Slashdot Mirror


User: blyon_prolexic

blyon_prolexic's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. Re:That's frightening on Taking on an Online Extortionist · Score: 4, Insightful
    A "box" to fight multi-gig DDoS attacks is just a bad way to go about it. Ask Tipping Point what their box can do when there are 50,000 SSL TCP sessions (real TCP sessions) with real HTTP headers in there. If their hardware performed as well as marketing engines that TopLayer, Tipping Point, and Cisco have, then everyone in the security industry would all have to go find a new job.

    Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation, however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspections and protocol verification. Prolexic's network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA based hardware device will do the trick may be a bad idea. Also, most devices can not handle out-of-state TCP based attacks (see: Riverhead), so keep your eyes out on that too.

    Prolexic often gets new customers when the TopLayer, Tipping Point, and Riverhead gear fails, so I don't see how anyone could be comfortable with just a single unit to save the day when there are people out there that will take down DNS servers, router serial interfaces, carriers, do long lived TCP sessions to slow down web servers, HTTP connection floods, and anything else they can think of to just hurt the network (75k machines all doing random search queries on a cgi, etc.)

    Further, a box does not have much of a turn-around time, so just call Tipping Point at 2 AM on Sunday when the network failed and nobody has any clue with what is going on. Then wait for their one good programmer to fix the FPGA issue and a week later cross their fingers that whatever they did can stop the botnet that is causing someone's business to fail.

    I may just be a little beat up from all the traffic we deal with, but it's a little insane to say things like, "we have box X, its magic will fix everything."

    -Barrett

  2. Re:That's frightening on Taking on an Online Extortionist · Score: 4, Informative
    The story is kinda odd to read when you lived it. Glad you enjoyed it, we have had a lot more attacks since the one in the story.

    I don't think we can ever take away the bots (it would be nice), because we are seeing P2P bots that run encrypted communications between each other. The attacker guy just tosses his instructions into the P2P stream and they distribute over the entire network - creating a nearly headless command less network that can (once started) operate decentralized. These easy IRC bots are almost a thing of the past now. The point being, as the code base for bot networks grows they will get more complicated and more difficult to shut down.

    If a blackhat geek can download source code and knows how to hack it up, he/she can do anything they want. Then it's down to just finding open machines to install their goods on. Policing the Terabits-per-second of backbone traffic for odd-ball P2P traffic like that is a bad idea.

    Prolexic also gets attacks now that may not have any botnet, some Ixia (packet generator) connected in Asia-Pac blasting 600 Mbps of generated packets does the same as a 10-20k botnet. We believe we have been attacked by something similar to that at least twice.

    The main problem is, there are just bad people out there and you need to create security policy that protects your business. If your revenue stream comes from your online business, then you should protect your online business and not hope your ISP will do that for you.

    -Barrett