Arbor Networks DoS defense product

Telus has gone first, and announced it is using Arbor's
products across its backbone network.
http://www.eweek.com/article/0,3658,s=720&a=26867,00.asp

People have been trying the products for a while. Does
Arbor Networks really have an answer to DoS, or does it
still need a little longer in the oven?

Have any large networks gathered statistics on how much
traffic DDoS/DoS/DRDoS attacks consume on an average day?

The attacks I have been able to detect represent around
10-15% of my traffic on an on-going basis.

I'm curious about the business case for investing in DoS
defense mechanisms. DoS traffic is boosting service provider
revenues through increased customer bandwidth usage. So the
investment in defense mechanisms like Arbor would have to
replace or increase that revenue. Will these issues inhibit
widespread implementation of DoS defenses?

Pete.

The attacks I have been able to detect represent around
10-15% of my traffic on an on-going basis.

I'm curious about the business case for investing in DoS
defense mechanisms. DoS traffic is boosting service provider
revenues through increased customer bandwidth usage. So the

If and when
(a) customers don't get exemption for attack traffic
(b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
the month per customer circuit
(c) the DoS increases bytes transferred like large ICMP packet flood; this
is not the case for all DoS traffic, which can be a bunch of small packets
that actually decreases traffic

investment in defense mechanisms like Arbor would have to
replace or increase that revenue. Will these issues inhibit
widespread implementation of DoS defenses?

I think a network that profits from client suffering doesn't keep its
contracts for much time.

Rubens Kuhl Jr.
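Condition (b) above turns on how 95th-percentile billing treats short bursts. The following Python is an added illustration, not code from any poster in this thread: it computes a circuit's billable rate from 5-minute samples and shows that attack traffic confined to 5% or fewer of the month's intervals never reaches the bill, while anything past that boundary does. The percentile convention (drop the top 5% of samples, bill the highest one remaining), the sample counts and the rates are assumptions for the example.

```python
def percentile_95(samples_mbps):
    """Billable rate under the usual 95th-percentile rule: sort the 5-minute
    samples, discard the top 5%, and bill the highest value that remains.
    A 30-day month has 8640 samples, so 432 busy intervals are forgiven.
    Integer arithmetic (ceil of 0.95 * n, minus one for 0-based indexing)
    avoids floating-point surprises at the boundary."""
    ordered = sorted(samples_mbps)
    n = len(ordered)
    idx = (95 * n + 99) // 100 - 1
    return ordered[idx]


def billable_rates(baseline_mbps, n_samples, attack_mbps, attack_samples):
    """Return (quiet, with_attack): the billable rate for a circuit that runs
    flat at baseline_mbps, and for the same circuit with attack_samples of
    its intervals pushed up to attack_mbps by an attack."""
    quiet = [baseline_mbps] * n_samples
    noisy = ([baseline_mbps] * (n_samples - attack_samples)
             + [attack_mbps] * attack_samples)
    return percentile_95(quiet), percentile_95(noisy)


def attack_raises_bill(baseline_mbps, n_samples, attack_mbps, attack_samples):
    """True only when the attack occupies more than 5% of the month's samples,
    which is exactly condition (b) in the post above."""
    quiet, noisy = billable_rates(baseline_mbps, n_samples, attack_mbps, attack_samples)
    return noisy > quiet


if __name__ == "__main__":
    # Constructed scenario: a customer flat at 10 Mbps, attack bursts at 100 Mbps,
    # 100 samples for readability (a real month has 8640).
    for hit in (4, 5, 6):
        print(hit, "of 100 samples under attack ->", billable_rates(10, 100, 100, hit))
```

With a full month of 8640 samples the boundary sits at 432 attacked intervals: 432 leaves the bill untouched, 433 bills the attack rate.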

These might apply to noticeable DoS attacks that occur as
specific events. But how much (D)DoS traffic goes unnoticed
by the average customer because it's too tough to detect or
defend against? The 10% I've measured on my network is
primarily reflected DDoS (reflected off my customers, to
off-net targets), which is not trivial to detect or defend
against.

Pete.

It all depends on the networks involved. I'd venture to say that most
people not associated with university networks see significantly less DoS,
more like 1% of overall traffic for service providers and probably closer
to 0% for end users who aren't IRCing.

At any rate, you are also in the very special case of being the one used
to do the attacks rather than the one being attacked. Again, you really
have to have university networks involved to see those numbers.

In non DDoS cases, particularly your classic bandwidth floods, the source
feels the attack as badly as the victim. That is less the case today, with
targeted attacks (your network MAY fall over routing 100kpps, but it is
far more likely to fall over if those 100kpps are directed at your
routers) and DDoS reducing the amount of power that any given source must
use. Remember that the original point of DDoS was to prevent the sources
from noticing (and thus shutting down the compromised machines) by using
10 networks at 10% instead of 1 at 100%.

Today, you often see targeted high pps low bandwidth attacks which
actually bring down traffic (these *are* supposed to be denial of service
attacks after all :P) instead of raising it.

But as for your case... Attacks directed at you and attacks directed from
you are sometimes the same thing and sometimes different, and I think most
people see money to be made in the former. Personally I would rather have
to deal with the latter, because there is something I can easily do about
it. For the sake of the rest of us, PLEASE go fix your network so that we
don't have to deal with your attacks. I'm still recommending rate limiting
your outbound RSTs either on the webservers themselves (which a good OS
should do), or on the routers. :)

Hi, folks.

Ah, you know when you mention DDoS too frequently I'm bound to post. :)

] specific events. But how much (D)DoS traffic goes unnoticed
] by the average customer because it's too tough to detect or
] defend against? The 10% I've measured on my network is

Valid concern. I tracked five groups of miscreants, each with a botnet,
and recorded well over 100 DDoS attacks in a single 24 hour period.
These were the attacks that were obvious, e.g. the attack was coordinated
or discussed in channel, with the results often pasted into the channel
as well (IRC ping timeouts, traceroutes, pings, HTTP gets, etc.). How
many privately discussed attacks did I not log?

In the underground DoS is ubiquitous and quite frequent. The miscreant
without a botnet or DoSnet is generally in the active pursuit of one or
both. In fact, if you see a sudden upsurge in scans for a particular
port (Sub7, FTP, NetBIOS shares), this is often the result of a botnet
or DoSnet harvest.

Many of the DoS tools and bots are specifically written to generate
seemingly legitimate traffic. These tools do not spoof the source IP.
Some will generate a surfeit of sockets to a web server; this won't
appear as anomalous traffic, particularly if there is no flow analysis
on the network. It isn't clear to me how the various anti-DDoS tools
(Captus, Arbor, Riverhead, et al.) will deal with a surfeit of
legitimate traffic, though Mazu may have some chance of fingerprinting
this traffic (it is essentially an anomaly detector). N.B.: I've not
tested any of these devices.

Many edge networks do not run any sort of flow collection and analysis
tool. They have no idea what is hitting their site, but they know it
is causing woe. They call their ISP and expect them to deduce the
naughty flows. Some ISPs are incapable of analyzing the flows as well.
It's a real mixed bag.

I would argue that there are other things that can be done at the edge
to mitigate the present effect of DoS (measured or unmeasured). Anti-
spoofing does help. In one study I conducted of an oft-DoS'd site,
60% of the naughty packets had _obvious_ bogon source addresses. The
percentage of spoofing was difficult to deduce, though it may have been
quite a bit higher than 60%. Why send such packets through an anti-DDoS
device? It's a waste of cycles. Ah, but you've heard this from me
before, so I'll spare you the rave. :)

What percentage of all Internet traffic is DoS? Unclear. Until the
data is gathered, it can not be analyzed, and the data is rarely
collected.

Thanks,
Rob.
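Rob's 60% figure is the kind of number a plain source-address check over flow data produces. The Python below is an added example, not Rob's study and not code from any of the products named above: it classifies constructed flow records by whether the source address falls in an obviously non-routable range, reports the share of packets and a per-range breakdown, and renders the matching deny entries in Cisco extended-ACL syntax for an ingress anti-spoofing filter. The prefix list is the short, stable subset of bogons (RFC 1918, loopback, link-local, multicast, class E, plus the later RFC 6598 shared range); the unallocated prefixes that make up the rest of a real bogon list change over time and are deliberately left out. The flow records and addresses are constructed.

```python
import ipaddress
from collections import Counter

# Short, stable subset of bogon source ranges. Assumption: a production filter
# also carries the currently unallocated prefixes, which are not listed here.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # RFC 6598 shared address space
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast: never valid as a source
    "240.0.0.0/4",      # class E
)]

# Constructed flow records: (source_ip, packets). The two public-looking
# addresses are placeholders standing in for ordinary customer traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", 250),
    ("192.168.7.7", 150),
    ("127.0.0.1", 120),
    ("0.0.0.0", 80),
    ("66.0.0.17", 220),
    ("130.5.0.9", 180),
]


def bogon_match(src):
    """Return the bogon network containing src, or None if it looks routable."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_NETS:
        if addr in net:
            return net
    return None


def bogon_share(flows):
    """Fraction of packets carrying an obvious bogon source, plus a per-range
    packet count so an operator can see which spoofed ranges dominate."""
    by_range = Counter()
    total = 0
    for src, pkts in flows:
        total += pkts
        net = bogon_match(src)
        if net is not None:
            by_range[str(net)] += pkts
    bogon_pkts = sum(by_range.values())
    return (bogon_pkts / total if total else 0.0), by_range


def ingress_acl_lines(nets=BOGON_NETS):
    """Render the ranges as Cisco extended-ACL deny entries (address plus
    wildcard mask). A real ACL ends with the permit line for everything else."""
    return [f"deny ip {net.network_address} {net.hostmask} any" for net in nets]


if __name__ == "__main__":
    share, breakdown = bogon_share(SAMPLE_FLOWS)
    print(f"{share:.0%} of packets have bogon sources: {dict(breakdown)}")
    print("\n".join(ingress_acl_lines()))
```

Dropping these packets at the edge, before any anomaly-detection box sees them, is the "waste of cycles" point Rob makes: the filter is cheap, static, and catches the spoofed portion without any flow analysis at all.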

Have any large networks gathered statistics on how much
traffic DDoS/DoS/DRDoS attacks consume on an average day?

The attacks I have been able to detect represent around
10-15% of my traffic on an on-going basis.

I'm curious about the business case for investing in DoS
defense mechanisms. DoS traffic is boosting service provider
revenues through increased customer bandwidth usage.

I disagree. If many of your customers have flat-rate as opposed to
burstable connectivity, such as a full point-to-point T1 or a dedicated 10
meg switch port to host a colo box, the revenue you derive from those
customers doesn't change regardless of how much/how little traffic your
network carries for them. If your customers have burstable connectivity,
their bill only goes up if you have mechanisms in place to do those
calculations - I'll hazard a guess that many providers don't.

I would argue that in many cases a service provider loses revenue due to
DoS traffic - network performance/availability can be impacted as your
network absorbs a DoS attack and your NOC/network engineers/security
people have to spend cycles analyzing (calling vendors, upstreams, etc)
and dampening the attack. Both of these impact windows have costs
associated with them.

I haven't done any formal ROI calculations on Arbor or any of the other DoS
defense products out there. However, from my viewpoint, I'd be willing to
bet that if/once my NOC/network engineers/security people are properly
trained on how to handle a DoS attack, anything that allows me to shrink
those impact windows, e.g. reduce my costs related to dealing with an
attack, is a good thing.

So the investment in defense mechanisms like Arbor would have to
replace or increase that revenue. Will these issues inhibit
widespread implementation of DoS defenses?

That depends on how those products are priced, how well they're marketed,
and of course, how effective they are in helping to stop DoS attacks.

jms

Some presentations made at recent NANOGs discussed the
continuous noise generated by DDoS attacks, though I can't
find any numbers showing how much bandwidth the noise uses.

With the number of always-on broadband residential and
small-business customers, are education networks still the
(only) haven of hackers they used to be? Even enterprises
seem to be pretty active DDoS participants; there were/are a
lot of corporations generating CodeRed probes, and a
surprising number of residential machines.

Are there any service providers running IDS/NIDS on their
backbones and monitoring for DDoS attacks, to provide some
empirical data on the scope of DDoS traffic?

Pete.

Hi, Pete.

] With the number of always-on broadband residential and
] small-business customers, are education networks still the

The broadband ranges are now quite popular with the miscreants. Several
of the bots I've recovered conduct targeted scans of the broadband
prefixes. While scanning the entire IPv4 address space - including the
bogons - does yield a lot of hax0red hosts, it also produces a lot of
noise. FYI, the miscreants also _avoid_ certain netblocks in which,
they believe, honeypots and other things reside.

When scanning for easily hacked routers, the miscreants target the
ranges they believe contain "mad fast routers," e.g. routers with > T1
connectivity.

In the case of both hosts and routers, it is increasingly common for
the miscreants to test the bandwidth capabilities of the device. The
sluggish are left unused by many crews (or traded in the very active
underground economy).

Thanks,
Rob.

What leads them to believe this?

It could be very useful as deterrence to know their criteria.

-Dan

Hi, Dan.

] What leads them to believe this?

Well folks aren't exactly subtle about their honeypots. Read any of
the popular security lists for examples of "Hi! My honeypot was hit
last night with blah and blah, here is the sniffer trace..." The
underground shares and trades information as well, so some of the
miscreants learn from experience or each other which networks respond
to attacks, scans, hacking, etc.

] It could be very useful as deterrence to know their criteria.

For the low fee of a cool t-shirt or a bit of gear for my lab I'd be
happy to spread rumours about the mad fast honeypot residing within
your prefixes. :)

Thanks,
Rob.

disinformation as a means to raise the level of uncertainty for the
attacker, it's classic military tactic. what other military tactics can
be used to make life more dangerous for attackers?

i've been tossing around an idea for a "land mine network". randomly
distributed honeypots around the internet. when X landmines are hit from
the same source, that source gets entered into a BGP blackhole feed which
anyone can subscribe to. put landmines in popularly targeted networks,
maybe even make them randomly move about. there are all sorts of wonderful
tactics that could be put to use.

scanning would quickly become self defeating as attackers would only
manage to cut themselves off from the net.

-Dan
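The "land mine network" idea above is a threshold rule over distributed sensor hits. The Python below is an added sketch of that rule, not code from Dan or from any real blackhole feed: it groups constructed honeypot hits by source, flags a source only when it has touched at least X distinct landmines inside a time window (so one noisy connection to a single sensor cannot trip the feed), and renders the result as /32 routes tagged with the well-known BLACKHOLE community 65535:666 from RFC 7999, each carrying an expiry so an entry is released automatically. The hit records, sensor names, threshold, window and hold time are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample hits: (unix_ts, landmine_id, source_ip), using
# documentation addresses. Three sources: one trips three different
# landmines within a minute, one hammers a single landmine four times,
# and one trips three landmines but hours apart.
SAMPLE_HITS = [
    (1000, "lm-01", "203.0.113.10"),
    (1020, "lm-07", "203.0.113.10"),
    (1045, "lm-03", "203.0.113.10"),
    (1000, "lm-02", "198.51.100.20"),
    (1001, "lm-02", "198.51.100.20"),
    (1002, "lm-02", "198.51.100.20"),
    (1003, "lm-02", "198.51.100.20"),
    (1000, "lm-04", "192.0.2.30"),
    (4600, "lm-05", "192.0.2.30"),
    (8200, "lm-06", "192.0.2.30"),
]


def blackhole_candidates(hits, threshold=3, window=600):
    """Return {source_ip: trigger_ts} for every source that hit at least
    `threshold` distinct landmines within some `window`-second span.
    Distinct sensors are counted, not raw hits, so repeated probes of one
    sensor never reach the threshold on their own."""
    by_src = defaultdict(list)
    for ts, sensor, src in hits:
        by_src[src].append((ts, sensor))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; the first window that
        # holds enough distinct sensors decides the trigger time.
        for t0, _ in events:
            sensors = {s for t, s in events if t0 <= t <= t0 + window}
            if len(sensors) >= threshold:
                flagged[src] = t0
                break
    return flagged


def blackhole_routes(flagged, hold_seconds=86400):
    """Render flagged sources as /32 host routes tagged with the RFC 7999
    BLACKHOLE community, plus an expiry timestamp. The expiry matters for
    the objection raised later in the thread: most entries will be hacked
    hosts, and a host that gets cleaned should not stay blackholed."""
    return [
        {"prefix": f"{src}/32", "community": "65535:666",
         "expires": ts + hold_seconds}
        for src, ts in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for route in blackhole_routes(blackhole_candidates(SAMPLE_HITS)):
        print(route)
```

The window and threshold are the two knobs that separate a real scan from coincidence; the expiry is the knob that bounds the collateral damage to compromised hosts.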

Hi, Dan.

] scanning would quickly become self defeating as attackers would only
] manage to cut themselves off from the net.

To some degree, yes. Most of the miscreants are clueful enough not to
scan from their home machines. The end result is a lot of hacked hosts
are black holed. On one hand you could say "serves 'em right for being
hacked!" On the other hand, you could wonder why it is that the
non-geek broadband users must be system, network, and firewall
administrators.

Thanks,
Rob.

] scanning would quickly become self defeating as attackers would only
] manage to cut themselves off from the net.
To some degree, yes. Most of the miscreants are clueful enough not to
scan from their home machines.

I disagree. They have to start somewhere. Most miscreants first attack
offshore hosts, then use those to attack domestic victims.

The end result is a lot of hacked hosts are black holed.

And this is a bad thing?

On one hand you could say "serves 'em right for being hacked!" On the
other hand, you could wonder why it is that the non-geek broadband users
must be system, network, and firewall administrators.

They don't. This is purely a response to rogue networks/blackhats and
apathetic/irresponsible/toothless NOCs.

-Dan

Hi Rob

On 2002-05-15 16:01 -0500 Rob Thomas typed:

On the other hand, you could wonder why it is that the
non-geek broadband users must be system, network, and firewall
administrators.

You might prefer to wonder when home users will start using an OS that
doesn't have security holes you can drive a truck through and the default
config would at least be semi-secure ...

If the home (or at least broadband) users would demand such an OS
they *might* just get it ... ;)

Thanks,
Rob.

Regards,
  Rafi