How to Launch a 65Gbps DDoS, and How to Stop One – CloudFlare blog

Lots in insight for Enterprise people to consider when defending your network against DDoS attacks.

At CloudFlare, an attack needs to get over about 5Gbps to set off alarms with our ops team. Even then, our automated network defenses usually stop attacks without the need of any manual intervention. When an attack gets up in the tens of Gigabits of data per second, our ops team starts monitoring the attack: applying filters and shifting traffic to ensure the attacked customer’s site stays online and none of the rest of our network is affected.

Uh, most enterprises have a 1Gbps Internet and think that’s pretty good.

Since renting a large botnet can be expensive and unwieldy, attackers typically look for additional ways to amplify the size of their attacks. The attack on Saturday used one such amplification technique called DNS reflection. To understand how these work, you need to understand a bit about how DNS works.

Dammit, I’m a networking guy. Who cares about DNS ? Oh, we do. Right.

At each of our facilities we take additional steps to protect ourselves. We know, for example, that we haven’t sent any DNS inquiries out from our network. We can therefore safely filter the responses from DNS resolvers: dropping the response packets from the open resolvers at our routers or, in some cases, even upstream at one of our bandwidth providers. The result is that these types of attacks are relatively easily mitigated.

Nice. Interesting. If you are an Enterprise guy, you can’t win the DDoS fight, you need external services.

via How to Launch a 65Gbps DDoS, and How to Stop One – CloudFlare blog.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at and on Twitter @etherealmind and Google Plus

You can contact Greg via the site contact page.

  • Peter Carstairs

    I especially liked the use of Voltron.

    There was a talk at Defcon in 2011 by Sam Bowne and co-speaker Matt Prince “Three Generations of DoS Attacks (with Audience Participation, as Victims)” they touched on some of these topic then too.

Subscribe For Weekly Updates by Email

Get a Weekly Summary of Latest Articles and Posts to your Email Inbox Every Sunday

Thanks for signing up. Look for the email from MailChimp & make sure you confirm your email address. You may need to check your spam or gmail settings to be sure of receiving the email.

Note: You can unsubscribe at any time using the link at the bottom of every email.