Network Engineering for an answer on this.
From a security point of view, they are MUCH more robust.
Maybe I can talk Will into giving a Juniper overview.
..........Will ? .......
crodenberg
Dec 8 2003, 10:33 PM
Very vigorously.
There were some previous posts which inferred that Law Enforcement does not commonly pursue a simple DoS attack against a single customer.
That's not entirely correct. Although Computer Incident Response Teams (a la Computer Crimes division) are overburdened, the FBI (and the newly formed Homeland Security - Information Asset Protection Office) makes an assessment based on business impact and financial loss. A single hacked server is pretty low priority for them, unless other crimes are involved in the hack.
A major DoS attack, on the other hand, impacts hundreds or thousands of customers and creates a HUGE financial loss for all parties involved. That kind of attack gets immediate attention.
(Read this as: The bigger the crime, the quicker the action)
I've been running security teams for more than just a few years now, and I must say that when the incident is big enough -- the Law Enforcement support and cooperation can be nothing short of amazing. Tax dollars, well spent.
wcharnock
Dec 8 2003, 10:46 PM
Hrmmm... I won't get too detailed but here's the basics...
Cisco routers are built on a "distributed" model. Years ago, they moved the packet processing off the RSP (route processor) and onto the linecards via the VIP daughtercards. This was on the original 75XX series routers. At the time, this improved things significantly and all people were happy. When Cisco rolled out their 12000GSR routers, they extended this architecture (albeit with faster linecards and beefier route processors). The problem with this model is that when you started applying policy to the interfaces (access-lists, MPLS tag assertion, rate-limiting, etc), the functions weren't supported in hardware, and so the old problem of packets getting sent to the route-processor reared its ugly head. The net result was that a DOS attack of size could still bring a router to its knees.
Juniper recognized these faults, and built their routers a little differently. They dumped the distributed model and went back to a centralized model (all packets hit a central processor). They did distribute some of the functions though (the route processor does nothing but update routing tables and control the chassis, where the SSB handles all the packet forwarding). They also developed a set of specialized ASICs to handle all the packet forwarding and processing at wire speed. This is called the IP-II processor (Juniper term). They also have stood hard and firm about not rolling out new functions in the router unless it can be done in silicon and at wire speed. While they don't get all the newest features first, they pump huge amounts of packets through without even breaking a sweat. Because of the ASICs, filtering, policing, etc, are all handled at wire speed and there is no performance hit when you enable one of these functions.
Cisco has revamped a number of their linecards for the GSR series by building in ASICs to handle ACLs, rate-limiting, MPLS, etc. The hard part is matching functions with linecard engine numbers with Cisco's. You can buy an Engine1 card that won't do netflow sampling, or an Engine0 card that won't allow you to impose MPLS tags. Junipers aren't burdened with this problem.
So - short story = Juniper networks routers suited our needs better than Cisco did (at least in the core of the network). We still use Cisco routers at the edge (for customer-facing functions), but Juniper will drive our core as long as I work here unless Cisco comes out with something totally new (the rumored HFR might change my mind) that blows the Juniper platform away.
zero0ne
Dec 9 2003, 12:31 AM
Great post, very informative.....
By any chance are you a network engineer?
(I only ask because I'm debating whether I should change from computer engineering to network engineering.)
and keep up the info flow...
wcharnock
Dec 9 2003, 01:00 AM
QUOTE (zero0ne)
by any chance are you a Network engineer?
Umm... Yeah... It helps to be (a network engineer) when you are in charge of network engineering... :-)
I'll keep answering questions as they come...
zero0ne
Dec 9 2003, 03:54 AM
I just wanted to be sure

and I didn't know what you were in charge of.
But what college would you recommend for network engineering?
I currently go to University at Buffalo, but they don't have a network engineering program at all!
Also, what do you personally think the job/market outlook for them is?
I'm quickly getting sick of Java (but I still love C++) as our lectures help us with nothing and our labs are on things we would've spent maybe 10 minutes on in class. Also, working at LANsys at UB and seeing all the servers, networking etc., I feel that that's the thing for me.
(My supervisor has also been teaching me about the 7 abstract layers for networking, and after I got over the whole abstract thing (that's a tough thing for my mind to comprehend sometimes) I really enjoyed learning about all of it.)
Seth2
Dec 9 2003, 11:00 AM
That's interesting, so let's say a 500MB DOS attack would either slow down or severely cripple SM, which in turn means SM is losing tons of money. In turn SM will contact the FBI? I know over at EV1 (I mean them), they just simply pulled the plug instead of doing the right thing.
Also, on a side note, military networks can be DOS'd, as witnessed by events in the last 2 years.
Serhat
Dec 9 2003, 11:18 AM
QUOTE (Seth2)
I know over at EV1 (I mean them), they just simply pulled the plug instead of doing the right thing.

My experience exactly, which is why I'm an ex-EV1 customer who moved to SM.
Regards,
Serhat
crodenberg
Dec 9 2003, 12:43 PM
Yes, we would actually take care of it the right way. The only effective way to discourage serious network mis-adventures is to make it a painful event for the attacker.
GoltharNL
Dec 10 2003, 03:42 PM
QUOTE (crodenberg)
Yes, we would actually take care of it the right way. The only effective way to discourage serious network mis-adventures is to make it a painful event for the attacker.
Send in the midget ninjas to bring the pain closer to home.
Oh wait... wrong forums.
Excellent explanation on the routers, even a software engineer like me understands now.
MickC
Dec 7 2005, 08:51 PM
Yeah.
Managed.com just null-routed one of our servers because of a 500mbps attack; the support team were saying that we were DDoSing these random companies and stuff because they couldn't handle it.
In fact, one of the tech support guys was talking to my friend on AIM and he was saying that they couldn't do much because they all work remotely from home. Nice start.
First, they wanted me to sort it via the Belkin remote console, so I did.
Then came the DDoS blame.
Then they say it's going back up.
Just after, we got an email requesting $25 for it to be put back online.
So we demanded a refund and, funnily enough, were issued it even though they "don't give refunds".
Thus, after reading this thread my custom is now going to SM.
phiber
Dec 8 2005, 03:19 AM
QUOTE (eddy2099)
...it probably cannot be just from one source.
LOL! do you even know what the first D in DDoS stands for?
Matt2k
Dec 8 2005, 08:28 AM
Dastardly?
Destructo?
Dandy?
QUOTE (phiber)
QUOTE (eddy2099)
...it probably cannot be just from one source.
LOL! do you even know what the first D in DDoS stands for?
Maybe D thread is two years old, give him a break?
cprompt
Dec 8 2005, 11:10 AM
QUOTE (MickC)
Thus, after reading this two year old
The content of this thread may or may not still be valid, but I wouldn't base any of my business decisions on two year old information.
nForcer
Dec 8 2005, 11:54 AM
Yeah, 500mbit DDoS...hell I do that in my sleep!
Explains why I don't wake up on time...still lagging from sorting all those fragmented packets!