by zeroBS: highest competence in the realm of DDoS-Assessments
Made in Germany
zeroBS operates a dedicated, cloud-based platform for the implementation of DDoS-test-attacks on networks, appliances and applications. With the help of our platform we are able to check the effectiveness of your DDoS defense mechanisms.
In addition to team training and checking anti-DDoS measures, one of our main focus are basic functionality test, either after implementation or after major changes.
We have gained extensive experience in order to identify and test the individual parts of the entire dataflow-chain, from the BGP-side entry point, via anti-DDoS appliances, Targeted testing of firewalls, load balancers and application servers.
A selection of manufacturers, technologies and providers we already tested:
Part of our stresstest are comprehensive analyzes (OSINT) in advance and integrated monitoring of attacked targets in order to be able to make qualitative, measurable statements on performance and limits.
Features
- volumetric attacks up to 100 GB/s or 100 Mio pps, TCP, UDP or ICMP
- Layer-7-Attacks with full-stack-browsers, up to 10 Mio RPS
- 50 locations and up to 100.000 dedicated IPs available
- IPv4 and IPv6
- full automated setup and orchestration
- dashboard and monitoring for clients
- monitoring-logfile and export for further analysis
- simulation of real-world-botnets (server, IoT, Mirai etc)
- customizable attacks, if necessary
- interactive dashboard: every attack is recorded and can be replayed for later analysis
- multi-location-monitoring
AttackModes
- Standard: Single-IP-Attacks, perfect for basic certificates of performance
- CarpetBombing: Attacks against whole Networks/CIDR-Ranges, necessary for advanced tests and increased threatlevels [1]
- ChewieAttack: CarpetBombing v 2.0; even more randomness, to tangle any statistic-based detection [2]
- ThorsHammer: an to the exact millisecond timed Attack (Thors Hammer), based on our own R&D with devastating success
Definition CarpetBombing von APNIC / Global DDoS attack trends 2018
Carpet bombing attacks are a new variant of the more common reflection or flooding attacks, where instead of focusing the attack on a single destination, the attacker attacks every destination within a specific subnet or CIDR block (for example, a /20). This will both make it more difficult to detect the attack and also to mitigate it, potentially resulting in outages due to the flood of attack traffic across network devices and internal links.
In addition, these attacks are often fragmented, resulting in a flood of non-initial IP fragments, which can be tricky to mitigate. The attacker will often shift their attacks from one subnet (or CIDR block) to another, complicating the detection and mitigation even further.
Definition ChewieAttack (CarpetBombing 2.0)
Very similar to CarpetBombing in terms of target selection, the Chewie-Attack-Mode brings more randomness into play by adding target, strength, vector and protocol completely random to be chosen.
This ensures that pure statistics-based detection methods completely confused, as the packet stream from an attack IP never lasts longer lasts than 30 seconds, stops for at least 120 seconds and then start again with a new target and pattern.
Only 25% of the bots of a botnet are active at any given time, but this attack is much more difficult to defend.
DDoS RedTeaming
We are able to recreate and execute sophisticated attacks, using the Recon and OSINT method of target analysis and selection... selected attacks on neuralgic points in order to a) test the defence a) to test the defence and b) to simulate a real "targeted attack". So it's more like a sniper than a mallet. The fact that this attacker behaviour is not uncommon, as we have seen in several DFIR analyses:
- DDoS-Sniper: sophisticated attacker analyzed
- DDoS-Incident-Response - Ein Bericht von der Front (german only)
Reasons for a stress test
- functionalitytests and performance record for the individual network components
- check whether DDoS protection measures work as desired (proof of function),
- Measuring your own protection level compared to the threat level according to the DDoS Resiliency Score
- Test if administrators are adequately trained for a DDoS attack
- Optimize the workflow in the event of a DDoS attack
- Estimate the effects of a successful attack
- Estimate the cost / effort of a successful attack
The following targets/technologies can be tested:
- networks
- BGP routers
- Firewalls and VPN gateways
- Web server / Web infrastructure
- APIs
- SSL-Offloader
- Loadbalancer
- DNS Infrastructure
- any TCP services
- DDoS-Appliances
- WebApplicationFirewalls
- IDS / IPS
- CDNs
- cloud-based DDoS protection (Akamai, CloudFront, CloudFlare)
- Inhouse DDoS protection
attack vectors
- Layer 3/4 (volumetrics attacks)
- Layer 7 (attacks on applications)
- Botnet-Simulation
- IPv4 and IPv6
- Attacks against firewalls
- Attacks against load balancers
- DNS Waterboarding
- over 50 different attack types
- CDN-Reflections
- individually designed attacks
- Real World Botnet Simulations (10,000 IPs)
- Paperwork and dry run exercises to test emergency workflows