
DDoS Simulation: a necessity?

Introduction

DDoS attacks are now a major threat to financial institutions, e-commerce businesses and
governments alike. They can take down stock exchanges, voting sites and other critical online
infrastructure, and many large organizations are investing ever larger sums to mitigate this
attack vector.

Most of that budget goes to the DDoS mitigation systems themselves. Validating those systems
once deployed has now become a necessity, in the same way it did for the firewalls deployed in
the 90's and, later, for IPS and WAF devices. Organizations wanted to verify that those systems
did what they were relied upon to do, namely keep their network from being broken into, and so
“pentesting” and “vulnerability scanning” became standard parts of every organization’s cyber
security program.

The same logic applies to DDoS simulation testing. Stock exchanges, banks, governments and
other large organizations cannot afford downtime without significant financial and public
relations damage, and should have DDoS tests run against their environment on an ongoing basis
to ensure a stable and secure cyber security posture.




The Problem
The vital issue for an organization with a DDoS mitigation deployment is that it cannot verify
the level of protection it actually has. Prior to testing, the organization holds only unproven
assumptions about its DDoS mitigation capabilities. It may have had a couple of DDoS attacks
mitigated in the past, or none at all, but it is not possible to know what level of protection is
really in place without testing it and seeing what you are and are not protected against. Like
all other systems, DDoS mitigation systems have their weaknesses, and those weaknesses are
unlikely to be fully disclosed, or even known, by the vendors when they pitch their solutions.
Configuration mistakes and architectural design weaknesses outside the mitigation system
itself can also lead to serious downtime.

Reasons a DDoS attack may affect an organization’s service availability include:

- No DDoS protection deployed
- DDoS protection deployed but incorrectly configured
- The wrong kind of DDoS protection for the specific environment
- Unsuitable IT architecture within the organization
- New DDoS attack techniques in the wild that the deployed system does not cover
- No defined IT procedures for responding to such attacks



When a DDoS mitigation system is deployed and configured, it is important to remember that it is
configured for the threats known at that point in time. An organization may only see its
mitigation system exercised once in an entire year, and with each passing month new threats
emerge that may render the current configuration inadequate.

The worst scenario an organization can face after investing in DDoS mitigation equipment is to
come under DDoS attack and lose all service availability for anywhere from a few hours to a few
weeks. No organization wants to troubleshoot its DDoS mitigation system in a time of crisis,
when cost, complexity and the downtime incurred all rise significantly.


The Solution

Your DDoS mitigation strategy, along with every assumption made about it, should be tested at
least every quarter to verify that you are ready for both short and prolonged DDoS campaigns.
The Securif DDoS testing platform, with real-time reporting and control, will help you verify
the resilience of your IT infrastructure on an ongoing basis. The only way to know you are
protected against a DDoS attack is to launch comparable attacks against your own infrastructure
during “peace time”.

Securif offers two types of DDoS testing:

“Base level DDoS” testing – In this test we simulate the most common volumetric (network-layer)
and application-layer DDoS attacks: for example SYN floods, UDP floods, ICMP floods and
fragment floods at the network layer, HTTP floods, HTTPS floods and Slowloris at the
application layer, as well as botnet simulations.

This type of test takes a few hours to perform and verifies that the fundamentals of your DDoS
mitigation system are working.

“APT level DDoS” testing (Advanced Persistent Threat testing) – This type of testing verifies
that if you are targeted by cyber criminals or other groups wanting to harm your organization,
you can withstand the attacks without your service availability or security being disrupted.
In this type of test we verify the following:

- All “base level” tests pass
- Strength of the layer 7 (application-layer) challenges
- Strength of the behavioral detection algorithms
- Infrastructure resilience to a well-planned DDoS attack
- Review of all APIs in use and their resilience to DDoS attack
- Review of all services in the organization and how a successful attack on one affects the
others
- Business logic flaws under DDoS
- Custom attack tools, built to resemble those a real attacker would use

This type of test takes anywhere from a few days to a few weeks to complete, depending on the
environment being tested.

Consulting
With both types of DDoS test, Securif provides a report and recommends how to proceed in
strengthening the infrastructure tested, using both the current equipment and other available
solutions.




Conclusion

Regular DDoS testing should be an integral part of every medium-sized and enterprise
organization’s threat assessment cycle, in the same way pentesting is.

The sheer volume of DDoS attacks, and their persistence and sophistication, are hard enough to
understand under normal circumstances. Once an actual DDoS attack is under way the complexity
rises, and security and IT staff need to swiftly understand their risk level and how to react
when an APT targets their organization. The last situation any IT manager wants to be in is
troubleshooting their DDoS mitigation strategy whilst under a DDoS attack.

Many organizations rely on a mix of new and outdated legacy technologies to serve the
organization. Use a vendor-neutral testing service to verify your DDoS mitigation strategy, and
use it when deciding which vendor to purchase from; this is critical to making an informed
decision.

With threats on the rise, the price of ignoring either DDoS testing or pentesting could be
catastrophic. Avoid your organization becoming another statistic or headline: prepare
realistically by verifying and validating your defences and educating yourself and your staff on
how to react to both DDoS attacks and exploitation attempts.

Technical specifications of the Securif DDoS testing platform


Rate specifications
The maximum rates that can be tested by default are listed below (PPS = packets per second,
Mbps = megabits per second, CPS = new connections per second; N/A = not specified for that
attack). A wide array of other, more obscure attacks is available on request, and Securif can
create almost any type of DDoS attack tool needed:

Attack              PPS         Mbps     CPS

SYN Flood           5,700,000   2,500    N/A
RST Flood           5,700,000   2,500    N/A
FIN+ACK Flood       5,700,000   2,500    N/A
PSH+ACK Flood       5,700,000   2,500    N/A
ACK Flood           5,700,000   2,500    N/A
HTTP Flood          N/A         N/A      1,000,000
HTTPS Flood         N/A         N/A      1,000,000
ICMP Flood          5,700,000   2,500    N/A
UDP Flood           3,600,000   15,000   N/A
UDP Garbage Flood   3,600,000   15,000   N/A
DNS Request Flood   500,000     N/A      N/A
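The PPS and Mbps columns of each row are tied together by packet size, and that relationship is what tells you whether a flood at the table's maximum rate will saturate your uplink before it ever reaches the mitigation appliance, or exhaust the appliance's packet-rate limit while the link still has headroom. The Python below is an added example, not Securif's code and not part of the original page; it transcribes four rows of the table and assumes, for illustration only, a 10 Gbps uplink and an appliance rated for 4 million packets per second.

```python
"""Sanity-check test rates from the rate table against your own capacity.

Added example, not Securif code. The PPS and Mbps columns of a row are tied
together by packet size (Mbps = PPS * bytes_per_packet * 8 / 1e6), which is
what decides whether a flood at the table's maximum rate saturates the
uplink before it reaches the mitigation appliance, or exhausts the
appliance's packet-rate limit while the link still has headroom. The uplink
and appliance figures used below are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Header-only TCP packet: Ethernet 14 + IPv4 20 + TCP 20 bytes (FCS excluded),
# i.e. the size of a SYN without options.
MIN_TCP_PACKET_BYTES = 54


@dataclass(frozen=True)
class FloodSpec:
    name: str
    pps: Optional[int]          # packets per second, None where the table says N/A
    mbps: Optional[float]       # megabits per second
    cps: Optional[int] = None   # new connections per second (HTTP/HTTPS floods)


# Rows transcribed from the rate table above (maximum default rates).
TABLE = [
    FloodSpec("SYN Flood", 5_700_000, 2_500),
    FloodSpec("UDP Flood", 3_600_000, 15_000),
    FloodSpec("DNS Request Flood", 500_000, None),
    FloodSpec("HTTP Flood", None, None, cps=1_000_000),
]


def implied_packet_bytes(pps: int, mbps: float) -> float:
    """Average packet size a PPS/Mbps pair implies (bytes per packet)."""
    return mbps * 1_000_000 / pps / 8


def mbps_for(pps: int, packet_bytes: int) -> float:
    """Bandwidth consumed by a packet rate at a given packet size."""
    return pps * packet_bytes * 8 / 1_000_000


def first_limit_hit(spec: FloodSpec, uplink_mbps: float, appliance_pps: int) -> str:
    """Return "uplink", "appliance" or "none" for a test run at the table rate.

    If both limits are exceeded, the one exceeded by the larger factor is
    reported, because a ramped test reaches it first. Rows with neither a
    PPS nor an Mbps figure (connection-rate floods) report "none"; their
    CPS must be compared against the appliance's own connection-rate figure.
    """
    ratios = {}
    if spec.mbps is not None:
        ratios["uplink"] = spec.mbps / uplink_mbps
    if spec.pps is not None:
        ratios["appliance"] = spec.pps / appliance_pps
    if not ratios:
        return "none"
    limit, ratio = max(ratios.items(), key=lambda item: item[1])
    return limit if ratio > 1.0 else "none"


def plan(uplink_mbps: float, appliance_pps: int):
    """One tuple per table row: (name, implied packet size, limit hit first)."""
    rows = []
    for spec in TABLE:
        size = (implied_packet_bytes(spec.pps, spec.mbps)
                if spec.pps and spec.mbps else None)
        rows.append((spec.name, size, first_limit_hit(spec, uplink_mbps, appliance_pps)))
    return rows


if __name__ == "__main__":
    # Assumed environment: a 10 Gbps uplink and an appliance rated for 4 Mpps.
    for name, size, limit in plan(uplink_mbps=10_000, appliance_pps=4_000_000):
        size_txt = f"{size:6.1f} B/pkt" if size else "   n/a      "
        print(f"{name:18} {size_txt}  limit hit first: {limit}")
```

At the assumed figures the SYN row comes out at about 55 bytes per packet, i.e. header-only minimum-size packets that stress the appliance's packets-per-second limit rather than the link, while the UDP rows come out at about 520 bytes per packet and saturate a 10 Gbps uplink at 15,000 Mbps. A flood that saturates the uplink is dropped before an on-premise appliance sees it, so that row measures the link and any upstream scrubbing rather than the appliance; knowing which limit a row hits first is what lets you agree the test rates and ramp with the provider before the window opens.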



Other specifications
- Number of nodes - The Securif DDoS platform can use over 1,000 nodes (real nodes, not
virtual ones) across Europe, Asia and the United States to emulate larger botnet-style
attacks.
- Real-time reporting - Securif provides real-time reporting of PPS, CPS and Mbps for the
organization to view during the test.
- Asset monitoring - Securif also monitors the health of the systems being tested with its
asset monitoring system.
- Panic button - There is an “emergency stop” button in the real-time reporting interface
that the organization can use at any point during a DDoS attack simulation.