In this second installment of our two-part blog exploring the record setting Rapid Reset distributed denial of service (DDoS) attack, we demonstrate how to pair BreakingPoint with Keysight’s hyperscale APS-100/400GE series appliances or powerful CloudStorm load modules to recreate the Rapid Reset attack at scale, allowing users to generate the 398 million requests per second (RPS) as seen wild with this potent DDoS attack.
And in case you missed it, you might want to check out part-one of this blog series called, “Is Your DDoS Mitigation Ready for 398 million Requests Per Second?” which explores the underpinnings of the Rapid Reset DDoS attack and shows how it starves a server of resources to deny legitimate traffic.
To recap, DDoS attacks are cyber-attacks that flood a target system with traffic to starve that system of resources and deny access to legitimate users. The Rapid Rest DDoS attack leverages the HTTP/2 protocol to flood a target system with multiple, simultaneous HTTP/2 request streams. The client then immediately cancels these requests and sends a fresh batch of requests, repeating this process over and over, overwhelming the target system as it tries to handle this flood of requests and resets.
To recreate Rapid Reset’s record setting 398 million RPS, we will use three CloudStorm 100GE 2-port load modules installed in an XGS12-HSL chassis running Keysight’s BreakingPoint application and network security testing platform.
Figure 1: CloudStorm load modules as depicted in the BreakingPoint web UI
In this example the test runs in “two-arm” mode, where BreakingPoint emulates both the test clients and servers. However, you can also run other variations of this test in “one-arm” mode and send test traffic directly to your own server or service.
One requirement of a “successful” DDoS attack is the use of many thousands of unique client IP addresses to send the malicious traffic which ensures the connections appear legitimate, helping to avoid any DDoS protections that may be in place on the target system. To this end, we configured more than 300,000 unique IP addresses in BreakingPoint Network Neighborhood for use in this test.
Figure 3. More than 300,000 unique IP addresses configured in Network Neighborhood
Next, Test Components are needed to configure the test traffic and associate it with the Network Neighborhood settings. In this example, the test is configured with three Application Simulator Test Components (“DDoS Attack Traffic 1”, “…2” and “…3”), one Test Component for each CloudStorm load module. Additionally, the “Super Component” feature is enabled for each Test Component which ensures that all test traffic is divided evenly amongst the compute resources available on each CloudStorm load module.
Figure 4. Adding Application Test Components While it is straightforward to perform dual-stage
Next, each of the three “DDoS Attack Traffic” Test Components is edited to:
-
Add component “Client Tags” and “Server Tags” to associate the Network Neighborhood settings we defined earlier.
-
Define the Test Parameters “Maximum Simultaneous Super Flows” (10M) and “Maximum Super Flows Per Second” (1.5M).
-
Create a new “Application Profile” to define the detailed characteristics of the DDoS attack traffic.
If you have followed along to this point, you might be asking, “if we have three Test Components (“DDoS Attack Traffic 1”, “…2” and “…3”), and each of these are configured with Maximum Super Flows Per Second set to 1.5M, won’t that only generate 4.5M RPS, well short of the 398M RPS target?”
Great observation! This does indeed appear to be the case, but remember that the Rapid Reset DDoS attack leverages a feature of the HTTP/2 protocol that allows multiple HTTP streams to be sent simultaneously over a single TCP connection. Accordingly, the test generates 100 HTTP GETs for each HTTP transaction (as we can see in the test traffic PCAP below):
So, now let’s reconsider the traffic being sent:
3 Test Components x 1.5M Max Super Flows/Sec x 100 Requests Per Super Flow or:
- 3 x 1.5M x 100 = 450M RPS (!)
Ok, back to the test configuration!
Once the new Application Profile – called DDoS Rapid Reset Profile” in this example – is created (Step #3 in Figure #5 above), (we call it “DDoS Rapid Reset Profile” here), the pre-defined Super Flow called “DDoS HTTP/2 Rapid Reset (no TLS)” is added to the configuration:
The “Super Flow Actions” associated with this Load Profile can then be reviewed/edited:
Sever SETTINGS Frame
- SETTINGS MAX CONCURRENT STEAMS “100”.
Rapid Reset Request:
- Rapid Reset Count: “100”
Rapid Reset Response:
- Custom Data File: “http2_rapid_reset_response.html”
The test configuration is now complete and when the test is launched, we can see in the Real Time Statistics window that traffic quickly ramps up to generate 4.3M transactions/sec. Remember the test is sending 100 GETS/RST per transaction which equals 430M RPS, 30M RPS more than the actual Rapid Reset attack!
And, while busy, the “Resources” tab of the Real Time Statistics show that the CloudStorm load modules are effectively handling this hyperscale traffic load:
And finally, the test report confirms the result, showing BreakingPoint quickly ramping up to 4.3M transactions/sec or 430M RPS and sustaining that load for the duration of the test:
Figure 11. Test report showing 4.3M transactions / 430M RPS
By harnessing the power of just three CloudStorm load modules (or just three APS-ONE-100 appliances), organizations can emulate this staggering attack volume with exceptional precision. The APS-ONE-100 and CloudStorm load modules both offer a level of scalability and versatility that sets a new industry standard. These hardware solutions not only empower users to test their systems’ ability to withstand such attacks but also demonstrate Keysight’s commitment to staying at the forefront of DDoS mitigation technology, helping organizations ensure they are fortified against even the most formidable DDoS threats.
