
The Daily DDoS: Ten Days of Massive Attacks - jgrahamc
https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
======
blakesterz
"The attacks are also highly concentrated in a small number of locations
mostly on the US west coast."

Does that mean the attacks are _against_ a small number of locations on the
west coast or _originate_ from those locations? I suppose if they are
originating from a small number of locations (is a location a single IP?) then
it's easier to defend? It's hard for me to wrap my head around attacks of this
scale.

~~~
jgrahamc
Arrive at our PoPs on the US west coast and elsewhere.

------
EvanAnderson
"...very large L3/L4 floods aimed at the TCP protocol."

If these attacks aren't simple floods of bogus TCP segments (SYN floods, etc)
and they're actually completing the TCP handshake then tracing their source
should be trivial (since, by definition, they couldn't use forged source
addresses).

I'm assuming that they are just floods of bogus TCP segments w/ forged source
addresses, which seems like a simple-enough "upgrade" that could have been
deployed to existing botnets.

~~~
throwwatgku
Anyone not using SYN cookies is foolish these days. With the modified
handshake a regular machine can handle 1Gbps+ of these packets.

~~~
majke
Right. Assuming it was SYN floods and spoofed IP addresses, do you imply that
Cloudflare should send back 400Gbps of SYN+ACK SYN-cookie packets to the wide
internet?
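
The handshake the three comments above are arguing about, as an added example
(not code from the article, from Cloudflare, or from any commenter): a
stateless SYN-cookie listener modelled on the classic Linux layout. The server
secret, the four-entry MSS table and the 64-second counter tick are assumptions
for this example, as is all of the traffic in `demo()`, which is constructed.
It shows the memory side of throwwatgku's point (ten thousand spoofed SYNs
leave no half-open state, and an ACK from someone who never saw the SYN+ACK
fails validation) and the bandwidth side of majke's (every SYN, spoofed or
not, still provokes one SYN+ACK, so cookies save memory, not egress).

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the article): one server secret, a
# four-entry MSS table and a 64 s counter tick, laid out like the classic
# Linux cookie: 8-bit counter in the top byte, 24-bit keyed hash + MSS index below.
SERVER_SECRET = b"constructed-secret-rotate-in-production"
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64
MASK32, MASK24 = 0xFFFFFFFF, 0xFFFFFF


def _keyed_hash(saddr, daddr, sport, dport, count, domain):
    """32-bit keyed hash of the 4-tuple and counter; `domain` separates H1 from H2."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, count, domain)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:4], "big")


def _count_at(now):
    return int(now) // COUNTER_PERIOD


def mss_index(client_mss):
    """Index of the largest table entry not above the client's MSS (0 if none fit)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Server ISN for the SYN+ACK; the server stores nothing about this SYN."""
    count = _count_at(now)
    h1 = _keyed_hash(saddr, daddr, sport, dport, 0, 1)
    h2 = _keyed_hash(saddr, daddr, sport, dport, count, 2)
    low = (h2 + mss_index(client_mss)) & MASK24
    return (client_isn + h1 + ((count & 0xFF) << 24) + low) & MASK32


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the ISN echoed in the handshake's final ACK.

    Returns the MSS the client advertised, or None if the cookie is forged,
    belongs to another 4-tuple, or is older than two counter ticks.
    """
    current = _count_at(now)
    h1 = _keyed_hash(saddr, daddr, sport, dport, 0, 1)
    c = (cookie - client_isn - h1) & MASK32
    diff = (current - (c >> 24)) & 0xFF
    if diff > 1:
        return None
    h2 = _keyed_hash(saddr, daddr, sport, dport, current - diff, 2)
    idx = (c - h2) & MASK24
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class CookieServer:
    """Listener that answers every SYN but only remembers completed handshakes."""

    def __init__(self, addr):
        self.addr = addr
        self.established = []       # (saddr, sport, mss) after a valid ACK
        self.synacks_sent = 0       # the bandwidth cost SYN cookies do not remove

    def on_syn(self, saddr, sport, dport, client_isn, client_mss, now):
        self.synacks_sent += 1      # one SYN+ACK per SYN, spoofed or not
        return make_cookie(saddr, self.addr, sport, dport, client_isn, client_mss, now)

    def on_ack(self, saddr, sport, dport, seq, ack, now):
        """seq == client_isn + 1 and ack == server_isn + 1 on the final ACK."""
        mss = check_cookie(saddr, self.addr, sport, dport, seq - 1, ack - 1, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


def demo():
    """Constructed traffic: one real client, a spoofed flood, a forged ACK, a stale replay."""
    srv = CookieServer(bytes([198, 51, 100, 10]))
    client = bytes([203, 0, 113, 5])
    now = 1_700_000_000

    isn = srv.on_syn(client, 40000, 443, 123456, 1460, now)          # real client
    legit = srv.on_ack(client, 40000, 443, 123456 + 1, isn + 1, now + 2)

    for i in range(10_000):                                            # spoofed SYN flood
        srv.on_syn(struct.pack("!I", 0x0A000000 + i), 1024 + i % 60000, 443, i, 1460, now)

    forged = srv.on_ack(client, 40001, 443, 1, 0xDEADBEEF, now)       # never saw a SYN+ACK
    stale = srv.on_ack(client, 40000, 443, 123456 + 1, isn + 1, now + 3 * COUNTER_PERIOD)

    return {"legit": legit, "forged": forged, "stale": stale,
            "connections": len(srv.established), "synacks_sent": srv.synacks_sent,
            "mss": srv.established[0][2] if srv.established else None}
```

Running `demo()` gives one established connection, 10,001 SYN+ACKs sent, and
both the forged and the stale ACK rejected. The counter in the top byte is why
a cookie replayed minutes later fails, and the keyed hash over the 4-tuple is
why a cookie cannot be lifted from one connection and used on another; what
the scheme cannot do is avoid sending the SYN+ACK in the first place, which is
the reflection majke is pointing at.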

------
thinkMOAR
I'm getting quite fed up with CloudFlare using HN as a marketing tool.

Their mafia-style feature upsells (oh, you want the features that matter?
start paying 8k a month), lack of responsibility for what flows through their
infrastructure, 'we do not host anything so we are not responsible'
attitude...

If I use that mentality or reasoning when stolen or other illegal goods flow
through my house or shed, the police will not accept that as an excuse....
facilitating criminals.

~~~
laumars
_> Their mafia-style feature upsells (oh, you want the features that matter?
start paying 8k a month)_

They offer far more in their free plan than any other CDN of their ilk which
I've used (good luck getting Akamai for free!!). However, if you know a service
like CloudFlare that's as good as CloudFlare is and as cheap as you
suggest they should be, then I'm sure many on here would love to hear your
recommendations ;)

 _> lack of responsibility for what flows through their infrastructure, 'we do
not host anything so we are not responsible' attitude..._

That's exactly how the vast majority of the tech industry works though. No
service provider wants to be held accountable for the illegal activities of a
small minority of their users. It's like blaming the telephone companies
because a terrorist happened to lease a line from them. Or blaming Google for
automatically crawling a site which hosts warez. What you're asking for is in-
house moderation at scale, and that's unsustainable.

 _> If I use that mentality or reasoning when stolen or other illegal goods
flow through my house or shed, the police will not accept that as an
excuse.... facilitating criminals._

I appreciate no analogy is perfect, but yours is further off than most. People
shouldn't get access to your property without your consent, so it's hard to
argue that you weren't aware of the illegal activities happening in your
house. However, if you gave your house keys to friends who then went behind
your back to distribute said content without your knowledge, knowing that
you would disallow it if you were aware, then you wouldn't be facilitating the
criminals. CloudFlare offers an automated service at scale. Occasionally that
gets abused, but it's not something they condone. Blaming CloudFlare for that
is like blaming kitchen knife manufacturers because some thugs used their
blades to stab someone.

~~~
faded242
I don't think you've tried to report abuse to CloudFlare before, have you?
Your analogy is actually further off. CloudFlare _IS_ aware of the abuse and
illegal activity. They _DO_ condone it through their inaction. They claim
since they aren't the actual source of the content, they don't have to do
anything about it, effectively letting the criminals and scammers continue
their abuse behind their shield. They have all the capability in the world to
respond to valid abuse complaints, and actually stop the abuse, but they
actively choose to allow it.

~~~
maxander
If they start accepting takedown requests as a general policy, though, they
become an attack vector themselves. Their customers would start getting calls
saying "give us $LARGE_SUM in untraceable bills or there'll suddenly be
thousands of plausibly-authentic complaints that your $VALID_BUSINESS is
actually a malicious site"; no one wants that. They've decided to not make
themselves the internet police for a reason.

------
SomeStupidPoint
Could this be people trialing cyberweapons/defenses? (Not necessarily a state
actor, though not excluding that possibility either.)

"If using x% of our resources CF is degraded/loaded y%, then there is z%
chance they'll be disabled by _W_ cyberattack."

I've never been sure how scientific red teams are, particularly blackhat ones.

------
gondo
Isn't this because the attack is originating from office work computers?
People come to the office in the morning, turn on the PC = attack starts. At
the end of the day they simply switch off their computer = attack stops.

~~~
jerf
If this was the result of many thousands of such machines, you'd see a much
more gradual ramp up and shut down because they wouldn't be in such good sync
with each other, plus the ceiling wouldn't necessarily be so sharp either.
This is especially true once you consider timezones, and the fact that botnets
are not generally confined to a single timezone. While this may be a lot of
machines, the relative sharpness of the bandwidth graphs suggests a single
control source turning things on and off, even though the attack itself may be
using an arbitrary number of machines.

(Note the fact that it isn't perfectly sharp doesn't mean it isn't a single
source... it takes time to command and control thousands of machines over the
internet.)
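
The two hypotheses in this exchange (gondo's office desktops versus jerf's
single control source), put into numbers as an added example that is not from
the article, from Cloudflare, or from either commenter. It models only when
each host starts sending, not how much it sends: because every host
contributes the same rate once it is on, the 10% to 90% ramp of the aggregate
is simply the gap between the 10th and 90th percentiles of the start times.
The four US UTC offsets, the 30-minute arrival jitter, the 30-second bot
polling interval and the seeded host population are all assumptions chosen for
the illustration.

```python
import random


def ramp_seconds(start_times, lo=0.10, hi=0.90):
    """Time for aggregate traffic to climb from lo to hi of its eventual peak.

    Each host adds the same rate once it starts, so the aggregate at time t is
    proportional to the number of hosts already started; the lo..hi ramp is
    therefore the spread between those percentiles of the start times.
    """
    s = sorted(start_times)
    n = len(s)
    return s[int(hi * (n - 1))] - s[int(lo * (n - 1))]


def office_start_times(n, rng, tz_offsets_h=(-8, -7, -6, -5), jitter_sd_s=1800):
    """gondo's hypothesis (constructed model): infected desktops powered on ~09:00 local.

    Hosts are spread evenly over the given UTC offsets and each person arrives
    with normally distributed jitter around 09:00, so the fleet's start times
    are smeared over several hours.
    """
    starts = []
    for _ in range(n):
        tz = rng.choice(tz_offsets_h)
        local_0900_in_utc = (9 - tz) * 3600       # 09:00 local as seconds past 00:00 UTC
        starts.append(local_0900_in_utc + rng.gauss(0, jitter_sd_s))
    return starts


def c2_start_times(n, rng, cmd_at_s=0.0, poll_interval_s=30.0, mean_rtt_s=0.2):
    """jerf's hypothesis (constructed model): one controller issues 'start' at cmd_at_s.

    Each bot notices on its next poll (uniform within one polling interval)
    plus a small network delay, so the fleet starts within roughly one polling
    interval no matter how many bots there are; that delay is the 'not
    perfectly sharp' edge jerf mentions.
    """
    return [cmd_at_s + rng.uniform(0, poll_interval_s) + rng.expovariate(1 / mean_rtt_s)
            for _ in range(n)]


def compare(n_hosts=10_000, seed=7):
    """Ramp width of the aggregate under each hypothesis for the same host count."""
    rng = random.Random(seed)
    return {
        "office_ramp_s": ramp_seconds(office_start_times(n_hosts, rng)),
        "c2_ramp_s": ramp_seconds(c2_start_times(n_hosts, rng)),
    }
```

With these assumptions `compare()` puts the office-desktop ramp at a few hours
(the spread of time zones plus arrival jitter) and the single-controller ramp
at well under a minute, independent of how many bots are involved; the sharp
edges in the article's bandwidth graphs are the second shape. Adding more time
zones or more jitter only widens the first ramp, which is the direction of
jerf's argument.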

