On 12/16/2012 10:49 AM, Robert Williams wrote:
> Hi,
>
> I'm sensing a lot of frustration / anger / hatred for NLB, having never really
> used it myself I'll just back away from that quietly :)
>
> Unfortunately the test is valid because the situation actually arose when a
> Windows NLB cluster went offline and there was a load of DDoS traffic heading
> to it. The whole reason I'm even working on this is because it 'did' happen,
> unfortunately...
It's not valid if you are randomly selecting many multicast addresses.

If you read the link I posted, it explains the issue and the workaround. If you do not have the workaround as part of your use case and test, your test is invalid if you expect a reasonable outcome. Again, we can all come up with corner cases that crush boxes.

Not that I need to tell you this, but corporate standards that do not follow general networking common sense are not standards. MS is notorious for making up their own networking solutions without consulting or referencing the rest of the world.

With that said, there are many, many cost-effective load balancing solutions in the marketplace.

> However, aside from <cough> NLB, what stops a compromised device from being
> used to emit such traffic maliciously?
Power button.  Or host security.

> In the colocation world we have seen examples where the attacker just rents a
> couple of VPS instances with the same provider as their target and uses it to
> take down the target from the 'inside' by messing with the provider's
> infrastructure.
External and internal DDoS protection, although they may use the same tactics, are 2 separate beasts.

> The (two lines in Linux) example I was testing with would be a nice way to do
> this, at least until the provider tracks it down and pulls it. Which in itself
> could be tricky if the CPU is maxed out and/or your traffic graphing shows only
> 'unicast' traffic PPS, thus is blind to multicast.
>
> I assumed that there was just a configuration I was missing but it's now
> sounding like it's just a limitation, which is a real shame. Although it's
> partially possible with 15M it seems.
>
> Oh well, time to move on, so thanks again for all the input everyone :) Cheers!
>
> Robert Williams
> Custodian Data Centre
> Email: rob...@custodiandc.com
> http://www.CustodianDC.com
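As an added example (not from the thread, nor Custodian's or any vendor's code) of closing the monitoring gap the exchange points out: a graph that only plots unicast PPS cannot show an internal multicast flood, but IF-MIB (RFC 2863) exposes ifHCInMulticastPkts and ifHCOutMulticastPkts next to the unicast counters, so the rates can be derived separately and compared. The SNMP poll itself is assumed to happen elsewhere; the two snapshots, interface names and thresholds below are constructed values.

```python
"""Unicast vs multicast PPS from IF-MIB counters, with Counter64 wrap handling."""
from typing import Dict

COUNTER64_MAX = 2 ** 64  # ifHC* counters are Counter64 and wrap modulo 2^64

# Constructed snapshots {ifName: {counter: value}}, taken 60 s apart.
# Gi0/1 receives a multicast flood between the polls; Gi0/2's unicast
# counter wraps, which naive subtraction would turn into a huge negative.
SNAPSHOT_T0 = {
    "Gi0/1": {"ifHCInUcastPkts": 5_000_000, "ifHCInMulticastPkts": 120_000,
              "ifHCOutUcastPkts": 4_800_000, "ifHCOutMulticastPkts": 3_000},
    "Gi0/2": {"ifHCInUcastPkts": 2 ** 64 - 500, "ifHCInMulticastPkts": 10_000,
              "ifHCOutUcastPkts": 900_000, "ifHCOutMulticastPkts": 200},
}
SNAPSHOT_T1 = {
    "Gi0/1": {"ifHCInUcastPkts": 5_300_000, "ifHCInMulticastPkts": 6_120_000,
              "ifHCOutUcastPkts": 5_100_000, "ifHCOutMulticastPkts": 3_100},
    "Gi0/2": {"ifHCInUcastPkts": 1_500, "ifHCInMulticastPkts": 10_600,
              "ifHCOutUcastPkts": 960_000, "ifHCOutMulticastPkts": 230},
}


def delta(old: int, new: int) -> int:
    """Counter difference that survives a Counter64 wrap-around."""
    return (new - old) % COUNTER64_MAX


def packet_rates(t0: Dict, t1: Dict, interval: float) -> Dict[str, Dict[str, float]]:
    """Per-interface PPS for every counter present in the newer snapshot."""
    rates = {}
    for ifname, now in t1.items():
        before = t0[ifname]
        rates[ifname] = {key: delta(before[key], now[key]) / interval for key in now}
    return rates


def multicast_alerts(rates: Dict, min_pps: float = 10_000, ratio: float = 1.0):
    """Interfaces whose inbound multicast PPS is high in absolute terms and at
    least `ratio` times the unicast PPS. That ratio is exactly what a
    unicast-only graph never shows; the thresholds are constructed defaults."""
    alerts = []
    for ifname, r in rates.items():
        mcast, ucast = r["ifHCInMulticastPkts"], r["ifHCInUcastPkts"]
        if mcast >= min_pps and mcast >= ratio * ucast:
            alerts.append(ifname)
    return sorted(alerts)


if __name__ == "__main__":
    for ifname, r in packet_rates(SNAPSHOT_T0, SNAPSHOT_T1, 60).items():
        print(ifname, {k: round(v, 1) for k, v in r.items()})
    print("multicast alerts:", multicast_alerts(packet_rates(SNAPSHOT_T0, SNAPSHOT_T1, 60)))
```

Pairing the same derivation with the outbound counters (ifHCOutMulticastPkts) flags the source host of the flood rather than only the interfaces receiving it.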



_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/