how do onsite appliances protect against DDOS

Started by wintermute000, August 08, 2015, 05:58:45 AM


wintermute000

I understand how cloudflare etc. mitigate DDOS - since the traffic comes to them first it gets scrubbed before hitting you and your transit link. I also understand RTBH BGP, no worries there.


What I do not understand is how onsite appliances do anything. Sure they can stop the traffic before your routers and load balancers and servers melt - but the traffic has already gone down your link so you've used that bandwidth already. Or am I missing something here? Or is the bandwidth usage only a secondary concern, the primary concern is connection counts grinding your LBs/servers to a halt?




deanwebb

The onsite DDOS mitigation is no longer concerned with bandwidth mitigation. It's there to keep the servers from melting. If some guy has launched a "nuke me, please" attack, then he doesn't need to know anything about the network other than his own IP address. He contacts the botnet via HTTPS, it then responds to that request in massive force. Because it looks like an established session, lots of gear will let it all on through. If the offsite bulk DDOS mitigator misses it, then the onsite is set to be more aggressive in traffic analysis to kill and drop that traffic before it pushes your equipment beyond its physical capabilities.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Reggle

DDOS pure flooding to fill the pipe is one thing. A serious SYN attack does not fill the uplink. I've seen over a million SYN packets incoming to one server in a minute, it may have taken 20 Mbps but I doubt it was more. A SYN packet is 62-66 bytes according to my Wireshark.
Also, one TCP connection to a webserver that constantly asks for HTTP GET will barely increase bandwidth usage, yet penetrates the firewall (just one state) and can take down a server perfectly.
Just a few examples.
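The point deanwebb and Reggle are making (the attack that hurts is low on bandwidth but high on connection state or request rate, so an onsite box has to look at traffic behaviour rather than link utilisation) is easier to see with numbers. The following is an added example, not code from anyone in this thread or from any vendor appliance. It uses constructed flow records, the 66-byte SYN size quoted above, and hypothetical thresholds; the function and record names are my own.

```python
"""Low-bandwidth DDoS indicators over constructed connection records.

Shows why an onsite mitigator keys on half-open connections and per-connection
request rates instead of link bandwidth: both attack patterns below fit in well
under 1 Mbit/s.
"""
from collections import defaultdict

SYN_PACKET_BYTES = 66  # on-the-wire SYN size quoted in the thread (62-66 bytes)


def syn_flood_mbps(packets_per_minute, bytes_per_packet=SYN_PACKET_BYTES):
    """Link bandwidth consumed by a bare SYN flood, in Mbit/s."""
    return packets_per_minute * bytes_per_packet * 8 / 60 / 1e6


def synthesize_records():
    """Constructed sample for a 60-second window.

    Each record is (src_ip, dst_ip, flow_id, kind, bytes) with kind in
    {"SYN", "GET", "DATA"}. Addresses are documentation ranges, not real hosts.
    """
    recs = []
    # 1) SYN flood: 5000 bare SYNs from many sources, no handshake ever completes
    for i in range(5000):
        recs.append((f"198.51.100.{i % 250}", "203.0.113.10",
                     f"syn-{i}", "SYN", SYN_PACKET_BYTES))
    # 2) HTTP flood: one established connection (one firewall state) issuing 3000 GETs
    for _ in range(3000):
        recs.append(("192.0.2.7", "203.0.113.10", "conn-1", "GET", 120))
    # 3) legitimate clients: 40 connections, a few GETs each, plus a bulk response
    for c in range(40):
        ip = f"192.0.2.{100 + c}"
        recs.append((ip, "203.0.113.10", f"legit-{c}", "SYN", SYN_PACKET_BYTES))
        for _ in range(5):
            recs.append((ip, "203.0.113.10", f"legit-{c}", "GET", 400))
        recs.append((ip, "203.0.113.10", f"legit-{c}", "DATA", 50_000))
    return recs


def analyze_window(records, window_seconds=60,
                   max_half_open=1000, max_gets_per_conn=200):
    """Summarise one window: bandwidth used plus which behavioural indicators fire.

    Thresholds are hypothetical; a real deployment would baseline them per
    service. Bandwidth is reported but deliberately never used as a trigger.
    """
    total_bytes = sum(r[4] for r in records)
    mbps = total_bytes * 8 / window_seconds / 1e6

    flows = defaultdict(lambda: {"syn": 0, "get": 0, "data": 0})
    for _src, _dst, flow_id, kind, _nbytes in records:
        flows[flow_id][kind.lower()] += 1

    # half-open: flows that saw a SYN and then nothing else (state-table pressure)
    half_open = sum(1 for f in flows.values()
                    if f["syn"] and not (f["get"] or f["data"]))
    # established flows whose request rate is far above a normal client
    hot_conns = {fid: f["get"] for fid, f in flows.items()
                 if f["get"] > max_gets_per_conn}

    findings = []
    if half_open > max_half_open:
        findings.append("syn_flood")
    if hot_conns:
        findings.append("http_get_flood")
    return {"mbps": round(mbps, 3), "half_open": half_open,
            "hot_connections": hot_conns, "findings": findings}


if __name__ == "__main__":
    print(f"1M SYN/min on the wire: {syn_flood_mbps(1_000_000):.1f} Mbit/s")
    print(analyze_window(synthesize_records()))
```

Running it shows a million 66-byte SYNs per minute costing about 8.8 Mbit/s, and the whole constructed window, both attacks included, staying under 1 Mbit/s while 5000 half-open flows and a 3000-request connection trip the behavioural checks. That gap between "link is fine" and "state table and web server are not" is exactly what the onsite appliance exists to watch.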

wintermute000


SimonV

A very good overview of all the mitigation techniques is one I found in a Huawei Anti-DDoS presentation. It goes into some common attacks and how the appliances handle them.

http://www.data.proidea.org.pl/plnog/9edycja/materialy/prezentacje/wachelkapawel.pdf