Hacker News new | comments | show | ask | jobs | submit login
The New Normal: 200-400 Gbps DDoS Attacks (krebsonsecurity.com)
93 points by Smerity on Feb 15, 2014 | hide | past | web | favorite | 48 comments

Interesting article. The black market looks far away from me. I always want to know how to get one of those "hacking service" but I can't tell who is genuine and who is not. People literally take risk to do business with these people. I guess I should just get a GreenDot one day and use that to pay a cracker, right?

I don't know how old the kid is, but sounds like someone between junior high and high school. I don't even know how to launch such massive DDoS attack yet. How many do I need to send such? This is interesting...

Side note: Krebs is an interesting person. I have come across his blog many times but I never bothered to find out his actual job. He's a journalist. no technical background. Self-taught. http://krebsonsecurity.com/about/

This is the best example of a civilian out there interested in protecting his data. He would go out his way to eliminate worm and hacker from touching his laptop... we need more civilian like this (not to blog or to go on a strike, but to be aware of the seriousness of the unsafe nature of the Internet).

Also, his article is really well-written. No doubt; he's a reporter after all.

he is a former journalist was with WashingtonPost

CloudFlare is absolutely right. As long as the attacks are not coming from CloudFlares network, it's not up to CloudFlare to play judge and jury concerning the legality of content.

What would be next? Service providers taking down a white hat site because it discloses vulnerabilities?

I'm quite frankly shocked that Krebs would make the argument to put security before freedom of speech and due process.

For something that threatens the very infrastructure CloudFlare operates their business on, I disagree.

Also, CloudFlare is not an essential service nor are they a monopoly. So if CloudFlare goes too far with something, it's not a problem for their customers to leave them.

Look at it this way. Without Cloudflare providing free DDOS mitigation, the attacks would not be happening as frequently.

Put that way, I see them as responsible for the attacks. Maybe you'd feel differently if you were the target of some of these attacks.

> Look at it this way. Without Cloudflare providing free DDOS mitigation, the attacks would not be happening as frequently.

I don't see the cost of CloudFlare's service as a problem. In fact, free DDoS mitigation is great. The problem is that they're willing to provide service to booters/DDoS-for-hire services.

Reputable providers prohibit this kind of activity in their AUPs, and there aren't that many companies with their own large networks capable of DDoS mitigation (many are just resellers). If CloudFlare stopped supporting such services, it would immediately put a large dent in the entire booter market because the kids would take care of shutting each other down, and individual booters would find it difficult to find a provider who can mitigate attacks and is willing to provide service to them. (In other words, let them fend for themselves. Screw them.)

> Maybe you'd feel differently if you were the target of some of these attacks.

I agree, and I think this is why a few of us (you and me, in particular) have different views compared to others.

(I have talked to you on WHT recently. Not under this name, but you might have an idea.)

Background on these kinds of attacks: http://blog.cloudflare.com/understanding-and-mitigating-ntp-... http://blog.cloudflare.com/technical-details-behind-a-400gbp... Or if you prefer audio/video: http://twit.tv/show/security-now/438 (also worth a listen for a few possibly off details on NSA spying kit)

Possibly the implication against CloudFlare is that a service which makes money off DDoS attack prevention (and many other things) shouldn't drum up business by encouraging such attacks. Though in CloudFlare's defense, the attacks wouldn't stop if the sites did. And I'm not sure what else CloudFlare could do to get people to fix NTP servers.

The attacks would be a lot smaller and infrequent if cloudflare did not host them.

The reason why the DDoS market exploded is because you can now sell your services behind cloudflare for very little cost instead of competitors ddosing each other. You can see all the services being sold at hackforums.net.

Without a publicly assessable store front, you will not get funding.

Without funding you will not be able to rent servers to power reflection attacks and to process requests from hosts that turn a blind eye like ecatel.

Can you elaborate on "Hosts that turn a blind eye"?

Hosts that negligently allow (do not implement technical measures to block) packets to be sent from an IP address not routed to the sender.

Ecatel is the big one here. I don't know what it will take for their upstreams to shut them down, but it needs to happen. Do that and many of these reflected attacks will stop.

You can send spoofed packets from nearly every host.

However hosts like Ecatel are known to specifically allow their customers to send spoofed packets at full speed 24/7.

I think most hosts will notice heavy bandwidth usage, investigate, and then terminate your account. This is why people buy servers at Ecatel even if it is more expensive.

Sure, you can _send_ spoofed packets from any host, but any reputable host will drop them.

Reputable hosts use uRPF or at least an ACL at their edge to drop any outbound traffic with a source address that isn't in their network.

People buy servers from Ecatel because they're one of the few that (intentionally) do not have such measures in place.

No, very few hosts drop them because it costs time and money to do BGP38.

I have tested 5+ major hosts spoofing packets to a remote destination and they all allowed spoofing except OVH.

Poor Rasbora, being an example of how you can be very smart and absolutely retarded at the same time.

