The main reason to test your defenses is, obviously, to see if your website can withstand a DDoS attack. More importantly, what happens if it doesn't? Are you subscribed to a fully managed service that is responsive enough to get things rectified in a few minutes, or will it take hours and multiple tickets with no updates, followed by numerous calls into your solution provider's SOC? Now, if you're sure that there will be minimal or no delay in making your site available again, you may just forgo testing your defenses and leave it up to your provider, also known as the "blind faith" method.
For those interested in having at least some assurance that their DDoS mitigation solution works, here are a few finer points to consider when testing.
Break things up to make it easy on yourself
Step 1: Does your site stand up to volumetric attacks?
A) Try a 5 Gb/sec UDP attack
B) Try a 5 Gb/sec TCP attack
C) Try a 10 Gb/sec TCP attack
D) Try a 25 Gb/sec TCP attack
If you pass all of the above, proceed to step 2.
Step 2: Can your site handle HTTP attacks?
This is where things can get really complicated, as there are so many variations of HTTP attacks that we would need 20 pages here to get into all of them. At DOSarrest we are lucky in that we can use our Cyber Attack Preparation Platform (CAPP), which has an easy-to-use interface that even I can use with ease!
CAPP comes with over a dozen TCP attacks and a dozen different HTTP attacks that we have captured from the wild in our 11 years of being in this business, and this is a small fraction of what's out there. It's not perfect, and nothing is going to be perfect in terms of creating the ultimate attack; every site has its weak points, and that's what good hackers are always looking to hit.
How or where you launch your attacks from is not that important. What's important is that the requests coming in are not hitting your origin server; you want your mitigation gear to stop them.
A point that's often overlooked is this: does your site survive an attack by serving up the content requested by the attack, or by not responding to the "HTTP GET" attack at all? What's the difference, and why should you care? If you are using AWS, Azure or even some CDN services claiming DDoS protection, they may just be using their humongous resources to serve up the requests. Yes, your website may not go down, but when you see the bill at the end of the month you'll be scratching your head trying to figure out why you have to pay so much more for your service for the last month.
Interesting side story:
Back in 2009 one of our competitors in this game was Akamai. They are still a competitor, but this was before they bought Prolexic in 2013. They had kicked a Brazilian newspaper that was under attack off their service; the attack was 30 Gb/sec (to the Internet), and at that time Akamai did not have that kind of capacity in Brazil. The newspaper came to us, we took care of things for them and got them back up and running. It was a legendary attack for us at the time. How did we manage it? Instead of serving up the requested content, a front page of approximately 350 KB, we served up an 8-byte file, because we had features that could distinguish between a real visitor and a bot participating in the attack. Total outbound bandwidth was approx. 800 Mb/sec at 2 million requests a second.
So, as you can see, serving the request and, so to speak, not responding to the request are not the same thing. With the machine learning and other bot detection methods we use today, it's important to know this.
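To make the cost difference from the side story concrete, here is an added example (not DOSarrest's or CAPP's code) that models an HTTP GET flood under the two handling policies the post contrasts: serve the full page to every request, or classify requesters and hand a minimal response to those judged to be bots. The request stream is constructed inline, the rate-based bot heuristic and its threshold are assumptions for illustration (a real service uses many more signals), and the page and response sizes are taken from the story above.

```python
"""Outbound-bandwidth cost of an HTTP GET flood under two policies:
'serve everyone' versus 'classify and serve bots a minimal response'.
Added example with constructed data; not DOSarrest's or CAPP's code."""
from collections import defaultdict

FULL_PAGE_BYTES = 350 * 1024   # ~350 KB front page, as in the post
MINIMAL_BYTES = 8              # 8-byte response handed to classified bots
WINDOW_SECONDS = 1.0           # sliding window for the rate check (assumed)
RATE_THRESHOLD = 20            # req/s per IP above which we call it a bot (assumed)


def build_sample():
    """Constructed access log: '<timestamp> <ip> <method> <path>' per line.
    Three bot IPs hammer the front page at 200 req/s for 5 s; five human
    visitors make two requests each, 2.5 s apart."""
    lines = []
    for b in range(3):
        for i in range(1000):
            lines.append(f"{i / 200:.3f} 203.0.113.{b + 1} GET /")
    for u in range(5):
        lines.append(f"{u * 0.9:.3f} 198.51.100.{u + 1} GET /")
        lines.append(f"{u * 0.9 + 2.5:.3f} 198.51.100.{u + 1} GET /news")
    return lines


def parse_log(lines):
    """Yield (timestamp, ip, method, path) tuples from the constructed log."""
    for line in lines:
        ts, ip, method, path = line.split()
        yield float(ts), ip, method, path


def classify_bots(requests, threshold=RATE_THRESHOLD, window=WINDOW_SECONDS):
    """Flag an IP as a bot if it issues more than `threshold` requests
    inside any `window`-second span. Returns the set of flagged IPs."""
    per_ip = defaultdict(list)
    for ts, ip, _, _ in requests:
        per_ip[ip].append(ts)
    bots = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                bots.add(ip)
                break
    return bots


def served_bytes(requests, bots, full=FULL_PAGE_BYTES, minimal=MINIMAL_BYTES):
    """Return (bytes sent if every request gets the full page,
               bytes sent if flagged bots get the minimal response)."""
    serve_all = classify = 0
    for _, ip, _, _ in requests:
        serve_all += full
        classify += minimal if ip in bots else full
    return serve_all, classify


def to_mbps(total_bytes, seconds):
    """Convert a byte count over a duration to megabits per second."""
    return total_bytes * 8 / seconds / 1e6


def summarize(lines):
    """Run the whole pipeline over log lines and report both policies."""
    requests = list(parse_log(lines))
    bots = classify_bots(requests)
    duration = max(r[0] for r in requests) - min(r[0] for r in requests)
    serve_all, classify = served_bytes(requests, bots)
    return {
        "requests": len(requests),
        "bots": sorted(bots),
        "serve_all_mbps": to_mbps(serve_all, duration),
        "classify_mbps": to_mbps(classify, duration),
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample()).items():
        print(f"{key}: {value}")
```

The heuristic here is deliberately crude; the point it demonstrates is that the outbound bill under a GET flood is driven by what you send back, so a mitigation service that answers bots with a few bytes instead of the full page keeps both the origin and the bandwidth charge small.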
Here's an example of a site and how it responds on AWS vs. our system. It's the exact same attack, and in both cases the site suffered no downtime or latency; the difference is how the attack is handled. Below are a couple of screen shots showing an example.
Screen shot from CAPP using a “HULK” attack on a website on AWS.
Screen shot from CAPP using a “HULK” attack on the same website going through our DDoS protection service.
What if I test and fail?
- Don't worry, every reputable DDoS protection service has the ability to stop these attacks. Have your DDoS mitigation provider make some configuration changes until you pass.
Feel the need to test your defenses? Have a look here.
CEO, DOSarrest Internet Security