Slashdot Mirror


200-400 Gbps DDoS Attacks Are Now Normal

An anonymous reader writes "Brian Krebs has a followup to this week's 400 Gbps DDoS attack using NTP amplification. Krebs, as a computer security writer, has often been the target of DDoS attacks. He was also hit by a 200Gbps attack this week (apparently, from a 15-year-old in Illinois). That kind of volume would have been record-breaking only a couple of years ago, but now it's just normal. Arbor Networks says we've entered the 'hockey stick' era of DDoS attacks, as a graph of attack volume spikes sharply over the past year. CloudFlare's CEO wrote, 'Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.' In a statement to Krebs, he added, 'We have an attack of over 100 Gbps almost every hour of every day.'"
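
A flow-level detection check for the victim side of such an attack, added here as an example; it is not code from the Slashdot summary, from Krebs or from CloudFlare. Reflected NTP traffic is UDP arriving from source port 123, from many unrelated reflectors at once, in packets far larger than a normal 48-byte time reply and at per-reflector rates no real NTP client would ever see. The flow records, addresses and thresholds below are constructed for the example.

```python
from collections import defaultdict

# Constructed one-second NetFlow-style records (not from the article):
# src sport dst dport proto bytes packets
FLOW_LOG = """\
192.0.2.10   123 203.0.113.5 51234 udp 4400000 10000
192.0.2.11   123 203.0.113.5 51234 udp 4840000 11000
198.51.100.7 123 203.0.113.5 51234 udp 3960000  9000
198.51.100.8 123 203.0.113.5 51234 udp 4400000 10000
192.0.2.50   123 203.0.113.9   123 udp      90     1
192.0.2.60   443 203.0.113.9 40000 tcp 1500000  1200
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def detect_ntp_reflection(flows, window_s=1, min_reflectors=3, min_mbps=50, min_avg_pkt=400):
    """Flag destinations receiving high-rate UDP traffic from source port 123 sent by many
    distinct sources in large packets.  Reflected monlist replies leave the reflector from
    port 123 toward whatever port the spoofed request carried, and each reply packet is
    hundreds of bytes, unlike a 48-byte time response.  Thresholds are assumptions."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 123:
            a = agg[f["dst"]]
            a["bytes"] += f["bytes"]
            a["packets"] += f["packets"]
            a["reflectors"].add(f["src"])
    alerts = {}
    for dst, a in agg.items():
        mbps = a["bytes"] * 8 / window_s / 1e6
        avg_pkt = a["bytes"] / a["packets"]
        n = len(a["reflectors"])
        if n >= min_reflectors and mbps >= min_mbps and avg_pkt >= min_avg_pkt:
            alerts[dst] = {"mbps": round(mbps, 1), "reflectors": n,
                           "avg_pkt_bytes": round(avg_pkt),
                           "mbps_per_reflector": round(mbps / n, 1)}
    return alerts


ALERTS = detect_ntp_reflection(parse_flows(FLOW_LOG))

if __name__ == "__main__":
    for dst, info in ALERTS.items():
        print(f"{dst}: {info}")
```

On the constructed sample only 203.0.113.5 is flagged: four reflectors, 440-byte average packets and about 141 Mbps, i.e. roughly 35 Mbps per reflector. The single tiny UDP/123 flow to 203.0.113.9 is ordinary client traffic and the TCP flow is ignored. The per-reflector figure is the same quantity CloudFlare reports (87 Mbps on average per server in the real attack), which is why it is a useful alert field: a legitimate NTP server never pushes that much at one client.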

19 of 92 comments

  1. Well by The+Cat · · Score: 5, Insightful

    The obvious solution is to unplug the Internet. I'm sure the government and the movie people will be thrilled.

    1. Re:Well by Travis+Mansbridge · · Score: 5, Funny

      Then wait 10 seconds before plugging it back in.

    2. Re:Well by Burz · · Score: 2

      Notice the sidebar to the Krebs article: "The value of a hacked PC".

      I say unplug Windows from the Internet. The world has had enough of this already.

    3. Re:Well by dreamchaser · · Score: 2

      No. You need to wait at least 30 seconds to make sure the Internet's RAM is cleared and it's ready to reboot.

  2. Root issue is lack of URPF and similar by silas_moeckel · · Score: 5, Informative

    Hosting/Colo/Transit providers are the real core issue. There is absolutely no reason that URPF or similar, or at least ingress ACLs, are not in place. Let's face it, if you're limiting the prefixes announced you should be filtering on them as well. Anything even close to core can do this in hardware; for URPF and similar there is generally no config required more than turning it on. At Hosting/Colo levels do you still have something on the public side that cannot do at least ACLs in hardware? Plenty of automation packages can do this stuff in an automated fashion. The root cause is lazy and broken providers that just do not care; DDOS traffic can make some of them piles of cash directly in transit billing or indirectly as the only people with a big enough pipe to do DDOS protection.

    --
    No sir, I don't like it.

    1. Re:Root issue is lack of URPF and similar by BSAtHome · · Score: 4, Funny

      Indeed, reverse path filtering should be mandatory, especially because it is so easy.

      Also, RFC3514 should become a part of the IP standard. Not setting the appropriate bit from the sender side should then be punishable with eternal flogging.

    2. Re:Root issue is lack of URPF and similar by silas_moeckel · · Score: 2

      Is transit billing not a good enough one for you? Selling their own DDOS protection or transit bandwidth to others to do the same. Seems like good reasons for them to not want to.

      There are potentially serious issues with tier 1's putting this in place today with their peers etc. Anything that is not a BGP speaker should have this on today; BGP-speaking clients should be given a timeline to be ready for this to be turned on (there are some broken bits out there). Tier 1 peers is another story, but if everything else is done it does not matter much.

      --
      No sir, I don't like it.

    3. Re:Root issue is lack of URPF and similar by Pinky's+Brain · · Score: 2

      It would be hard to do ingress filtering by the backbones for those larger companies, but the companies can surely do egress filtering at each edge of their networks ... just a question of sufficient (financial) incentives.

      Most of the internet edge could be ingress filtered by the core; the rest should do its own egress filtering.

    4. Re:Root issue is lack of URPF and similar by CyprusBlue113 · · Score: 2

      The problem with this becomes what if you're a transit provider yourself. The logistics of managing that kind of filtering suck. It's why most peers don't.

      There needs to be a middle ground between loose and strict, like feasible. I don't want to accept packets for any route I have, nor do I want to drop any packet that doesn't head back the same direction. For reasonable filtering at that level, it needs to be "allow any packets that should reasonably come from this peer per their advisement that I can filter". Sure you can base it off IRR or something, but it would be much more effective if this was signaled than configured.

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya

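
The three uRPF modes that silas_moeckel's comment and this reply are arguing about, as a small simulation added here; it is not code from the thread or from any router vendor. The forwarding table, interface names and packets are constructed. Strict mode accepts a packet only if the best route back to its source points out the interface it arrived on; loose mode accepts it if any route to the source exists; feasible-path mode accepts it if the ingress interface lies on any known path back to the source, which is the "middle ground" the comment asks for.

```python
import ipaddress

# Constructed forwarding table (assumption, not from the thread): prefix -> ordered list
# of interfaces.  Index 0 is the best path installed in the FIB; later entries are
# feasible alternate paths the router also knows about, e.g. a backup BGP route from a
# multihomed customer that announces the prefix on two links but is preferred on one.
FIB = {
    "203.0.113.0/24": ["cust-A-link1", "cust-A-link2"],  # multihomed customer, link1 preferred
    "198.51.100.0/24": ["peer-B"],
    "192.0.2.0/24": ["peer-C"],
}


def reverse_paths(src):
    """Longest-prefix match on the *source* address; returns the interface list or None."""
    addr = ipaddress.ip_address(src)
    match, match_len = None, -1
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > match_len:
            match, match_len = ifaces, net.prefixlen
    return match


def urpf_accept(src, ingress, mode):
    """Apply one uRPF mode to a packet with source `src` that arrived on `ingress`."""
    paths = reverse_paths(src)
    if paths is None:
        return False                  # no route back to the source: dropped in every mode
    if mode == "loose":
        return True                   # any route suffices; only unrouted bogons are caught
    if mode == "strict":
        return paths[0] == ingress    # must arrive on the best reverse path
    if mode == "feasible":
        return ingress in paths       # any feasible reverse path is acceptable
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("203.0.113.5", "cust-A-link1"),   # legitimate, arrives on the preferred link
    ("203.0.113.5", "cust-A-link2"),   # legitimate, but arrives on the backup link
    ("198.51.100.7", "cust-A-link1"),  # spoofed: peer-B's space arriving from customer A
    ("10.0.0.1", "peer-C"),            # spoofed bogon: no route at all
]


def evaluate(packets=PACKETS, modes=("strict", "feasible", "loose")):
    """Return {mode: [accept decision per packet]} so the three modes can be compared."""
    return {m: [urpf_accept(src, ing, m) for src, ing in packets] for m in modes}


if __name__ == "__main__":
    for mode, decisions in evaluate().items():
        print(f"{mode:9s}", ["accept" if d else "drop" for d in decisions])
```

Running it shows the trade-off the thread describes: strict drops the multihomed customer's packet on its backup link (a false positive that breaks asymmetric routing), loose lets the spoofed 198.51.100.7 through because the prefix is routed somewhere, and feasible keeps the legitimate backup-link packet while still dropping the spoof. On Cisco IOS the strict and loose checks are configured with `ip verify unicast source reachable-via rx` and `reachable-via any` respectively; feasible-path checking exists on several platforms under vendor-specific names.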
    5. Re:Root issue is lack of URPF and similar by AK+Marc · · Score: 2

      Working for a company with 4,000,000 users, we are ingress filtered (but only over a very tiny subset of links). It works fine. Why would it fail for a larger company? We know every "legitimate" IP on or through our network, and notify those, when required. IP address ranges are static. They don't change who they are assigned to. And the number of changes to providers for those ranges is low, easily manageable for providers and users alike.

    6. Re:Root issue is lack of URPF and similar by DarkOx · · Score: 2

      I agree for edge networks there is no good reason for RPF not being enabled, but you hit the nail on the head when it comes to larger customers that have an AS or multiple AS allocations and IP addressing they may not share with you. It's not really as simple as just throwing a switch at most of the sites which really matter.

      As far as the home and SoHo users, I don't know how the rest of the world is, but I don't know any mainstream ISP that isn't doing some kind of reverse filtering. I have not been able to get packets with spoofed source addresses to the internet on any of the cable or DSL providers I have had at my homes in the last decade. Can I send some spoofed packets to my neighbor, who is probably on the same cable segment? Very likely; maybe I could even push them around Cox's network, but they don't get to the Internet.

      RPF is not going to solve the problem of these big amplification DOS attacks either. All it really takes is a handful of sites with a decent amount of upstream to not be running RPF or other effective egress filtering and an amplification attack like the recent NTP jobs is possible. So it's going to go back to those sites where you can't just enable RPF and go back to playing FlappyBird for the rest of the afternoon. Essentially this is any place where you have a significant number of customers who are multi-homed. Which in turn describes many corporate entities who do not specialize in Internetworking and likely have plenty of vulnerabilities attackers can use to get control of a host or two inside of and launch their DDOS.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

  3. Re:Why not rate limit? by Pinky's+Brain · · Score: 3, Insightful

    They're all buggy commodity routers which are never getting updates.

  4. Re:Why not rate limit? by Gerald · · Score: 2

    Most modern servers don't respond to the offending command (monlist) at all. Older/misconfigured servers are the problem and there are enough of them to cause trouble.
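
The configuration an operator applies to an ntpd instance they control so that it stops answering monlist, added here as an example rather than taken from the comment. `disable monitor` turns off the per-client statistics collection that monlist reads out, and `noquery` in the default `restrict` lines refuses ntpq/ntpdc control queries from everyone while ordinary time requests are still served. The upstream server names are placeholders.

```conf
# /etc/ntp.conf hardening fragment (added example, not from the thread)

# Stop collecting the per-client list that monlist returns
disable monitor

# Serve time to anyone, but refuse mode 6/7 control queries (ntpq/ntpdc,
# monlist included), configuration changes, traps and unsolicited peering
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local administration stays allowed
restrict 127.0.0.1
restrict ::1

# Upstream sources (placeholder names; substitute your own)
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

After restarting ntpd, verify from a host outside the network that `ntpdc -n -c monlist <your-server>` times out while `ntpdate -q <your-server>` still returns an offset. Where the NTP implementation cannot be reconfigured (the appliances and router control planes mentioned later in this thread), the equivalent is a control-plane or loopback filter that admits UDP/123 only from the device's configured time sources.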

  5. Re:Then there's the human end by SuricouRaven · · Score: 2, Interesting

    The problem with that approach is that a lot of those internet criminals are actually just immature teenagers - all they really need is a slap on the wrist to scare them straight and a good talking-to by their parents. Throwing them in jail is a good way to make sure they turn into real career criminals - if you can't get employment in legitimate work, what other choice is there? It's the same problem with heavy sentences for drug possession.

    Almost every decent computer security expert dabbled in black-hating a little when they were learning, if only to prove to themselves what they could do or for the fun of adventuring into forbidden places. I used to port-scan for open netbios shares back in the win9x era - found a lot of people who had their entire C: drive open to the world. I left text files on their desktops warning them about the open access.

  6. Re:Then there's the human end by Concerned+Onlooker · · Score: 2

    "Almost every decent computer security expert dabbled in black-hating a little"

    Oh, my. I had no idea that the computer security field was so rife with racists.

    --
    http://www.rootstrikers.org/

  7. Re:Then there's the human end by jythie · · Score: 4, Insightful

    We already have pretty strict (and overused) laws involving cybercrime.

    Problem is, people who do this stuff professionally are pretty much immune from being caught, and the people who do get caught are usually teenagers which, while we like talking about personal responsibility, biologically young brains really do have physical issues when it comes to impulse control and risk analysis. So punishing them harshly does not actually do any good other than satisfying a certain bloodlust.

  8. Re:Why not rate limit? by mysidia · · Score: 2

    They're all buggy commodity routers which are never getting updates.

    Relatively recent Juniper JunOS versions respond to ntpdc monlist as well, so they're vulnerable. The only way to address these, I found, was to completely firewall off NTP on the loopback interface.

    The same for a number of other appliances that are still technically supported, but the vendors seem uninterested and unconcerned about NTP issues, so much so that they are only suggesting workarounds such as "turn off NTP", with no indication that a patch will be forthcoming.

  9. Re:Then there's the human end by rbrander · · Score: 2

    Appropriate to what 1961 would have called a science-fiction crime, the punishment taken from Starship Troopers. I like it.

  10. No they will not be thrilled by nurb432 · · Score: 2

    How can you push out propaganda if your main distribution method goes away?

    --
    ---- Booth was a patriot ----