
A DDoS in Asia Pacific - boutcher
https://telegram.org/blog/ddos
======
irvinfly
China is doing a mass arrestment*1 of 100+ human right lawyers last weekend,
in the same times as DDoS start and end, and there's a news from China's
official news agent indicate that Telegram is the main secret contacting tool
that human right lawyers used.

Some people think it's China who attack Telegram, to avoid the lawyers to
warning each other for the arrestment.

1)
[https://www.facebook.com/chrlcg/photos/a.1571958406350448.10...](https://www.facebook.com/chrlcg/photos/a.1571958406350448.1073741828.1571955643017391/1634700570076231/?type=1)

2)
[http://news.xinhuanet.com/politics/2015-07/11/c_128010249.ht...](http://news.xinhuanet.com/politics/2015-07/11/c_128010249.htm)

~~~
kijin
Interesting.

We know from this year's GitHub attack that (a) China is willing to DDoS
foreign internet services, and (b) China is able to enlist foreign traffic to
carry out the actual attack.

So it wouldn't be surprising if China DDoSed Telegram and made it look like
the attack came from South Korea.

------
kijin
According to the founder [1], Telegram was even removed from Play Store for a
few hours at the request of a South Korean competitor.

For whatever reason, somebody in South Korea is seriously pissed off with
Telegram.

[1]
[https://twitter.com/durov/status/619486763032182784](https://twitter.com/durov/status/619486763032182784)

~~~
zodiakzz
LINE is a Japanese company IIRC.

~~~
kijin
It is a subsidiary of Naver, the largest (and politically well-connected)
portal in Korea.

------
mahranch
I _knew_ it would be S.Korea. The company I used to work for, at the time I
left, was dealing with some particularly spiteful individuals from S.Korea who
have been DDoSing their gaming platform and their separate video host. This
was happening off and on for about 12 months. Interestingly enough, each
attack was committed by completely different individual and were unrelated. In
one attack where the guy was caught (I think they caught all but 2 of the
attackers), he claimed he ran the DDoS because he didn't like the fact that
there was a Japanese pop music video being hosted on the video site. This
wasn't a young kid either, the guy was 33 and had a full time job at some
advertising company.

~~~
dylz
This more or less reflects my stance on SK too. I ran a reasonably large
APAC/SEA esports-related site for a while, competing sites in SK often
attempted to attack it (and outright told me as such, to get out of korea).
It's strange and I really have no idea why.

~~~
cpncrunch
We had a 9Gbps attack from SK earlier in the year. I have no idea why we were
targeted, but my best guess is that a user in SK got upset at some user-
generated content and decided to DDoS the site rather than report it to us.
Weird.

Anyway, we decided to move to OVH, and haven't had any problem since. We did
get an email about an attack being mitigated a few months ago (which didn't
cause any outage at all), and since then the trolls have realised that we
can't be DDoSed any more :)

------
dbrannan
I got hit by two of these (1/27 to Feb 4th and 6/4 to 6/22), and they were
relentless. It was difficult to know where the attack originated because many
proxies were involved - most inside the USA). We only managed a 62% uptime
during the whole affair, many customers were upset, and it really hurt
business. We ended up refunding everyone for the month and sending out a huge
apology, for which many customers were understanding. Still, it hurt our
business dramatically.

------
linhat
This is most interesting...

    
    
      The garbage traffic came from about a hundred thousand
      infected servers, most noticeably, in LeaseWeb B.V.,
      Hetzner Online AG, PlusServer AG, NFOrce Entertainment
      BV, Amazon and Comcast networks. That said, the attack
      was distributed evenly across thousands of hosts and none
      contributed more than 5% of the total volume.
    

I used to host a lot with Hetzner, and while quite expensive, they mostly
responded to these kinds of things very quickly and with a certain level of
technical competence (which definitely cannot be said of every hoster). Also,
I'm quite surprised to not see OVH in there, as their network has a kind of
"reputation" for these things...

    
    
      Fighting back would‘ve been a little easier, if the abuse
      departments in most of the mentioned companies didn’t
      process requests 9-5, Mon-Fri only. (Hours more befitting
      a scuba-diving shop in Vatican.)
    

Business as usual I would say...although I don't scuba-dive...

Edit: formatting

