Since our post yesterday we have been holding something close to our chest that we didn't want getting out right away: our vulnerability to certain DDoS vectors. Those have now been entirely closed off, and we would like to show off our filtering and scrubbing.
So, what is it you're seeing take place here? You are seeing me go to a questionable website that hackers use to attack people's networks, quite popular among them, which will deliver a 100 Gbps DDoS, far greater than our circuit links. I then send a DDoS attack against our main web server's IP. From there you see the traffic level off for nearly 20 seconds. This is due to an automated response by our firewall: when an event like this is triggered, the first thing it does is stop all non-essential packet traversal, and then it begins to learn. As time progresses you'll see the traffic begin to return to normal despite the DDoS attack continuing for a grand total of 250 seconds. You'll also see a spike followed by another immediate levelling of packets back to essential only. This is a bleed-through effect: the routes changed and the firewall has to re-learn some of the packets on ingress.
While I do not care to explain all of the technology that I've put into this, for security reasons, what you're seeing is a brand new firewall method using packet marking and automatic route updates through our BGP (border gateway) community. With the BGP route updates we can knock a DDoS attack down by at least half of its strength, making it more manageable for our network. Then, by using queues at the firewall along with packet marking, we can sort the packets at low CPU cost and get them where they need to be with near-no noticeable effect on traffic.
While I will not claim this is a perfect method of total mitigation, it is the method that, through days of testing, I have found works best in almost every DDoS situation, including DNS amplification, and as of 3am this morning I have officially deployed it on our entire network, which means every customer, including the customers of Goldsboro Web Development, is protected by this new technology.
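As an added illustration (not the post's firewall code, whose internals the author does not disclose), the Python model below shows the two ingredients named above, packet marking and per-mark queues, applied to a constructed DNS-amplification flood. Answers from resolvers the host never queried are marked suspect and squeezed into a tiny token-bucket queue; once the offered load in a one-second window exceeds the link rate, the scheduler passes only essential (mid-connection web, solicited DNS) traffic, mirroring the "essential packets only" response described for the firewall. The marks, rates, window, packet trace and the three-queue split are all assumptions for the model; the BGP route-update half of the method is not modelled.

```python
from collections import namedtuple, Counter

# Constructed packet model. Times are integer milliseconds, rates are bytes per ms.
Packet = namedtuple("Packet", "proto src_ip src_port dst_port size flags")

MARK_ESSENTIAL, MARK_NORMAL, MARK_SUSPECT = "essential", "normal", "suspect"


class TokenBucket:
    """Byte-rate limiter for one queue: `rate` bytes/ms refill, `burst` bytes of credit."""

    def __init__(self, rate, burst):
        self.rate, self.capacity, self.tokens, self.last = rate, burst, burst, 0

    def allow(self, now, size):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class Marker:
    """Assign a mark on ingress. Tracks the DNS queries we sent so that an answer
    from a resolver we never queried (the amplification signature) is marked suspect."""

    def __init__(self):
        self.pending_dns = set()            # (resolver_ip, our_source_port)

    def outbound_dns_query(self, resolver_ip, our_port):
        self.pending_dns.add((resolver_ip, our_port))

    def mark(self, pkt):
        if pkt.proto == "udp" and pkt.src_port == 53:
            key = (pkt.src_ip, pkt.dst_port)
            if key in self.pending_dns:
                self.pending_dns.discard(key)
                return MARK_ESSENTIAL       # answer to a query we actually made
            return MARK_SUSPECT             # unsolicited DNS answer
        if pkt.proto == "tcp" and "SYN" not in pkt.flags and pkt.dst_port in (80, 443):
            return MARK_ESSENTIAL           # established web traffic
        return MARK_NORMAL                  # new connections and everything else


class Scheduler:
    """Three queues fed by the marks (assumed 70/25/1 split of the link). In alert
    mode (offered load above the link rate) only essential traffic passes at all."""

    def __init__(self, link_rate):
        ess, nor, sus = link_rate * 70 // 100, link_rate * 25 // 100, link_rate * 1 // 100
        self.queues = {
            MARK_ESSENTIAL: TokenBucket(ess, ess * 100),
            MARK_NORMAL: TokenBucket(nor, nor * 100),
            MARK_SUSPECT: TokenBucket(sus, sus * 500),
        }
        self.alert = False

    def enqueue(self, now, mark, pkt):
        if self.alert and mark != MARK_ESSENTIAL:
            return False                    # "essential packets only"
        return self.queues[mark].allow(now, pkt.size)


def run(packets, marker, link_rate=1000, window=1000):
    """Feed time-ordered (ms, packet) pairs through marker and scheduler.
    Returns a Counter of (mark, 'pass'|'drop'). Alert mode is re-evaluated once per window."""
    sched, stats = Scheduler(link_rate), Counter()
    win_start, win_bytes = 0, 0
    for now, pkt in packets:
        if now - win_start >= window:
            sched.alert = win_bytes > link_rate * window   # offered load exceeded the link
            win_start, win_bytes = now, 0
        win_bytes += pkt.size
        m = marker.mark(pkt)
        stats[(m, "pass" if sched.enqueue(now, m, pkt) else "drop")] += 1
    return stats


def sample_trace():
    """Constructed trace: one solicited DNS answer, steady HTTPS, a few new connections
    before and during the flood, and 2000 amplified DNS answers at 4x the link rate."""
    marker = Marker()
    marker.outbound_dns_query("198.51.100.53", 40000)
    trace = [(0, Packet("udp", "198.51.100.53", 53, 40000, 120, frozenset()))]
    trace += [(10 * (i + 1), Packet("tcp", "203.0.113.10", 50000 + i, 443, 1400, frozenset({"ACK"})))
              for i in range(50)]
    trace += [(t, Packet("tcp", "203.0.113.20", 51000 + t, 443, 60, frozenset({"SYN"})))
              for t in (305, 315, 325, 1105, 1115, 1125)]
    trace += [(501 + i, Packet("udp", f"192.0.2.{i % 250}", 53, 40000 + i % 100, 4000, frozenset()))
              for i in range(2000)]
    trace.sort(key=lambda e: e[0])
    return trace, marker


if __name__ == "__main__":
    for (mark, fate), n in sorted(run(*sample_trace()).items()):
        print(f"{mark:10s} {fate:5s} {n}")
```

In the trace, a couple of amplified answers leak through the suspect queue's burst credit before the first window closes, and the new connections that arrive during alert mode are dropped along with the flood; that is the trade-off the post describes as stopping non-essential traffic first and letting it recover afterwards.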
If any network administrators are interested in this code and method, you can reach out to me through a quote request to discuss licensing.