No, this DDoS was from different IPs in 40-50 countries, so it was performed by zombies. As far as I can tell it was performed with the Agressor2.0 botnet, successor of DirtyJump3.0. This botnet is constructed to let even a 3 y.o. attacker make a serious impact. Each bot not only performs 'http-flood', but also tries to SYN-flood ssh and all other open ports. And by opening lots of connections it makes any Cisco ASA completely unusable, as these devices track TCP connections and there are limits; for example, the Cisco ASA 5510 doesn't allow more than 130k connections (so we can say it supports ~100-200 bots).
This is why haproxy seems to be the best choice - it allows control of all aspects of communication - a Swiss Army knife.

2011/7/27 Craig <cr...@haquarter.de>

> Hi,
>
> > We've tested from the outside. In fact that was a real attack. Botnet
> > consisted of ~10-12k bots each opening 1000 connections/second.
>
> This kind of DDoS seems popular lately. Did it originate from a specific
> AS, did you try to nullroute? I'm curious because mostly when I see
> botnet attacks, they are not widely spread throughout the internet but
> mostly come from <10 AS.
>
> Nice to see that AWS performed here, thanks for sharing. :)
>
> - Craig