~~~
latch
Did you mean to say that they are quite UNexpensive? (because they are)

------
asdfaoeu
200Gbps (if true) seems very high for a non reflection attack.

~~~
cft
This tsunami TCP SYN attack uses 1000 byte SYN packets apparently. A good
countermeasure for these would be rejection of all large SYN packets. Verisign
DDoS protection services claim that they can withstand 2Tbps attacks of most
types.

~~~
r1ch
Unfortunately this would break TCP Fast Open, which transmits data with the
initial SYN.

~~~
scurvy
I can tell you that almost no one uses TCP Fast Open. It's a draft RFC that
violates other RFCs. Google has given up on it in favor of QUIC. You should
give up on it, too. It's not going to happen. It's a bad idea cooked up by
ivory tower researchers who have never run a network.

------
ised
Question: Is this possible because they are using Linux servers? The Linux
kernel adopted TCP Fast Open?

[https://www.ietf.org/mail-
archive/web/tcpm/current/msg08204....](https://www.ietf.org/mail-
archive/web/tcpm/current/msg08204.html)

~~~
scurvy
TCP Fast Open is a terrible idea, and RFC 7413 should be marked as historic so
that no one actually tries to implement it. Google has given up on it in favor
of QUIC and so should everyone else. QUIC allows for "zero RTT" requests that
are also signed (preventing spoofing).

We started blocking these large requests over 3 years ago when we started
seeing them. Interestingly enough, that was a full 6-9 months before Radware
wrote an article and coined the term Tsunami SYN. We just called it "big SYN".
The attack is trivially easy to stop, and anyone running a client that tries a
TCP Fast Open should expect failure frequently.

------
cpncrunch
Simple solution: move to OVH. Although they don't have servers in SE Asia,
perhaps 100% uptime is more important than shaving 100ms off the ping time.
(As far as I can tell they don't have real-time audio or video anyway).

~~~
nly
What makes you think OVH could cope with a 200 Gbps DoS attack of this nature?
A quick look at their services indicates they don't mention what kind of
attacks they defend against, and SYN floods are some of the hardest to defend
against.

~~~
cpncrunch
They say they have facilities to clean 480Gbps of data, and 5Tbps of mostly
spare inbound bandwidth, so their DDoS mitigation capacity is somewhere in
that range ([http://www.ovh.com/ca/en/a1171.protection-anti-ddos-
service-...](http://www.ovh.com/ca/en/a1171.protection-anti-ddos-service-
standard)).

~~~
scurvy
Customer testimony on places like Webhosting Talk have cast all of those
numbers into serious doubt. OVH is more likely to nullroute your IPs than it
is to fight off a 300gig attack.

~~~
cpncrunch
Do you have a ref for that? I did quite a few searches and didn't find a
single person on webhostingtalk saying they had been null-routed by OVH in the
past year. Only one guy who worked for a competing hosting provider.

~~~
scurvy
Shut down this guy's account during an attack:

[http://www.webhostingtalk.com/showthread.php?t=1467534&highl...](http://www.webhostingtalk.com/showthread.php?t=1467534&highlight=ovh+null)

That said, I'm not a personal search engine. Here's a link to search results:

[http://www.webhostingtalk.com/search.php?searchid=1555010](http://www.webhostingtalk.com/search.php?searchid=1555010)

~~~
cpncrunch
He said OVH didn't give a reason for shutting him down, which seems unusual.
Perhaps he's breaking their ToS?

OVH themselves say they protect 24/7 against DDoS attacks, regardless of
duration or size.

