
400Gbps: Winter of Whopping Weekend DDoS Attacks - riqbal
https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
======
cft
Too bad this was written as a Cloudflare advert, instead of emphasizing the
changes that ISPs need to make (ingress source address verification) to make
these attacks much harder.

[https://www.ietf.org/rfc/rfc2827.txt](https://www.ietf.org/rfc/rfc2827.txt)

~~~
jgrahamc
We've written about BCP 38 repeatedly:

[https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/](https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/)

[https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/](https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/)

[https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/](https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/)

~~~
sargun
uRPF is a pain to people who want to do any kind of creative TE with their
network. For residential networks, I somewhat understand the value, but it
makes dual homing unreasonable for anyone who doesn't have an ASN + BGP
sessions.

I'd argue rather than this, we need to be able to take Flowspec (RFC5575), and
make it more reasonable for transit.
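
Added example, not from the post or from any commenter, showing the difference between the RFC 2827 ingress filter cft links to (accept only the prefixes assigned to the customer port) and the two uRPF modes sargun objects to. The router, its FIB, the interface names and the packets are all constructed; the dual-homed customer has announced a more-specific /25 to its other upstream for traffic engineering, which is exactly the case where strict uRPF drops legitimate traffic.

```python
"""BCP 38 (RFC 2827) ingress filtering versus strict and loose uRPF.

Added example, not from the post or from Cloudflare: a toy router with a
static FIB. Interface names, prefixes and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str          # next-hop interface for this prefix


@dataclass(frozen=True)
class Packet:
    src: str
    in_iface: str       # interface the packet arrived on


class Fib:
    """Longest-prefix-match table. The default route is ignored for uRPF
    unless allow_default is set; otherwise loose mode would accept every
    address on the Internet as 'routable'."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str, allow_default: bool = False) -> Optional[Route]:
        ip = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if r.prefix.prefixlen == 0 and not allow_default:
                continue
            if ip in r.prefix:
                return r
        return None


def bcp38_ok(pkt: Packet, assigned: Dict[str, List[IPv4Network]]) -> bool:
    """RFC 2827 ingress filter on a customer port: accept only source
    addresses from the prefixes assigned to that customer."""
    ip = ipaddress.IPv4Address(pkt.src)
    return any(ip in p for p in assigned.get(pkt.in_iface, []))


def urpf_strict_ok(fib: Fib, pkt: Packet) -> bool:
    """Strict uRPF: the best route back to the source must leave via the
    interface the packet came in on. Breaks on asymmetric routing."""
    r = fib.lookup(pkt.src)
    return r is not None and r.iface == pkt.in_iface


def urpf_loose_ok(fib: Fib, pkt: Packet) -> bool:
    """Loose uRPF: the source only has to be routable somewhere. Stops
    random/bogon spoofing but not spoofing of a real, routed prefix."""
    return fib.lookup(pkt.src) is not None


# Constructed topology: cust1 is single-homed; cust2 is dual-homed and has
# announced 198.51.100.128/25 to its other upstream, so our best route for
# that half of its /24 points at transit rather than at the customer port.
FIB = Fib([
    Route(IPv4Network("192.0.2.0/24"), "cust1"),
    Route(IPv4Network("198.51.100.0/24"), "cust2"),
    Route(IPv4Network("198.51.100.128/25"), "transit"),
    Route(IPv4Network("0.0.0.0/0"), "transit"),
])
ASSIGNED = {
    "cust1": [IPv4Network("192.0.2.0/24")],
    "cust2": [IPv4Network("198.51.100.0/24")],
}
SAMPLE_PACKETS = {
    "single_homed_legit":    Packet("192.0.2.10", "cust1"),
    "random_spoof":          Packet("203.0.113.5", "cust1"),
    "dual_homed_asymmetric": Packet("198.51.100.130", "cust2"),
    "spoof_neighbor_prefix": Packet("192.0.2.10", "cust2"),
}


def check(pkt: Packet) -> Tuple[bool, bool, bool]:
    """Return (bcp38, strict uRPF, loose uRPF) verdicts; True means accepted."""
    return (bcp38_ok(pkt, ASSIGNED), urpf_strict_ok(FIB, pkt), urpf_loose_ok(FIB, pkt))


def run_samples() -> Dict[str, Tuple[bool, bool, bool]]:
    return {name: check(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(f"{'packet':24} {'bcp38':>6} {'strict':>6} {'loose':>6}")
    for name, (b, s, l) in run_samples().items():
        print(f"{name:24} {b!s:>6} {s!s:>6} {l!s:>6}")
```

The `dual_homed_asymmetric` row is the complaint above: strict uRPF rejects a legitimate packet because the best route back to 198.51.100.130 is via transit, while a plain BCP 38 ACL keyed on the prefixes assigned to the port still passes it. The `spoof_neighbor_prefix` row shows the limit of loose mode: a customer forging another customer's real, routed prefix gets through, so loose uRPF only removes random and bogon spoofing.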

------
eXpl0it3r
Maybe a little less "we are the best", "our hardware can handle nearly
everything", "we can take it", etc. next time...

~~~
eloff
Now a company is not allowed to be proud of their service? Cloudflare does a
good job, and they're proud of their accomplishments, and they have a right to
be. There's nothing wrong with that! I imagine you're also proud of your
accomplishments.

~~~
eXpl0it3r
You can be proud, but you can also overdo it. A man's praise in his own mouth
stinks.

------
jacquesm
Has there been any recent jump in the size or grade of bots available to
botnet operators or is there some other technological reason underlying this
change in magnitude?

~~~
ChuckMcM
I think it's a good question to ask if the _way_ in which attacks are generated
these days has enabled greater size. Cloudflare points out that they may have
already been this big, they just couldn't measure them before.

What I find most interesting is that this problem is providing a lot of
pressure on ISPs to co-operate more. There are a lot of competing agendas,
which we've seen with the very outsized fights of Netflix against tier 1 and
tier 2 transit providers, but those transit providers are being hurt by these
people. By cooperating at some level it may be possible to mitigate the attack
surface available to DDoS agents.

------
ChuckMcM
I always appreciate Cloudflare's write ups. That said, once folks are
attacking it, and since you can measure things without black holing traffic,
is it possible to identify machines participating? Specifically, to work with
ISPs and network service vendors such that such attacks would serve to
highlight compromised machines, and then, working with the ISPs of those
compromised machines, create an automated channel back to the operator?

~~~
kkirsche
It depends heavily on the type of attack. In many cases it is not like a SYN
flood, which commonly uses random spoofed (i.e. fake) source IP addresses.

------
plainOldText
With more and more network attacks and an increase in security breaches, I
think we need to rethink some parts of the Internet for better security and
reliability.

There's an interesting project going on - SAFENetwork[1] - similar to ipfs,
which has the potential to render DDoS attacks obsolete for some use cases, if
it gets adoption of course.

[1] [https://safenetwork.org](https://safenetwork.org)

------
coldcode
Given the size of the attacks, shouldn't it be possible to identify who is
behind these (or at least where it is coming from)? Or are they all
distributed attacks from random hacked PCs? I find it hard to believe there
are still enough vulnerable PCs: the count of those should be going down, not
up. I guess if the source is nations the actual source might be difficult to
pinpoint.

~~~
cft
These volumetric attacks are likely UDP amplification attacks from hacked
servers, not PCs.

~~~
pilsetnieks
They don't even have to be hacked, just expose vulnerable services.

~~~
bcook
I think OP is referring to the origin, not the mirror.
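
Added example, not from the post or from any commenter, tying together ChuckMcM's question about identifying participating machines, kkirsche's point that it depends on whether the sources are spoofed, and the reflector-versus-origin distinction in the exchange just above. It runs a triage over constructed flow records in the style of a NetFlow/sFlow export (victim, reflector and attacker addresses are all from documentation ranges): SYN-flood sources that never repeat are treated as probably spoofed and therefore not worth reporting to anyone, while UDP answers from well-known reflector ports identify real hosts exposing an abusable service, whose operators can be notified even though the host that sent the spoofed requests stays invisible.

```python
"""Triage of sampled flow records during a volumetric attack: which sources
can be attributed, and to whom.

Added example, not from the post or from Cloudflare. The flow records below
are constructed in the style of a NetFlow/sFlow export; addresses are from
documentation ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP services routinely abused as reflectors: the server answers from this
# source port to whatever address the spoofed request named as its source.
REFLECTOR_PORTS = {123: "ntp", 53: "dns", 19: "chargen", 1900: "ssdp", 161: "snmp"}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, "" for UDP
    packets: int
    bytes: int


VICTIM = "203.0.113.10"   # constructed target address

SAMPLE_FLOWS: List[Flow] = [
    # SYN flood: one SYN per source and no source ever repeats, which is what
    # random source spoofing looks like in sampled flows.
    Flow("tcp", "198.51.100.1", 1025, VICTIM, 80, "S", 1, 60),
    Flow("tcp", "198.51.100.2", 1026, VICTIM, 80, "S", 1, 60),
    Flow("tcp", "198.51.100.3", 1027, VICTIM, 80, "S", 1, 60),
    Flow("tcp", "198.51.100.4", 1028, VICTIM, 80, "S", 1, 60),
    Flow("tcp", "198.51.100.5", 1029, VICTIM, 80, "S", 1, 60),
    Flow("tcp", "198.51.100.6", 1030, VICTIM, 80, "S", 1, 60),
    # Reflection: answers from real NTP/DNS servers whose requests carried the
    # victim's address as source. The reflector is attributable; the host that
    # sent the spoofed requests does not appear in the victim's flows at all.
    Flow("udp", "192.0.2.1", 123, VICTIM, 41000, "", 200, 96400),
    Flow("udp", "192.0.2.1", 123, VICTIM, 41001, "", 150, 72300),
    Flow("udp", "192.0.2.2", 123, VICTIM, 41000, "", 300, 144600),
    Flow("udp", "192.0.2.3", 53, VICTIM, 41000, "", 100, 400000),
    # Ordinary client traffic mixed in; must not be counted as attack.
    Flow("tcp", "198.51.100.200", 51234, VICTIM, 80, "PA", 5, 900),
]


def triage(flows: List[Flow], victim: str) -> Dict[str, object]:
    syn_hits: Counter = Counter()
    reflectors: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    ignored = 0
    for f in flows:
        if f.dst != victim:
            ignored += 1
        elif f.proto == "tcp" and f.flags == "S":
            syn_hits[f.src] += f.packets
        elif f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            reflectors[REFLECTOR_PORTS[f.sport]][f.src] += f.bytes
        else:
            ignored += 1

    distinct = len(syn_hits)
    single = sum(1 for n in syn_hits.values() if n == 1)
    # Heuristic: a flood where nearly every source is seen exactly once is
    # consistent with random spoofing; an unspoofed botnet tends to repeat
    # sources. It is a hint for the analyst, not proof either way.
    likely_spoofed = distinct > 0 and single / distinct >= 0.9

    top = sorted(
        ((ip, svc, b) for svc, by_ip in reflectors.items() for ip, b in by_ip.items()),
        key=lambda t: t[2], reverse=True,
    )
    return {
        "syn_flood": {
            "distinct_sources": distinct,
            "likely_spoofed": likely_spoofed,
            # Spoofed sources are useless for notifying ISPs.
            "attributable": not likely_spoofed,
        },
        "reflection": {
            # Reflector operators can be told to patch or close the service;
            # the attack origin stays hidden behind the spoofed requests.
            "top_reflectors": top,
            "services": sorted(reflectors),
        },
        "ignored_flows": ignored,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS, VICTIM)
    print("SYN flood:", result["syn_flood"])
    for ip, svc, nbytes in result["reflection"]["top_reflectors"]:
        print(f"reflector {ip:12} {svc:5} {nbytes:>8} bytes -> notify operator")
```

The reflector list is the part that answers the "automated channel back to the operator" idea: those hosts are not compromised, they merely expose an open NTP or DNS service, and they are the only addresses in the victim's traffic that are real. The SYN-flood sources carry no attribution value once the single-hit ratio says they are spoofed, and a botnet that does not spoof would show up as repeated sources and fail that heuristic, so the threshold should be tuned against your own sampling rate before acting on it.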

------
mmmBacon
In the lab it's difficult to generate 400Gb/s traffic.

From my perspective it seems like this attack is pretty sophisticated and has
access to some pretty fat pipes. It's hard to imagine that this scale of
attack could come from some infected PCs.

Can an expert weigh in here on the difficulty of generating this much traffic
in an attack?

------
r1ch
I'm curious what happens if a free website is on the receiving end of a L3
attack, since only business plans and higher are advertised as having
"Advanced DDoS support". Does CF dynamically adjust DNS and send the malicious
traffic to your origin once it hits a certain threshold?

~~~
jgrahamc
Matthew answered that below, but at this point our L3/L4 attack handling is
mostly automatic and we would protect the FREE web site. We can dynamically
adjust DNS to do all sorts of things when we feel like it.

------
nxzero
Funny, stories like this to me always read as someone hacking themselves for
job security; clearly not the case. Curious who the target was, Cloudflare or
their clients.

~~~
eastdakota
Targets are typically clients. Sometimes we can reasonably speculate as to
motive, other times we're perplexed. One example: we saw a huge uptick in
attacks targeting adoption agencies. Couldn't figure it out until we learned
that adoption of Russian children by US/EU parents was a major hot button
political issue in Russia. In other words, there's always a motive, it's just
not always clear to us what it is.

~~~
nxzero
Yeah, it's obvious to me that adoption sites like that are targets, but I can
see how it'd be a bit puzzling off the cuff, or something of the sort. Not
sure, in fact, what would for sure be a target that clearly lacks anything of
note.

~~~
eastdakota
Usually forums of one sort or another. Obviously they're being attacked for
something that's being posted there, but usually we have no idea exactly what
or why.

------
the_arun
I wish we could see an article like this for AWS.

~~~
caleblloyd
I don't think AWS mitigates DDoS. If an app is under DDoS at AWS and was using
an Elastic Load Balancer, the app would have to pay for the inbound bandwidth
through the ELB and would have to pay for scale-up to respond to the increased
traffic load.

It'd be much more cost effective to pay CloudFlare a fixed monthly fee and
stop the DDoS attack before it even gets to your AWS resources.

~~~
virtuallynathan
Last time I looked at the AWS jobs site, they were hiring for a DDoS
mitigation team.

~~~
pyvpx
Having a slight understanding but no direct knowledge of their network
infrastructure, that's probably for financial, not technical, reasons (they can
handle the largest volumetric attacks and then some).

------
joelthelion
Who's behind these?

------
pmlnr
Déjà vu.

"the largest distributed denial of service (DDoS) attacks ever seen" ...
returns again part 2

------
codecamper
Hmm, looks like if you want to benefit from this level 3 DDoS protection,
you'll need to hand $200 / month over to Cloudflare.

Sounds fishy to me.

~~~
pilif
$200/month feels cheap to me considering how much effort and money it would
take to get this defense if you are on your own.

Just talking about the bandwidth cost, if it was even possible for me to get
the 400gbit/s bandwidth required to weather such an attack, it would cost me
way more than $200 per day with my current ISP. And that doesn't yet include
my own time and stress.

If the stuff we're running was valuable enough to DoS, I would totally
consider the $200/month extra.

------
ryao
If internet connection speeds continue to improve, it is fairly obvious DDoS
traffic will increase. Claiming that it is bigger than ever when Internet
connection speeds are higher than ever is like claiming that gravity from the
Sun is stronger when you are closer to the Sun.

~~~
taf2
Pretty sure they are saying that because they can handle more traffic they can
measure the attack now instead of blackholing...