I know retarded isn't the right word, but nothing else I can think of represents kicking your future self in the balls so hard they're permanently destroyed and you're crippled for life.

> In a phone interview today, Prince emphasized that he has seen no indication that actual malicious packets are being sent out of Cloudflare’s network from the dozens of booter service Web sites that are using the service. Rather, he said, those booter services are simply the marketing end of these operations.

This is how they justify hosting *booter.com. Personally, I don't see a big distinction. If you weren't hosting the frontend site, there would be no malicious packets going out from other people's networks. These booter sites attack each other all the time, so without DDOS protection they'd take of shutting each other down for us :)

I agree with you.

Having sent multiple abuse complaints to CloudFlare regarding booters, I have found them difficult to work with. As we've established, they will not censor anything; instead, if they determine your complaint to have some level of validity, they will send you to the actual host.

In one instance, the booter site had no information on registration or what was offered, so I gave them the hackforums thread where the service is being sold. I realize this is basically hearsay and not sufficient evidence to actually shut a site down, but remember that they won't shut a site down in any case. They did not consider this acceptable enough to release information about the host. They wanted me to register an account there and provide it to them for verification. Luckily, I could register without actually paying anything, providing me a nice UI with a big "launch attack" button, and this was sufficient for them.

More recently, they will not even release the site's IP address. All they will do is tell you to email the abuse department of [host] and ask the abuse department to contact them for details. This is ridiculous.

CloudFlare purports to be against DDoS attacks, yet has no problem providing service to admitted DDoS attack services. In other words, CloudFlare is a racketeering operation. They create the problem, indirectly, and offer services to solve it. (I realize they offer a free tier, but their advanced mitigation features are only available on paid tiers.)

Not sure how that works. Wouldn't it simply amp up the attacks? It also doesn't address the root causes: DDoS attacks happen because they can. People do these things for social reasons more than profit, when they're easy.

And here's what CloudFlare isn't telling you: many DDoS attacks are made possible thanks to their service, openly providing service (they would dispute my use of the word "hosting") to booters.

This is called racketeering. Create the problem indirectly and offer protection. Sound familiar?

I don't see that being a problem. People have been developing tools like firesheep which can be used to benefit and against people.

Some people like me may suspect some viruses and trojans are created by AV companies out there. In fact malicious, money-greedy one (which no one would use until they got a nice pop that reads "your computer is infected now use our solution") do this. I don't know about the big players out there, but who knows?

If CloudFlare can handle such bandwidth and can defend such attacks for enterprise users, wow, that's a big win for them. Whether they should offer stronger mitigation for any level of users is a different story.

Firesheep is a poor comparison. It's a piece of software. The developer (or his associates) do not provide a product or service to protect against it, which would be a requirement to be considered racketeering. (Even if they were offering some "service," say to set up SSL on your server, I'd have a hard time calling it a racket simply because what Firesheep accomplished, i.e. packet sniffing for cookies, has always been possible.)

I don't have a problem with CloudFlare offering multiple service levels. That's just smart business. They are one of the relatively few companies with their own network that can mitigate attacks. And that's where the problem lies - they are using that capability to prop up booters (DDoS attack services, if you weren't familiar with the term). As others have said, booters would be largely uneconomical to operate without the cheap assistance of CloudFlare, because the booter "market" is similar to drug gangs - it's a "war" with the booter owners all trying to take out their competition. (So this makes DDoS attacks less easily available, a good thing for the rest of the Internet.)

The problem is that CloudFlare is choosing to allow them to operate, while offering protection services at the same time. This is the very definition of a racket. It is no different from "wouldn't it be a shame if your shop burned down, you should pay us money."

Now, I'm not saying that _all_ DDoS would instantly go away if CloudFlare stopped this. It wouldn't. It would make a significant difference though, IMO. Services like this make it easy for anyone with little skill to launch attacks, and with amplification techniques (NTP, DNS, SNMP, chargen, etc.) the booter needs very little hardware and bandwidth to launch massive attacks.

From some of your comments, it seems like you are heavily involved with similar situation as former CloudFlare customer?

put it this way: if I am a security researcher and I want to publish a paper on DoDs, I can make use of CloudFlare to accomplish my objective. How do you distinguish good from the bad?

What do you propose they should do?

I'm not and have never been a CloudFlare customer. My experience with them stems from hosting game servers and dealing with many DDoS incidents, nearly all of which originated from CloudFlare-"supported" (I would like to use the term "hosting" but I realize they will dispute this, and I'm not interested in a debate on semantics) booters. As part of this, I also have experience dealing with CloudFlare, which I detailed in another comment here.

Publishing research papers about DDoS attacks is one thing. Selling a service that performs them (i.e. DDoS-for-hire) is completely different, IMO.

Anyone guilty of providing free services is evil!!! How dare people provide a paid service which could be used to against people using another free service to attack your site on another free service!!!!

Except CloudFlare only provides "basic DDoS mitigation" on their plans under $200/mo.

