DDOS Simulation

Hi All,

We are looking into a few different DDOS solutions for a client. We need a
LEGITIMATE company that can simulate some DDOS attacks (the generic +
specific to the client's business). Anyone have any recommendations?

Regards,

Dovid

Looking for similar here.

-Dan

hi dovid

We are looking into a few different DDOS solutions for a client. We need a
LEGITIMATE company that can simulate some DDOS attacks (the generic +
specific to the client's business). Anyone have any recommendations?

i've compiled a fairly comprehensive list here:

- http://ddos-mitigator.net/Competitors

simulating ddos attacks is fairly easy to do, except one does
have to be careful of process and procedure and the all important
"get out of jail for free" card ( let your local ISP techies know too )

  http://DDoS-Simulator.net/Demo
  ( wrapper gui around *perf/nc/nmap/*ping command options )

ddos mitigation is not a "single thing-a-ma-jig", and should
be multi-layered, different solutions solving different DDoS issues

  http://ddos-solutions.net/Mitigation/#Howto
  - how are they attacking
  - who is attacking ( script kiddie vs master of deception )
  - what are they attacking
  - when are they attacking
  - why are they attacking
  - ...

# ---------------------------------------------
# what kind of simulations are you trying to do ??
# ---------------------------------------------
- volumetric attacks, say 10 gigabit vs 200 gigabit attacks, are trivial
  - ping flood, udp flood, arp flood, tcp flood, etc, etc

  local appliances with 10/100 gigabit NIC cards should be able to
  generate close to 100 gigabit/sec of ddos attacks

- udp and icmp attacks are harder to mitigate, since those packets
  need to be stopped at the ISP .... if it came down the wire to
  the local offices, it already used the bandwidth, cpu, memory,
  time, people, etc, etc

- tcp-based ddos attacks are trivial ( imho ) to defend against with
  iptables + tarpits
  if each tcp connection takes 2K bytes, the DDoS attacker
  that is intent on sending large quantity of tcp-based packets
  would incur a counter ddos attack using up its own kernel
  memory

  100,000 tcp packet/sec * 2K byte --> 200M /sec of kernel memory

  ?? with tcp timeout of 2 minutes implies they'd need 24TB of
  ?? kernel memory to sustain a 100,000 tcp packet/sec attack

  # live demo of tarpit incoming ddos attacks
  http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
  http://target-practice.net/cgi-bin/IPtables-GUI.pl

  # command line options are 100x faster and easier than html

  # to automatically add new incoming ddos attackers
  iptables-gui -doadd -addauto

  # to automatically remove inactive ddos attackers
  iptables-gui -dodel -deluto

  ssh based solutions are nice but only work on port 22
  http based solutions are nice but only work on port 80

  there are 65,533 other ports to defend against DDoS attacks
  which is defensible with tarpit

- it is trivial to generate attacks against apache or web browser
- it is trivial to generate attacks against sendmail or mail reader

  - netcat/socat/nc, hping*, nping, etc, etc
  - something that you can define source and destination IP#
  - something that you can define source and destination port#

- it is harder to generate the various malformed tcp headers

  - gui to help set tcp header flags and options for nmap/hping
  - http://ddos-simulator.net/Demo/

- spam, virii and worms seem to be in their own category

- another important question for your clients is if they are under
  any governmental regulations which will limit their choices of solutions
  - hipaa, pci, sox, etc

   inhouse ddos solutions should not have any governmental compliance
   issues

   cloud based ddos solutions and their facilities would have to
   comply with the various governmental issues

   both inhouse and cloud based solutions solve some problems

   another 32+ point comparison for inhouse vs cloud based solutions
   - http://ddos-mitigator.net/InHouse-vs-Cloud

thanx
alvin
- http://ddos-mitigator.net
- http://ddos-simulator.net

Hello!

I would like to recommend MoonGen for generating very high speed
attacks (I have generated up to 56 mpps/40GE with it).

There is another open project: quezstresser.com

OK, I'll bite - what hardware were you using to inject that many packets?

Hello!

It's poor man's traffic generator :slight_smile:

My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5
2604 with 2 port Intel X520 10GE.

hi pavel

It's poor man's traffic generator :slight_smile:

that's the best kind :slight_smile:
as long as it gets the job done and you get to control what it does

My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5
2604 with 2 port Intel X520 10GE.

nice cpu hw

trick questions for those thinking of generating ddos traffic for testing

- ?? how much memory was needed to run the traffic generator

  i assume around 1GB of memory for 1gigE interface and i still
  can purposely run out of memory while some apps are running

  at 10gigE pci card,
  you'd probably want at least 12GB - 16GB of memory

- some "poor man's apps" to generate traffic ... start w/ nping or hping

  # generate 1,000 Mbit/sec of junk .. flooding is trivial ...
  ping -i 0.001 -s 2000 victimIP#
  nping --data-length 2000 --rate 1000 victimIP#
  socat
  iperf ...

Hello David and Dan,
Are you going to perform the DDOS solution yourself, or are you looking for a company to provide a solution for you? Some companies perform an attack simulation for you before buying the product.

I've seen people push close to 10Gbps line rate with 1 byte packets on an Intel card with PF_RING.

Hello!

My machines have 16GB of memory but the traffic generator uses about 1GB
of memory for a 10GE link.

Yep, it's definitely possible. I have done this with
netmap/PF_RING/DPDK and SnabbSwitch.

Hi Dovid,

I recommend checking out NimbusDDOS. http://www.nimbusddos.com/

I know that they have done exactly this for several notable customers,
and also provide insights into impacts (they don't just blindly run the
attacks for you, they provide intelligence behind what's happening to
help you make sense of what is going on.)

Contact me off list if you want me to set up an intro.

Ryan

We are looking for a company that can launch a DDOS attack against the
solutions we are testing. I don't want a proof of concept from the company
that will be offering DDOS protection since they can simulate an easy
attack and then mitigate. I want whomever we go with to be able to handle
whatever is thrown at them.

Seeing as the 'traditional' ways to launch big DDoS attacks are illegal, and you're after a 'legit' company to offer this...

Yeah, I don't think you'll get too far.

You'll either have to roll your own testsuite on a lan environment, or ...

hi dovid

We are looking for a company that can launch a DDOS attack against the
solutions we are testing. I don't want a proof of concept from the company
that will be offering DDOS protection since they can simulate an easy
attack and then mitigate. I want whomever we go with to be able to handle
whatever is thrown at them.

most all ddos simulator folks sell their own version of a ddos mitigator
appliance or ddos cloud services ... both have good and bad ddos mitigation
features depending on the type of DDoS attacks you are defending against

  http://DDoS-Mitigator.net/Competitors

  - largest folks ( aka probably legit ) are probably akamai/prolexic,
  arbor networks, fortinet, incapsula, radware, etc

as previously noted by others, legit corp will ask you for lots of
legal paperwork for their "get out of jail card" for DDoS'ing your servers
and all the other ISP's routers along the way that had to transport
those gigabyte/terabyte of useless ddos packets

imho, most ddos simulator folks will want to know what are you wanting
to simulate .... there are easily, say 100,000 attack vectors ...
  - attack all your IP#
  - attack all ports on each IP#
  - various arp flood
  - various icmp flood
  - various udp flood
  - various tcp flood ( trivial to defend )
  - attack specific vulnerabilities already found and not patched

  - there are probably thousands of apps that can be used
  to launch various DDoS attacks ...

- volumetric icmp DDoS attacks and volumetric udp DDoS attacks will
  most likely take you offline ... almost nothing you can do to
  stop it, prevent it, block it, etc... your ISP has to do that for you
  or your ISP's larger peer has to get in there too

  you will want the ph# of the security guru at the ISP
  to help you resolve the issue

  i doubt any ddos mitigation will help you and more importantly,
  you probably will not want to pay $$$ to the ddos cloud scrubber
  to be removing xTB of udp or icmp DDoS attacks

- if you're thinking of ddos attacks as "anything that is thrown at them"
  against webservers, mail servers, and ssh servers, that is only 3 ports
  out of 65,535 possible attacks

  there is "no such thing as anything that can be thrown at them"

  defending web servers, mail servers and ssh servers can
  be "script kiddie" trivially defended ... as long as it is
  properly patched and maintained and built to be defensible

  before you ask others to DDoS your servers, have you
  already patched apache/sendmail/ssh/openssl, kernels, etc, etc

  ddos attackers will be looking for your weakest link,
  usually login/pwd from outside wifi access points and
  home offices, hotel ethernet, etc

there is almost zero benefit for volumetric 10TB or 20 TB of
DDoS attacks we read about in the papers against large corp. the only
defense is to build your own geographically separate colo in each
major customer country in asia, europe, usa, south america, etc

usually the purpose of DDoS attacks is to take your servers offline or
steal/copy/sniff info or hide in your network or launch other attacks

these are easier ( script kiddie ) DDoS attacks and less likely to
be noticed by your ISP of incoming "attacks"
  - sniff login/passwd from outside ( wifi, home office, etc )
  - install keyboard sniffers
  - install other trojans ( virii, worm, etc )

endless list of attacks to simulate

pixie dust
alvin
- http://DDoS-Simulator.net
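Added example (not code from alvin or any other poster): a small triage script that applies the argument made in both of alvin's replies, that a volumetric udp/icmp flood has already spent your bandwidth by the time it arrives and must be stopped at the ISP, while a tcp flood is state the local box can absorb or tarpit, to constructed flow records, plus the tarpit memory-cost formula from the first reply as a function. Thresholds, the flow line format and the RFC 5737 addresses are assumptions for the demonstration.

```python
from collections import defaultdict
# Constructed sample flows ("epoch_seconds proto src dst dport packets bytes"); RFC 5737 addresses.
SAMPLE_FLOWS = """\
1700000000 udp 203.0.113.10 198.51.100.5 53 90000 135000000
1700000000 udp 203.0.113.11 198.51.100.5 123 80000 120000000
1700000000 icmp 203.0.113.12 198.51.100.5 0 50000 70000000
1700000000 tcp 203.0.113.20 198.51.100.5 80 20000 1200000
1700000000 tcp 203.0.113.21 198.51.100.5 443 15000 900000
1700000001 udp 203.0.113.10 198.51.100.5 53 90000 135000000
1700000001 tcp 203.0.113.22 198.51.100.5 22 400 48000
"""

def parse_flows(text):
    """Parse flow lines into dicts; malformed or blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, proto, src, dst, dport, pkts, nbytes = parts
        flows.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def triage(flows, link_bps, volumetric_fraction=0.5, tcp_pps_limit=10_000):
    """Per protocol: rate, distinct sources and a verdict: udp/icmp filling the link
    -> escalate-to-isp; tcp flood -> local-mitigation (tarpit/iptables); else monitor."""
    if not flows:
        return {}
    window = max(f["ts"] for f in flows) - min(f["ts"] for f in flows) + 1
    per = defaultdict(lambda: {"bytes": 0, "packets": 0, "srcs": set()})
    for f in flows:
        per[f["proto"]]["bytes"] += f["bytes"]
        per[f["proto"]]["packets"] += f["packets"]
        per[f["proto"]]["srcs"].add(f["src"])
    result = {}
    for proto, p in per.items():
        bps, pps = p["bytes"] * 8 / window, p["packets"] / window
        if proto in ("udp", "icmp") and bps >= volumetric_fraction * link_bps:
            verdict = "escalate-to-isp"   # bandwidth was spent before it reached us
        elif proto == "tcp" and pps >= tcp_pps_limit:
            verdict = "local-mitigation"  # stateful flood: iptables/tarpit territory
        else:
            verdict = "monitor"
        result[proto] = {"bps": bps, "pps": pps, "sources": len(p["srcs"]), "verdict": verdict}
    return result

def attacker_state_bytes(pps, per_conn_bytes, hold_seconds):
    """Kernel memory an attacker must commit to keep pps tcp connections parked in a tarpit."""
    return pps * per_conn_bytes * hold_seconds
```

Run `triage(parse_flows(SAMPLE_FLOWS), 1_000_000_000)` for a 1 GbE edge: the udp rows exceed half the link and get escalated, the tcp rows are a packet-rate flood the box can tarpit, the icmp stays under threshold and is only watched.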

No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.

DDoS testing across the Internet is a Big No-No due to legal considerations, potential liabilities, potential for catastrophic error, etc.

Doing it across one's own network which one controls is certainly viable. There are some companies which do that, and which take a belt-and-suspenders approach to ensure that simulated attack traffic doesn't leak, etc.

Simulated DDoS attacks and testing of defenses should be part of any real development environment, along with scalability testing in general. Sadly, this is rarely the case.

The best way to learn how to defend something is to learn how to attack it. Organizations with substantial Internet properties should develop their own organic capabilities to perform such testing in a safe and responsible manner, as it will also enhance the skills needed to defend said properties.

If anyone offers to "test" your DDoS devices across a network that you do
not 100% own, you are risking legal issues.

If they offer to test it across your own network, make sure you have in
writing from your upper management that they understand the risk and approve
it.

If you choose to do it anyway then you are taking a LARGE risk.

Testing should be in your lab and even then you should understand 100% what
is happening to avoid leaking attack traffic into the internet.

-jim

in a previous job (we did ddos mitigation) customer asked all the time for simulation, and typically live across the internet. for all the reasons noted, we didn’t do it, but instead would do a lab/POC with pcaps replayed from previous attacks we had mitigated to show the customer how our platform worked, how we handled incident response, etc.

agree with all comments about NOT doing it over the internet, that way lies madness.

-b

Two more options:
  - http://www.redwolfsecurity.com/#!ddos_testing/cqd6 (not vouching for
them, just raising awareness of the options)
  - Spin up a bunch of VMs at various cloud providers and launch your own
attacks against yourself. Note that you should only do this with the
permission of the cloud provider(s) as you may hit bottlenecks or trigger
automated defenses within their networks.

Damian

If the customer has headroom on a 10G link, what's the harm with running a 1G volumetric DDoS across the Internet? Or if it's application layer, anytime against prescribed lab devices?

Frank