Slashdot Mirror


Another 100 Gigabit DDoS Attack Strikes — This Time Unreflected

darthcamaro writes "In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection. 'The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,' Incapsula co-founder Marc Gaffan said. 'The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.'"

31 of 93 comments

  1. Is that all? by Anonymous Coward · · Score: 5, Funny

    It was probably just one guy in Tokyo using his $9/month internet package ...

    1. Re:Is that all? by goddidit · · Score: 5, Funny

      On his mobile, to be exact.

      --
      This .sig is exactly 120 characters long.
    2. Re:Is that all? by Cryacin · · Score: 5, Funny

      The guy mistyped the address on the page and hit refresh. Very, very quickly.

      --
      Science advances one funeral at a time- Max Planck
    3. Re:Is that all? by Yaotzin · · Score: 5, Funny

      ...For nine hours.

      --
      Error: No error occurred
    4. Re:Is that all? by wisnoskij · · Score: 5, Funny

      It was a Korean professional Starcraft player.

      --
      Troll is not a replacement for I disagree.
    5. Re:Is that all? by Anubis+IV · · Score: 2

      Easily explained by the presence of a sleeping cat and the F5 key (oh, and he had some crazy Japanese phone that has an F5 key...).

  2. Incapsula by Anonymous Coward · · Score: 5, Informative

    Seriously...this reads like a brochure for Incapsula's services lol

    1. Re:Incapsula by Joce640k · · Score: 5, Interesting

      They don't name the site, they don't name the attacker, the customers were "completely unaffected"....they could be making it up for all we know.

      --
      No sig today...
    2. Re:Incapsula by Anachragnome · · Score: 4, Interesting

      "....this reads like a brochure for Incapsula's services..."

      http://bgp.he.net/AS19551#_whois

      Well, I imagine most US server farms are hurting pretty bad right now, what with all the NSA luvin' going around over here. Now imagine a company that has all of its servers in the US, Israel and Germany (with a few in Japan)--in light of recent revelations regarding NSA spying--and maybe you'll understand why Incapsula is paying for ads/articles all over the damn place, including /.

      They are fucked, and this marketing blitz is a Hail-Mary attempt to save their ass from the fire that Snowden just lit under it. Personally, I love a good BBQ.

    3. Re:Incapsula by lazybeam · · Score: 5, Informative

      We are an Incapsula customer and I can tell you we were NOT "completely unaffected". We experienced about an hour total of complete down time and several hours of slow response. Our servers were unloaded - no problems when bypassing Incapsula. So I guess they protected us from "that" but in the meantime all sites were unreachable. Though different ISPs had different levels of slowness at different times (trying our two different office connections and three different mobile networks).

      --
      --
      no sig for you. come back one year.
    4. Re:Incapsula by Joce640k · · Score: 4, Interesting

      "We are an Incapsula customer and I can tell you we were NOT "completely unaffected"."

      Maybe you could call Sean Michael Kerner at eWeek and tell them Marc Gaffan was lying.

      He's also on twitter: https://www.twitter.com/techjournalist

      --
      No sig today...
  3. Is this an ad? by Anonymous Coward · · Score: 5, Insightful

    TFA sure reads like one...

  4. I can't get one thing by ruir · · Score: 4, Insightful

    If they haven't identified the attacker how can they say with 100% certainty it only came from one source, and was un-reflected? For all I know, you could have a botnet fabricating packets with the same characteristics simultaneously.

    1. Re:I can't get one thing by icebike · · Score: 3, Informative

      The article suggests it was a "Distributed attack"

      "the victim of the attack is remaining in the shadows, not wanting to be publicly identified. The target Website is protected by cloud security vendor Incapsula, which was able to withstand the massive distributed denial-of-service (DDoS) attack and keep the targeted Website up and running."
      which means it must have bounced off of some botnet used some means of amplifying the attack and make it appear to come from different targets. Had it not been so, they would know exactly where it came from.

      Perhaps judging from the number of different sources, and the type of packets, they can calculate the number of control packets needed.
      If they know it required a one-for-one ratio of control packets to target packets, that is what they mean by un-amplified.
      But it doesn't mean they came via the same route.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:I can't get one thing by malacandrian · · Score: 5, Insightful

      That is the point of using a botnet to run a DDoS, yes. A single control signal issues a huge surge in traffic. That doesn't make it an amplified attack though. An amplified attack is when the zombies trick a third party (such as a DNS server) to reply to the victim with more information than you sent them. This can up the size of the attack 100-fold.

    3. Re:I can't get one thing by skids · · Score: 3, Interesting

      This, and you can easily distinguish a reflected attack by the type of packet, which will be an unsolicited reply to an application level request.

      I just wish the stupid script kiddies would realize that not every SNMPv2/SNMPv3 client that responds actually amplifies traffic or gives maybe a 30% gain (because what you're getting back is an "access denied") and so isn't worth it, and stop trying to reflect off the printers here. I'm sick of chasing around the people who are supposed to lock them down, and banning entire protocols that don't really, really deserve it just fills me with ick.
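Added example (not part of the thread or any commenter's post): a minimal Python sketch of the distinction drawn in the comments above, labelling inbound UDP packets as solicited replies, unsolicited service replies (the signature of reflection) or direct traffic. The packet tuples, addresses, the `classify` name and the use of the source port as a stand-in for "reply to an application-level request" are assumptions made for illustration.

```python
from collections import Counter

# UDP service ports whose replies show up in reflection floods.
# Assumed list for this example; the thread mentions DNS and SNMP.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp"}

def classify(packets, protected_ip, window=5.0):
    """Label inbound UDP packets and give an overall verdict.

    packets: time-ordered (ts, src_ip, src_port, dst_ip, dst_port) tuples.
    Returns (label_counts, verdict), verdict being "reflected" or "direct".
    """
    pending = {}        # (remote_ip, remote_port, local_port) -> request time
    labels = Counter()
    for ts, sip, sport, dip, dport in packets:
        if sip == protected_ip:
            # Our own outbound request: a matching reply is solicited.
            pending[(dip, dport, sport)] = ts
            continue
        if dip != protected_ip:
            continue
        asked = pending.get((sip, sport, dport))
        if asked is not None and ts - asked <= window:
            labels["solicited_reply"] += 1
        elif sport in REFLECTOR_PORTS:
            # A service reply nobody asked for: reflected traffic.
            labels["unsolicited_" + REFLECTOR_PORTS[sport] + "_reply"] += 1
        else:
            labels["direct"] += 1
    reflected = sum(n for k, n in labels.items() if k.startswith("unsolicited_"))
    verdict = "reflected" if reflected > labels["direct"] else "direct"
    return dict(labels), verdict

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    (0.00, "192.0.2.10", 40000, "198.51.100.53", 53),   # our DNS query
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40000),   # its answer
    (1.00, "203.0.113.5", 53, "192.0.2.10", 31337),     # DNS reply, no query
    (1.01, "203.0.113.6", 53, "192.0.2.10", 31337),
    (1.02, "203.0.113.7", 161, "192.0.2.10", 31337),    # SNMP reply, no query
    (1.03, "203.0.113.8", 51515, "192.0.2.10", 80),     # plain flood packet
]

if __name__ == "__main__":
    print(classify(SAMPLE, "192.0.2.10"))
```

A source port can be forged in a direct flood, so a production detector would also parse the payload to confirm it is a well-formed service response.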

  5. How much bandwidth is that? by mveloso · · Score: 3, Interesting

    Is that 100 GB/sec, 100 Gbps/sec, 100 GiB/sec, or 100 GiB over 9 hours?

    1. Re:How much bandwidth is that? by Anonymous Coward · · Score: 4, Funny

      It's probably not "100 Gbps/sec" since the seconds cancel out and thus isn't a measure of bandwidth (a 12MB attack would be pretty lame). And since TFS said "bits," not "bytes," all of those options with a capital "B" are also unlikely. So, the answer to your question is "no."

    2. Re:How much bandwidth is that? by TubeSteak · · Score: 4, Informative

      The attack peaked at 100 Gigabits per second
      The webhost (actually a CDN) had 400 Gigabits of total bandwidth available + various DDOS protections in place.

      RTFA

      --
      [Fuck Beta]
      o0t!
    3. Re:How much bandwidth is that? by Anonymous Coward · · Score: 3, Funny

      Seconds don't cancel... it gives you a 100Gbps^2 (aka, 100Gb.s^-2) which is a bandwidth acceleration...

    4. Re:How much bandwidth is that? by Anonymous Coward · · Score: 3, Informative

      The "p" in "Gbps" is "per", that is "/". Therefore "Gbps/s" is "Gb/s^2", which would be a data rate acceleration. "100Gbps/s" would mean that every second, another 100 Gb/s were added to the data stream. Doing that for 9 hours would be quite impressive.

    5. Re:How much bandwidth is that? by Anonymous Coward · · Score: 5, Funny

      Using the perl "english words have lower priority than real operators" convention (see "and" v/s "&&"), the / binds more tightly than the "per" operator, and thus, it's Gb / (s/s). And the seconds therefore cancel. ;)

  6. 100 GBit isn't large by Anonymous Coward · · Score: 3, Insightful

    A botnet with 10000 bots, each on a 10 MBit connection, will suffice.

    1. Re:100 GBit isn't large by wonkey_monkey · · Score: 5, Funny

      Thank you Captain Multiplication.

      --
      systemd is Roko's Basilisk.
    2. Re:100 GBit isn't large by isorox · · Score: 2

      Not our fault your office is located in South Africa.

      I have many offices. Some have 100mbit connections coming out their ears (Tokyo, HK, Singapore, Washington). Others struggle to get 10 (Kabul, Nairobi)

      Beirut is probably the only office which can't get a 10mbit connection. The average is far higher.

  7. no real verifiable info but plenty of product plug by YesIAmAScript · · Score: 5, Informative

    The worst example of advertisement through press release in recent memory.

    At least on slashdot.

    --
    http://lkml.org/lkml/2005/8/20/95
  8. I know what happened by OhANameWhatName · · Score: 4, Funny

    "other than Incapsula and its own service providers that were on the receiving end—no one seemed to notice"

    Thanks a bunch for saving the internets Marc. I'll be sure not to notice again soon.

  9. Re:worst use of a DDoS by Anonymous Coward · · Score: 3, Insightful

    You missed a possibility:

    D) None of the above, it's just Incapsula's anti-DDoS services ad.

    The article goes on about how the attack was "unknown to many" and "victim remains in shadows" (read: we can't even know whether it all took place), and then goes into something that reads like a sales brochure.

  10. Re:first by oldhack · · Score: 4, Funny

    If you were a Japanese dude with $9/month internet package, you could have been the first. Loser.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  11. That's nothing by Lieutenant_Dan · · Score: 3, Funny

    I once experienced a DoS MitM LTE XSS attack that lasted 42 hours and had a steady stream of 105TB/ms using NetBIOS Saturation over AppleTalk techniques that spread over a redundant cluster of MBR using HPFS. Of course the victim wishes to remain in the shadows as sharing the company's identity would either harm their reputation or allow you to verify the plausibility of the incident.

    --
    Wearing pants should always be optional.
  12. Re:Another site down ... by faffod · · Score: 2

    Yes, usda.gov is down because of a DOS attack. But I don't think this attack can be measured in Gbits, GB/sec, GB/sec^2... In this case the attack is coming from a well known zombie botnet called congress. They measure bandwidth in tubes.