
Also interested in this discussion.

 

A few comments I'll make: it depends on the type of DDoS attack. If it's a straight bandwidth flood then snort won't be able to do much at all, this is where the DDoS protection services you were looking at come in. DNS amplification, DNS reflection, SMURF etc are all bandwidth attacks designed to saturate your connection so snort isn't likely to help much with these alone.

 

Snort should be good to protect against application layer attacks and SYN/ACK attacks though.

 

@Wombo you got any experience in this field? 

Edited by leadeater
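As an added illustration of the SYN-flood case the post above says Snort can handle (this is not from the thread), a Snort 2.x local rule that alerts when one destination receives more than 500 bare SYNs per second. $EXTERNAL_NET, $HOME_NET and $HTTP_PORTS are the usual snort.conf variables and are assumed to be defined; the sid is a placeholder in the local range and the 500/s threshold is a constructed starting point to tune against normal traffic.

```snort
# Added example, not from the thread. Put in local.rules.
# Tracking by destination (not by source) matters here: SYN floods usually
# spoof the source address, so a per-source counter would never trip.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL Possible SYN flood against web server"; \
    flow:stateless; \
    flags:S,12; \
    detection_filter:track by_dst, count 500, seconds 1; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)
```

This only gives detection (or a drop if run inline with `drop` instead of `alert`); as the post notes, it does nothing once the upstream link itself is saturated, because the packets are already consuming the bandwidth before Snort sees them.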

Unfortunately I don't have any actual first-hand experience with snort. I've also never really heard of snort being used specifically as a DoS mitigation tool, I suppose the packet inspection aspects of it would lend itself to being somewhat useful for DoS protection. As @leadeater alluded to however, this isn't going to help in the event of bandwidth starvation type attacks.

 

The only way to beat bandwidth starvation is with more bandwidth and a whole lot of scrubbers.


1 hour ago, leadeater said:

Also interested in this discussion.

 

A few comments I'll make: it depends on the type of DDoS attack. If it's a straight bandwidth flood then snort won't be able to do much at all, this is where the DDoS protection services you were looking at come in. DNS amplification, DNS reflection, SMURF etc are all bandwidth attacks designed to saturate your connection so snort isn't likely to help much with these alone.

 

Snort should be good to protect against application layer attacks and SYN/ACK attacks though.

 

@Wombo you got any experience in this field? 

I mean, if I had a 100g backbone and was distributing for say, 1 gig lines to customers, would smaller bandwidth consuming floods be stoppable? (Let's just say 15Gbps NTP.)


1 hour ago, Wombo said:

Unfortunately I don't have any actual first-hand experience with snort. I've also never really heard of snort being used specifically as a DoS mitigation tool, I suppose the packet inspection aspects of it would lend itself to being somewhat useful for DoS protection. As @leadeater alluded to however, this isn't going to help in the event of bandwidth starvation type attacks.

 

The only way to beat bandwidth starvation is with more bandwidth and a whole lot of scrubbers.

You say get more bandwidth. Would it need to be all on the same pipe? 


1 hour ago, Mornincupofhate said:

I mean, if I had a 100g backbone and was distributing for say, 1 gig lines to customers, would smaller bandwidth consuming floods be stoppable? (Let's just say 15Gbps NTP.)

Short answer, yes. I'm really not sure if snort can do this, but then again I've never gone deep into it, so it may be possible.


 

1 hour ago, Mornincupofhate said:

I mean, if I had a 100g backbone and was distributing for say, 1 gig lines to customers, would smaller bandwidth consuming floods be stoppable? (Let's just say 15Gbps NTP.)

 

You talking a 100Gbps connection rate or an aggregate connection that equates to 100Gbps? It's a lot harder to cause load issues on a 100Gbps line vs 10 x 10Gbps obviously since you could saturate 1 or more of the 10Gbps connections which may be tied to a single or multiple clients.

 

Quote

CloudFlare routinely mitigates attacks that exceed 100Gbps, and recently protected a customer from an attack that exceeded 300Gbps—an attack the New York Times deemed the “largest publicly announced DDoS attack in the history of the Internet.”

https://www.cloudflare.com/ddos/ 

 

Looking at the common DDoS protection services they have scrubbing capacities in the TBps which is just scary to even think about.

http://www.toptenreviews.com/business/internet/best-ddos-protection-services/

 

1 hour ago, Mornincupofhate said:

You say get more bandwidth. Would it need to be all on the same pipe? 

Yes since an attack on one client is actually an attack on all clients. You may have given a client a 1Gbps share of the 100Gbps but if someone sends an attack of 101Gbps then that client, everyone else and you included are pretty much dead in the water.

 

It's all down to risk though, just because these huge DDoS attacks exist doesn't mean they would ever be directed at any of your potential clients.


24 minutes ago, leadeater said:

 

It's all down to risk though, just because these huge DDoS attacks exist doesn't mean they would ever be directed at any of your potential clients.

That's exactly what I was thinking. I know a data center that supplies 10g incoming connections for very cheap, like $200 a month, but as you said, if some skid logs into his booter and it's hitting 11gbps, then I'm gonna get rekt.

