[nycbug-talk] Some DoS benchmarking

alex at pilosoft.com alex
Sat Mar 19 13:24:12 EST 2005

On Sat, 19 Mar 2005, Isaac Levy wrote:

> Well, to throw my quick .02? into this one; while your switch may be a 
> bottleneck, I've found that reproducing true distributed network loads 
> on servers is nearly impossible- insomuch as it's extremely difficult 
> to repoduce the *type* of traffic that comes from say, a few thousand 
> machines.
Not really. See pktgen.

> Sick asynchronys entropy in packet latency, types of packet header 
> changes based on routing, etc..- it all becomes an insane number of 
> variables, which in most attacks, is more critical than the actual 
> bandwidth consumed by a ddos.
Whatever "Sick asynchronys entropy in packet latency" is supposed to mean
- it does not enter into CPU utilization or DDoS susceptability.

WRT "types of packet header changes based on routing" - you probably mean
"flow-based routing" as practiced by Linux (I don't know BSD forwarding
stack well enough to comment, but I believe it is similar). Yes, stock
kernels are designed to optimize for 'typical' traffic (which means,
number of flows established per second is 2 orders of magnitude lower than 
packets per second). That also means that performance is really a function 
of flows/second, and if hit with a ddos of 1 flow/packet (random src/dst), 
router (or host) will croak.

> That said, a single box slinging fat packets is far easier for any
> system to deal with than a few thousand boxes trickling out a few
> packets in semi-synchronized bursts.  I mean there's tons of ways to
> tweak out packets from a few boxes to come *closer* to all that
> distributed entropy and chaos, but in the end, it's still limited to the
> number of actual boxes and networks in the mix...
Not true. You can easily simulate proper ddos off a single box with

> > Thoughts?  Observations?  Hints on tuning polling (Hz value) if this 
> > were a real-world DDoS and I wanted to make sure I'm not wasting 
> > cycles processing garbage?
> Nah- I don't think you'll waste cycles- totally bound to learn some
> interesting stuff about performance/behavior, but I've just found for
> performance/etc... testing there's just nothing that compares to
> thousands of machines from around the world slamming things- production
> webserver traffic is the best place to learn, and the kiddies keep us
> busy with *plenty* of chances to learn :)

More information about the talk mailing list