CloudFlare is great, but will it ever be possible for them to expand the services that they can protect? Obviously short connection http requests work great with their platform, but will it ever be possible for them to say offer their protections on any service that requires some form of connection between client and server? Like a global TCP load balancing and DDOS protection for connections that need to stay open? For say game servers that are constantly being attacked, etc?

Probably not. CloudFlare only makes sense for websites because they can cache content, resulting in a more responsive website and better user experience. Games can't be cached, so whatever protections they can offer will come at a downside of having to use CloudFlare servers instead of servers designed to host games.

Also, DDoS isn't a big deal for most games. (MMOs, yes, but not most games.) If a gameserver is DDoSed, then a few dozen or a few hundred people are going to be unhappy. Whereas if a website is DDoSed, then tens of thousands of people will be unhappy at a minimum. Since most games aren't really affected by DDoS, it doesn't make much business sense for CloudFlare to try to offer gameserver protection. The market probably isn't big enough to warrant diverting CloudFlare time and resources.

Few dozen or few hundred? This isn't the 90s, games are played by millions of people daily. More than tens of thousands of people are effected by someone taking down, say, LoL servers with a DDoS.

you're forgetting that a lot of games use the individual server model. for example battlefield 4 has 70 player max on any given server. meaning a DDOS will only cause problems for that many

In those cases, there is usually a non-player server that can be targeted.. Also, there is absolutely nothing stopping this kind of attack from hitting multiple servers; the only limit is the total bandwidth.

I don't see why not, but it would have to be baked into the client/server connect model. Basically they would have to act as a bouncer and only allow connections to the server after being authenticated before hand. If they detect a DDoS incoming then they just need to ask each legit client for a proof of work, this makes it so no amplification attack would work.

I am curious as to not only how did he find out the attackers identity but also got on the phone with his dad. I mean, this is straight out of detective novels.

This is easier than you think. Most of these kids have no clue what they're actually doing and link their personal identities with the name they use.

I run (as a hobby) some game servers and have handled several DDoS incidents. Out of all of them, I think there's only been one that I couldn't find real-life details for. When this occurs and the perpetrator is a minor, and I can find details for them, I give the parents a friendly call and let them know. Usually this can be easily resolved in a peaceful manner and without any mention, threats or use of legal action.

At a guess, some searching of the kid's handle will probably lead to a Facebook page or something else that links back to his real identity, and something else related led to the father.

You should see the work he did on finding the guys behind the Target breach. http://krebsonsecurity.com/2013/12/whos-selling-credit-cards...

"After searching my huge personal archive of hacked cybercrime forums for Andrew’s various email and Jabber addresses, I found several private messages sent by different users on the Spamdot[dot]biz forum who recommended to other members the “ikaikki@neko.im” Jabber address as someone to contact in order to hire a service that could be used to flood someone’s Gmail inbox with tens or hundreds of thousands of junk messages."

several private messages sent by different users on the Spamdot[dot]biz forum who recommended to other members...

So, an archive of illegally obtained private communication? (Or, is it just questionably obtained by having several false identities across boards? The term hacked forums seems to suggest otherwise)...

I guess that by doing illegal surveillance, one kind find out things that aren't obvious. How surprising.

The sites were hacked by other hackers, and uploaded as a dump to the public. Krebs just has copies of them, that's all.

I think that's still a bit questionable. I'm not allowed to have copies of child porn, even if the children were abused by someone else and they uploaded the photos to the public.

There's something I find rather surprising. It would appear that attacks using spoofed IP addresses need help from a rogue ISP, unless both the attacker and the victim use the same ISP. Presumably, an ISP can easily block packets that originate in its network but have a source address that's not part of its own IP range.

Why does it take so long until most rogue ISPs are detected and cut off the rest of the global internet?

> It would appear that attacks using spoofed IP addresses need help from a rogue ISP ...

Not a rogue ISP, just one that hasn't implemented BCP38 (which is most of them, unfortunately).

> an ISP can easily block packets that originate in its network but have a source address that's not part of its own IP range.

Is it really so easy? How does the ISP know that the package came from within its network?

I'm not an expert on this at all, but I think that unless an ISP's customer is allowed to run a public facing router it would be trivial for the ISP to determine that. There simply cannot be any legit packets with a source address from outside its address range arriving at inward facing network interfaces. Maybe I'm not getting something here...

Yes, it really is. I can tell where it came from based upon the interface I received it on. Google "BCP38".

I thought DDoS attacks were done through networks of hacked computers. Is that not the case here?

The 400 gbps attack on Cloudflare was supposedly launched by this group.


Imagine what it'll be when 100 - 1000 megabit connections are also the new normal. Is it possible that DDoS attacks will end up unstoppable?

Most DDoS attacks send the majority of their traffic from unsuspecting and unwilling hosts. Hopefully, as these patterns become more and more well known the weaknesses that allow that to happen will be increasingly less common.

Don't they do that because the servers tend to have a higher bandwidth connection, and NTP amplification attacks let you make use of that even if your own is slower?

Link bait for CDN services

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact