Posted by lcrosby on Mon Nov 24, 2003
The Floodguard system works best when implemented in advance. When implemented prior to attacks, the sensors "learn" your normal traffic patterns, and this helps detect DDoS or SYN flood traffic. While we have many tools already in place to mitigate DDoS and SYN flood on a global network basis, this level of protection assists you if you are the specific target of the attack. We will be adding a $5 per month option for a single IP (4 IP block... see below). When we route you a block of 4 IPs, only one is usable... one is assigned to the router, one is for broadcast and the other is your gateway. Hence 4 IP block = 1 usable IP, 8 IP block = 5 usable IPs, 16 IP block = 13 usable IPs, 32 IP block = 29 usable IPs, etc. We priced the Floodguard to protect all IPs in the range, not just the actual usable IPs. You will NOT be required to pay $250 if you come under attack; you will only need to pay $250 if you come under attack at a local host level and you wish to implement Floodguard after the fact. We have priced the product to allow all users to sign up in advance. Floodguard will be much more effective before the attack because it will have a baseline of your traffic patterns. After the attack, Floodguard must "learn on the fly", so to speak. It is a very useful tool in mitigating DDoS and SYN flood attacks and I highly recommend implementing it on all servers. I hope this helps; let us know if we can further define the offering.
Posted by crodenberg on Tue Nov 25, 2003 2:07 pm
Here is a link to a FloodGuard demo program:
http://www.netzentry.com/demos/index.php
We will be providing FloodGuard coverage (aka "Protection Domains") in blocks of IPs as follows:
1 IP ----------------> $5.00/month
8 IPs ---------------> $10.00/month
16 IPs --------------> $20.00/month
32 IPs --------------> $40.00/month
64 IPs --------------> $75.00/month
128 IPs -------------> $100.00/month
255 IPs -------------> $200.00/month
"When we decide to get this from SM, do we have access to the control panel sort of thing that you can see in their Flash demos of how it works?
And if not, what happens if it blocks legitimate traffic, such as game server traffic?"
FloodGuard is part of our network infrastructure and is offered as a managed service for the benefit of our customers. No customer access to the system is allowed. The FloodGuard will never block legitimate traffic. This is not an Intrusion Detection system. We already have IDS deployed. This is a DoS / DDoS mitigating system. FloodGuard only watches for and responds to verified DoS / DDoS traffic. I know it will always be tempting to look for external causes when a server isn't working, but unless you're running a "DoS Me" game, the FloodGuard will not be blocking your traffic. Please see FloodGuard's site and read the whitepaper for technical details on connection tracking, whitelisting and more.
"Will SM lift the ban on IRC now that FloodGuard is deployed?"
Not likely.
"Gee, now that I'm DoS proof, I think I'll challenge everyone I know to come DoS me. Maybe I'll even post some inflammatory messages on IRC. I work hard for my money, so I REALLY want to get my $10.00 worth."
You will lose.
DoS mitigated is not DoS / DDoS / DRDoS "proof". It is possible to send enough traffic to overcome the actuators and bring your server down. FloodGuard just makes it very difficult.
<repeat after me> "THERE IS NO INTERNET CONNECTED SYSTEM THAT IS IMMUNE TO THE EFFECTS OF DoS / DDoS."
Additionally, if it becomes known that you challenged the DoS, you may be financially liable for all of the bandwidth consumed during the attack. If you repeatedly invite DoS / DDoS into our network, you will be in violation of our Acceptable Use Policy and Terms of Service.
"I just installed a new software package on my server, and it's not working. I heard that FloodGuard might be blocking traffic to my server somehow"
Ummm.... No. FloodGuard doesn't work that way.
"Well, I was seeing 80,000 hits per day on my stats last week, and now I'm seeing less. I think FloodGuard is blocking people."
Again, No. FloodGuard doesn't work that way.
"But what if 100 people all connect to my server at the same time. Will FloodGuard block them?"
Nope.
FloodGuard only blocks confirmed DoS / DDoS / DRDoS attacks. That's all.
"Well, Mabel Tuscadero from down at Kasperski's Deli told me that product X, Y or Z was MUCH better than FloodGuard."
Tell Mabel that she should stick to selling cold-cuts.
The Planet and Server Matrix are committed to providing you with the best products and managed services available.
"Does this mean that if I do not purchase FG and someone attacks my server I will have to pay $250?"
Absolutely not.
It means that if you fall under a DoS / DDoS attack, have not purchased FloodGuard protection ahead of time, and you now want to use the FloodGuard to mitigate the attack, you will be charged a $250.00 fee for Incident Response.
Incident Response consists of an "emergency" FloodGuard set-up, fast training of the FloodGuard device, isolation of the attack traffic, instant creation of your "protection domain", hand-coded discrimination filtering and finally, the mitigation of the attack on your servers.
The FloodGuard appliances really do work better and are more responsive when set-up in advance of an attack.
Hope that helps to answer some questions.
Posted by wcharnock on Sat Nov 29, 2003
The Floodguard system is comprised of detectors and actuators. The actuators sit in front of the customer routing infrastructure, and the detectors sit on the customer routing infrastructure. The detectors have a passive optical drop that watches all the packets on the network as they go by. The detectors only look at packets that are within their protection domain (i.e., only packets destined for IPs of customers that have signed up for the protection). In order for your server to be protected, the detectors have to have your IPs included within this protection domain.
The actuators are the devices that actually will send filters to the routers to block any offending traffic.
There is no single piece of hardware per server in this; we simply add your IPs to the protection domain on each of the detectors and actuators.
The security team is not in the office during the holidays - they are only available for emergencies, which is why the tickets aren't being updated.
I hope this clears things up a bit for everyone.
Posted by crodenberg on Mon Dec 08, 2003
Here's the deal:
1. It takes a week, or slightly less, to train the FloodGuard enough for it to be a good tool.
2. The FloodGuard does not have to be attacked from a valid IP address to protect you. In fact, most attacks come from "spoofed" addresses. Source address spoofing is not a problem for the FloodGuard. Lack of a good "burn in" is.
3. When you get your updated ticket stating "Your IPs have been added to FloodGuard", count seven days from the date of that ticket. That's how long it takes for training, and for FloodGuard to change modes from "training" to "operation".
Flood Guard is a GREAT anti DoS tool, but it isn't magic pixie dust that gets sprinkled on your server and - Poof! - instant DoS protection. The training period (burn-in) is absolutely necessary.
Another customer also received a sustained 60MB DoS attack this weekend. The only reason the customer knew that the DoS attack happened, was that we created a ticket showing him his attack / protection from same.
If you start your protection training at 10MB, and move to a 100MB connection, an additional seven day training period will be required for the tool to work properly for you. I wish I could change that, but this is the way the technology works.
Short answer: You have to let it train for seven days.
Posted by crodenberg on Tue Dec 16, 2003
QUOTE
If my server is attacked during these seven days... FloodGuard wouldn't "learn" the attacks as being normal, would it?
No, the detection algorithm won't allow for that. FloodGuard would alarm, and come out of training mode.
QUOTE
I dunno, I've been having major problems since Floodguard left its training period for my IPs. I've been getting MAJOR gobs of packets thrown at my server at once.
FloodGuard doesn't "hold on" to or cache packets.
On the issue of the specific 8 byte -DROPPED- packets, FloodGuard is absolutely dropping that. TCP micro-fragments are a typical DoS payload. Stacheldraht, Trash, Trash2, Doomsday, Jolt2 and many, many other DoS tools routinely use short, 8-40 byte TCP packets. It's a fast and easy way to bring down a Windows host -- even behind a firewall if the packets are properly constructed.
If you are routinely sending / receiving TCP microfragments that are 8-40 bytes long to run a game server, FloodGuard is not going to be a great tool for you. Neither is any other tool that detects DoS. If you can use UDP, or normal, full-handshake TCP, you will be much better served. I'm not sure if that's an option on your game, though.
The dropped 8 byte TCP packets aren't due to a bug. These packets are dropped by design, as microfragmented TCP is a classic and effective DoS / DDoS payload.
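As an added illustration (not code from this thread or from the FloodGuard vendor), here is the learn-then-detect behaviour the posts above describe: a detector that only inspects IPs in its protection domain, learns a per-IP baseline over seven quiet windows, leaves training early when a window alarms so the flood is never learned as "normal", and flags 8-40 byte TCP segments. The 5x spike factor, the Packet shape and the sample traffic are constructed assumptions, not values from the thread.

```python
from collections import Counter
from dataclasses import dataclass, field

# Byte-length range the thread calls out as a classic DoS payload (8-40 byte TCP segments).
SHORT_TCP = (8, 40)

@dataclass(frozen=True)
class Packet:
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    length: int   # total bytes on the wire

@dataclass
class Detector:
    protection_domain: set
    training_windows: int = 7        # seven windows, one per day as in the thread
    spike_factor: float = 5.0        # ASSUMPTION: 5x the learned per-IP count is a flood
    history: list = field(default_factory=list)
    mode: str = "training"

    def baseline(self):
        """Mean per-destination packet count over the quiet windows learned so far."""
        total = Counter()
        for window in self.history:
            total.update(window)
        return {dst: n / len(self.history) for dst, n in total.items()}

    def observe_window(self, packets):
        """Consume one window of traffic; return alerts as (dst, reason, count)."""
        counts, short_tcp = Counter(), Counter()
        for p in packets:
            if p.dst not in self.protection_domain:
                continue                      # detectors ignore IPs outside the domain
            counts[p.dst] += 1
            if p.proto == "tcp" and SHORT_TCP[0] <= p.length <= SHORT_TCP[1]:
                short_tcp[p.dst] += 1
        alerts = [(dst, "short-tcp-segment", n) for dst, n in short_tcp.items()]
        base = self.baseline()
        alerts += [(dst, "volume-spike", n) for dst, n in counts.items()
                   if dst in base and n > self.spike_factor * base[dst]]
        if any(reason == "volume-spike" for _, reason, _ in alerts):
            self.mode = "operation"           # alarm: leave training, do not learn the flood
        elif self.mode == "training":
            self.history.append(counts)       # quiet window: extend the baseline
            if len(self.history) >= self.training_windows:
                self.mode = "operation"
        return alerts
```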