DDoS attacks plaguing the internet - Page 2
Comments

  • Neoon (Community Contributor, Veteran)

    @raindog308 said:
    I heard Krebs was moving to HostSailor.

    Thanked by GCat
  • SplitIce said: @Qarizma None of the attacks we saw were particularly complex. Just abnormally big.

    Time to buy bigger tubes & bigger routers!

    OVH reported a 1150+ Gbps attack on their networks; they posted on Twitter that they're upgrading their DDoS mitigation ASAP to support 5Tbps and have already started upgrading to more 100Gbps routers!

    Thanked by GCat, Pwner
  • @eva2000 said:

    SplitIce said: @Qarizma None of the attacks we saw were particularly complex. Just abnormally big.

    Time to buy bigger tubes & bigger routers!

    OVH reported a 1150+ Gbps attack on their networks; they posted on Twitter that they're upgrading their DDoS mitigation ASAP to support 5Tbps and have already started upgrading to more 100Gbps routers!

    1150+ Gbps? That's huge, and maybe the largest in the history of the internet? Voxility was facing 300+ Gbps this week and even that was making it hard for them to handle.

  • Neoon (Community Contributor, Veteran)
    edited September 2016

    Well, OVH is upgrading to 12 VACs; usually they can tank 160Gbit each, so they could tank 1.9Tbit with ease.

    Thanked by GCat
  • eva2000 (Veteran)
    edited September 2016

    WebGuru said: 1150+ Gbps? That's huge, and maybe the largest in the history of the internet? Voxility was facing 300+ Gbps this week and even that was making it hard for them to handle.

    1156Gbps and a 901Gbps attack to be precise

    and logged stats of the other attack sizes at

    Thanked by GCat
  • Francisco (Top Host, Host Rep, Veteran)
    edited September 2016

    @eva2000 said:

    WebGuru said: 1150+ Gbps? That's huge, and maybe the largest in the history of the internet? Voxility was facing 300+ Gbps this week and even that was making it hard for them to handle.

    1156Gbps and a 901Gbps attack to be precise

    and logged stats of the other attack sizes at

    See, this is why these kids are idiots. Instead of keeping the floods under control (rate limit, etc.; try to aim more for 100gbit or so) they're swinging with their full force, and while right now they're making a bit of a mess, it's going to just pressure ISPs to start nullrouting/cutting these customers off or they're going to have some seriously massive bandwidth overage bills.

    "How the fuck is our 95% 100gbit+ more this month than last???"

    The same thing happened with NTP. Granted, NTP was easier to deal with since it wasn't actual bots but just an amplification point, but since they shouldn't be able to spoof IPs on these lines, it should be easy enough to detect which are doing it.

    Hell, the majority of these are residential ISPs and such; they could simply dump the majority of GRE for the immediate and at least try to curb some of it.

    Francisco

    Thanked by GCat
  • AnthonySmith (Member, Patron Provider)
    edited September 2016

    Just give DDOS attacks a severe terrorism charge with minimum life sentence without chance of parole or even the death sentence where allowed, they will reduce pretty quickly.

    That should curb some more of it.

  • I think it's not a coincidence that all Hurricane Electric free DNS is down at this very moment.

  • sman (Member)
    edited September 2016

    The problem is that there is no real solution. Just throwing more bandwidth capacity at the problem has been the only real solution for many years. It hasn't worked long term because the attacks have just gotten bigger.

    More coordinated enforcement and much stiffer penalties would be nice. They caught those 2 guys in Israel, but those guys apparently didn't put in much effort to cover their tracks and were pretty easy to track down. So I don't think those guys were major players.

    I read somewhere a couple years ago that Windows XP was a major source of the problem and once most people upgraded the problem would go away. So yea that didn't work. I guess a lot of the bot slaves now are linux servers in datacenters so they have a lot more bandwidth available.

    Ultimately there needs to be a good technical solution. There doesn't seem to be any good one at the moment, and that's a problem.

  • sman said: The problem is that there is no real solution. Just throwing more bandwidth capacity at the problem has been the only real solution for many years and it hasn't worked.

    living in dream land but would love to see more work done on compression algorithms to the point we can get 1:100 so a 1Gbps connection could handle 100Gbps of data coming in heh

  • I've actually been working with a few network engineers on a real solution to DDoS, but it's nowhere near market ready. These attacks are really helping us gauge how the current attacks are being scaled. Best of luck to all the peeps in a NOC or NET team for these ones though.

  • AnthonySmith (Member, Patron Provider)
    edited September 2016

    I don't think there is a technical solution right now, just put a 30 year or death sentence on it, I suspect that even the risk would seriously outweigh whatever benefit the attackers get from the attack.

    Thanked by netomx, hostnoob
  • Would be nice if there was some technical possibility to tell the source router and all routers along the way to drop traffic from [source ip] to [your own ip]. I know this probably won't happen, just dreaming a bit.

  • Have any of these organizations reported getting ransoms? I have a feeling they all are but are not telling. Some of them are paying which is why these guys keep doing it.

  • AnthonySmith (Member, Patron Provider)

    This is probably a thing that a lot of people would hate, but there could always be some agency like ARIN/RIPE/APNIC with global remit and real-time control that could simply provide a reporting mechanism to ASNs to have source IP ranges dropped, even if that is residential.

    If a home or even corporate network is infected it needs to be stopped.

  • @AnthonySmith said:
    I don't think there is a technical solution right now, just put a 30 year or death sentence on it, I suspect that even the risk would seriously outweigh whatever benefit the attackers get from the attack.

    I don't think, with how many jurisdictions and borders this crosses, that it's a viable solution to depend on the local justice systems, which are already struggling with the technicalities. I could be way off base, but I just don't think it's a practical approach.

    Thanked by mycosys, switsys
  • joepie91 (Member, Patron Provider)

    @eva2000 said:

    sman said: The problem is that there is no real solution. Just throwing more bandwidth capacity at the problem has been the only real solution for many years and it hasn't worked.

    living in dream land but would love to see more work done on compression algorithms to the point we can get 1:100 so a 1Gbps connection could handle 100Gbps of data coming in heh

    That wouldn't work and, if anything, likely make the problem worse.

  • @AnthonySmith said:
    I don't think there is a technical solution right now, just put a 30 year or death sentence on it, I suspect that even the risk would seriously outweigh whatever benefit the attackers get from the attack.

    That's why people like you have no say in this matter.

    Thanked by mycosys, switsys
  • @Four20 said:

    @AnthonySmith said:
    I don't think there is a technical solution right now, just put a 30 year or death sentence on it, I suspect that even the risk would seriously outweigh whatever benefit the attackers get from the attack.

    That's why people like you have no say in this matter.

    Would put a stop to most CGNAT solutions too, probably.

  • AnthonySmith (Member, Patron Provider)

    Four20 said: That's why people like you have no say in this matter.

    Racist!

  • joepie91 said: That wouldn't work and, if anything, likely make the problem worse.

    maybe if it's only applied to inbound side of the network ? just dreaming :)

  • @Neoon said:
    Well, OVH upgrading to 12 VAC's, usually they can tank 160Gbit each, so they could tank with ease 1.9Tbit

    I thought I read somewhere their new ones will be able to handle 500Gbit/s or so each.

  • rm_ (IPv6 Advocate, Veteran)
    edited September 2016

    sman said: The problem is that there is no real solution.

    I don't think that's true. Just enforce strict filtering on what you receive from customers, this will stop source IP spoofing. And mandate that legally, so if you don't, then your upstreams must disconnect you until you do.

    Then we'd need to implement a secure cryptographically-signed BGP, this would stop rogue announcements (the current BGP based on trust is honestly a joke). There is S-BGP already, though AFAIK not as widely deployed, it may or may not be the final solution. While at it, the secure BGP could also propagate AS IP lists -- again, to be used for filtering on the receiving side. All of this will require some changes to network gear (to implement fast source IP filtering fully in hardware).

    So it may be complex, but nowhere near impossible. Even just the first part would do a great deal to stop most of the attacks.

    Thanked by mycosys
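
The closest deployed mechanism to what rm_ describes above (signed origin data that a router can filter announcements against) is RPKI route origin validation, RFC 6811. The Python below is an added example written for this page, not code from the thread, from any router vendor, or from S-BGP itself: it implements only origin validation (prefix plus origin AS against a ROA set), not the per-hop path signing S-BGP/BGPsec adds. The ROA table and the announcements are constructed from documentation prefixes and private-use AS numbers.

```python
"""RPKI route origin validation (RFC 6811) over a constructed ROA set.

Added example for this page; the ROA table and announcements below are
made-up documentation prefixes and private-use AS numbers.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network  # signed prefix
    max_length: int                                          # longest announcement allowed
    origin_as: int                                           # AS permitted to originate it


# Constructed ROA set (what a validating cache would push to the router).
ROAS: List[ROA] = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64497),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    # AS 0 ROA (RFC 7607): nobody may originate this prefix, so any announcement is invalid.
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 0),
]


def validate_origin(prefix: str, origin_as: int, roas: List[ROA] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one announcement (RFC 6811 section 2)."""
    route = ipaddress.ip_network(prefix, strict=False)
    # Covering ROAs: same address family and the ROA prefix contains the announced prefix.
    covering = [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]
    if not covering:
        return "notfound"          # nothing signed for this space; legacy behaviour applies
    for roa in covering:
        # A match needs BOTH the right origin AS and a prefix no longer than maxLength;
        # a more-specific hijack (a /25 under a maxLength-24 ROA) fails the second test.
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"               # covered, but no ROA authorises this (AS, length) pair


def apply_policy(announcements: List[Tuple[str, int]],
                 roas: List[ROA] = ROAS) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket announcements by ROV state; the common policy rejects only 'invalid'."""
    out: Dict[str, List[Tuple[str, int]]] = {"valid": [], "notfound": [], "invalid": []}
    for prefix, origin in announcements:
        out[validate_origin(prefix, origin, roas)].append((prefix, origin))
    return out


# Constructed announcements (prefix, origin AS) as received from a peer.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),       # legitimate
    ("192.0.2.0/24", 64511),       # origin hijack: wrong AS
    ("198.51.100.0/24", 64497),    # allowed more-specific (within maxLength)
    ("198.51.100.0/25", 64497),    # too specific: exceeds maxLength 24
    ("203.0.113.0/24", 64498),     # AS 0 ROA: never valid
    ("2001:db8:1::/48", 64496),    # IPv6, allowed
    ("100.64.0.0/10", 64499),      # no ROA at all
]

if __name__ == "__main__":
    for state, routes in apply_policy(ANNOUNCEMENTS).items():
        for prefix, origin in routes:
            print(f"{state:8s} {prefix:20s} AS{origin}")
```

This addresses only the "rogue announcement" half of rm_'s post: a leaked path with a forged origin that still matches a ROA passes as valid, which is what BGPsec path signatures are for, and "notfound" space (most of the table in 2016) is left alone rather than dropped.
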
  • sman (Member)
    edited September 2016

    @rm_ said:

    Just enforce strict filtering on what you receive from customers, this will stop source IP spoofing.

    Ok I'll bite. Walk me through how I would do that.

    Is IP spoofing even a problem? The IPs that these attacks are coming from are not spoofed as far as I know. They are all actual IPs from PCs and servers that have been compromised in some way.

  • joepie91 (Member, Patron Provider)

    @eva2000 said:

    joepie91 said: That wouldn't work and, if anything, likely make the problem worse.

    maybe if it's only applied to inbound side of the network ? just dreaming :)

    Still wouldn't work. You'd need to make it optional so as to not break compatibility, which means the attacker now has free choice between "lots of packets" or "lots of compression", depending on what they think will take down your network more easily, since compression isn't free.

    Basically, all you've done is added another attack vector...
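
To make joepie91's point concrete: with any general-purpose codec the compression ratio is chosen by the sender, so a receiver that agrees to inflate whatever arrives has handed the attacker a CPU and memory amplifier. The Python below is an added example written for this page, not from the thread; it uses zlib only because it is in the standard library, and the payload sizes are constructed.

```python
"""Decompression as an attack vector: a few KB of deflate inflating to 10 MB.

Added example for this page, not from the thread. Sizes are constructed.
"""
import zlib
from typing import Optional


def make_bomb(inflated_size: int) -> bytes:
    """Attacker side: a maximally compressible payload (all zero bytes), deflated at level 9."""
    return zlib.compress(b"\x00" * inflated_size, 9)


def amplification(blob: bytes) -> float:
    """Bytes the receiver must produce per byte that crossed the wire."""
    return len(zlib.decompress(blob)) / len(blob)


def naive_inflate(blob: bytes) -> bytes:
    """What an 'inbound-only compression' link would do: trust the stream and inflate it all.

    Memory and CPU cost scale with the *inflated* size, which only the sender controls."""
    return zlib.decompress(blob)


def bounded_inflate(blob: bytes, max_out: int) -> Optional[bytes]:
    """Defender side: inflate with a hard output cap; None when the cap would be exceeded.

    zlib's max_length stops the inflater after that many output bytes, so at most
    max_out + 1 bytes are ever materialised regardless of what the stream claims."""
    d = zlib.decompressobj()
    out = d.decompress(blob, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        return None          # bomb or oversized payload: refuse, do not finish inflating
    out += d.flush()
    return out


# Constructed attacker payload: 10 MB of zeros before compression.
BOMB = make_bomb(10_000_000)

if __name__ == "__main__":
    print(f"wire bytes: {len(BOMB)}  amplification: {amplification(BOMB):.0f}x")
    print("naive inflate materialised:", len(naive_inflate(BOMB)), "bytes")
    print("bounded inflate (1 MB cap):", bounded_inflate(BOMB, 1_000_000))
```

Two things follow from running it. The attacker's ordinary flood (random or encrypted bytes) does not compress at all, so the 1:100 pipe buys nothing against it; and the flood that does compress is now a ~1000:1 decompression cost on the receiver, which is the extra vector joepie91 describes. The only safe receiver behaviour is the capped one: refuse before inflating, never inflate and then check.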

  • rm_ (IPv6 Advocate, Veteran)
    edited September 2016

    sman said: Ok I'll bite. Walk me through how I would do that.

    Along the lines of:

    iptables -I FORWARD -i customer_facing_interface ! -s customer_ip_range/subnetmask -j DROP

    Of course expressed in whatever networking hardware lingo they use, instead of iptables.

    Maybe you mean AS/BGP customers, which are a bit of another story, but I was talking primarily about residential or even non-BGP business connections. Yes you can spoof source IP on many of those, and AFAIU it's what those IP cameras actually do in these current attacks.

    Thanked by mycosys
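
rm_'s one-liner above is the BCP 38 ingress filter: on a port that faces a customer, forward only packets whose source address the ISP actually assigned to that customer. The Python below is an added example written for this page, not rm_'s or any vendor's code; it is the same decision expressed as a lookup so it runs offline, over a constructed interface-to-prefix table and constructed packets (one of them carrying a spoofed victim address of the kind a reflection attack sends). The iptables, nftables and sysctl equivalents for a Linux edge router are in the docstring.

```python
"""BCP 38 / strict uRPF source-address validation at customer-facing ports.

Added example for this page (not rm_'s code). Interface names, prefixes
and packets are constructed. On a Linux router the same rule per port is:
    iptables  -I FORWARD -i eth1 ! -s 203.0.113.0/24      -j DROP
    ip6tables -I FORWARD -i eth3 ! -s 2001:db8:abcd::/48  -j DROP
    nft add rule inet filter forward iifname "eth1" ip saddr != 203.0.113.0/24 drop
or, derived from the routing table instead of a static list (strict uRPF):
    sysctl -w net.ipv4.conf.eth1.rp_filter=1
"""
import ipaddress
from typing import Dict, List, Tuple

# Assigned source space per customer-facing port. This is the ISP's own
# allocation data, so any other source seen on that port is spoofed.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["203.0.113.0/24"],        # business customer, static /24
    "eth2": ["198.51.100.16/28"],      # residential pool (DHCP/CGNAT)
    "eth3": ["2001:db8:abcd::/48"],    # IPv6 prefix delegation
}
_TABLE = {ifname: [ipaddress.ip_network(p) for p in prefixes]
          for ifname, prefixes in CUSTOMER_PREFIXES.items()}

Packet = Tuple[str, str, str]   # (ingress interface, source, destination)


def source_is_valid(ifname: str, src: str) -> bool:
    """BCP 38 check: the source must lie inside a prefix assigned to this port.

    Ports with no assignment pass nothing: this filter belongs on customer edges
    only, never on an uplink or peering port, where it would drop the whole internet."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in _TABLE.get(ifname, []))


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into (forwarded, dropped), like the FORWARD-chain rule above."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        ifname, src, _dst = pkt
        (forwarded if source_is_valid(ifname, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets as seen on the customer edge.
SAMPLE: List[Packet] = [
    ("eth1", "203.0.113.7", "192.0.2.1"),              # genuine
    ("eth1", "198.51.100.20", "192.0.2.1"),            # spoofed: that is eth2's space
    ("eth2", "192.0.2.10", "198.18.0.123"),            # spoofed victim as source (reflection)
    ("eth2", "198.51.100.18", "192.0.2.1"),            # genuine residential
    ("eth3", "2001:db8:abcd::1", "2001:db8:ffff::1"),  # genuine IPv6
    ("eth3", "2001:db8:beef::1", "2001:db8:ffff::1"),  # spoofed IPv6
    ("eth9", "203.0.113.7", "192.0.2.1"),              # port with no assignment
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("FORWARD", *p)
    for p in drp:
        print("DROP   ", *p)
```

Strict mode like this is right for single-homed access ports and is what decides, on a given residential line, whether a spoofed source ever leaves the ISP: the access hardware does not refuse such packets on its own, the configured check does. For the AS/BGP customers rm_ sets aside, the allowed set comes from a prefix-list built from the customer's registered (IRR/RPKI) space rather than from the port's assignment, and asymmetric or multihomed customers need that explicit list or loose-mode uRPF instead of strict.
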
  • joepie91 said: Still wouldn't work. You'd need to make it optional so as to not break compatibility, which means the attacker now has free choice between "lots of packets" or "lots of compression", depending on what they think will take down your network more easily, since compression isn't free.

    Basically, all you've done is added another attack vector...

    ah i see !

  • @rm_ said:

    sman said: Ok I'll bite. Walk me through how I would do that.

    Along the lines of:

    iptables -I FORWARD -i customer_facing_interface ! -s customer_ip_range/subnetmask -j DROP

    Of course expressed in whatever networking hardware lingo they use, instead of iptables.

    Maybe you mean AS/BGP customers, which are a bit of another story, but I was talking primarily about residential or even non-BGP business connections. Yes you can spoof source IP on many of those, and AFAIU it's what those IP cameras actually do in these current attacks.

    You must be talking about Internet of Things IP devices. I know that is a growing concern but I don't think that is the source of most of the bots currently.

    I'm no expert, but I don't think you can spoof residential ISP dynamic IPs. All the networking gear from the ISP to the datacenter checks all that. Please correct me if I am wrong. Not even sure if you can do it from within the datacenter. Maybe with really old core network equipment that may still be around, but not modern equipment. Please correct me if I am wrong, as I do not know that much about core network gear.

  • A customer of ours got an attack early this morning, and DC decided to kick us off their network. They happily provided me with the dump of the attack log.
