
I have some questions regarding DDoS attacks and how they really work. I really need a good explanation, as I can't find any good reference that can help me.

Questions:

  1. What is the relation between PPS (packets per second) and Mbps, and can a huge number of pps, like 500k/second, lead to a DDoS even if the packets are getting dropped by the firewall?

  2. Can a DDoS like a SYN/UDP flood get fully mitigated only by iptables, and can iptables handle any kind of DDoS regardless of its strength and speed? Also, can iptables installed on the same server that is being attacked handle a very huge number of pps and drop them without any problems or effect on performance?

  3. For the SYN flood, most people recommend using SYN cookies as a perfect solution to mitigate SYN floods, but unfortunately trying it didn't help. Why? Do SYN cookies have limits, or does something need to be tweaked on the server, like the file descriptors?

  4. Does upgrading the network card on the server from 100 Mbit to 1 Gbps help mitigate the DDoS attack more, or will it have no effect?

NOTE: I mean in this case only upgrading the network interface, while the network speed stays the same.

  5. Does the connection speed of the attacker matter, e.g. can an attack from a server with 100 Mbps send more packets per second or more bandwidth than a normal connection with 10 Mbps? In other words, can a single server with a 1 Gbps connection take a whole server down like a DDoS from a big botnet that has around 100k infected computers online with home connections?

2 Answers


You have to be more specific here. There are a couple of ways to do a (D)DoS:

a) "Application DoS" (don't know if the correct name exists for this), is where the network can handle the traffic, but the application server(s) cannot. That is when incoming traffic is below network speed, but the number of requests is above what the application server can handle. (or your proxy, or whatever the attacker is connecting to)

In this case, yes (question 1), the bigger the number of packets, the higher the load is to filter/drop them. But usually if there are simple rules (drop packets after a specific number of concurrent connections), most firewalls can work at line speed. If you have more complex rules (L4, L7, ...), and a great number of them, a large number of packets can produce a high enough load for the firewall to drop all packets which didn't make it to the buffer (because it was filled up).

For iptables (question 2) it is the same. If there is only one DROP rule, it will work without problems with a large number of packets. If you make rules more complex, load goes up, and kernel starts dropping packets no matter what the rules are.

Syncookies (question 3) work well with syn floods because the system does not need to reserve resources for the connection. If the botnet computers respond to syn/ack with ack, the handshake is made, and the resources are reserved and used. It depends on what you tested the syncookies with.

Upgrading a network card (question 4) depends on the network/internet provider. If you have a 20/20mbit line, it doesn't matter if you have a 100mbit or 1gig card, since you are limited by your ISP. If you have a 200mbit line, having a gigabit card helps a lot (but why would you have a 100mbit card with a paid 200mbit service??).

b) The (D)DoS attack traffic is larger than your network/internet connection speed. This is when the attacker sends you more traffic (no matter which - tcp, udp, icmp, ...) than your network connection can handle. If this happens, you are basically screwed, and there is nothing you(!) can do. You can of course call your ISP, and arrange for them to firewall you (just allow connections from your country, etc.), if they can do it and if you can afford it.

The number of computers DDoSing is not relevant in theory. If you have a 10mbit line, and the attacker sends 100mbit of UDP traffic, your connection "stops working". It doesn't matter if the traffic comes from 1 pc with a 100mbit line, or from 100 pcs with 1mbit lines. But for your ISP it's a lot easier to block 1 IP than to block 100, 1000 or millions of different IPs, and it's even harder to know which traffic is legitimate (people wanting your service), and which is malicious attack traffic.

Scott Pack
mulaz
  • Thanks a lot, many things are now clearer for me. I still need to know now: if my server has a 100mbit line and it gets attacked by a large number of packets per second which reach the server and make around 200mbps, which is more than the server's line speed, but these packets, when they reach the server, are getting dropped by the iptables rules, will this have any effect on the server or cause any kind of DDoS? – Security Geek May 14 '12 at 02:05
  • If you have a 100mbit line, and someone sends you 200mbit of traffic, your connection won't "work" (packets will be dropped even by the ISP, and half of the legitimate packets won't go through, so your service won't work). It's like being on a sinking ship... if you can pump out 100 liters/second of water, and there are 200 liters/second coming in, you're sinking... it doesn't really matter how many holes there are, or where exactly you are pumping from (directly at the hole - iptables, or the bottom of the ship - application side). – mulaz May 14 '12 at 08:20
  • OK, I understand, so this means that you cannot block any DDoS using iptables on your server, as dropping packets when they reach the server will have no effect. So if the server is getting incoming traffic to HTTP at a speed of 1gbps and that traffic gets dropped by iptables when it reaches the server, this means the server will still get DDoSed, right? No matter whether packets are dropped or not? So the main solution to protect from the DDoS attack is by filtering the traffic before it reaches the server, by the datacenter or the ISP, am I correct? – Security Geek May 14 '12 at 10:06
  • If there's more incoming traffic than your connection can accept, there is nothing you can do, except talk to your ISP. If someone DDoSes you with 1gbps and you have a 100mbps line, only your ISP can help you. But, if you have a webserver with a slow (cpu intensive) PHP script, an attacker can do enough requests and use up (for example) only 1mbps, but your server will still be overloaded (cpu-wise) to serve anyone else - but you can use iptables to block the attacker, and still serve other (legitimate) users. – mulaz May 14 '12 at 10:18
  • Well, I understand the CPU overload and DoSing of server applications like Apache or MySQL as you said, but what I was referring to is that filtering packets with iptables and dropping them on the server that is being DDoSed will have no effect in mitigating the DDoS? iptables in this case cannot do anything regarding the DDoS and the solution should come only from the datacenter, to null route the attacker's IP address, is that correct? – Security Geek May 14 '12 at 11:16
  • If someone is sending you 1gbit of data, and you're on a 100mbit line, when the buffers get filled (fast), you get (at least) 90% packet loss. Even if you drop all the attacker's packets with iptables, no legit traffic works with 90+% packet loss. So if you drop them locally with iptables (or not, or whatever else you do locally), your service doesn't work. If the datacenter/ISP has a 10gbps line, and they filter the traffic and drop all the attack traffic, your service still works, since only legit packets come through to you. – mulaz May 14 '12 at 11:26

Packet per second (pps) and Megabit per second (Mbps) are related as:

Megabit per second = Packet per second * packet size (bits) / 1,000,000

iptables can help you somewhat in controlling DDoS attacks, but the problem is how to distinguish attack requests from legitimate requests. Yes, you can use iptables on your gateway and on your servers.

I don't think upgrading your NIC or changing its speed will have any effect on the ability to defend against DDOS attacks as in most cases your bandwidth is much lower than interface speed.

Khaled
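A small model of the arguments in both answers, added here as an example and not part of either answer: Khaled's pps/Mbps formula, mulaz's "sinking ship" comparison of dropping attack traffic on the host with iptables versus at the ISP/datacenter, and his case (a), where the line is fine but the application's CPU is not. The model's assumptions are constructed for illustration: the saturated line drops packets blindly (FIFO tail-drop, so drops hit legitimate and attack packets alike), and the request rate and per-request CPU time in the `__main__` block are made-up figures.

```python
# Constructed illustration of the pps/Mbps relationship and of where attack
# traffic is dropped. Not from the original answers; numbers in __main__ are
# the ones quoted in the thread plus made-up application figures.


def pps_to_mbps(pps: float, packet_bytes: int) -> float:
    """Khaled's formula: Mbps = pps * packet size (bits) / 1,000,000."""
    return pps * packet_bytes * 8 / 1_000_000


def mbps_to_pps(mbps: float, packet_bytes: int) -> float:
    """Inverse: how many packets of a given size a link carries per second."""
    return mbps * 1_000_000 / (packet_bytes * 8)


def legit_loss_fraction(line_mbps: float, attack_mbps: float,
                        legit_mbps: float, filtered_upstream: bool) -> float:
    """Fraction of legitimate traffic lost on the victim's line.

    filtered_upstream=False: attack and legitimate packets share the line and
    the excess is dropped blindly before iptables on the host ever sees it
    (assumed FIFO tail-drop; mulaz's sinking ship).
    filtered_upstream=True: the ISP/datacenter, with a bigger pipe, drops the
    attack traffic, so only legitimate packets compete for the line.
    """
    offered = legit_mbps + (0.0 if filtered_upstream else attack_mbps)
    if offered <= line_mbps:
        return 0.0
    return 1.0 - line_mbps / offered


def app_overloaded(requests_per_s: float, service_ms: float, workers: int) -> bool:
    """mulaz's case (a): the line copes but the application does not.

    Utilisation = offered CPU work / worker capacity; above 1.0 the request
    queue grows without bound even though bandwidth use stays tiny.
    """
    return requests_per_s * service_ms / 1000.0 / workers > 1.0


if __name__ == "__main__":
    # Question 1: 500k pps of 64-byte packets is far more than a 100 Mbit line.
    print(f"500k pps x 64 B = {pps_to_mbps(500_000, 64):.0f} Mbps")
    print(f"a 100 Mbit line carries at most {mbps_to_pps(100, 64):.0f} pps of 64 B packets")

    # mulaz's comment: 1 Gbit into a 100 Mbit line with 10 Mbit of real users.
    print(f"legit loss, dropping on the host : {legit_loss_fraction(100, 1000, 10, False):.1%}")
    print(f"legit loss, filtered at the ISP  : {legit_loss_fraction(100, 1000, 10, True):.1%}")

    # 1 PC at 100 Mbit and 100 PCs at 1 Mbit offer the same load to a 10 Mbit line.
    same = legit_loss_fraction(10, 1 * 100, 0, False) == legit_loss_fraction(10, 100 * 1, 0, False)
    print(f"source count irrelevant to saturation: {same}")

    # Made-up slow-PHP case: 200 req/s at 50 ms CPU each on 8 workers.
    print(f"application overloaded at ~1 Mbit: {app_overloaded(200, 50, 8)}")
```

The point the model makes concrete is the one both answers circle around: `legit_loss_fraction` only reaches zero when the attack traffic is removed before the victim's line, whereas `app_overloaded` can be true at a bandwidth iptables on the host can easily handle, which is the case where local filtering actually helps.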