

Saturday Night Fever: Layer 7 attacks against CloudFlare sites - jgrahamc
http://blog.cloudflare.com/saturday-night-fever-layer-7-attacks-against

======
stephengillie
_The trend across the year shows some intriguing, and dramatic, dips in layer
7 DoS activity. The dips in the chart are around the following dates: January
30, February 21 (Mardi Gras), March 20 (attackers recovering from St.
Patrick's Day?), April 22 (did attackers take Earth Day off, or did people
switch off their home machines making botnets smaller for a day?), May 29
(Memorial Day weekend), June 28 (just before July 4)._

We should tell people to turn their PCs off when they're not using them - not
to save power, but to reduce the total number of bots in the botspace
available to attackers.

But then what to do about iZombies and botdroids?

~~~
jgrahamc
I don't, unfortunately, have statistics on the type of devices involved in
these attacks because we currently don't keep them. I'll ask if we can start
keeping track.

------
sdoering
Interestingly, visiting cloudflare from Germany gets me redirected to
de.cloudflare.com, which, being down (according to the site itself) seems
quite funny to me.

Wanted to take a look around, encountered site down and tested with Chrome
(Adblock Plus and Ghostery activated) and Firefox 15 (clean).

Hope nothing serious. I really love reading these accounts, as they show what
can be done to protect sites from malicious requests.

~~~
jgrahamc
Yes, sorry about that. Kernel panic occurred on the www server and it's being
brought back up now.

~~~
peterwwillis
Yikes. Panics are never good; usually indicators of buggy hw, buggy drivers or
overheating. Hope you have a cold spare handy :o

~~~
larrys
I've had these only a few times over the years mainly back in the day for some
of the reasons you mentioned. At this point I can't even remember the last
time I encountered one.

For reference, for anyone interested (based on your comment), I just pulled
this up relative to Mac OSX:

<http://thexlab.com/faqs/kernelpanics.html>

------
derleth
So, layer 4 in terms of the model people actually implement?

<http://tools.ietf.org/html/rfc1122>

Or does Cloudflare run X.400 email servers or something? Maybe a nice X.500
directory server?

~~~
shaggy
Very few protocols fully or properly implement the entire 7 layer OSI stack.
Most times you see layers 3-5 lumped together. The way that they are looking
at it is that the application (a browser, something else?) is being used to
generate HTTP requests. So while it's technically accurate to say that because a
browser or other application is acting as an HTTP client, the attack itself is
not at layer 7 because they are receiving the attacks on layers 3 and 4 on
their side.

Where the article says "But layer 7 attacks, where the attacker actually
connects to our hardware using TCP and makes apparently valid HTTP requests
are another matter"

Those would be layers 3 and 4.

Mis-communication and outright wrong communication about layer 7 in networking
has been rampant for years.

~~~
aidenn0
Someone stole my copy of Comer, so I'll have to go from memory, but HTTP would
best correspond to layers 5-7 IIRC.

On the other hand it's stupid to use OSI layers when talking about the
internet since the internet has its own, well defined, terminology for layers.
In that case HTTP is clearly at the Application layer.

