
Tech Consortium Proves Next-Gen DDoS Defense Tool with CyPerf

Case Studies

Organization

• CENGN

 

Challenges

• Validate client’s DDoS mitigation solution in a live, distributed network environment

• Emulate malicious network traffic across physical and cloud-based infrastructure

• Ensure that no damage occurs to systems or infrastructure in a production environment

 

Solutions

• Keysight CyPerf cloud-based traffic generator for physical and virtualized network infrastructure

 

Results

• Validated new DDoS mitigation solution against five different attack vectors in a real-world network environment

 

CENGN, Canada’s Centre of Excellence in Next Generation Networks, is on a mission to advance global technology innovation. Backed by the governments of Canada and Ontario, the consortium helps Canadian organizations test and validate promising network technologies at commercial-grade scale.

 

That’s why CENGN recently found itself working with a Canadian research and education network. Amid a widespread rise in distributed denial-of-service (DDoS) attacks, CENGN’s client organization had developed a new DDoS defense solution to combat the surge. However, their team still needed to validate the tool, so they partnered with CENGN to put their solution to the test in a simulated real-world environment.

 

Challenge: Find a Smarter Way to Test Hybrid Network Defenses

 

Late 2021 saw an all-time high for DDoS attacks, according to Kaspersky. Spurred in part by a drop in cryptocurrency prices, cybercriminals pivoted their botnets from mining Bitcoin and Ethereum to more familiar territory: volumetric network attacks.

 

CENGN is no stranger to information security — which is part of the reason their client was eager to collaborate. CENGN has a long history of validating network-related products for commercial deployment using its commercial-grade Testbed. Aided by its unique hybrid-network infrastructure, CENGN assists small and midsize Canadian businesses by testing new technologies and applications at scale before they go live.

 

Unfortunately, testing a hybrid-cloud DDoS mitigation system isn’t as straightforward as it sounds. A traditional network traffic generator — the most common tool for this test — wouldn’t work. Traditionally used to stress test “big iron” network infrastructure, these tools effectively emulate the kind of network traffic that flows through data centers. However, they struggle with generating the kinds of application- and services-based traffic that traverses modern distributed, production-level network environments.

 

If CENGN wanted to test this advanced DDoS mitigation system, it would need an equally advanced traffic generator to push the solution to its limits.

 

Solution: CyPerf, the Industry’s First Cloud-Native Traffic Generator

 

Keysight CyPerf proved a perfect match for CENGN’s client. The industry’s first cloud-native traffic generator, CyPerf was uniquely suited to simulate DDoS attacks across a mix of physical and virtual network environments.

 

Unlike hardware-based traffic generators, CyPerf goes beyond physical infrastructure. While traditional “bit blasters” specialize in pre-deployment testing for data center applications, they cannot emulate the complex traffic patterns needed to test hybrid networks. Moreover, these tools are generally best suited to test labs — since they can cripple or crash the infrastructure they test.

 

In contrast, CyPerf uses an agent-based architecture to simulate application workloads and malicious attacks across physical and cloud-based environments. CyPerf generates a digital twin of users, applications, and threats — making it safe for both pre-production and live network test applications. The subscription-based software solution can emulate millions of connections per second, tens of millions of concurrent users, and complex traffic patterns like zero-trust and DDoS attacks.

 

To ensure accurate results, CENGN worked closely with their client to plan and define test parameters, detection thresholds, and mitigations. With all parties aligned, CENGN chose to analyze the system under test (SUT), measuring bidirectional and reflection-based attack resilience against the following DDoS attack signatures:

 

• Transmission Control Protocol (TCP) handshake authentication: testing inbound and outbound authentications via synchronize (SYN) and acknowledgment (ACK) commands at speeds exceeding 3000 connections per second.

• Malformed HTTP: assessing detection and prevention thresholds of the SUT against more than 17000 bad HTTP connection requests.

• IPv4 blocklists: testing the SUT’s auto-filtering capabilities by simulating HTTP group encrypted traffic with a mix of block-listed and safe predefined IPs at rates exceeding 25000 connections per second.

• User Datagram Protocol (UDP) floods: analyzing SUT detection rates against a simulated flood of spoofed UDP data packets, with throughput at 100 megabits per second (Mbps).

• HTTP reflection and amplification: testing the SUT’s ability to detect and block trigger requests, which would otherwise produce a considerably larger response from the victim’s network and amplify the attack.
