[c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard

Matt Buford matt at overloaded.net
Tue Mar 24 16:43:23 EDT 2009


On Sun, Mar 15, 2009 at 10:54 AM, Drew Weaver <drew.weaver at thenap.com> wrote:

> Does anyone here have any real world experience with Cisco Guard or other
> products such as Arbor's Peakflow that they can share?
>
> If you've tried multiple systems and ended up with a specific one, please
> share the reasoning behind it.
>

I have had Cisco/Riverhead Guards deployed for years.  I bought them back
before Cisco bought Riverhead.  I do not have the detectors though.


> Also, without a dedicated DDoS system deployed, what is the most
> reliable/fastest way to determine the destination(s) of the attacks (SNMP,
> NetFlow, etc)?
>

Netflow is what we use.  Something as simple as a "top 100 sources" and "top
100 destinations" page, which then lets you click on a listed IP and see a
random selection of flows is tremendously useful for this.

Our focus is to keep the victim site active, so null routing (locally or
upstream) isn't an option unless traffic levels reach catastrophic levels.
For this purpose, we've found the Guard to be very effective at flood
attacks, but pretty much useless for zombie attacks.

SYN floods, UDP floods, or really any kind of raw packet flood is easily
handled by the Guard.

However, build a zombie network of 10,000 hosts, each of which hits a
high-cost URL (say /search.cgi?query=findme) only once per second, and the
guard just passes it through.

In one situation (back in 2004 I believe), I had a long list of zombies that
I detected through simple perl analysis of the web server log files.  I
think the method I used was something like "excluding all GIF/JPG hits, any
host that hit this search URL, and only this URL, at least once during each
hour of the last 12 hours".  This generated a list of roughly 20,000
attacking hosts. But even knowing that, how could I block them?  The
firewall can't handle a config of 20,000 /32's.  The router can't handle
that either.  I tried putting them in the guard, and nope it couldn't handle
the blacklist either.

So, what worked?  I put them in .htaccess.  It was trivial for the web
server to handle a 20,000 line .htaccess file, accept these connections, and
return 403 forbidden.  This kept the attackers from hitting the high-cost
dynamically generated URL and brought load on the servers to near-normal
levels.

So, in short, I've found the Guard to be very effective at blocking flood
type attacks, but I've found zombie attacks (where each zombie is actually
hitting the site very slowly) are generally best handled on the server.
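The log heuristic and .htaccess deny list described in the post above, reconstructed as an added Python example (the original perl is not in the post): hosts that request only the search URL, in every hour of a trailing window, with GIF/JPG hits ignored, are emitted as Apache 2.2 Deny directives. The sample log lines, IP addresses, and the 3-hour window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: host, timestamp, request line (status, referer, UA not needed)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
IMAGE_RE = re.compile(r"\.(gif|jpe?g)(\?|$)", re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_zombies(lines, search_path="/search.cgi", window_hours=12):
    """Hosts that hit search_path, and no other non-image URL, in every hour of the
    trailing window; the window ends at the newest hour present in the log."""
    search_hours = defaultdict(set)  # host -> hour buckets in which it hit the search URL
    other_hosts = set()              # hosts that fetched some other page: left alone
    newest = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not in combined format; skip
        host, stamp, path = m.group(1), m.group(2), m.group(4)
        if IMAGE_RE.search(path):
            continue                 # GIF/JPG hits are excluded, as in the original heuristic
        hour = datetime.strptime(stamp, TS_FMT).replace(minute=0, second=0, microsecond=0)
        newest = hour if newest is None or hour > newest else newest
        if path.split("?", 1)[0] == search_path:
            search_hours[host].add(hour)
        else:
            other_hosts.add(host)
    if newest is None:
        return []
    required = {newest - timedelta(hours=i) for i in range(window_hours)}
    return sorted(h for h, hrs in search_hours.items() if h not in other_hosts and required <= hrs)

def htaccess_deny(hosts):
    """Apache 2.2 (mod_authz_host) .htaccess body that answers 403 to every listed host."""
    return "\n".join(["Order Allow,Deny", "Allow from all"] + [f"Deny from {h}" for h in hosts])

# Constructed sample log (not from the post) spanning a 3-hour window, 08:00-10:59.
def _log(host, hour, path):
    return f'{host} - - [15/Mar/2009:{hour:02d}:00:01 +0000] "GET {path} HTTP/1.1" 200 512 "-" "ua"'

SEARCH = "/search.cgi?query=findme"
SAMPLE_LOG = (
    [_log("10.0.0.1", h, SEARCH) for h in (8, 9, 10)]                                            # search only, every hour: zombie
    + [_log("10.0.0.2", h, SEARCH) for h in (8, 9, 10)] + [_log("10.0.0.2", 9, "/index.html")]   # browses other pages: legit
    + [_log("10.0.0.3", h, SEARCH) for h in (8, 10)]                                              # misses an hour: not flagged
    + [_log("10.0.0.4", h, SEARCH) for h in (8, 9, 10)] + [_log("10.0.0.4", 8, "/logo.gif")]     # GIF hit ignored: zombie
)
```

Running `find_zombies(SAMPLE_LOG, window_hours=3)` yields 10.0.0.1 and 10.0.0.4; with the default 12-hour window the 3-hour sample flags nobody, which is the intended conservatism of requiring a hit in every hour.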

