If you are reading this, it’s likely you have already deployed an Intelligent DDoS Mitigation System or plan to do so soon. It’s a great feeling to know you are seeing and stopping attacks. It’s also important to know that you have the systems properly tuned and your operators are prepared to deal with attacks in the future. As with any type of response activity, practice makes perfect. To that end it’s a good idea to have a DDoS simulator on hand.
By simulating a DDoS attack you can verify that you are catching the real ones. It’s also a great way to fine tune your mitigation for optimal performance. Last and most importantly, you can run drills at regular intervals. In this way your team can practice identifying and dealing with threats in real time without having to put production resources at serious risk. Drills can also be useful for training new employees.
We know that DDoS attacks can be multi-dimentional and even though you have the right tools in place, you really don’t know if your team is up to the challenge. You need some sort of multi-dimentional tool to simulate real world attacks. It isn’t enough to simply use a script that sends SYN packets towards a single host. In order to know how to use countermeasures, you need a tool that can send multiple types of attacks. Ideally, that tool will also be easy to use.
Recently, I got to spend some time the folks at BreakingPoint. What I liked about their solution was the combination of simplicity and power. They have pre-configured Denial of Service attacks to evaluate your defenses.These include application-layer, VoIP and brute force attacks such as: HTTP Fragmentation, SlowLoris, SSL Renegotiation, UDP Flood, VoIP Flood, and IPv6 Extension Header Fragmentation among others. They can also simulate legitimate traffic combined with multiple types of DDoS for a very realistic test environment.
Last month at Cisco Live! in San Diego, Arbor and BreakingPoint teamed up for a live demonstration at the World of Solutions. Using BreakingPoint’s Firestorm system, Arbor Consulting Engineer, Scott Rikimaru, was able to easily create a DDoS attack profile simulating SlowLoris. During the live demonstrations Scott would initiate the attack from the Firestorm against an Arbor Pravail APS appliance. The attack immediately became visible on the Pravail APS and then Scott began mitigation by switching into “Active Mode”. The audience got to see the mitigation in real time with attack traffic being dropped and legitmate traffic passed.
We all know the threat landscape is constantly changing. Make sure you test your IDMS deployment regularly so you can keep it running in top condition and get the most out of your investment.