
Reddit is currently experiencing a malicious DDoS attack - mediumdeviation
https://twitter.com/redditstatus/status/325193410464055296
======
foob
Reddit also got hammered pretty hard by legitimate traffic last night. There
were many thousands of people in the Boston live update threads hitting
refresh over and over all night. The admins actually locked the first update
page because they said that so much traffic on an article with so many
comments would crash the site.

If there's a malicious DDOS attack then this surge in legitimate traffic
likely compounded the problem.

The update threads:
[1] <http://www.reddit.com/r/news/comments/1co395/live_updates_of_boston_situation_part_2/?sort=new>
[2] <http://www.reddit.com/r/news/comments/1cnwms/mods_removed_thread_live_updates_of_boston/>

Where the updates moved when reddit went down:
[3] <https://twitter.com/JpDeathBlade>

~~~
alienth
The traffic surge from the Boston incident is extremely marginal compared to
the DDoS which we're facing right now. It is far and above any form of
possibly being compounded, unfortunately.

But I wish it was :) Compounding I can deal with, astronomical is harder.

------
radge
I hope this is a retaliation for the abhorrent behaviour of reddit users in
blind smearing of innocent individuals in an attempt to prove the worth of
social media/the internet/their "community". Information is dangerous when it
is placed in the hands of these clowns and reddit needs to address their
problems quickly before they ruin more lives.

<http://www.newstatesman.com/world-affairs/2013/04/reddit-boston-and-missing-student>

~~~
darkarmani
> I hope this is a retaliation for the abhorrent behaviour of reddit users

You don't like vigilantes, but you hope vigilantes are punishing reddit users?

~~~
facorreia
Quis custodiet ipsos custodes?

~~~
bjhoops1
"Who watches the watchmen" would have been simpler and spared me a google
search.

~~~
sgdesign
But I wouldn't have learned a cool new Latin proverb.

~~~
bjhoops1
Although it should be noted that the Latin itself is a translation, since this
quote is attributed to Socrates and would have originally been in Greek.

~~~
facorreia
According to Wikipedia it's (incorrectly) attributed to the Socrates
_character_ in Plato's Republic. Although a related idea is discussed in that
book, the saying itself is attributed to Roman poet Juvenal, who was
discussing marital affairs.

------
josteink
As opposed to a non-malicious DDOS attack?

Sorry about the snarky remark, but the headline does feel a tad redundant.

~~~
UnoriginalGuy
Yes, as opposed to a non-malicious one.

The best example off the top of my head was a D-Link firmware update which
added an NTP server operated by a third party for "public use." This wound up
increasing the NTP server's traffic by 90% and costing them over $8K/year in
additional bandwidth fees. See [1].

Then you have so-called "slashdotting." Or linking to a small web-site with an
interesting story and overloading it with legitimate traffic until it goes
down. See [2].

[1] <http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#D-Link_and_Poul-Henning_Kamp>

[2] <http://en.wikipedia.org/wiki/Slashdot_effect>

~~~
josteink
Getting a slashdotting is not a "DDOS attack" under any definition although
the practical consequence is the same. If the resulting traffic overload is
caused by a (massive) router-configuration error or similar mishaps, it's also
by definition not an attack.

Sorry about being picky around semantics, but still: No point in throwing
words around to the point where they become completely pointless.

~~~
smoyer
Well ... It's definitely a DDOS but you're right about the attack part.

------
Achshar
Could this have something to do with reddit's co-founder speaking against
CISPA and calling out major tech companies? [1] Considering reddit played a
big role in killing SOPA, CISPA backers feel threatened?

[1] - <https://news.ycombinator.com/item?id=5570670>

~~~
socillion
I think it's far more likely that someone decided to mess with the party all
the Boston observers are having on Reddit.

It's all idle speculation, though.

~~~
Achshar
Yes, reddit was up for a bit and I saw two (edit: now _four_ ) huge threads
with 10k+ comments and live updates from the shootout in Boston. So maybe
they are indeed messing with the Boston live event updates thing on reddit.
DDOSing reddit is no small feat, unless you have a botnet at your disposal.
Should be more than just some "fun".

~~~
mh-
I don't have data to back me up other than an anecdotal 'I seem to notice',
but doesn't reddit often become unusable during exceptional usage spikes? the
Obama AMA comes to mind.

if you look at their numbers[1] for 2012, it's plausible that they are simply
overwhelmed during these bursts and they've judged it worthwhile to let these
aberrations play out.

for many operations.. moving your availability from, say, 99.9% to 99.99% is
simply not worth the cost.

uptime is hard; GitHub has only maintained 99.96% for the past month[2][3]
(and, IMO, they're actively trying to improve it)

[1]: <http://blog.reddit.com/2012/12/top-posts-of-year-and-best-of-2012.html>

[2]: <https://status.github.com/graphs/past_month>

[3]: <http://cl.ly/image/0O2S0L3O0l3J>

edit: clean up links

edit2: learning \n

~~~
Achshar
But reddit confirmed it's malicious, so the idea that reddit DDOSed itself is
out of the question.

------
alienth
We're mostly recovered, at this time.

~~~
windsurfer
You might be overzealous with your bot blocking. I'm being told I'm actually a
robot:

    you appear to be a bad robot
    check out the rules for robots. thanks.

~~~
Pyramids
Same here, are you using RES or anything else which might increase request
volume?

~~~
jaredmcateer
I use RES, not having any issues.

------
throwaway1979
Is there a defense against DDoS attacks? CloudFlare? Incapsula? Does anyone
have experience with how well these solutions work?

~~~
buro9
In ultra-simple terms you need to have a network capacity greater than the
attacker and to identify the attack requests and discard them whilst still
honouring valid requests.

That is basically what CloudFlare is.

Add in things like caches to prevent even valid requests from getting to the
backend (so you've now added a CDN), and many peers to your network so that an
attacker cannot saturate one or two peers... and you've got the essence of
CloudFlare (sans features like optimising content for speedy delivery).

Ultimately the best defence to a DDoS is to be able to soak up the attack
before it hits the backend, and to have enough spare capacity to keep serving
regular traffic.

You can cache and distribute everything save for the valid requests to a
dynamic resource (but even those you can optimise). So the whole game from a
defensive point of view is to let nothing but valid dynamic requests through
to the backend.

The attacker's side of a DDoS is about acquiring network capacity greater than
your network capacity, identifying your weaker points (in an attempt to cause
a domino effect, if they can take out a weaker peer then a stronger peer will
need to do more work and itself becomes weaker). And then sending what appear
to be valid requests without triggering an attack on themselves (having a 150
byte request respond with 100KB would wipe out the attackers). Bonus points
for constructing requests that can get through to the dynamic resources on the
site being attacked (as those are the weakest link).

~~~
heroic
how is adding things like caches adding a CDN?

~~~
buro9
I probably should have clarified that by caches I mean reverse proxy caches
that can take up the work of serving static resources from the network edge.

The combination of adding caches and distributing those caches is to add a
CDN.

You add caches to stop the request reaching a backend and doing the work
twice, for optimisation. But in effect they become defensive shields as
serving a static file or an in-memory file is less work and can be handled in
far greater numbers than doing the work on the backend, and if one cache is
attacked users accessing other caches elsewhere in the world continue to get
their requests served.

If you then place a cache at every point at which your site is surfaced, for
example you use DNS anycast to have your front-end appear to be surfaced from
every Amazon datacenter and the closest one is nearly always selected... then
you've helped stop requests at the first opportunity and to return them from a
place which can handle far greater requests.

You've increased your network capacity, increased the ability to serve valid
requests, and you've prevented all of that traffic reaching the backends.

And in doing all of this... placing caches for static resources throughout the
world and using DNS anycast to return the cached item from the closest peer...
well, you have created a CDN. A primitive one for sure, but it still is one.
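
An added example, not part of any commenter's post: a toy Python model of the edge cache described in this sub-thread, combined with a per-client token bucket, counting how many requests actually reach the backend. The class name, paths, client names and rate values are all hypothetical, and the traffic is constructed.

```python
class EdgeNode:
    """Toy edge node: reverse-proxy cache plus per-client token bucket."""
    def __init__(self, ttl=60.0, rate=1.0, burst=5.0):
        self.ttl, self.rate, self.burst = ttl, rate, burst
        self.cache = {}      # path -> (expires_at, body)
        self.buckets = {}    # client -> (tokens, last_seen)
        self.backend_hits = 0
        self.dropped = 0

    def _allow(self, client, now):
        # Refill tokens for the elapsed time, then spend one if available.
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[client] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def handle(self, client, path, now, cacheable=True):
        entry = self.cache.get(path) if cacheable else None
        if entry and entry[0] > now:
            return 200, entry[1]          # answered at the edge, backend untouched
        if not self._allow(client, now):  # only backend-bound work is rate limited
            self.dropped += 1
            return 429, ""
        self.backend_hits += 1            # stand-in for the real origin fetch
        body = "rendered:" + path
        if cacheable:
            self.cache[path] = (now + self.ttl, body)
        return 200, body


def simulate():
    edge = EdgeNode()
    # Constructed traffic: 200 readers refresh one cacheable thread for 10 s.
    reader_ok = 0
    for tick in range(10):
        for r in range(200):
            status, _ = edge.handle("reader%d" % r, "/thread/live", float(tick))
            reader_ok += status == 200
    # Constructed traffic: one client sends 1000 uncacheable requests at t=10.
    flood_ok = 0
    for i in range(1000):
        status, _ = edge.handle("client-x", "/search?q=%d" % i, 10.0, cacheable=False)
        flood_ok += status == 200
    return {"reader_ok": reader_ok, "flood_ok": flood_ok,
            "backend_hits": edge.backend_hits, "dropped": edge.dropped}


if __name__ == "__main__":
    print(simulate())
```

Because cache hits never spend tokens, readers refreshing a cached page are not throttled; only requests that would cost backend work count against a client's budget.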

------
bjhoops1
I wonder if it would be possible to generate a DDoS attack by reporting that a
site is experiencing a DDoS, causing people to flock to the site to see if it
is down.

------
wjamesg
I was on Reddit until 2am (EST) with no issues. Back on at 6:45am with no
problem.

Either they've been doing a wonderful job with mitigation, or I'm missing
something (I suppose I did miss a few hours while sleeping...). If anything I
figured they're getting hammered with EST sunrise/Boston incident
traffic...but a simultaneous malicious DDoS attack "beyond any shadow of
doubt"? Wow

------
nickpinkston
Total speculation, but: perhaps the police / FBI would DDoS Reddit to prevent
the suspect from gaining intel on their operations? The Reddit live stream was
all over Twitter...

------
swayvil
The Chinese are trying to censor reddit because of that article about China
censoring the term "censorship".

------
stcredzero
Fark is down too, 4:21 am Pacific time.

------
raulonkar
What is the impact of this "DDOS" attack on reddit?

~~~
k__
hopefully that reddit is over and all reddit-users can leave the internet now
;)

------
officemonkey
Batten down the hatches, pg, here come the redditors.

