Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack(blog.cloudflare.com) |
Sadly it's only in German, but if you are on desktop, you can auto-translate the subtitles.
The absence of any real accountability, and admiration of hypocrisy, is what threatens us most heading into the future.
— Richard Stallman, 1986 https://www.gnu.org/gnu/byte-interview
[1] https://krebsonsecurity.com/2015/01/spreading-the-disease-an...
quote from said article for perspective:
The Web site crimeflare.com, which tracks abusive sites that hide behind CloudFlare, has cataloged more than 200 DDoS-for-hire sites using CloudFlare. For its part, CloudFlare’s owners have rather vehemently resisted the notion of blocking booter services from using the company’s services, saying that doing so would lead CloudFlare down a “slippery slope of censorship.”
As I observed in a previous story about booters, CloudFlare CEO Matthew Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.
And now we have people essentially conspiring that Cloudflare creates its own DDoS attacks just so it can prevent them, based on a glib oversimplification.
Does that imply that Cloudflare is intentionally boosting the problem? No. But let's be clear here: anything that makes DDoS attacks less of a problem means less money for Cloudflare. So whatever their intent, Cloudflare is helping to support the problem that they owe their existence to. It's very much a conflict of interest.
I'm sure that the fact that it's highly illegal and unethical are reason enough for Cloudflare to not sell DDoS capacity, but the perverse incentive is still there.
Cloudflare facilitates DDoS, yet Cloudflare "mitigates" for free. "How could this EVER be a business model?", you disingenuously ask.
Simple - if DDoS are common, then more and more people and companies become afraid of them. After a while, everyone wants DDoS mitigation. More and more people move to Cloudflare.
Whether paid or not, you now control more people. Duh.
At least that’s how it feels in the U.S.
Never seen it applied to DDoS kind of things.
Maybe premature for cloudflare to be declaring victory?
Are they doing it for money ?
It just seems silly with services like cloud flare
There is so much mitigation so it's pretty much ineffective
Did the attack last one minute because Cloudflare 'mitigated' it after that, or because the attackers stopped?
When testing they seldom run for a long time.
Cloudflare's mitigation would've dropped in on the metals and still been visible to Cloudflare's monitoring... so the attackers stopped after a minute.
To my knowledge, we never got any communication from the people behind the attack; it seemed like people just kicking the tires on DDoS as a service. Occasionally we'd get a longer interval, sometimes 60 minutes.
Eventually we migrated behind CF and the problem was solved, but I couldn't help but wonder if there are some applications for which even a few seconds of disruption (I assume that's the minimum time Cloudflare needs to begin effectively mitigating an attack of this scale) will be disastrous, and what could possibly be done in that case?
Volumetric UDP reflection isn't really too bad to process anyway, as long as you've got the bandwidth --- fancy tricks get you from the UDP stack dropping useless packets to dropping useless packets without the UDP stack, possibly at the edge without using up nearly as much internal bandwidth.
Where it gets pretty hard to manage would be application level bursts, IMHO.
For this attack and many like it, yes, the bots hide their IP.
Per the article, this attack was a combination of DNS amplification and UDP flood. UDP packets don't use a connection like TCP (where the recipient verifies it can talk back to the sender); instead, the packet just declares where it came from, and the recipient fires-and-forgets a response to that IP, blindly assuming that IP is actually the sender.
So for the UDP flood portion, the victim receives a packet with a fraudulent source IP and no way to tell where it really came from.
For the DNS amplification part (also done over UDP), the attacker finds an open DNS resolver online, sends it a request to resolve a record, and fakes the UDP source IP, telling the DNS server to send the response to the attack victim. Not only does this mean the DDoS packets aren't coming directly from the attacker, but DNS responses can easily be much larger than DNS requests, so an attacker multiplies how many gigabits of traffic they hit the victim with, versus just sending UDP packets directly to the victim.
Here's Cloudflare's primer on DNS amplification attacks: https://www.cloudflare.com/en-gb/learning/ddos/dns-amplifica... and UDP floods: https://www.cloudflare.com/en-gb/learning/ddos/udp-flood-ddo...
As far as solutions go, the answers are broadly 1) get everyone in the world to stop putting up UDP services that send large responses to unverified requests (this attack used DNS, but this happens with other protocols too), and 2) convince ISPs everywhere to deny outbound UDP packets which claim a source IP from outside that ISP's network. Since this is one of those "you have to be perfect, but the attacker only has to find one weakness" scenarios, these sorts of attacks will keep happening until it becomes impractical to find enough abusable networks/services to mount high-volume attacks.
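To make the amplification point in the comment above concrete, here is an added example (not code from the thread or from Cloudflare) that hand-encodes a small DNS query and a large answer and compares their sizes. The query carries an EDNS0 OPT record advertising a large UDP buffer, which is what lets a resolver return a multi-kilobyte answer over UDP instead of the classic 512-byte limit. The zone name, record contents and record count are constructed for illustration; nothing is sent on the network.

```python
"""Added example, not from the original thread: where the multiplier in a
DNS amplification attack comes from. The query is what the attacker sends
(with the victim's address as the spoofed UDP source); the response is what
the open resolver then fires at the victim. All data below is constructed."""
import struct
from typing import List, Optional

QTYPE_TXT = 16
QTYPE_ANY = 255
QCLASS_IN = 1
OPT_TYPE = 41
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum UDP response without EDNS0


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format: length-prefixed labels, null terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_udp_size: Optional[int] = 4096) -> bytes:
    """One-question query. With edns_udp_size set, an OPT record in the additional
    section tells the resolver it may answer with that many bytes over UDP."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns_udp_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def question_end(query: bytes) -> int:
    """Offset just past the question section (qname null byte + qtype + qclass)."""
    return query.index(b"\x00", 12) + 1 + 4


def advertised_udp_size(query: bytes) -> int:
    """How large a UDP answer the client says it can take: the OPT record's CLASS
    field if one is present, otherwise the classic 512-byte limit."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = question_end(query)
    if arcount and query[pos:pos + 3] == b"\x00" + struct.pack("!H", OPT_TYPE):
        return struct.unpack("!H", query[pos + 3:pos + 5])[0]
    return CLASSIC_UDP_LIMIT


def build_response(query: bytes, txt_records: List[bytes], ttl: int = 300) -> bytes:
    """Answer echoing the question, one TXT RR per entry. Each RR uses a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)  # QR, RD, RA
    answers = b""
    for txt in txt_records:
        # TXT RDATA is a sequence of <length><chars> strings of at most 255 bytes each
        rdata = b"".join(bytes([len(txt[i:i + 255])]) + txt[i:i + 255]
                         for i in range(0, len(txt), 255))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker spent on the query."""
    return len(response) / len(query)


def demo():
    """Constructed ANY query against a zone holding ten 255-byte TXT records."""
    query = build_query("example.com", QTYPE_ANY)
    response = build_response(query, [b"v" * 255] * 10)
    return len(query), len(response), advertised_udp_size(query), amplification_factor(query, response)


if __name__ == "__main__":
    q_len, r_len, udp_size, factor = demo()
    print(f"query {q_len} B, response {r_len} B (client allows {udp_size} B over UDP), "
          f"amplification x{factor:.1f}")
```

The same 40-byte query with `edns_udp_size=None` is 29 bytes, and a resolver honouring RFC 1035 would truncate its reply at 512 bytes, which is why amplification tools always attach the OPT record.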
I haven’t tried but I would hope my ISP would drop any packets I send out from my home network which do not have the public IP address of my router, but I haven’t tested it.
What about the ones overseas that just don't care?
CF actually wrote a pretty nice article about challenges in doing so - https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-...
I assumed that they actually did the ddos
And there are plenty of them out there. Look at the opioid epidemic, where a pain-relieving drug creates pain when you try to stop it. Look at Facebook, which simultaneously creates loneliness [1] and purports to offer its cure. To say nothing of more traditional addictive substances, like nicotine and alcohol, which create problems for users that more consumption temporarily ameliorates.
Then we could look at more subtle, multi-agent problems. For example, consider the way the US's incarceration rate is 5-10x peer countries. [2] Why is that? There are many factors, but look at the way for-profit prisons and prison guard unions are big spenders on influencing politicians to be "tough on crime". Look at the media that profitably generates fear about crime. The way police are not incentivized to reduce crime, but just to performatively fight it. This of course takes money away from schools and social services. And all of that creates disruption in communities that ensure the supply of criminals necessary to keep this going.
Is there any conspiracy there? I doubt it. One of the miracles of free-market systems is the extent to which conspiracy is unnecessary. All you need is networks of agents with aligned incentives and you get very robust, persistent systems. There's no conspiracy to get lovely fresh produce in my grocery store the year round; there's no need of one. But markets are morally neutral, so we always have to use POSIWID [3] thinking to keep an eye out for pernicious systems.
[1] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7820562/
[2] https://en.wikipedia.org/wiki/Comparison_of_United_States_in...
[3] https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_wha...
Not really a conspiracy theory... Just a personal opinion.
These days sharing "conspiracy theories" get people banned online and worse...
Just made as a statement in reply to the parent comment, but if you watch the commercials during television news, you might perhaps wonder how "Restless Leg Syndrome" became a real thing, and how conveniently there is now a drug that claims to "fix it" if you're willing to accept diarrhea in exchange for the pill's implied benefits.
However, I have RLS to the point that I'll kick my wife awake at night. I have found that certain foods trigger this, and avoid those foods. Search for "IBS RLS" if you don't believe me.
I guess what I mean is, don't let the existence of hucksters for a problem's cure convince you that the problem doesn't exist.
One of the most fascinating things I've read recently is the rise of "Denial-of-Capital" attacks.
Essentially, you DDoS a competitor, but not directly in the interest of just taking them offline.
Instead (hopefully) running up a massive cloud bill and putting them out of business. Or a similarly critical financial hit.
If you don't have billing limits enforced for all of your services, and you run auto-scale/serverless workloads in any part -- if someone can pass enough traffic to your services they can cause you potentially incredible financial grief.
Most recent (publicized) one I can think of is this one. Fathom Analytics attacks:
https://news.ycombinator.com/item?id=25194795
There was an initial cloud bill, but now they're paying $3,000/mo for AWS to have a Cloud Protection team on standby for them.
"$36,000 & my call with Fola"
"I don’t know anybody who has signed up for this $3,000/month service from AWS… it’s called AWS Shield Advanced. The big value of this service to us is that we have access to some of the world’s best DDoS mitigation experts. In the event of an attack, we can page them, and they’ll help us mitigate the attack, creating firewall rules, identifying bad actors, and offering advice. So instead of just two of us responding to DDoS attacks, we have genius engineers we can speak with, and that feels good."
Ouch.
Not that ISPs aren't evil. They were paid to run fiber everywhere, such that everyone would have 1000/1000 fiber links by now. But such as it is.
5 Mbps x 200,000 subscribers is already 1 Tbps
We all need faster speeds at home, not slower.
Counter suggestion: make the FCC regulate IoT; whenever a person's appliance enters a botnet, suspend their connection until said appliance is removed, and fine the person if the device wasn't FCC approved.
There, no more botnets inside the US. The rest of the world to go
Appliances sold in the US already have to prove they don't create harmful EMF emissions. It wouldn't be much of a stretch to add minimum security requirements to avoid harmful "data emissions" to that same certification process.
If cooperation of intermediary networks is assumed, these attacks can be crippled by convincing ISPs to deny outbound UDP packets claiming source IPs from outside their networks.
That is explicitly a simplified representation used only to compute the checksum of the UDP packet. It doesn't even include the full IP header, nor does it touch any of the protocols the IP packet would be encapsulated in at all. Network tagging and other fun things happen as low as the Ethernet layer.
> these attacks can be crippled by convincing ISPs to deny outbound UDP packets claiming source IPs from outside their networks.
Not sure this would be enough, I think ISPs generally have complete ranges of IP addresses so it would be trivial for an attacker to create a list of "valid" IPs to use.
I see the IP packet ID field (which appears to have this very use prohibited?) and the 802.1Q VLAN tag on Ethernet frames (a 32-bit value). Is that what you're referencing? Does that mean the idea is each network tagging traffic during transit within their network, with a process for downstream entities to request logged tracking data? I got the impression you meant for the end recipient to receive the intermediate tracking markers alongside the sender's original data, but maybe I misunderstood :)
> Not sure this would be enough, I think ISPs generally have complete ranges of IP addresses so it would be trivial for an attacker to create a list of "valid" IPs to use.
It would prevent the reflection portion of these attacks (a bot could only reflect traffic back into its own IP block, not towards an arbitrary global target), and knowing which networks originated the traffic would enable other countermeasures.
It doesn't help much with direct volumetric attacks, but it would potentially make it easier to track (hey ISP, we're getting a lot of traffic evenly divided over your IP ranges, and they can confirm it's coming from their network and maybe figure out where it originates)
In some cases, it's simple, one address/subnet per port, would be 'easy' to enforce; this is often the case for normal residential connections and commercial users that didn't bring their own IPs. In other cases, networks are connected to networks and what to send there and what is ok to receive may not be the same and may also be dynamic.
> It would prevent the reflection portion of these attacks (a bot could only reflect traffic back into its own IP block, not towards an arbitrary global target), and knowing which networks originated the traffic would enable other countermeasures.
That makes sense.
If they apply this algorithm to the source IP and find that the optimal route to the source is a different interface than it was received on, that’d potentially be a red flag. But if the optimal route to the source is the same as the optimal route to the destination, that’d be a huge red flag.
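The source-validation ideas in the last few comments (a BCP38-style egress filter at the border, the objection that a customer can still spoof another customer's address in the same ISP, strict per-port reverse-path checking, and the "same interface to source and destination" heuristic above) fit in one small simulation. This is an added example, not code from the thread; the prefixes are RFC 5737 documentation ranges, and the routing table, interface names and packets are all constructed.

```python
"""Added example, not from the original thread: two source-address checks
an ISP edge router could apply, run over a constructed routing table.
(1) BCP38 egress filter at the border: a packet leaving the network must
carry a source address the ISP actually owns.
(2) Strict unicast RPF at the customer port: the best route back to the
source must point at the interface the packet arrived on.
Plus the heuristic from the comment above: source and destination both
routing out of the same interface. Prefixes, interfaces and packets are
constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, interface it is reached through)

# Constructed table: two customer ports plus one uplink carrying the default route.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
]
OWN_PREFIXES = [prefix for prefix, iface in ROUTES if iface != "uplink0"]


def best_route(addr: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match, as a router's forwarding lookup would do."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def bcp38_egress_ok(src: str) -> bool:
    """Border filter: only sources from the ISP's own allocations may leave."""
    ip = ipaddress.ip_address(src)
    return any(ip in prefix for prefix in OWN_PREFIXES)


def strict_urpf_ok(src: str, ingress: str) -> bool:
    """Per-port check: the reverse path to the source must be the ingress port.
    This is what catches one customer spoofing another customer's address,
    which the border filter alone lets through."""
    route = best_route(src)
    return route is not None and route[1] == ingress


def same_path_flag(src: str, dst: str) -> bool:
    """Heuristic from the comment above: best route to source and destination
    both leave via the same interface. Treated as a warning only, since on a
    shared access port it also matches legitimate neighbour-to-neighbour traffic."""
    rs, rd = best_route(src), best_route(dst)
    return rs is not None and rd is not None and rs[1] == rd[1]


def verdict(src: str, dst: str, ingress: str) -> str:
    """Decision for one packet seen on the given ingress interface."""
    if ingress != "uplink0" and not bcp38_egress_ok(src):
        return f"drop: {src} is not an address this ISP owns (BCP38 egress)"
    if not strict_urpf_ok(src, ingress):
        return f"drop: reverse path for {src} is not {ingress} (strict uRPF)"
    if same_path_flag(src, dst):
        return f"flag: {src} and {dst} are both reached via the same interface"
    return "forward"


# Constructed packets: (source, destination, ingress interface)
SAMPLES = [
    ("203.0.113.10", "192.0.2.53", "cust-a"),   # customer A querying an outside resolver
    ("192.0.2.7", "192.0.2.53", "cust-a"),      # customer A spoofing an outside victim (reflection setup)
    ("198.51.100.9", "192.0.2.53", "cust-a"),   # customer A spoofing customer B's address
    ("192.0.2.53", "203.0.113.10", "uplink0"),  # reply from the outside resolver, arriving on the uplink
    ("203.0.113.10", "203.0.113.20", "cust-a"), # neighbour to neighbour: trips the heuristic only
]


def run_samples() -> List[str]:
    return [verdict(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLES, run_samples()):
        print(pkt, "->", v)
```

The third sample is the case raised above: the spoofed source is a valid address inside the ISP, so the border filter passes it, and only the per-port reverse-path check drops it. The fourth shows that strict uRPF on the uplink still accepts legitimate inbound traffic, because the default route points back out that interface.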