
The New Normal: 200-400 Gbps DDoS Attacks - Smerity
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
======
yeukhon
Interesting article. The black market looks far away from me. I always want to
know how to get one of those "hacking service" but I can't tell who is genuine
and who is not. People literally take risk to do business with these people. I
guess I should just get a GreenDot one day and use that to pay a cracker,
right?

I don't know how old the kid is, but it sounds like someone between junior high
and high school. I don't even know how to launch such a massive DDoS attack yet.
How many do I need to send such? This is interesting...

Side note: Krebs is an interesting person. I have come across his blog many
times but I never bothered to find out his actual job. He's a journalist. No
technical background. Self-taught.
[http://krebsonsecurity.com/about/](http://krebsonsecurity.com/about/)

This is the best example of a civilian out there interested in protecting his
data. He would go out of his way to keep worms and hackers from touching his
laptop... we need more civilians like this (not to blog or to go on strike,
but to be aware of the seriousness of the unsafe nature of the Internet).

Also, his article is really well-written. No doubt; he's a reporter after all.

~~~
fredgrott
He is a former journalist, was with the Washington Post.

------
bowlofpetunias
CloudFlare is absolutely right. As long as the attacks are not coming from
CloudFlare's network, it's not up to CloudFlare to play judge and jury
concerning the legality of _content_.

What would be next? Service providers taking down a white hat site because it
discloses vulnerabilities?

I'm quite frankly shocked that Krebs would make the argument to put security
before freedom of speech and due process.

~~~
devicenull
Look at it this way. Without Cloudflare providing free DDOS mitigation, the
attacks would not be happening as frequently.

Put that way, I see them as responsible for the attacks. Maybe you'd feel
differently if you were the target of some of these attacks.

~~~
pktgen
> Look at it this way. Without Cloudflare providing free DDOS mitigation, the
> attacks would not be happening as frequently.

I don't see the cost of CloudFlare's service as a problem. In fact, free DDoS
mitigation is great. The problem is that they're willing to provide service to
booters/DDoS-for-hire services.

Reputable providers prohibit this kind of activity in their AUPs, and there
aren't that many companies with their own large networks capable of DDoS
mitigation (many are just resellers). If CloudFlare stopped supporting such
services, it would immediately put a large dent in the entire booter market
because the kids would take care of shutting each other down, and individual
booters would find it difficult to find a provider who can mitigate attacks
and is willing to provide service to them. (In other words, let them fend for
themselves. Screw them.)

> Maybe you'd feel differently if you were the target of some of these
> attacks.

I agree, and I think this is why a few of us (you and me, in particular) have
different views compared to others.

(I have talked to you on WHT recently. Not under this name, but you might have
an idea.)

------
lstamour
Background on these kinds of attacks:
[http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks](http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks)
[http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack](http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack)
Or if you prefer audio/video:
[http://twit.tv/show/security-now/438](http://twit.tv/show/security-now/438)
(also worth a listen for a few possibly off details on NSA spying kit)

Possibly the implication against CloudFlare is that a service which makes
money off DDoS attack prevention (and many other things) shouldn't drum up
business by encouraging such attacks. Though in CloudFlare's defense, the
attacks wouldn't stop if the sites did. And I'm not sure what else CloudFlare
could do to get people to fix NTP servers.

~~~
codexon
The attacks would be a lot smaller and infrequent if cloudflare did not host
them.

The reason why the DDoS market exploded is because you can now sell your
services behind cloudflare for very little cost instead of competitors ddosing
each other. You can see all the services being sold at hackforums.net.

Without a publicly accessible store front, you will not get funding.

Without funding you will not be able to rent servers to power reflection
attacks and to process requests from hosts that turn a blind eye like ecatel.

~~~
voltagex_
Can you elaborate on "Hosts that turn a blind eye"?

~~~
pktgen
Hosts that negligently allow (do not implement technical measures to block)
packets to be sent from an IP address not routed to the sender.

Ecatel is the big one here. I don't know what it will take for their upstreams
to shut them down, but it needs to happen. Do that and many of these reflected
attacks will stop.

~~~
codexon
You can send spoofed packets from nearly every host.

However hosts like Ecatel are known to specifically allow their customers to
send spoofed packets at full speed 24/7.

I think most hosts will notice heavy bandwidth usage, investigate, and then
terminate your account. This is why people buy servers at Ecatel even if it is
more expensive.

~~~
pktgen
Sure, you can _send_ spoofed packets from any host, but any reputable host
will drop them.

Reputable hosts use uRPF or at least an ACL at their edge to drop any outbound
traffic with a source address that isn't in their network.

People buy servers from Ecatel because they're one of the few that
(intentionally) do not have such measures in place.

~~~
codexon
No, very few hosts drop them because it costs time and money to do BCP38.

I have tested 5+ major hosts spoofing packets to a remote destination and they
all allowed spoofing except OVH.

------
awakeasleep
Poor Rasbora, being an example of how you can be very smart and absolutely
retarded at the same time.

I know retarded isn't the right word, but nothing else I can think of
represents kicking your future self in the balls so hard they're permanently
destroyed and you're crippled for life.

------
devicenull
> In a phone interview today, Prince emphasized that he has seen no indication
> that actual malicious packets are being sent out of Cloudflare’s network
> from the dozens of booter service Web sites that are using the service.
> Rather, he said, those booter services are simply the marketing end of these
> operations.

This is how they justify hosting *booter.com. Personally, I don't see a big
distinction. If you weren't hosting the frontend site, there would be no
malicious packets going out from other people's networks. These booter sites
attack each other all the time, so without DDOS protection they'd take care of
shutting each other down for us :)

~~~
pktgen
I agree with you.

Having sent multiple abuse complaints to CloudFlare regarding booters, I have
found them difficult to work with. As we've established, they will not censor
anything; instead, if they determine your complaint to have some level of
validity, they will send you to the actual host.

In one instance, the booter site had no information on registration or what
was offered, so I gave them the hackforums thread where the service is being
sold. I realize this is basically hearsay and not sufficient evidence to
actually shut a site down, but remember that they won't shut a site down in
any case. They did not consider this acceptable enough to release information
about the host. They wanted me to register an account there and provide it to
them for verification. Luckily, I could register without actually paying
anything, providing me a nice UI with a big "launch attack" button, and this
was sufficient for them.

More recently, they will not even release the site's IP address. All they will
do is tell you to email the abuse department of [host] and ask the abuse
department to contact them for details. This is ridiculous.

CloudFlare purports to be against DDoS attacks, yet has no problem providing
service to admitted DDoS attack services. In other words, CloudFlare is a
racketeering operation. They create the problem, indirectly, and offer
services to solve it. (I realize they offer a free tier, but their advanced
mitigation features are only available on paid tiers.)

------
pktgen
And here's what CloudFlare isn't telling you: many DDoS attacks are made
possible thanks to their service, openly providing service (they would dispute
my use of the word "hosting") to booters.

This is called racketeering. Create the problem indirectly and offer
protection. Sound familiar?

~~~
yeukhon
I don't see that being a problem. People have been developing tools like
firesheep which can be used to benefit and against people.

Some people like me may suspect some viruses and trojans are created by AV
companies out there. In fact malicious, money-greedy one (which no one would
use until they got a nice pop that reads "your computer is infected now use
our solution") do this. I don't know about the big players out there, but who
knows?

If CloudFlare can handle such bandwidth and can defend such attacks for
enterprise users, wow, that's a big win for them. Whether they should offer
stronger mitigation for any level of users is a different story.

~~~
pktgen
Firesheep is a poor comparison. It's a piece of software. The developer (or
his associates) do not provide a product or service to protect against it,
which would be a requirement to be considered racketeering. (Even if they were
offering some "service," say to set up SSL on your server, I'd have a hard
time calling it a racket simply because what Firesheep accomplished, i.e.
packet sniffing for cookies, has always been possible.)

I don't have a problem with CloudFlare offering multiple service levels.
That's just smart business. They are one of the relatively few companies with
their own network that can mitigate attacks. And that's where the problem lies
- they are using that capability to prop up booters (DDoS attack services, if
you weren't familiar with the term). As others have said, booters would be
largely uneconomical to operate without the cheap assistance of CloudFlare,
because the booter "market" is similar to drug gangs - it's a "war" with the
booter owners all trying to take out their competition. (So this makes DDoS
attacks less easily available, a good thing for the rest of the Internet.)

The problem is that CloudFlare is choosing to allow them to operate, while
offering protection services at the same time. This is the very definition of
a racket. It is no different from "wouldn't it be a shame if your shop burned
down, you should pay us money."

Now, I'm not saying that _all_ DDoS would instantly go away if CloudFlare
stopped this. It wouldn't. It would make a significant difference though, IMO.
Services like this make it easy for anyone with little skill to launch
attacks, and with amplification techniques (NTP, DNS, SNMP, chargen, etc.) the
booter needs very little hardware and bandwidth to launch massive attacks.

~~~
yeukhon
From some of your comments, it seems like you are heavily involved with a
similar situation as a former CloudFlare customer?

Put it this way: if I am a security researcher and I want to publish a paper
on DDoS, I can make use of CloudFlare to accomplish my objective. How do you
distinguish the good from the bad?

What do you propose they should do?

~~~
pktgen
I'm not and have never been a CloudFlare customer. My experience with them
stems from hosting game servers and dealing with many DDoS incidents, nearly
all of which originated from CloudFlare-"supported" (I would like to use the
term "hosting" but I realize they will dispute this, and I'm not interested in
a debate on semantics) booters. As part of this, I also have experience
dealing with CloudFlare, which I detailed in another comment here.

Publishing research papers about DDoS attacks is one thing. Selling a service
that performs them (i.e. DDoS-for-hire) is completely different, IMO.

------
JoshGlazebrook
CloudFlare is great, but will it ever be possible for them to expand the
services that they can protect? Obviously short connection http requests work
great with their platform, but will it ever be possible for them to say offer
their protections on any service that requires some form of connection between
client and server? Like a global TCP load balancing and DDOS protection for
connections that need to stay open? For say game servers that are constantly
being attacked, etc?

~~~
sillysaurus2
Probably not. CloudFlare only makes sense for websites because they can cache
content, resulting in a more responsive website and better user experience.
Games can't be cached, so whatever protections they can offer will come at a
downside of having to use CloudFlare servers instead of servers designed to
host games.

Also, DDoS isn't a big deal for most games. (MMOs, yes, but not most games.)
If a gameserver is DDoSed, then a few dozen or a few hundred people are going
to be unhappy. Whereas if a website is DDoSed, then tens of thousands of
people will be unhappy at a minimum. Since most games aren't really affected
by DDoS, it doesn't make much business sense for CloudFlare to try to offer
gameserver protection. The market probably isn't big enough to warrant
diverting CloudFlare time and resources.

~~~
diminoten
Few dozen or few hundred? This isn't the 90s, games are played by millions of
people daily. More than tens of thousands of people are affected by someone
taking down, say, LoL servers with a DDoS.

~~~
devicenull
You're forgetting that a lot of games use the individual server model. For
example, Battlefield 4 has a 70 player max on any given server, meaning a DDOS
will only cause problems for that many.

~~~
diminoten
In those cases, there is usually a non-player server that can be targeted.
Also, there is absolutely nothing stopping this kind of attack from hitting
multiple servers; the only limit is the total bandwidth.

------
middleclick
I am curious as to not only how he found out the attacker's identity but
also how he got on the phone with his dad. I mean, this is straight out of
detective novels.

~~~
sp332
You should see the work he did on finding the guys behind the Target breach.
[http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/](http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/)

~~~
e12e
"After searching my huge personal archive of hacked cybercrime forums for
Andrew’s various email and Jabber addresses, I found several private messages
sent by different users on the Spamdot[dot]biz forum who recommended to other
members the “ikaikki@neko.im” Jabber address as someone to contact in order to
hire a service that could be used to flood someone’s Gmail inbox with tens or
hundreds of thousands of junk messages."

 _several private messages_ sent by _different users_ on the Spamdot[dot]biz
forum who recommended to _other members_...

So, an archive of illegally obtained private communication? (Or, is it just
questionably obtained by having several false identities across boards? The
term _hacked forums_ seems to suggest otherwise)...

I guess that by doing illegal surveillance, one can find out things that
aren't obvious. How surprising.

~~~
girvo
The sites were hacked by other hackers, and uploaded as a dump to the public.
Krebs just has copies of them, that's all.

~~~
gwern
I think that's still a bit questionable. I'm not allowed to have copies of
child porn, even if the children were abused by someone else and they uploaded
the photos to the public.

------
fauigerzigerk
There's something I find rather surprising. It would appear that attacks using
spoofed IP addresses need help from a rogue ISP, unless both the attacker and
the victim use the same ISP. Presumably, an ISP can easily block packets that
originate in its network but have a source address that's not part of its own
IP range.

Why does it take so long until most rogue ISPs are detected and cut off the
rest of the global internet?

~~~
perlgeek
> an ISP can easily block packets that originate in its network but have a
> source address that's not part of its own IP range.

Is it really so easy? How does the ISP know that the packet came from within
its network?

~~~
fauigerzigerk
I'm not an expert on this at all, but I think that unless an ISP's customer is
allowed to run a public facing router it would be trivial for the ISP to
determine that. There simply cannot be any legit packets with a source address
from outside its address range arriving at inward facing network interfaces.
Maybe I'm not getting something here...
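The egress check pktgen and fauigerzigerk describe (uRPF or an edge ACL that drops outbound packets whose source address is not one the provider or that customer port is allowed to originate) can be sketched as a per-interface allow list. This is an added illustration, not code from the thread or from any provider; the prefixes, interface names and flow records are constructed, and the customer-routed prefix on `cust-b` stands in for the "customer allowed to run a public facing router" case.

```python
"""BCP38-style egress anti-spoofing check over constructed flow records."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ingress_if: str   # customer-facing interface the packet arrived on
    src: str          # source address as written by the sender
    dst: str
    proto: str
    dport: int


# Constructed: the provider's own address space (documentation ranges).
PROVIDER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8:100::/48")]

# Constructed: what each customer port may legitimately source from.
# cust-b runs its own router and announces 198.51.100.0/25, so that
# prefix is added to its allow list; this is the per-interface view a
# strict uRPF check or a hand-written edge ACL enforces.
ALLOWED_BY_IF = {
    "cust-a": PROVIDER_PREFIXES,
    "cust-b": PROVIDER_PREFIXES + [ipaddress.ip_network("198.51.100.0/25")],
}


def is_spoofed(flow: Flow) -> bool:
    """True if the source is not permitted on the ingress interface.

    An interface with no allow list gets default-deny, so an unconfigured
    port cannot quietly become a spoofing source.
    """
    src = ipaddress.ip_address(flow.src)
    allowed = ALLOWED_BY_IF.get(flow.ingress_if, [])
    return not any(src in net for net in allowed)   # v4/v6 mismatch -> False


def filter_flows(flows):
    """Split flows into (forwarded, dropped) under the egress policy."""
    forwarded, dropped = [], []
    for f in flows:
        (dropped if is_spoofed(f) else forwarded).append(f)
    return forwarded, dropped


# Constructed sample: two legitimate flows and two UDP/123 packets whose
# source is forged as a third party's address, the shape of a reflection
# attempt that a filtering provider would drop before it leaves the network.
SAMPLE = [
    Flow("cust-a", "203.0.113.10", "192.0.2.80", "tcp", 443),
    Flow("cust-b", "198.51.100.7", "192.0.2.80", "tcp", 443),
    Flow("cust-a", "192.0.2.55", "198.51.100.200", "udp", 123),
    Flow("cust-b", "192.0.2.55", "203.0.113.200", "udp", 123),
]

if __name__ == "__main__":
    for f in filter_flows(SAMPLE)[1]:
        print(f"DROP {f.ingress_if} src={f.src} dst={f.dst} {f.proto}/{f.dport}")
```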

------
Kiro
I thought DDoS attacks were done through networks of hacked computers. Is that
not the case here?

------
codexon
The 400 Gbps attack on Cloudflare was supposedly launched by this group.

[https://twitter.com/DerpTrolling](https://twitter.com/DerpTrolling)

------
benologist
Imagine what it'll be when 100 - 1000 megabit connections are also the new
normal. Is it possible that DDoS attacks will end up unstoppable?

~~~
InclinedPlane
Most DDoS attacks send the majority of their traffic from unsuspecting and
unwilling hosts. Hopefully, as these patterns become more and more well known
the weaknesses that allow that to happen will be increasingly less common.

~~~
wlesieutre
Don't they do that because the servers tend to have a higher bandwidth
connection, and NTP amplification attacks let you make use of that even if
your own is slower?

------
apunic
Link bait for CDN services

