DDoS Trends (Sept 10, 2023)
We see a lot of data in our business and thought we would share a small part of it. We've visualized DDoS attack trend data in a weather forecast style.
Temp (in *F) = Relative size of attacks
% Chance Rain = Frequency of attacks
Feel free to ask any questions.
Comments
w0t
What's the air pressure metric?
Publish DDoS'ing ip address
So, is there a high chance of rain or DDoS today? 😂
how's the AQI looking
it's the same as in this video )
What did I just watch?
don't think this'll help much, lots of it is abused resources or AS networks who don't give a f.
Exactly. Random ISP X from China is not going to give a flying fuck about random user Y having his router hijacked...
Or they're legitimate hosts responding to a spoofed request. Example: a malicious actor spoofs the victim IP toward hundreds/thousands of legitimate UDP endpoints, and they respond to the victim with an amplified amount of traffic.
We have a lot of game/voip customers, which are commonly targets of these kinds of attacks. Hetzner still sends automated abuse reports when malicious actors spoof our IPs toward their network.
I reached out to @Hetzner_OL last year in July regarding this, after their "network administrator" that I spoke with didn't even understand how UDP spoofing worked. And they said they would contact me when they had more information regarding the issue. Radio silence ever since; it's like whoever developed their automated netscan/ddos reporting wasn't aware that UDP traffic is often spoofed to amplify attacks. We just immediately bin Hetzner abuse reports now.
The majority of the attacks that we see are not from hijacked gear. It seems that those attacks tend to be reserved as exposing those resources will cause them to disappear once abuse complaints do actually hit.
It's all mostly amplification, the majority of it DNS via spoofed IPs.
One of the most effective amplifications that is "easy" to pull off.
It's 100% going to be one of those that never goes away.
Sad but true
Most attacks I get (that are not on ReliableSite, but also probably most there too) are also vastly from port 53.
I'll try to include some attack statistics on my next trend report. I'll see if I have time to get it together.
Be sure to plot it in regards to 'cups of coffee before 9AM'.
Francisco
What would I do without your genius.
Well, it really depends on how you detect suspicious network activities. If you focus on "established" TCP connections, you're less likely to get tricked by fake requests because those "established" connections have already gone through TCP's 3-way handshake.
If you want to know where the attacks are coming from, don't pay too much attention to UDP traffic detection.
What about applications that use UDP? What about preventing port flooding?
Most, if not all, UDP is spoofed packets with fake source addresses, or reflection depending on the source port.
Most, if not all, TCP is also usually just spoofed SYN or ACK messages with a fake source address that never even expects a reply.
The attackers just use a dedicated server provider or datacenter which allows packets with invalid or impossible source IPs to exit their network. The server which is attacking probably just uses some compiled .c binary which randomizes the source IP in the packet construction phase between 1.1.1.1 and 255.255.255.255, excluding private or reserved ranges, and fires at full port.
Therefore you can mostly see from the traffic already if it's spoofed or not. Mostly from source ports, and even by comparing the list to see how many actually respond to the protocol which they supposedly sent out to you.
dcstar.be and northlayer.is are among the worst spoof traffic offenders, including their downstream. The northlayer.is source apparently went down about a month ago, as we can no longer see it.
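As an added illustration of the triage described in this post (not code from the thread or from any poster), the script below classifies constructed flow records by the two signals mentioned: source addresses that cannot legitimately arrive from the internet, and source ports that mark a reply from a known UDP reflector. The sample flows, the abbreviated bogon list and the reflector port set are all assumptions chosen for the example; documentation-range addresses stand in for public ones.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not real traffic): (proto, src_ip, src_port, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 53, 30122, ""),    # source port 53: DNS reflection
    ("udp", "203.0.113.9", 123, 30122, ""),    # source port 123: NTP reflection
    ("udp", "10.4.4.4", 41234, 27015, ""),     # RFC 1918 source: cannot arrive from the internet
    ("udp", "240.1.2.3", 41234, 27015, ""),    # reserved 240/4 source: cannot arrive from the internet
    ("tcp", "192.0.2.55", 51000, 443, "S"),    # bare SYN, never completes the handshake
    ("tcp", "192.0.2.56", 51001, 443, "A"),    # bare ACK with no handshake behind it
    ("udp", "192.0.2.80", 51111, 27015, ""),   # ephemeral source port to a game port: plausible client
    ("tcp", "192.0.2.90", 52222, 443, "PA"),   # data on an established connection: plausible
]

# Ranges a network should never emit as a packet source (abbreviated bogon list, assumed for the example).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Well-known UDP services abused as amplifiers; their replies carry this source port.
REFLECTOR_PORTS = {53, 123, 161, 389, 1900, 11211}

def is_impossible_source(ip):
    """True when the source address lies in a range that cannot be routed to us from the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)

def classify_flow(flow):
    """Label one flow record using only the source address, protocol, source port and TCP flags."""
    proto, src, sport, dport, flags = flow
    if is_impossible_source(src):
        return "spoofed-impossible-source"
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return "reflected-amplification"   # the reflector is real; the victim address was spoofed
    if proto == "tcp" and flags in ("S", "A"):
        return "unverified-tcp"            # no completed handshake, so the source is unproven
    return "plausible"

def summarize(flows):
    """Count how many flows fall into each class."""
    return dict(Counter(classify_flow(f) for f in flows))
```

The "plausible" label only means the packet passed these two cheap checks; a real source is still only proven by a completed TCP handshake or an application-level reply.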
Nice dumbed down version of UDP vs TCP, nothing needs to be added.
Where do you get the dcstar.be and northlayer.is information from though?
Self hosted scanner that abuses recent CVE against specific version of certain software and checks if the service responds with impossible IP back to my invalid request. Then buy service and check manually to verify. And some other stuff as well.
Ty for the clarification and doing gods work
Well, I am thinking if I can have an API return that information to me in JSON so I can have a script. When I login to my system, I can see today's internet weather. The same goes for CVEs
Attackers have become smarter over time. DDosers are now sending legitimate requests. Apparently some are using TFO cookie for DDoS as well. It's easy for them to do 3 way handshake.
UDP doesn't really work for my detection and reporting because I can't trust where it's coming from. So, I only report network issues based on "established" TCP connections. I ignore UDP entirely.
However, if your goal is to gauge the magnitude of network attacks, there's no harm in including UDP attacks in your data.
I build my detection hosts with no public network services. There is no valid justification for connecting to these hosts. Therefore, any "established" TCP connection attempts targeting these hosts are considered suspicious network probes, and the source IP addresses linked to these attempts will be reported.
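An added example (not code from this poster or the thread) of the reporting rule described here and in the earlier post about trusting only "established" TCP connections: it walks a constructed tcpdump-style capture for a sensor host, tracks the 3-way handshake per remote socket, and reports a source only once its final ACK arrives. Bare SYNs, bare ACKs and all UDP are ignored because their source address cannot be trusted. The sensor address, the capture lines and the simplified line format are assumptions.

```python
import re

SENSOR_IP = "192.0.2.10"  # assumed address of the detection host with no public services

# Constructed capture lines in a simplified tcpdump layout (not a real capture).
SAMPLE_CAPTURE = [
    "IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0",
    "IP 192.0.2.10.22 > 198.51.100.7.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [.], ack 10, win 502, length 0",   # handshake done
    "IP 203.0.113.9.40000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0",   # SYN never completed
    "IP 203.0.113.44.40001 > 192.0.2.10.80: Flags [.], ack 1, win 64240, length 0",  # ACK with no handshake
    "IP 203.0.113.77.53 > 192.0.2.10.30122: UDP, length 1200",                        # UDP, ignored entirely
]

PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (?:Flags \[([^\]]+)\]|UDP)")

def established_sources(lines, sensor_ip=SENSOR_IP):
    """Return remote IPs, in first-seen order, that completed a 3-way handshake with the sensor."""
    state = {}   # (remote_ip, remote_port, sensor_port) -> "SYN" | "SYNACK" | "ESTABLISHED"
    reported = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags is None:                      # UDP line: source is unverifiable, skip it
            continue
        if dst == sensor_ip and flags == "S":  # remote opens: remember, but do not report yet
            state[(src, sport, dport)] = "SYN"
        elif src == sensor_ip and flags == "S.":
            key = (dst, dport, sport)          # our SYN-ACK answers an earlier SYN
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif dst == sensor_ip and flags == ".":
            key = (src, sport, dport)
            if state.get(key) == "SYNACK":     # third packet: the remote really owns this address
                state[key] = "ESTABLISHED"
                if src not in reported:
                    reported.append(src)
            # an ACK with no handshake behind it is spoofable and is not reported
    return reported
```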
It seems like we're targeting 2 different things here.