[123853] in North American Network Operators' Group
Re: anti-ddos test solutions ?
daemon@ATHENA.MIT.EDU (Nathan Ward)
Wed Mar 17 08:17:13 2010
From: Nathan Ward <nanog@daork.net>
In-Reply-To: <1268817124.2479.3.camel@localhost>
Date: Thu, 18 Mar 2010 01:16:41 +1300
To: nanOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hire/buy what I know as a router tester. People call them different things.
It's a device that generates packets, and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and voilà.
They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course.
I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built their first test rig. First we did it with a bank of PCs with custom Linux kernel code to generate packets because we were a startup doing things on the cheap and I was a bit masochistic. Then we got a router tester and did exactly the same thing, but in a whole lot less space with a whole lot less effort.
Both worked great; naturally I recommend a router tester.
--
Nathan Ward