
ubermoe

join:2012-09-21
Jordan

1 recommendation

DDoS Attacks and Service Providers

I've always been interested in learning more about DDoS attacks, and I truly think they are pretty interesting: the way they are done and the size of the impact they leave. But I also have a question that needs an answer: can't service providers detect that?

Point is: in a DDoS attack, multiple sources are sending an enormous amount of data, causing the links to be fully utilised. Here is my question: with multiple sources sending data to a certain subnet, let's say of a bank, can't service providers detect that?

Today's case: X bank's service line bandwidth is 32mb and there was a DDoS attack with +4.5GB/s targeting the subnet of that X bank, which caused service interruptions in the service provider's backbone network. Why did the service provider not take a step and notice that an absolutely huge amount of traffic was going to a certain IP (probably a subnet, when talking about banks), way larger than what the link can carry?


watice

join:2008-11-01
New York, NY

1 recommendation

They can & do notice it. And take steps to avoid it. Redirect traffic, nullroute ips & hostnames, and then it becomes a game of cat & mouse until someone loses. If you're thinking about using such tactics for social protest, I would highly recommend against it. It's rude and cheesy, and there are way better forms of protest that have more of an impact towards your desired objectives.



ubermoe

join:2012-09-21
Jordan

1 recommendation

watice,

Sure, I am not one of those who will ever use these tactics to harm anything; I mean I will never participate in anything that will affect people. I am asking because it happened to me, and our service provider did not notice it until I made a call and logged a ticket. The link was utilised for like 36 minutes, then started dropping to normal, then jumped again from 2mb to +32mb in one shot. Quick bursts.

Services were up, but today I was informed that customers connected to this service provider's internet network are able to access our websites, but customers with a different ISP are not able to see anything. It's making me crazy trying to understand, in the first place, why allow a certain amount of traffic to pass to a customer's link while the traffic being sent is like 10x the size the link can handle.

I know about redirecting traffic and hostnames but you gave me a topic that seems to be interesting to learn, NullRoute IPs.

Thanks for the reply


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

One problem is that a DDoS is exactly what the name implies, Distributed. Since the traffic is coming from many different IPs and the source IP may even be spoofed it can be difficult to tell what is legitimate traffic and what is part of the DDoS. So you need to at a minimum know which IPs to block otherwise you are simply shutting off the legitimate traffic.

When you ask why they allow 10X traffic to pass to the link, you are really asking why they can not tell legitimate traffic from traffic that is designed to cause problems, and unfortunately the traffic may not have a "neon sign" that they are a part of the DDoS.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


Coolbrz

join:2002-12-16
Kane, PA
Reviews:
·Verizon Online DSL
·Comcast

1 recommendation

reply to ubermoe

I've worked for a cable company and currently work for a telecommunications company.

At neither company did we monitor specific traffic per IP to specific customers. Even customers that have large usage are not given a second thought; there are too many variables.

It shouldn't be up to the service provider to monitor the customer specific traffic and as TheWiseGuy said, try to determine legitimate traffic versus non-legitimate.

It is up to the customer to monitor this and report the offending IPs and the service provider can then block them at the request of the customer.



ubermoe

join:2012-09-21
Jordan
reply to ubermoe

TheWiseGuy and Coolbrz,

I totally agree with you guys. I asked our network team leader on the phone exactly this: "Dear X, in this case, what we..." He interrupted me, saying: "Nothing, we can do nothing." It was a bit frustrating that with all the IPSs, firewalls, packet shapers and so on, there was no solution, and here comes the idea again, which is what you mentioned: we are unable to determine what traffic is legitimate and what is not.

Thanks for your thoughts guys.



ubermoe

join:2012-09-21
Jordan
reply to TheWiseGuy

TheWiseGuy and Coolbrz,

I forgot to mention a little issue that happened in the first 24 hours of the attack. The link was fully utilized for about 45 minutes, then they started to notice abnormal bursts. They thought the issue was solved and the attack was over, but here is what happened:

Users (customers of X bank) with an Internet connection from that provider were able to access services, but users from different ISPs weren't able to access anything. The issue is solved now, but do you guys have an explanation for that matter?


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

An ISP can drop all traffic at its gateway routers inbound to the IP address that is experiencing the DDoS, while continuing to route traffic to that IP internally. Of course this drops all traffic from other ISPs both legitimate and packets intended to DDoS the IP.



ubermoe

join:2012-09-21
Jordan

2 edits

Beautiful piece of info, TheWiseGuy, but let me make sure I understand it. Packets being sent to the gateway inbound for that IP are packets sent from multiple sources, including sources from within the ISP network and from different sources. If it's going to drop all traffic intended to enter the inbound gateway interface, this will drop all traffic from all sources, including the ISP network. I imagine that traffic as the following:

- traffic from within the network: A1
- traffic from outside the network coming from different sources including the DDoS traffic: A2

A1 and A2 are going to enter the inbound interface in order to be routed to an outbound interface after matching QoS/ACLs/etc and then to the company's gateway router. Specifically, the traffic entering the inbound interface of the ISP's gateway is going to be A1+A2, and dropping that traffic will cause all packets from all sources to be completely discarded.

If none of what I mentioned is correct, what do you mean by "continuing to route traffic to that IP internally"? Do you mean traffic known to be generated from within the ISP's network?

Really interesting to know and I hope I am not making it complicated.


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

Take a look at the above picture from a Cisco article.

Assume the IP being DDoSed is in AS(autonomous system) 65500. An ISP could drop all packets at the Border Gateway Routers labeled A and/or B that are being sent to the IP being DDoSed while still routing the packets within its AS. So in this case, when ISP A or B tries to send from Router D or E to the IP that is being DDoSed, routers A or B drop the packets.

An ISP can fairly easily drop *all* packets intended for a specific IP at any of its routers' interfaces, not just the Border Gateway Routers, but when it does that it blocks legitimate as well as unwanted traffic.
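TheWiseGuy's border-router explanation above, and ubermoe's A1/A2 question before it, as an added example that is not part of the thread: a small Python model in which the discard entry for the attacked address exists only on the border routers A and B, so packets arriving from ISP A or ISP B are dropped at the edge while packets from AS65500's own customers (A1) still reach the same address. Router names follow the post; the addresses, the access router F and the other topology details are assumptions.

```python
"""Added example (not from the thread): toy model of the border-only drop.
Topology follows TheWiseGuy's reading of the Cisco picture: AS65500 has border
routers A and B facing ISP A's router D and ISP B's router E, an access router
F for its own customers (assumed), and an internal router C that delivers."""
import ipaddress
from dataclasses import dataclass, field

AS65500 = ipaddress.ip_network("203.0.113.0/24")   # the ISP's customer space
VICTIM = ipaddress.ip_address("203.0.113.10")      # address under attack
BYSTANDER = ipaddress.ip_address("203.0.113.20")   # another customer, same AS

@dataclass
class Router:
    name: str
    border: bool                     # True for the gateway routers A and B
    routes: dict                     # prefix -> next router name, or "deliver"
    discard: set = field(default_factory=set)  # per-router discard entries

    def next_hop(self, dst):
        if dst in self.discard:      # a discard entry beats any route
            return "drop"
        for prefix, hop in self.routes.items():
            if dst in prefix:
                return hop
        return "drop"                # no route at all

def build_topology():
    inside = {AS65500: "C"}
    return {
        "D": Router("D", False, {AS65500: "A"}),  # ISP A, outside the AS
        "E": Router("E", False, {AS65500: "B"}),  # ISP B, outside the AS
        "A": Router("A", True, inside),           # border gateway router
        "B": Router("B", True, inside),           # border gateway router
        "F": Router("F", False, inside),          # AS65500 access router
        "C": Router("C", False, {AS65500: "deliver"}),
    }

def install_blackhole(routers, host):
    """Discard traffic for `host` only where it enters the AS (A1 stays up)."""
    for r in routers.values():
        if r.border:
            r.discard.add(host)

def forward(routers, ingress, dst):
    """Trace a packet hop by hop; returns (routers visited, "deliver"/"drop")."""
    path, hop = [], ingress
    while hop in routers:
        path.append(hop)
        hop = routers[hop].next_hop(dst)
    return path, hop
```

Before `install_blackhole` every path delivers; afterwards packets entering at D or E die at A or B, while packets entering at F, and packets for BYSTANDER from anywhere, are unaffected.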


ubermoe

join:2012-09-21
Jordan

Thank you so much, TheWiseGuy, for your time. Your explanation was totally clear and I get it now.

Appreciate it dude


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to ubermoe

said by ubermoe:

Can't service providers detect that?

Detect, yes. Do anything about? That's a whole different ball of wax altogether.

Having worked with managed service provider solutions, I know Verizon has a service (something-flow) that is supposed to detect traffic anomalies like you're describing, ubermoe; I forget what AT&T calls theirs. I've no doubt telcos worldwide have this ability as well in the gear they're running.

The problem has been and always will be, as you put it yourself, this:

said by ubermoe:

it's where we are unable to determine what traffic is legitimate and what is not.

and all the IPS / firewall / QOS / Anti-anything does NOT replace the intelligence in a human brain in answering that question.

Edit : just cuz I got bored on Google -- »www.google.com/patents/US20120233311

Edit 2 : a better picture of what TheWiseGuy was trying to explain -- »www.cisco.com/en/US/prod/collate···27-1.jpg

Edit 3 : A little "rah rah Verizon," but if you want an actual case study of such a thing, try reading this -- »www.verizonbusiness.com/resource···n_xg.pdf

Regards
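An added example (not from the thread, and not Verizon's or any provider's product) of the per-link check HELLFIRE is describing: a flow-based detector cannot tell legitimate packets from attack packets, but it can compare the offered load for a customer address against that link's provisioned rate and count how many sources are involved. The flow records and the 32 Mb/s figure are constructed to mirror the thread's numbers.

```python
"""Added example (not from the thread, not any provider's product): the check
a flow-based detector can make without knowing which packets are legitimate.
Flow records and the 32 Mb/s provisioned rate are constructed to mirror the
thread's numbers: offered load per destination and second is compared with
the customer link's capacity, and the source count shows the spread."""
from collections import defaultdict

# Constructed records: (second, source, destination, bytes in that second).
FLOWS = [
    (0, "198.51.100.7", "203.0.113.10", 400_000),   # normal: 5.6 Mb/s total
    (0, "198.51.100.9", "203.0.113.10", 300_000),
] + [
    # seconds 1-2: 250 sources x 2.25 MB each = 4.5 Gb/s at one address
    (sec, f"192.0.2.{i}", "203.0.113.10", 2_250_000)
    for sec in (1, 2) for i in range(1, 251)
]

# Provisioned capacity of each customer link, bits per second.
LINK_BPS = {"203.0.113.10": 32_000_000}


def ingress_alerts(flows, capacity_bps, ratio=5.0, min_sources=50):
    """Flag each (second, destination) whose offered load exceeds
    ratio x link capacity; report the overload factor and source count."""
    load = defaultdict(int)       # (second, dst) -> bytes
    sources = defaultdict(set)    # (second, dst) -> distinct source addresses
    for sec, src, dst, nbytes in flows:
        load[(sec, dst)] += nbytes
        sources[(sec, dst)].add(src)
    alerts = []
    for (sec, dst), nbytes in sorted(load.items()):
        cap = capacity_bps.get(dst)
        if cap is None:           # destination is not a monitored customer link
            continue
        bps = nbytes * 8
        if bps > ratio * cap:
            n = len(sources[(sec, dst)])
            alerts.append({"second": sec, "dst": dst, "bps": bps,
                           "overload": bps / cap, "sources": n,
                           "distributed": n >= min_sources})
    return alerts


if __name__ == "__main__":
    for a in ingress_alerts(FLOWS, LINK_BPS):
        print(f"t={a['second']}s {a['dst']}: {a['bps']/1e9:.2f} Gb/s, "
              f"{a['overload']:.0f}x link, {a['sources']} sources")
```

The normal second stays silent; each flood second is reported at roughly 140 times the link's capacity from 250 distinct sources, which is the signal a provider can act on (rate-limit, redirect or null-route) even though no individual flow is labelled as attack traffic.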


ubermoe

join:2012-09-21
Jordan

Great post, HELLFIRE, but you know what? The point is this: okay, there is an attack happening on X and no one is noticing it, while PRTG is showing that the link is fully utilized and services are falling all at once. As for service providers, I don't really get the idea (not completely) that the customer needs to inform their support team of this issue. Yes, the customer needs to monitor its services and links, but wait a minute: a link of 32mb is receiving traffic of 4.5gb; shouldn't that mega even trigger something in their IPSs and firewalls? I mean, I know that we can't distinguish healthy and unhealthy traffic, but as a service provider I assume that it's keeping an eye on the links.

Thanks for the links and documents dude, I saved them and I will finish them today. I liked the Google patent one the most. thanks again.


HELLFIRE
Premium
join:2009-11-25
kudos:18

said by ubermoe:

I don't really get the idea (not completely) that the customer needs to inform their support team of this issue, ...

Replace "maxed out pipe" with "someone wandering without purpose on the street," "customer" with "a member of the public" and "support team" with, say, "police department" and you see how this isn't so clear cut. It's a real Catch-22 situation, without an easy answer.

Regards