How to Launch a 65Gbps DDoS, and How to Stop One – CloudFlare blog

Lots of insight for Enterprise people to consider when defending your network against DDoS attacks.

At CloudFlare, an attack needs to get over about 5Gbps to set off alarms with our ops team. Even then, our automated network defenses usually stop attacks without the need of any manual intervention. When an attack gets up in the tens of Gigabits of data per second, our ops team starts monitoring the attack: applying filters and shifting traffic to ensure the attacked customer’s site stays online and none of the rest of our network is affected.

Uh, most enterprises have a 1Gbps Internet and think that’s pretty good.

Since renting a large botnet can be expensive and unwieldy, attackers typically look for additional ways to amplify the size of their attacks. The attack on Saturday used one such amplification technique called DNS reflection. To understand how these work, you need to understand a bit about how DNS works.

Dammit, I’m a networking guy. Who cares about DNS? Oh, we do. Right.

At each of our facilities we take additional steps to protect ourselves. We know, for example, that we haven’t sent any DNS inquiries out from our network. We can therefore safely filter the responses from DNS resolvers: dropping the response packets from the open resolvers at our routers or, in some cases, even upstream at one of our bandwidth providers. The result is that these types of attacks are relatively easily mitigated.

Nice. Interesting. If you are an Enterprise guy, you can’t win the DDoS fight; you need external services.
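The filter rule in the quoted paragraph above, written out as an added example (not CloudFlare's code): an inbound UDP packet from source port 53 with the DNS response bit set is dropped unless it answers a query the network actually sent. The packet builder, the sample addresses and the `outstanding` set are assumptions of this sketch; the set generalizes the post's case (no outbound queries at all) to a network that does send some.

```python
import socket
import struct

DNS_PORT = 53

def make_udp_dns(src, dst, sport, dport, txid, response):
    """Build a minimal IPv4/UDP/DNS-header packet (constructed sample, checksums zeroed)."""
    flags = 0x8180 if response else 0x0100           # QR bit (0x8000) marks a response
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def parse(pkt):
    """Return (src_ip, sport, dport, txid, is_response), or None if the packet
    is not an unfragmented-or-first-fragment IPv4/UDP packet with a DNS header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    # Later fragments of a large response carry no UDP header, so a
    # port-based rule cannot classify them; they need a source-IP rule.
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 + 12:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    txid, flags = struct.unpack_from("!HH", pkt, ihl + 8)
    return socket.inet_ntoa(pkt[12:16]), sport, dport, txid, bool(flags & 0x8000)

def verdict(pkt, outstanding=frozenset()):
    """Return 'drop' for DNS responses that answer no query we sent, else 'pass'.

    outstanding holds (resolver_ip, local_port, txid) for queries in flight.
    The empty default models the network in the post, which sends no queries.
    """
    fields = parse(pkt)
    if fields is None:
        return "pass"                                # outside this filter's scope
    src, sport, dport, txid, is_response = fields
    if sport != DNS_PORT or not is_response:
        return "pass"                                # e.g. a query to our own DNS server
    return "pass" if (src, dport, txid) in outstanding else "drop"

if __name__ == "__main__":
    reflected = make_udp_dns("198.51.100.7", "203.0.113.10", 53, 44321, 0x1A2B, True)
    print(verdict(reflected))
```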

via How to Launch a 65Gbps DDoS, and How to Stop One – CloudFlare blog.

  • Peter Carstairs

    I especially liked the use of Voltron.

    There was a talk at Defcon in 2011 by Sam Bowne and co-speaker Matt Prince, “Three Generations of DoS Attacks (with Audience Participation, as Victims)”; they touched on some of these topics then too.