
Statistics of amplification DDoS attacks over last six months - majke
https://blog.cloudflare.com/reflections-on-reflections/##
======
majke
Author here. AMA! This post was tough, since the industry doesn't really have
a common language for discussing packet floods. In this article I tried to
build some language and put focus on Gbps, Mpps, unique IPs, packet lengths,
and duration of events in aggregate. I know the post is dense in numbers, but we
want to encourage folks to be more open with attack data.

Finally, the "flowspec" section is somewhat controversial - for reasons I
can't understand - even though Inter-AS flowspec should be a norm, it still
isn't.

~~~
codezero
How long does cloudflare keep connection metadata/captured packets?

~~~
majke
This blog post explains our attitude to logging:

* [https://blog.cloudflare.com/what-cloudflare-logs/](https://blog.cloudflare.com/what-cloudflare-logs/)

For attack data we do two things:

* We find the attacks and log the attack metadata (dest IP, duration, unique IP count with HLL, etc.). This is in a database and stored forever. Most of the info in this blog post is from these aggregates.

* We automatically capture pcaps for some packet floods. The pcaps are pretty small, contain sampled packets (not full flows), and in many cases don't contain packet payload (netflow doesn't have payloads). These pcaps are kept for about a month and are automatically rotated. The "tcpdump-like" snippets in this blog post are from these files.
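
An added illustration of the "unique IP count with HLL" aggregate mentioned above (my own example, not Cloudflare's code): a minimal HyperLogLog sketch run over a constructed set of sampled packet records. The register count (p=10) and the md5-based hash are my choices; the point shown is that sketches built independently on several servers merge by register-wise max, so per-node counts combine into one aggregate without retaining the source addresses themselves.

```python
import hashlib
import ipaddress
import math

class HyperLogLog:
    """Minimal HyperLogLog sketch for counting unique source IPs.

    p index bits give m = 2**p registers; standard error is about 1.04/sqrt(m).
    """
    def __init__(self, p=10):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m

    def add(self, item):
        # 64-bit hash derived from md5 (assumed choice; any well-mixed hash works)
        h = int.from_bytes(hashlib.md5(str(item).encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)                # first p bits select a register
        rest = h & ((1 << (64 - self.p)) - 1)   # remaining 64-p bits
        rank = (64 - self.p) - rest.bit_length() + 1  # 1-based position of leftmost 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def merge(self, other):
        # Union of two sketches: keep the larger rank per register.
        merged = HyperLogLog(self.p)
        merged.registers = [max(a, b) for a, b in zip(self.registers, other.registers)]
        return merged

    def estimate(self):
        m = self.m
        alpha = 0.7213 / (1 + 1.079 / m)        # bias constant for m >= 128
        raw = alpha * m * m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * m and zeros:            # small-range correction (linear counting)
            return m * math.log(m / zeros)
        return raw

def unique_sources(packets, p=10):
    """Build a sketch of distinct source IPs from sampled packet records."""
    hll = HyperLogLog(p)
    for pkt in packets:
        hll.add(pkt["src"])
    return hll

# Constructed sample: 20000 sampled packets from 10000 distinct spoofed sources
# (each source seen twice), all aimed at one victim address in TEST-NET-1.
SAMPLE = [{"src": str(ipaddress.IPv4Address(0x0A000000 + (i % 10000))), "dst": "192.0.2.1"}
          for i in range(20000)]
```

Merging is exact on the registers, so the merged estimate equals the estimate a single node would have produced over all samples.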

~~~
codezero
Cool, thanks for the link to the blog post.

