-
May 7th, 2005, 06:04 PM
#1
Question about DoS Attacks
Hiya
After browsing some of Soul's thread on pings, it got me thinking. Somewhere there was mention that a DoS Attack is a massive flood of Ping requests.
I already knew that, but my question is: how many is 'massive'?
How much would it take to saturate a line enough to halt all traffic? I'm guessing this depends on bandwidth available, let's just say 10Mb for argument's sake.
Any thoughts?
-
May 7th, 2005, 09:53 PM
#2
Massive is relative. Some botnets are estimated to be 20,000 or 30,000 PCs strong, many of which would be on DSL/Cable connections these days. If each of those can average just 50 kbps upstream (obviously dialup bots will do less and broadband bots will do far more), that's over a gigabit per second of traffic. In many cases that's enough to cause headaches for the ISP as a whole, not just the target.
It's also worth noting that DDoS attacks aren't necessarily based purely on filling the target's pipe, although that's certainly one way of doing it. Creating a whole lot of legitimate-looking requests can also be enough to keep the target application (e.g. a web server) so busy that it can't handle legitimate requests. The box itself might still have bandwidth free, but if the web server is overloaded then it's still effectively down.
Safe computing is a habit, not a toolkit.
-
May 8th, 2005, 02:19 AM
#3
 Originally Posted by hongman
Somewhere there was mention that a DoS Attack is a massive flood of Ping requests. I already knew that, but my question is: how many is 'massive'? How much would it take to saturate a line enough to halt all traffic? I'm guessing this depends on bandwidth available, let's just say 10Mb for argument's sake.
I assume you mean 10Mbps? (10Mb has no relation to time). The largest packet you can reliably send over the internet is 1500 bytes so you would need to send approx 834 ICMP0/8 packets a second. This really isn't "massive" when you consider the effectiveness of bandwidth saturation attacks like the smurf amplifier.
A smurf amplifier works through two principles: directed broadcast and IP spoofing. Directed broadcast means that I can address a packet to all the hosts in a particular subnet. IP spoofing allows me to craft the packet so that the response goes to the target machine. Using this method I can send out one packet that will generate hundreds to thousands of packets addressed to the target machine - hence the term "amplifier".
It's important to note that a firewall at your end of the pipe will not prevent a bandwidth saturation DDoS attack. Even if you don't reply to the echo_request/replies, the packets are still routed to you. To effectively combat a DDoS attack of this type you either need to use redundant pipes or filter the attack farther upstream where you have more of a pipe to absorb the attack. Getting an ISP to support this and react quickly takes a lot of phone calls or a lot of money for security features.
Last edited by CataclysmCow; May 8th, 2005 at 01:16 PM.
CataclysmCow
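Seen from the target's side, the smurf traffic described in post #3 arrives as echo replies the target never requested. The following is an added example, not code from any poster in this thread, that flags such seconds in constructed packet records; the record layout, the documentation-range addresses and the 50% alert threshold are assumptions.

```python
from collections import defaultdict

LINK_BPS = 10_000_000  # the 10 Mbps line used as the example in this thread

def build_sample():
    """Constructed records: (second, src, dst, icmp_type, size_bytes), time-ordered."""
    victim = "192.0.2.10"
    pkts = [(0, victim, "198.51.100.7", 8, 84),   # victim pings a peer
            (0, "198.51.100.7", victim, 0, 84),   # solicited reply, must be ignored
            (2, "198.51.100.99", victim, 0, 84)]  # one stray reply, below threshold
    # Second 1: 900 replies of 1500 bytes from 225 hosts of one subnet,
    # none of which the victim ever pinged (the smurf pattern from post #3).
    pkts[2:2] = [(1, f"203.0.113.{i % 225 + 1}", victim, 0, 1500) for i in range(900)]
    return victim, pkts

def find_reply_floods(packets, victim, link_bps=LINK_BPS, alert_fraction=0.5):
    """Return per-second alerts where unsolicited echo replies fill the link."""
    pinged = set()  # peers the victim itself sent echo requests (type 8) to
    per_sec = defaultdict(lambda: {"bits": 0, "sources": set(), "nets": set()})
    for sec, src, dst, icmp_type, size in packets:
        if icmp_type == 8 and src == victim:
            pinged.add(dst)
        elif icmp_type == 0 and dst == victim and src not in pinged:
            stats = per_sec[sec]
            stats["bits"] += size * 8
            stats["sources"].add(src)
            stats["nets"].add(src.rsplit(".", 1)[0] + ".0/24")
    alerts = []
    for sec in sorted(per_sec):
        stats = per_sec[sec]
        load = stats["bits"] / link_bps  # fraction of the line consumed
        if load >= alert_fraction:
            alerts.append({"second": sec, "load": round(load, 2),
                           "sources": len(stats["sources"]),
                           "networks": sorted(stats["nets"])})
    return alerts

if __name__ == "__main__":
    victim, packets = build_sample()
    for alert in find_reply_floods(packets, victim):
        print(alert)
```

A load above 1.0 means the replies alone exceed the line's capacity, which is why the filtering has to happen upstream of the saturated link.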
-
May 8th, 2005, 10:59 AM
#4
Thanks for the explanations. I just wanted to get some sort of figures into my head.
I assume you mean 10Mbps? (10Mb has no relation to time).
Yup 
Thanks again