UDP clamped on service provider links
Hi, Is it true that UDP is often subjected to stiffer rate limits than TCP? Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream? Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol? Glen
DDOS Simulation
Hi All,

We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations?

Regards,
Dovid
Re: UDP clamped on service provider links
On Mon, Jul 27, 2015 at 10:12 AM, Glen Kent glen.k...@gmail.com wrote:
> Hi, Is it true that UDP is often subjected to stiffer rate limits than TCP?

I hear tell that some folk are engaging in this practice... You might have seen this here little ditty:
http://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

you may have also put your ear to the tracks and seen a bunch of kids using these 'you-dee-pee en-tee-pee' packets to fill up the tubes across the lands... Sometimes they use not just 'en-tee-pee', but also that old hoary bastard 'dee-en-ess' for their no good traffic backup propositions.

> Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

I understand, and I'm new here so bear with me, that there are you-dee-pee services out there in the hinterlands which will say a whole lot more to you than you said to them... like your worst nightmare when it comes to smalltalk.

> Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

not very hard at all... but here's your lipstick and there's the pig... :)
Re: Yandex DNS with Sophos antivirus blocking TrendMicro services
25.07.2015, 19:21, Murat Kaipov mkai...@outlook.com:
> Hello Guys. For 2 days I have experienced an issue with using my TrendMicro software. For some reason web check didn't work. I tried to investigate this issue and found that Yandex DNS services are blocking all TrendMicro sites. I use Yandex secure DNS (dns.yandex.ru servers 77.88.8.8 and 77.88.8.2) for my home environment, which uses Sophos antivirus for threat detection. If I change my DNS server to another, like Google DNS or some DNS servers of my home ISP, all works fine. Please, if there are some guys from Yandex, Sophos or TrendMicro, help to resolve this issue. I'm very happy with my TrendMicro antivirus system and happy with Yandex secure DNS, but if Sophos or Yandex is blocking TrendMicro sites, I and all people who use TrendMicro products and Yandex DNS can't use it anymore.

It will be more efficient if you report this issue here: https://feedback2.yandex.ru/dns/

--
wbr, Oleg.
Anarchy is about taking complete responsibility for yourself. Alan Moore.
Re: DDOS Simulation
Looking for similar here.

-Dan

On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com wrote:
> Hi All, We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations? Regards, Dovid
Re: UDP clamped on service provider links
"It depends on the network." is really the only answer. It's the kind of thing that happens quietly and often can be transient in nature (e.g. temporary big stick filters to deal with an active attack).

As far as the reason it happens to UDP: UDP is a challenge because it's easy to leverage for reflection attacks where the source IP is spoofed to be the target. The major targets are small services that are typically left open on host systems. The big ones being NTP, DNS, and more recently SSDP (universal plug and play left open on consumer routers). Once in a while you see some really old protocols open like CHARGEN, but these are less common.

The ones like NTP and DNS are popular because a small request can trigger a large response (e.g. amplification attack) if services are not appropriately locked down on the host. A while back a big one a lot of people were caught off guard by was the NTP MONLIST function which resulted in up to a 500:1 amplification.

Hopefully rate limiting UDP traffic is something that doesn't happen often, and when people do rate-limit it they ideally limit the scope to known problem protocols (like NTP and DNS) and base limits such that normal use shouldn't be a problem. That said I'm sure there are some who just rate-limit everything (likely arguing that UDP is mostly peer-to-peer anyway). It's a bad practice no doubt.

TCP is still vulnerable to some level of reflection, but these are generally easy to mitigate, and because the setup and teardown for TCP is so small, not very effective for denial of service. There isn't much that happens traffic-wise until the source address has confirmed a connection, which is what avoids spoofing being as big of a problem with TCP as it is for UDP. Similarly ICMP is generally not a problem because ICMP responses are small by design.

On Mon, Jul 27, 2015 at 10:12 AM, Glen Kent glen.k...@gmail.com wrote:
> Hi, Is it true that UDP is often subjected to stiffer rate limits than TCP? Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream? Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol? Glen

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
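A defender-side check for the reflection pattern Ray describes above (and the UDP services "which will say a whole lot more to you than you said to them" from the earlier reply), as an added example that is not code from this thread: it scores UDP flow records by response-to-request byte ratio per reflector service, so a collector at either the reflector's or the victim's side of the link can spot amplification toward a spoofed source. The flow record layout, thresholds and the RFC 5737 sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services the thread names as common reflectors (port -> name).
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN"}

@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style, constructed)."""
    proto: str    # "udp" or "tcp"
    src: str      # source address
    sport: int
    dst: str      # destination address
    dport: int
    nbytes: int

def amplification_report(flows, min_ratio=10.0, min_bytes=10_000):
    """Pair request/response bytes per (client, server, service port) and
    return pairs whose response/request ratio >= min_ratio and whose response
    volume >= min_bytes. In a reflection attack the 'client' is the spoofed
    victim: it receives large responses for little or no request traffic."""
    req = defaultdict(int)   # (client, server, port) -> bytes client -> server
    resp = defaultdict(int)  # (client, server, port) -> bytes server -> client
    for f in flows:
        if f.proto != "udp":
            continue                      # TCP reflection is out of scope here
        if f.sport in REFLECTOR_PORTS:    # service -> client checked first,
            resp[(f.dst, f.src, f.sport)] += f.nbytes   # so DNS->DNS is a reply
        elif f.dport in REFLECTOR_PORTS:  # client -> service
            req[(f.src, f.dst, f.dport)] += f.nbytes
    report = []
    for (client, server, port), out_bytes in resp.items():
        if out_bytes < min_bytes:
            continue                      # small replies are normal use
        ratio = out_bytes / max(req.get((client, server, port), 0), 1)
        if ratio >= min_ratio:            # max(..., 1): no request seen at all
            report.append({"victim": client, "reflector": server,
                           "service": REFLECTOR_PORTS[port],
                           "ratio": round(ratio, 1), "response_bytes": out_bytes})
    return sorted(report, key=lambda r: r["ratio"], reverse=True)

# Constructed sample flows: a normal NTP exchange, a normal DNS lookup, a
# MONLIST-style NTP reflection toward 203.0.113.10 (500:1, the figure quoted
# in the thread), an SSDP reflection seen only from the response side, and a
# TCP flow that is skipped.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.5", 40000, "192.0.2.1", 123, 48),
    Flow("udp", "192.0.2.1", 123, "198.51.100.5", 40000, 48),
    Flow("udp", "198.51.100.5", 41000, "192.0.2.53", 53, 60),
    Flow("udp", "192.0.2.53", 53, "198.51.100.5", 41000, 800),
    Flow("udp", "203.0.113.10", 80, "192.0.2.1", 123, 440),      # spoofed source
    Flow("udp", "192.0.2.1", 123, "203.0.113.10", 80, 220_000),
    Flow("udp", "192.0.2.9", 1900, "203.0.113.10", 80, 30_000),
    Flow("tcp", "198.51.100.7", 5000, "203.0.113.10", 80, 500_000),
]
```

Lowering min_bytes pulls in the ordinary DNS lookup (13:1 but tiny), which is why a volume floor belongs next to the ratio when the output is used to scope a per-protocol rate limit rather than a blanket UDP clamp.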
Re: DDOS Simulation
Hello!

It's poor man's traffic generator :)

My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.

On Mon, Jul 27, 2015 at 11:59 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
>> I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).
>
> OK, I'll bite - what hardware were you using to inject that many packets?

--
Sincerely yours, Pavel Odintsov
RE: DDOS Simulation
Hello David et Dan,

Are you going to perform the DDOS solution yourself, or are you looking for a company to provide a solution for you? Some companies perform an attack simulation for you before buying the product.

From: dro...@gmail.com
Date: Mon, 27 Jul 2015 09:31:21 -0700
Subject: Re: DDOS Simulation
To: do...@telecurve.com
CC: nanog@nanog.org

> Looking for similar here.
>
> -Dan
>
> On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com wrote:
>> Hi All, We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations? Regards, Dovid
Re: DDOS Simulation
hi dovid

On 07/27/15 at 11:32am, Dovid Bender wrote:
> We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations?

i've compiled a fairly comprehensive list here:
- http://ddos-mitigator.net/Competitors

simulating ddos attacks is fairly easy to do, except one does have to be careful of process and procedure and the all important get out of jail for free card ( let your local ISP techies know too )
http://DDoS-Simulator.net/Demo ( wrapper gui around *perf/nc/nmap/*ping command options )

ddos mitigation is not a single thing-a-ma-jig, and should be multi-layered, different solutions solving different DDoS issues
http://ddos-solutions.net/Mitigation/#Howto
- how are they attacking
- who is attacking ( script kiddie vs master of deception )
- what are they attacking
- when are they attacking
- why are they attacking
- ...

#
# what kind of simulations are you trying to do ??
#

- volumetric attacks say 10gigabit vs 200gigabit attacks is trivial
  - ping flood, udp flood, arp flood, tcp flood, etc, etc
  local appliances with 10/100 gigabit NIC cards should be able to generate close to 100 gigabit/sec of ddos attacks

- udp and icmp attacks are harder to mitigate, since those packets need to be stopped at the ISP
  if it came down the wire to the local offices, it already used the bandwidth, cpu, memory, time, people, etc, etc

- tcp-based ddos attacks are trivial ( imho ) to defend against with iptables + tarpits
  if each tcp connection takes 2K bytes, the DDoS attacker that is intent on sending large quantity of tcp-based packets would incur a counter ddos attack using up its own kernel memory
  100,000 tcp packet/sec * 2K byte -- 200M /sec of kernel memory ??
  with tcp timeout of 2 minutes implies they'd need 24TB of ?? kernel memory to sustain a 100,000 tcp packet/sec attack

  # live demo of tarpit incoming ddos attacks
  http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
  http://target-practice.net/cgi-bin/IPtables-GUI.pl

  # command line options is 100x faster and easier than html
  # to automatically add new incoming ddos attackers
  iptables-gui -doadd -addauto
  # to automatically remove inactive ddos attackers
  iptables-gui -dodel -deluto

  ssh based solutions are nice but only work on port 22
  http based solutions are nice but only work on port 80
  there are 65,533 other ports to defend against DDoS attacks, which are defensible with tarpit

- it is trivial to generate attacks against apache or web browser
- it is trivial to generate attacks against sendmail or mail reader
  - netcat/socat/nc, hping*, nping, etc, etc
  - something that you can define source and destination IP#
  - something that you can define source and destination port#
- it is harder to generate the various malformed tcp headers
  - gui to help set tcp header flags and options for nmap/hping
  - http://ddos-simulator.net/Demo/
- spam, virii and worms seem to be in their own category

- another important question for your clients is if they are under any governmental regulations which will limit their choices of solutions
  - hipaa, pci, sox, etc
  inhouse ddos solutions should not have any governmental compliance issues
  cloud based ddos solutions and their facilities would have to comply with the various governmental issues
  both inhouse and cloud based solutions solve some problems
  another 32+ point comparison for inhouse vs cloud based solutions
  - http://ddos-mitigator.net/InHouse-vs-Cloud

thanx
alvin
- http://ddos-mitigator.net
- http://ddos-simulator.net
Re: DDOS Simulation
On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
> I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).

OK, I'll bite - what hardware were you using to inject that many packets?
Re: DDOS Simulation
hi pavel

On 07/28/15 at 12:02am, Pavel Odintsov wrote:
> It's poor man's traffic generator :)

that's the best kind :-) as long as it gets the job done and you get to control what it does

> My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.

nice cpu hw

trick questions for those thinking of generating ddos traffic for testing
- ?? how much memory was needed to run the traffic generator
  i assume around 1GB of memory for 1gigE interface and i still can purposely run out of memory while some apps are running
  at 10gigE pci card, you'd probably want at least 12GB - 16GB of memory

- some poor mans apps to generate traffic ... start w/ nping or hping
  # generate 1,000 Mbit/sec of junk .. flooding is trivial ...
  ping -i 0.001 -s 2000 victimIP#
  nping --data-length 2000 --rate 1000 victimIP#
  socat
  iperf
  ...

  #
  # generate udp or icmp or arp or tcp traffic
  #
  # add options to generate large-sized packets
  # add options to generate 10Gbit/sec ( number of packet/sec )
  #
  # play around with tcp headers
  # add options to send MTU=1501 byte but NOT set DF
  # add options to send ACK but no request
  #
  # add options to spoof source and destination address and ports
  #
  # if the host machine becomes un-available, you've got a problem
  #
  for host in gw dns ntp http smtp
    for protocol in arp icmp udp tcp
      nping --protocol [ options ] host.example.com
      # hping is nice too
    done
  done

  # for bonus arp fun ...
  attacker# arpspoof gateway victim
  attacker# arpspoof victim gateway

  # prevent mitm with:
  use hard coded arp /etc/ethers for linux
  use OpenSSL certs to flag a warning when attacker inserted itself in between gateway and un-aware victim

pixie dust
alvin
- DDoS-Mitigator.net

On Mon, Jul 27, 2015 at 11:59 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:
>> I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).
>
> OK, I'll bite - what hardware were you using to inject that many packets?
Re: DDOS Simulation
Hello!

I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).

There is another open project: quezstresser.com

On Mon, Jul 27, 2015 at 11:25 PM, alvin nanog nano...@mail.ddos-mitigator.net wrote:
> hi dovid
>
> On 07/27/15 at 11:32am, Dovid Bender wrote:
>> We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations?
>
> i've compiled a fairly comprehensive list here:
> - http://ddos-mitigator.net/Competitors
>
> simulating ddos attacks is fairly easy to do, except one does have to be careful of process and procedure and the all important get out of jail for free card ( let your local ISP techies know too )
> http://DDoS-Simulator.net/Demo ( wrapper gui around *perf/nc/nmap/*ping command options )
>
> ddos mitigation is not a single thing-a-ma-jig, and should be multi-layered, different solutions solving different DDoS issues
> http://ddos-solutions.net/Mitigation/#Howto
> - how are they attacking
> - who is attacking ( script kiddie vs master of deception )
> - what are they attacking
> - when are they attacking
> - why are they attacking
> - ...
>
> #
> # what kind of simulations are you trying to do ??
> #
>
> - volumetric attacks say 10gigabit vs 200gigabit attacks is trivial
>   - ping flood, udp flood, arp flood, tcp flood, etc, etc
>   local appliances with 10/100 gigabit NIC cards should be able to generate close to 100 gigabit/sec of ddos attacks
>
> - udp and icmp attacks are harder to mitigate, since those packets need to be stopped at the ISP
>   if it came down the wire to the local offices, it already used the bandwidth, cpu, memory, time, people, etc, etc
>
> - tcp-based ddos attacks are trivial ( imho ) to defend against with iptables + tarpits
>   if each tcp connection takes 2K bytes, the DDoS attacker that is intent on sending large quantity of tcp-based packets would incur a counter ddos attack using up its own kernel memory
>   100,000 tcp packet/sec * 2K byte -- 200M /sec of kernel memory ??
>   with tcp timeout of 2 minutes implies they'd need 24TB of ?? kernel memory to sustain a 100,000 tcp packet/sec attack
>
>   # live demo of tarpit incoming ddos attacks
>   http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
>   http://target-practice.net/cgi-bin/IPtables-GUI.pl
>
>   # command line options is 100x faster and easier than html
>   # to automatically add new incoming ddos attackers
>   iptables-gui -doadd -addauto
>   # to automatically remove inactive ddos attackers
>   iptables-gui -dodel -deluto
>
>   ssh based solutions are nice but only work on port 22
>   http based solutions are nice but only work on port 80
>   there are 65,533 other ports to defend against DDoS attacks, which are defensible with tarpit
>
> - it is trivial to generate attacks against apache or web browser
> - it is trivial to generate attacks against sendmail or mail reader
>   - netcat/socat/nc, hping*, nping, etc, etc
>   - something that you can define source and destination IP#
>   - something that you can define source and destination port#
> - it is harder to generate the various malformed tcp headers
>   - gui to help set tcp header flags and options for nmap/hping
>   - http://ddos-simulator.net/Demo/
> - spam, virii and worms seem to be in their own category
>
> - another important question for your clients is if they are under any governmental regulations which will limit their choices of solutions
>   - hipaa, pci, sox, etc
>   inhouse ddos solutions should not have any governmental compliance issues
>   cloud based ddos solutions and their facilities would have to comply with the various governmental issues
>   both inhouse and cloud based solutions solve some problems
>   another 32+ point comparison for inhouse vs cloud based solutions
>   - http://ddos-mitigator.net/InHouse-vs-Cloud
>
> thanx
> alvin
> - http://ddos-mitigator.net
> - http://ddos-simulator.net

--
Sincerely yours, Pavel Odintsov
Re: ATT wireless IPv6
Hi Jared

I am curious on prefix size of routed block. Is that a /64 routed prefix? How well does it work with Android tethering?

On Thu, Jul 16, 2015 at 4:03 AM, Jared Mauch ja...@puck.nether.net wrote:
> On Jul 15, 2015, at 6:29 PM, Jake Khuon kh...@neebu.net wrote:
>> On 15/07/15 04:54, Jared Mauch wrote:
>>> Does anyone know what the story is here? They have some transparent proxies for IPv4 traffic and I was wondering if they were to be IPv6 enabled soon or if IPv6 will reach the handset.
>>
>> Hmmm... I'm seeing my rmnet1 interface on my Galaxy S5 as having an address out of the 2600:380:46ae::/38 space which is allocated to ATT Mobility.
>
> I exchanged a few emails earlier today with someone and it seems to depend on your APN. If you have the VoLTE APN on your device you can get IPv6, including when tethering. The APN you want is nxtgenphone. If you have a device where you can not edit the APN settings (iPhone) you can not use the IPv6 enabled VoLTE APN. I suspect this will be enabled if they launch VoLTE on the iPhone.
>
> - Jared

--
Anurag Bhatia
anuragbhatia.com
PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
Re: DDOS Simulation
I've seen people push close to 10Gbps line rate with 1 byte packets on an Intel card with PF_RING.

On 28 Jul 2015, at 1:40 am, lobna gouda lobna_go...@hotmail.com wrote:
> Hello David et Dan,
>
> Are you going to perform the DDOS solution yourself, or are you looking for a company to provide a solution for you? Some companies perform an attack simulation for you before buying the product.
>
> From: dro...@gmail.com
> Date: Mon, 27 Jul 2015 09:31:21 -0700
> Subject: Re: DDOS Simulation
> To: do...@telecurve.com
> CC: nanog@nanog.org
>
>> Looking for similar here.
>>
>> -Dan
>>
>> On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com wrote:
>>> Hi All, We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the client's business). Anyone have any recommendations? Regards, Dovid