Re: OT: Effects of Flow-Based WFQ on DoS/DDoS Attacks

From: Joe Sanchez <marco207p_at_gmail.com>
Date: Mon, 2 Dec 2013 18:43:20 -0600

Kristian, for this you should be looking at a third-party service for true DDoS mitigation.

Simply trying to guess what the type, method, duration and size of a DDoS attack is, with hard-set QoS/HQoS, is just simply futile.

Today's DDoS attacks are not normal, and I've seen some upwards of 5-hour-long, 125Gbps sustained volumetric attacks, but mostly the packets per second is what is going to hurt you the most; 100+ million pps for 1 hour is something financial institutions are looking to mitigate against.

You need layer 7 with dynamic mitigation technology, such as protection against the HTTPS SYN floods observed during most new attacks, and most SSL DDoS protection isn't even provided by most companies today.

I know this doesn't help, but maybe you can provide more information as to exactly what you're looking to protect against, and someone can provide the basic links for things like RFC 3330, NSA router security guides, and NIST guides.

Regards,
 Joe Sanchez

( please excuse the brevity of this email as it was sent via a mobile device. Please excuse misspelled words or sentence structure.)

On Dec 2, 2013, at 2:51 PM, Kristian Francisco <kristian.j.f_at_gmail.com> wrote:

> Hello,
>
> I am hoping someone with deep QoS experience can help direct me in an
> attempt to mitigate DoS/DDoS attacks using QoS. In theory, WFQ seems like a
> good mechanism to handle excessive bandwidth usage by a small number of
> hosts attempting to starve the class-default queue.
>
> Scenario:
>
> - High Bandwidth Transit Links from Service Provider (40 Gbps)
> - Large Number of Customers (Tens-Hundreds of Thousands)
> - Small Traffic Consumption per Average User (>1Mbps)
>
> Concerns:
>
> - Effectiveness of WFQ as a solution
> - Limited Number of Dynamic Queues
> - Willingness of service provider to implement
>
> Does anyone have experience with mitigating these types of attacks without
> specialized services?
>
> Best Regards,
>
> Kristian J. Francisco
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Mon Dec 02 2013 - 18:43:20 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART