[nycbug-talk] Some DoS benchmarking
alex at pilosoft.com
Sat Mar 19 13:24:12 EST 2005
On Sat, 19 Mar 2005, Isaac Levy wrote:
> Well, to throw my quick .02 into this one; while your switch may be a
> bottleneck, I've found that reproducing true distributed network loads
> on servers is nearly impossible- insomuch as it's extremely difficult
> to reproduce the *type* of traffic that comes from say, a few thousand
Not really. See pktgen.
> Sick asynchronys entropy in packet latency, types of packet header
> changes based on routing, etc..- it all becomes an insane number of
> variables, which in most attacks, is more critical than the actual
> bandwidth consumed by a ddos.
Whatever "Sick asynchronys entropy in packet latency" is supposed to mean
- it does not enter into CPU utilization or DDoS susceptibility.
WRT "types of packet header changes based on routing" - you probably mean
"flow-based routing" as practiced by Linux (I don't know BSD forwarding
stack well enough to comment, but I believe it is similar). Yes, stock
kernels are designed to optimize for 'typical' traffic (which means,
number of flows established per second is 2 orders of magnitude lower than
packets per second). That also means that performance is really a function
of flows/second, and if hit with a ddos of 1 flow/packet (random src/dst),
the router (or host) will croak.
> That said, a single box slinging fat packets is far easier for any
> system to deal with than a few thousand boxes trickling out a few
> packets in semi-synchronized bursts. I mean there's tons of ways to
> tweak out packets from a few boxes to come *closer* to all that
> distributed entropy and chaos, but in the end, it's still limited to the
> number of actual boxes and networks in the mix...
Not true. You can easily simulate proper ddos off a single box with
> > Thoughts? Observations? Hints on tuning polling (Hz value) if this
> > were a real-world DDoS and I wanted to make sure I'm not wasting
> > cycles processing garbage?
> Nah- I don't think you'll waste cycles- totally bound to learn some
> interesting stuff about performance/behavior, but I've just found for
> performance/etc... testing there's just nothing that compares to
> thousands of machines from around the world slamming things- production
> webserver traffic is the best place to learn, and the kiddies keep us
> busy with *plenty* of chances to learn :)
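The flows/second point above (a forwarding path tuned for few long-lived flows falls over when every packet is a new flow) can be shown with a toy LRU flow-cache simulation. This is an added example, not code from the thread or from any real kernel; the cache size, the relative slow-path/fast-path costs and both packet streams are constructed assumptions.

```python
from collections import OrderedDict
import random

FLOW_CACHE_SIZE = 4096   # assumed cache capacity (hypothetical)
SLOW_PATH_COST = 50      # assumed relative cost of a full route lookup
FAST_PATH_COST = 1       # assumed relative cost of a flow-cache hit


class FlowCache:
    """LRU cache keyed on (src, dst, proto, sport, dport) 5-tuples."""
    def __init__(self, size):
        self.size, self.entries = size, OrderedDict()
        self.hits = self.misses = 0

    def lookup(self, flow):
        if flow in self.entries:           # fast path: flow already cached
            self.entries.move_to_end(flow)
            self.hits += 1
            return FAST_PATH_COST
        self.misses += 1                   # slow path: full lookup + insert
        self.entries[flow] = True
        if len(self.entries) > self.size:  # evict least recently used flow
            self.entries.popitem(last=False)
        return SLOW_PATH_COST


def typical_traffic(n_packets, n_flows, seed=1):
    """Constructed sample: many packets over a few long-lived flows."""
    rng = random.Random(seed)
    flows = [("10.0.%d.%d" % (i // 250, i % 250), "192.0.2.10", 6, 1024 + i, 80)
             for i in range(n_flows)]
    return [rng.choice(flows) for _ in range(n_packets)]


def random_tuple_traffic(n_packets, seed=1):
    """Constructed sample: one flow per packet (random src address and port)."""
    rng = random.Random(seed)
    return [("%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4)),
             "192.0.2.10", 6, rng.randrange(1024, 65536), 80)
            for _ in range(n_packets)]


def simulate(packets, cache_size=FLOW_CACHE_SIZE):
    """Return (cache hit rate, average lookup cost per packet) for a stream."""
    cache = FlowCache(cache_size)
    total = sum(cache.lookup(p) for p in packets)
    return cache.hits / len(packets), total / len(packets)


if __name__ == "__main__":
    print("typical traffic: hit rate %.3f, avg cost %.1f" % simulate(typical_traffic(100_000, 1000)))
    print("random 5-tuples: hit rate %.3f, avg cost %.1f" % simulate(random_tuple_traffic(100_000)))
```

With 100 packets per flow (the "two orders of magnitude" gap) nearly every packet hits the cache; with one flow per packet the cache never helps and every packet pays the slow-path cost, which is the flows/second bound the reply describes.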