
SANS ISC: The era of big DDOS? - SANS Internet Storm Center


The era of big DDOS?

I have been tracking DDoS attacks for a number of years, and quite frankly, it has become boring.  Don't get me wrong, I am not complaining, just stating a fact.  A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and, probably the most significant, the novelty has worn off.  Occasionally I will still see a multi-Gbps DDoS, but mostly it has been relegated to booter traffic, which is not even a nuisance for most providers.

Over the last few days, though, there have been two very significant DDoS events.  Firstly, on Tuesday, Sep 20, hosting company OVH was hit with a DDoS that peaked near the 1 Tbps range, and on Tuesday evening (Sep 20), InfoSec journalist Brian Krebs's website was hit with a DDoS peaking at over 600 Gbps.

These are believed to be the two largest DDoS attacks on record, and they significantly exceed what it was believed could be achieved by any one DDoS group.

While the nature of the DDoS traffic used against OVH has not been revealed, the attack against Brian Krebs's site is unusual in that the traffic was not the typical reflected UDP DDoS traffic, but rather TCP traffic that completed connections with the web server, plus GRE (generic routing encapsulation) packets.  The reason this is unusual is that a TCP connection which completes the three-way handshake cannot come from a spoofed source address: the client has to receive the server's SYN/ACK to finish it.  An analysis of the traffic should therefore reveal which devices were actually used to launch the attack.  One caveat for anyone doing that analysis: GRE, like UDP, carries no handshake, so the source addresses on the GRE packets alone are not proof in the way the completed TCP connections are.
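To make the attribution point concrete, here is an added example (not from the diary or from Akamai's or OVH's analysis) that walks a constructed packet summary and separates sources that completed a TCP three-way handshake from sources seen only in connectionless GRE or UDP traffic. The addresses, the victim IP and the sample packets are all made up for the illustration; the `ack == seq + 1` check is what makes a completed handshake evidence that the source address is real, since a blind spoofer never sees the server's SYN/ACK sequence number.

```python
"""Classify DDoS sources from a packet summary.

Added example; the records below are constructed, not a real capture.
Each record is (src_ip, dst_ip, ip_proto, tcp_flags, seq, ack); the last
three fields are None for non-TCP packets.
"""
from collections import defaultdict

TCP, UDP, GRE = 6, 17, 47            # IP protocol numbers
SYN, ACK = 0x02, 0x10                # TCP flag bits
VICTIM = "203.0.113.10"              # assumed victim address (documentation range)

# Constructed sample: 198.51.100.5 plays a real bot (e.g. a camera),
# 192.0.2.x play spoofed or reflected senders.
SAMPLE = [
    # full three-way handshake from 198.51.100.5: it echoes the server's seq + 1
    ("198.51.100.5", VICTIM, TCP, SYN,        1000, 0),
    (VICTIM, "198.51.100.5", TCP, SYN | ACK,  5000, 1001),
    ("198.51.100.5", VICTIM, TCP, ACK,        1001, 5001),
    # blind spoofer 192.0.2.7: sends SYN, then an ACK with a guessed ack number
    ("192.0.2.7", VICTIM, TCP, SYN,           2000, 0),
    (VICTIM, "192.0.2.7", TCP, SYN | ACK,     7000, 2001),
    ("192.0.2.7", VICTIM, TCP, ACK,           2001, 42),
    # GRE flood: no handshake, so the source field proves nothing by itself
    ("198.51.100.5", VICTIM, GRE, None, None, None),
    ("198.51.100.5", VICTIM, GRE, None, None, None),
    ("192.0.2.9", VICTIM, GRE, None, None, None),
    # a reflected UDP packet arriving from a "server" address
    ("192.0.2.123", VICTIM, UDP, None, None, None),
]


def classify_sources(packets, victim):
    """Return {src: {"handshake": bool, "tcp": n, "gre": n, "udp": n}}.

    handshake is True only when SYN -> SYN/ACK -> ACK was observed and the
    final ACK acknowledges the server's SYN/ACK sequence number.  An off-path
    sender forging that source address cannot know that number.
    """
    state = defaultdict(lambda: {"handshake": False, "tcp": 0, "gre": 0, "udp": 0})
    synack_seq = {}  # client address -> seq of the SYN/ACK the victim sent it
    for src, dst, proto, flags, seq, ack in packets:
        if src == victim:
            if proto == TCP and flags == SYN | ACK:
                synack_seq[dst] = seq
            continue  # the victim's own replies are not attack sources
        if dst != victim:
            continue
        rec = state[src]
        if proto == TCP:
            rec["tcp"] += 1
            if flags == ACK and src in synack_seq and ack == synack_seq[src] + 1:
                rec["handshake"] = True
        elif proto == GRE:
            rec["gre"] += 1
        elif proto == UDP:
            rec["udp"] += 1
    return dict(state)


def verified_sources(packets, victim):
    """Addresses that completed a handshake: hosts worth reporting as bots."""
    return sorted(s for s, r in classify_sources(packets, victim).items() if r["handshake"])


def unverified_sources(packets, victim):
    """Addresses seen without a completed handshake: may be forged or reflectors."""
    return sorted(s for s, r in classify_sources(packets, victim).items() if not r["handshake"])


if __name__ == "__main__":
    for src, rec in classify_sources(SAMPLE, VICTIM).items():
        print(src, rec)
    print("verified:", verified_sources(SAMPLE, VICTIM))
    print("unverified:", unverified_sources(SAMPLE, VICTIM))
```

On a real capture the same logic would run over flow or pcap records, and a source that shows up in both lists (here 198.51.100.5, which completed a handshake and also sent GRE) is the interesting case: the handshake confirms the address, and that confirmation can then be extended to its connectionless traffic.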

Is this a sign that big DDOS is making a comeback or just a couple of isolated attacks?


UPDATE: It appears Akamai is not happy with the extra excitement hosting Brian Krebs's site is bringing them.  Brian is looking for a new hosting provider.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick (ISC Handler)
OVH CTO describes the attacks as TCP traffic, likely coming from over 140,000 unsecured cameras, and possibly able to reach 1.5 Tbps of traffic.

https://twitter.com/olesovhcom/status/779297257199964160
Anonymous
Brian should simply change the DNS entry for www.krebsonsecurity.com to what's used by www.whitehouse.gov and that attacker will go away. Black helicopters and all that.
Anonymous
Serious egg on Akamai's face.
Dean
Brian said on Twitter that he was being provided DDoS protection for free. So the related companies actually were doing the security community a big favor yet never bragged about it.

Sadly, when someone draws a target on your customer's back there's no stopping it. A paying enterprise would simply pay a lot more but Brian is just one person and they cannot let their community service effort affect the availability of their paying customers. That would put them in breach of their contracts to protect the paying customers.
Anonymous
Best new acronym / pun!
TuggDougins
Quoting Anonymous:Brian should simply change the DNS entry for www.krebsonsecurity.com to what's used by www.whitehouse.gov and that attacker will go away. Black helicopters and all that.


Too late - the White House web site was already hosted on Akamai, the very same infrastructure that wasn't up to shielding Krebs any more!

(I'm guessing they'd put more effort into keeping hold of whitehouse.gov - and indeed .gov would throw more money at doing that than Krebs could afford - but if Akamai really can't cope with this scale of attack, it would knock almost any site offline. Presumably, Akamai ejected him in such a hurry because the attack was big enough to endanger service on the other sites they host as well. If the problem were isolated to his site alone, they wouldn't have dumped him so urgently.)