
DDoS Larger Than the Spamhaus Attack Strikes US and Europe

Unknown Lamer posted about 8 months ago | from the do-not-stare-directly-into-the-udp-packet dept.

Security 158

mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."


You get some funny looks (5, Funny)

Cryacin (657549) | about 8 months ago | (#46215349)

When you approach the business and say that a zombie network is DDoSing the website with a Reflection attack, and that's why no-one can access the website.

Re:You get some funny looks (3, Funny)

Shadyman (939863) | about 8 months ago | (#46215425)

Zombie used Reflection! It's super-effective!

Re: You get some funny looks (-1)

Anonymous Coward | about 8 months ago | (#46215499)

Zombie used Beta! It's super effective! Everyone starts leaving!

Oh well, at least I wasn't raped like the other people that commented earlier. My sympathies to them.

Re: You get some funny looks (-1)

Anonymous Coward | about 8 months ago | (#46216013)

Whining dick heads keep posting comments about leaving but somehow they are still coming in here and posting comments.
Leave already.
We are over the stupid complaints.
Bring on beta.

Re: You get some funny looks (-1)

Anonymous Coward | about 8 months ago | (#46216195)

Fuck Beta.

Re:You get some funny looks (3, Funny)

FatdogHaiku (978357) | about 8 months ago | (#46216119)

Zombie used Reflection! It's super-effective!

We can only be thankful that this method is not available to the Vampires...

Re:You get some funny looks (0)

Anonymous Coward | about 8 months ago | (#46215513)

Yet another reason not to talk to business jerks.

400 gbps? (1)

aliquis (678370) | about 8 months ago | (#46215595)

I can see how that's a problem for U.S. subscribers.

Re:You get some funny looks (-1)

Anonymous Coward | about 8 months ago | (#46215825)

I fucking love it when the gods speak via DDOS :)
Long live cracking and internet mayhem!!!

Beta...Beta raped me last night and I'm speaking o (-1)

Anonymous Coward | about 8 months ago | (#46215355)

I didn't know where I should post this, but I need to tell someone. I was just minding my own business when it came out of the shadows and grabbed me. I shouted NO! as loud as I could, over and over, but it wouldn't let go. And then it...it...(crying).
Don't let beta rape you too. Learn from my story.

Re: Beta...Beta raped me last night and I'm speaki (-1)

Anonymous Coward | about 8 months ago | (#46215383)

It raped me too man. You aren't alone. I just took a cold shower and cried for a while, but I'm going to overcome this. Beta you won't take my life!

Re: Beta...Beta raped me last night and I'm speaki (-1)

Anonymous Coward | about 8 months ago | (#46215415)

I throat-fucked Beta and made her swallow every last drop, too.

Fucking pussies.

Re: Beta...Beta raped me last night and I'm speak (-1)

Anonymous Coward | about 8 months ago | (#46215439)

Those two are women you insensitive clod!

Re: Beta...Beta raped me last night and I'm speak (-1)

Anonymous Coward | about 8 months ago | (#46216351)

Buy a strap-on!

Though, I don't understand this whining. Whenever I get redirected to beta.slashdot.org, I just delete the beta. It works for me.

Re: Beta...Beta raped me last night and I'm speaki (-1)

Anonymous Coward | about 8 months ago | (#46215533)

Fuck you betafucking assholes who can't be fucking arsed to click Classic.

The problem is (-1)

Anonymous Coward | about 8 months ago | (#46216535)

that beta sucks.

And yet... (1)

Anonymous Coward | about 8 months ago | (#46215391)

The ISPs of the world keep letting this kind of crap happen.... It should be pretty obvious when someone is trying to DDoS a server. Even if they don't want to lose a "paying customer", simply cutting access to that server for x amount of time for that IP would be more than enough.

Re:And yet... (3, Insightful)

jawnah (1022209) | about 8 months ago | (#46215443)

The ISPs of the world keep letting this kind of crap happen.... It should be pretty obvious when someone is trying to DDoS a server. Even if they don't want to lose a "paying customer", simply cutting access to that server for x amount of time for that IP would be more than enough.

I understand where you're coming from but I think that may be a premature observation. I doubt this is just an attack against a single IP address. You should also remember that there comes a point where the incoming volume of traffic destined for the IP address(es) under attack overwhelms the upstream carriers prior to the null-routing of said addresses. The lower the null-route is set, the greater the chance for upstream impact. Mitigating heavy DDoS isn't always just a simple matter.

Re:And yet... (-1)

sexconker (1179573) | about 8 months ago | (#46215475)

He's talking about cutting off the ATTACKERS, not the TARGET.
It is extremely simple to cut off the attackers.

1: Identify IP involved in the attack.
2: Switch their account off.

They won't be able to send a single packet. Whoever is actually paying for that connection is responsible for what comes out of it. If they let some shits host shit there, too bad. If it's a grandma whose box got owned, too bad. Fix your shit if you want access. We don't let cars drive the wrong way on the highway because some asshole has a license, we shouldn't let obviously malicious packets through just because some piece of shit is paying for the connection.

Re:And yet... (5, Informative)

Luckyo (1726890) | about 8 months ago | (#46215491)

The beauty of the first D in DDOS is that it's in fact DISTRIBUTED denial of service. It's not coming out of a single grandma, or even a hundred grandmas.

You may be forced to switch tens of thousands, maybe even hundreds of thousands of people off. Can you imagine the massive PR fallout? Mass media would LOVE the story.

No one is going to go for that kind of PR disaster.

Re:And yet... (0)

Zorpheus (857617) | about 8 months ago | (#46216271)

These computers are parts of botnets that have existed for a long time. Send the infected customers an email about their infection, containing an offer to fix it (for a certain price) and a deadline after which they will be cut off if they do not get it fixed.

Re:And yet... (3, Insightful)

Luckyo (1726890) | about 8 months ago | (#46216323)

Which is going to be a great explanation to talk about on TV talk shows. Alongside why ISPs cut innocent people who are victims of a crime off the internet as an additional punishment, and what should be done about those evil ISPs.

All the while the person dumb enough to actually make that career-ending call enjoys his new career at a local fast food restaurant.

Re:And yet... (0)

Anonymous Coward | about 8 months ago | (#46216363)

Send the infected customers an email about their infection, containing the offer to fix it (for a certain price) and a deadline when they will be cut off if they do not get this fixed

"Hello, we recently became involved with a Nigerian Royal family who have had some difficulties of transferring their financials out of the country due to widespread viral infection on line. It has come to my attention that You are one of the sufferers of this serious outbreak. The outcome of this infection may be as severe as cutting off the Internet all together. For a negligible fee, your infection may be cured, and for a small additional deposit you can help the Royal family to transfer their financials aboard. For this you will be generously compensated. Faithfully Yours, Your ISP."
That should do it.

Re:And yet... (5, Insightful)

jawnah (1022209) | about 8 months ago | (#46215497)

How, exactly, would you propose that this is done by carriers? You say that it would be obvious if someone were attempting a DDoS attack but that may not be true. One of the major issues with DDoS is that it doesn't require tremendous bandwidth on the client sides. There could be millions of those (and with the fact that everyone thinks they need 50Mbps home internet for their web surfing) and there's plenty of bandwidth available that could be limited to appear like legitimate traffic. It has been my experience that the best attacks against things involve greater quantities of remote hosts and less bandwidth than fewer hosts with more bandwidth.

Re:And yet... (4, Informative)

justanothersysadmin (1750776) | about 8 months ago | (#46215581)

Except in this case (or other reflection attacks, i.e. where you're dealing with source address spoofing), RPF [wikipedia.org] on customer-facing interfaces should prevent the attack from leaving the ISP's network in the first place. Note that I'm talking about the ISP of the original machine performing the request with the spoofed source IP here, not even the ISP of the server that's being used for the reflection & amplification (which in this case is a vulnerable or misconfigured NTP server). The affected NTP servers need to be cleaned up as well, but the sources of the original packets also should be preventing the spoofed traffic from leaving their networks.

Re:And yet... (4, Interesting)

Anonymous Coward | about 8 months ago | (#46215645)

The affected NTP servers need to be cleaned up as well,

Well, yes and no. There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage.
HOWEVER there are many, many, many shitty little firewalls (I'm looking at you, SonicWall, among others) which for some FUCKING RETARDED reason default to responding to unsolicited NTP packets with a "reject" or "bad request" packet, instead of just dropping it into the "bitbucket". So for the cost of sending a malformed 8-byte UDP packet, you can get the amplifier to respond with a full-size "bad request" or "service denied" response.

Verifying source IPs is, as you stated, the real root of the issue.
But it's not nearly so easy as you might think to blacklist a rogue ASN, at least not without blacklisting entire regions of the world at the same time. You need to get ALL the ASNs which have ANY kind of path to the rogue one to get in on the blacklisting, and even if you got it done they'd already have a contingency plan... change the company name, transfer the IPs to a "new" company with a new ASN, and boom, you're back in business. It really is trying to shoot at a moving target, and in the process you end up hitting a lot of people who aren't guilty of anything.

Re:And yet... (0)

Anonymous Coward | about 8 months ago | (#46215951)

"There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage."

Well, according to CloudFlare there is about 400Gbps. You don't have to target published NTP servers; full ntpd clients with poor access control will respond as well. And the issue here is that the amplification is huge, up to 206x for a full monlist of 600 IPs, compared with 8x for a DNS reflection.

Re:And yet... (1)

Calinous (985536) | about 8 months ago | (#46215865)

Home internet at 50 Mbps means 50 Mbps downlink and almost certainly less than 10 Mbps uplink (probably less than 5 Mbps) - and uplink is what matters in this case.

Re:And yet... (0)

Anonymous Coward | about 8 months ago | (#46216113)

What if your filter gets DDoSed? That's what is happening. Bad traffic is being rerouted temporarily, but there are so many senders that even this mechanism gets overloaded.

Re:And yet... (-1)

Anonymous Coward | about 8 months ago | (#46216255)

I wish my grandma had a 400gbit link.

Firstlook? NSA? (1)

Anonymous Coward | about 8 months ago | (#46215405)

I went to firstlook.org this morning to see Glenn Greenwald's latest NSA story, and was surprised to first see a page from cloudflare claiming to be checking if I was a legit visitor. Could this be related? Have the spooks struck again?

Re:Firstlook? NSA? (0)

Holi (250190) | about 8 months ago | (#46215583)

Why would you support a site that so flagrantly breaks the back button?

Sounds a lot like the Slashdot beta reviews (-1, Offtopic)

Anonymous Coward | about 8 months ago | (#46215413)

Dice wanted opinions and everyone hates it. Anyone that doesn't support it gets their comments deleted or modded down. The amount of response was overwhelming and a record at that. Why don't you listen? Well, the people that cared moved on to altslashdot's IRC so good luck. Nobody gives a crap about slashdot beta

Re:Sounds a lot like the Slashdot beta reviews (-1)

Anonymous Coward | about 8 months ago | (#46215521)

So you don't care but are complaining anyway, or you do care and haven't moved on to "altslashdot's IRC"?
Go away.

Re:Sounds a lot like the Slashdot beta reviews (-1, Offtopic)

JohnSearle (923936) | about 8 months ago | (#46215543)

Dice wanted opinions and everyone hates it. Anyone that doesn't support it gets their comments deleted or modded down.

I hate Slashdot Beta as much as the next guy... but you're off on the comment deletion or modding down bit. There has been a constant flood of hateful comments aimed at Beta, and pretty well anything that says "Fuck Beta" in it gets modded up.

Examples:
Fuck Beta [slashdot.org]
Slashdot BETA Sucks [slashdot.org]

Or go find the negative comment of your choice in the main hate thread [slashdot.org]. There are plenty of them marked as insightful.

Re:Sounds a lot like the Slashdot beta reviews (-1)

Anonymous Coward | about 8 months ago | (#46216139)

You're confusing the comments on those posts and the ones on the new threads since Saturday. People are getting banned, comments are being removed, -1 karma is the typical response though. Dice doesn't want to hear any more fuck beta bullshit because they don't care about the vast majority of their users.

Who'd they piss off? (0)

Anonymous Coward | about 8 months ago | (#46215427)

So which one of them got on IRC and dissed someone's mamma?

Why are network providers allowing FORGED packets (5, Insightful)

Anonymous Coward | about 8 months ago | (#46215429)

Serious question: why are network providers allowing FORGED packets to leave their networks?

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46215505)

Laziness Syndrome.

Re:Why are network providers allowing FORGED packe (5, Informative)

Anonymous Coward | about 8 months ago | (#46215531)

It's not always laziness. I added outgoing filters to my routers so that it only allowed source addresses from my network. That was great at stopping DOS attacks, but as I found out the hard way, several of my customers were sending outbound traffic with source addresses not on my network. That was in 1997. For the next several years, it was a huge hassle to keep adding additional source address ranges for customers. An ISP selling a high speed connection has to allow outgoing traffic from addresses they don't own. That's the entire point of selling transit.

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46215551)

For the next several years, it was a huge hassle to keep adding additional source address ranges for customers.

So you became lazy.

Re:Why are network providers allowing FORGED packe (1)

Anonymous Coward | about 8 months ago | (#46215607)

So you became lazy.

Because hiring people that can update Cisco IOS configs is cheap and the updates are risk free. Also, customers are very understanding and patient when they can't send traffic after they change addresses. The GP is right that it is a huge hassle.

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46215631)

So that's why there's unemployment. Lazy job creators refuse to hire people because it's a huge hassle.

Re: Why are network providers allowing FORGED pack (1)

Anonymous Coward | about 8 months ago | (#46215623)

I would not call that lazy. Altruism only goes so far in the REAL world. If someone pays you for the effort, or legislation demands it of everybody, you will probably keep doing it. But if it is only out of the goodness of my heart, eventually everybody will say fuck it.

Re: Why are network providers allowing FORGED pack (0)

Anonymous Coward | about 8 months ago | (#46215639)

Fuck the real world and the legislation it rode in on.

Re:Why are network providers allowing FORGED packe (1)

justanothersysadmin (1750776) | about 8 months ago | (#46215599)

And RPF would not work in your setup?

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46215831)

While I agree that it's almost impossible to implement that kind of filter in a complex ISP core network, it's also not the location where it should be done. You want to do this as close as possible to where it happens. So, the filtering of bogus sources should happen at the ISP's access routers and BRASes. The nice thing is, most ISPs fully automate the configuration of those devices, so it shouldn't be that hard to automate filters too.

Once this stuff seeps into the core network of an ISP, it is very hard to determine where it actually comes from and filtering it will become an even harder task.

Re:Why are network providers allowing FORGED packe (1)

rmstar (114746) | about 8 months ago | (#46215921)

It's not always laziness. I added outgoing filters to my routers so that it only allowed source addresses from my network. That was great at stopping DOS attacks, but as I found out the hard way, several of my customers were sending outbound traffic with source addresses not on my network.

Interesting. What were they doing?

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46215937)

The business was offering RESTful DDOS, as a service.

Re:Why are network providers allowing FORGED packe (1)

pe1chl (90186) | about 8 months ago | (#46216007)

"I found out the hard way, several of my customers were sending outbound traffic with source addresses not on my network."

You should lose those customers! Really.
No-one, I repeat no-one, has business sending packets with forged source addresses.
Refer them to a book on policy routing when they don't know how to route in a multihomed environment.

Re: Why are network providers allowing FORGED pack (0)

Anonymous Coward | about 8 months ago | (#46216107)

I think you are confusing addresses not part of the originating network's IP blocks with spoofed, when the customer might have legitimate rights to the IP range through another provider. It is quite common to do this for redundancy/QoS reasons that are 100% legitimate. For example link redundancy with a preferred route (higher bandwidth/lower cost).

Re: Why are network providers allowing FORGED pack (2)

pe1chl (90186) | about 8 months ago | (#46216163)

Users of the internet should send traffic from their assigned address.
When they have multiple addresses they should use the address that belongs to the interface they send it on.
Either they route the traffic to the interface that belongs to an address, or they assign the source address depending on the interface they want to route on.
Don't adhere to this rule and you face blacklisting of your traffic.

It is similar to open SMTP servers. Used to be no problem, used to be common practice, is not acceptable anymore today.

Re: Why are network providers allowing FORGED pack (0)

Anonymous Coward | about 8 months ago | (#46216507)

Many people who have redundant connections will do load balancing. After all they are paying for two (or more) connections, why not use them. Not to mention, your rules would break their redundant connection... their primary connection goes down and they have to use their 2nd connection. Boom, they are down... so much for a backup connection :P "Thanks sucky ISP!" Posting anon to keep moderation.

Re:Why are network providers allowing FORGED packe (1)

jones_supa (887896) | about 8 months ago | (#46216033)

It's not always laziness. I added outgoing filters to my routers so that it only allowed source addresses from my network. That was great at stopping DOS attacks, but as I found out the hard way, several of my customers were sending outbound traffic with source addresses not on my network.

I'm not a networking wizard so I ask...why did the customers need to send outbound traffic using modified source addresses? Why should that be allowed as part of your service?

Same as email spam (0)

Anonymous Coward | about 8 months ago | (#46215517)

PP: "Serious question. why are network providers allowing FORGED packets to leave their networks?"

Because: the Not My Problem syndrome.

They only care when lawyers come knocking re: piracy,
or customers get so clogged in a zombie state that they must call threatening to leave since total speeds feel slower.

The latter results in plan upsell opportunities for a pricier highspeed tier. Guess the ISP benefits from that last one huh?

Re:Why are network providers allowing FORGED packe (1)

Anonymous Coward | about 8 months ago | (#46215587)

Good question. This is like classifier rule #1 (or damn near #1) at the ISP I work for. If it's not in our block it doesn't leave.

Re: Why are network providers allowing FORGED pack (1)

Anonymous Coward | about 8 months ago | (#46215649)

A better question is why are ISPs allowing forged traffic to ENTER their network from end users? If they drop grandma's traffic that doesn't have grandma's srcip then grandma won't complain and the WWW would be a little safer. Of course there will always be end users who transit legit traffic.

Re: Why are network providers allowing FORGED pack (3, Insightful)

DarwinSurvivor (1752106) | about 8 months ago | (#46216073)

Because it is VERY difficult to ascertain whether the source of an inbound packet is forged unless it is very obvious (like an IP that should be inside your network or on a private subnet). Outbound traffic on the other hand should almost always have a source IP that belongs to your assigned ranges (or configured private subnets).
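The source-address validation this thread is arguing about, as an added Python example (not code from any poster, vendor or ISP): strict and loose egress checks on customer-facing interfaces, plus the much weaker check that is possible on the transit side, run over constructed packets in RFC 5737 documentation ranges. Interface names, prefixes and packets are all made up for illustration.

```python
"""Source-address validation at an ISP edge (the BCP 38 / unicast RPF idea
discussed above). Constructed example: interface names, prefixes and sample
packets are invented, using RFC 5737 documentation ranges."""
import ipaddress

# Prefixes each customer-facing interface is provisioned to source traffic
# from. 'cust-b' is a multihomed customer that legitimately sources packets
# from a range delegated by another provider, so that range is listed too:
# the filter only works if this provisioning data is kept current, which is
# the operational "hassle" raised in the thread.
CUSTOMER_PREFIXES = {
    "cust-a": ["198.51.100.0/24"],
    "cust-b": ["203.0.113.0/26", "192.0.2.128/25"],
}

# Every prefix this ISP is entitled to carry outbound, regardless of interface.
CARRIED_SPACE = [ipaddress.ip_network(p) for ps in CUSTOMER_PREFIXES.values() for p in ps]

# Sources that can never legitimately arrive from transit: our own ranges plus
# private, loopback and link-local space.
NEVER_FROM_UPSTREAM = CARRIED_SPACE + [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _in_any(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def strict_egress(interface, src):
    """Strict mode: the source must be in a prefix provisioned on the very
    interface the packet came in on. Drops a customer spoofing a victim's
    address, and also a customer spoofing a neighbouring customer's range."""
    nets = [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(interface, [])]
    return "forward" if _in_any(src, nets) else "drop"


def loose_egress(src):
    """Loose mode: the source only has to be somewhere in the address space the
    ISP carries. Still stops reflection attacks that spoof arbitrary victims,
    but cannot tell one customer's address from another's."""
    return "forward" if _in_any(src, CARRIED_SPACE) else "drop"


def upstream_ingress(src):
    """Inbound from transit: only the obviously forged can be rejected, i.e. a
    source claiming to be inside our own ranges or in private space. Everything
    else must be accepted, which is why filtering at the source network is the
    effective control."""
    return "drop" if _in_any(src, NEVER_FROM_UPSTREAM) else "forward"


def classify(packet, mode="strict"):
    """Apply the policy that belongs to the interface the packet arrived on."""
    if packet["iface"] == "transit":
        return upstream_ingress(packet["src"])
    if mode == "loose":
        return loose_egress(packet["src"])
    return strict_egress(packet["iface"], packet["src"])


# Constructed sample traffic; 192.0.2.10 stands in for some remote host.
SAMPLE_PACKETS = [
    # legitimate residential packet
    {"iface": "cust-a", "src": "198.51.100.77", "dst": "192.0.2.10", "dport": 443},
    # multihomed customer using its other provider's range: legitimate
    {"iface": "cust-b", "src": "192.0.2.130", "dst": "192.0.2.10", "dport": 443},
    # NTP request carrying a victim's address as source: spoofed
    {"iface": "cust-a", "src": "192.0.2.5", "dst": "192.0.2.10", "dport": 123},
    # customer sourcing a neighbouring customer's address: spoofed
    {"iface": "cust-a", "src": "203.0.113.3", "dst": "192.0.2.10", "dport": 123},
    # inbound from transit claiming to be one of our own hosts: forged
    {"iface": "transit", "src": "198.51.100.9", "dst": "198.51.100.77", "dport": 80},
]


def verdicts(mode="strict"):
    """Verdict per sample packet, in SAMPLE_PACKETS order."""
    return [classify(p, mode) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, strict, loose in zip(SAMPLE_PACKETS, verdicts(), verdicts("loose")):
        print(f"{p['iface']:8} {p['src']:15} -> {p['dst']:15} strict={strict:8} loose={loose}")
```

The fourth packet is the one that separates the two modes: loose mode forwards it because the address is in a range the ISP carries, strict mode drops it because it is not provisioned on that interface.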

Re:Why are network providers allowing FORGED packe (1)

Anonymous Coward | about 8 months ago | (#46215935)

I had that attack in my network last week. It's not based on IP spoofing. It simply exploits open ntpd servers and sends them the payload which targets many more servers (reflection and amplification). I had to mitigate the attack by filtering the NTP port to just a few credible servers from pool.ntp.org.

Re:Why are network providers allowing FORGED packe (1)

pe1chl (90186) | about 8 months ago | (#46216011)

That is called IP spoofing. They send a request with a sender address of a victim, and the server sends the reply to the victim.
This would not be possible if the attacker's ISP did not allow source address spoofing.

Re:Why are network providers allowing FORGED packe (1)

Anonymous Coward | about 8 months ago | (#46216067)

You are right. But I can't believe that there are still ISPs out there which do not put filters based on their routing objects on their border routers. It's insane. And on the other hand their upstream providers allowing it. What is BGP good for then? Are network guys that lazy?

Re:Why are network providers allowing FORGED packe (1)

GeekWithAKnife (2717871) | about 8 months ago | (#46216159)

Forgive me if I'm wrong but given large volumes of traffic that are sold at the lowest rate, providers are not about to add hassle and overhead to their filtering...

So it's a "business decision" really. After all, is there anything to penalize network providers from not adding filters?

Personally I think this should really be in everyone's best interest given the implications of inaction, but how to start the ball rolling?

Re:Why are network providers allowing FORGED packe (0)

Anonymous Coward | about 8 months ago | (#46216317)

Because UDP is broken, by design.

Win. (-1)

Anonymous Coward | about 8 months ago | (#46215435)

That's fucking sick.

#STOPTHEBETA (-1)

Anonymous Coward | about 8 months ago | (#46215537)

#STOPTHEBETA

Re:#STOPTHEBETA (-1)

Anonymous Coward | about 8 months ago | (#46215561)

Beta is your Master Master Beta

Re: #STOPTHEBETA (0)

Anonymous Coward | about 8 months ago | (#46216001)

Don't know if it can be stopped. We can still hope...

Avoiding Slashdot this week (0)

jandjmh (66714) | about 8 months ago | (#46215557)

Carefully not clicking on any links - not reading any of the fine articles

Re:Avoiding Slashdot this week (0)

Anonymous Coward | about 8 months ago | (#46215579)

not reading any of the fine articles

So no different from any other week then?

Re:Avoiding Slashdot this week (1)

aliquis (678370) | about 8 months ago | (#46215603)

How did you get here?

Re:Avoiding Slashdot this week (1)

jones_supa (887896) | about 8 months ago | (#46216037)

Then why are you here?

Wonder what was affected (1)

SuperKendall (25149) | about 8 months ago | (#46215575)

I did have one site I normally visit (DPReview) get really slow, and then eventually go offline for a short time, I wonder if that was due to the attack.

At this point it seems like even massive attacks are not really doing much of a job in slowing down companies using something like CloudFlare or other distributed CDNs. I wonder how much longer it is before people will give up on DDOS attacks as ineffective.

Re:Wonder what was affected (0)

Anonymous Coward | about 8 months ago | (#46215591)

Nothing is ever a coincidence! Aliens teamed up with Vampires and Zombie Jesus at Area 51 to make your favorite sites slow deliberately to annoy you.

Re:Wonder what was affected (0)

Anonymous Coward | about 8 months ago | (#46215647)

Nothing is ever a coincidence! Aliens teamed up with Vampires and Zombie Jesus at Area 51 to make your favorite sites slow deliberately to annoy you.

What the fuck are you even talking about? Idiot.

Where are (1)

Max_W (812974) | about 8 months ago | (#46215585)

NSA and GCHQ when you need them?

Re:Where are (0)

Anonymous Coward | about 8 months ago | (#46215615)

They're busy having more sex than you. But feel free to jack off to erotic images of Snowden. He's a hottie.

Re:Where are (0)

Anonymous Coward | about 8 months ago | (#46215641)

That doesn't even make any sense. Forget to take your meds today?

Re:Where are (-1)

Anonymous Coward | about 8 months ago | (#46215733)

I don't need any Viagra today because I have a selfie from Snowden and he's a hot piece of meat.

As many as 4 ... (0)

Anonymous Coward | about 8 months ago | (#46215687)

As many as 4 $9/month residential connections in Tokyo were taken over in this remarkable exploit.

They need to get better at tracking these things (1)

Karmashock (2415832) | about 8 months ago | (#46215701)

Why does it always take a team of tech to manually block the spamming IP numbers? Why isn't this automated? When this sort of flooding action takes place it should be pretty obvious... respond.

Re: They need to get better at tracking these thin (2, Insightful)

Anonymous Coward | about 8 months ago | (#46215747)

Our last inbound attack appeared to come from over 50 million very well spread out different IPs. Of course those are all spoofed IPs but either way you can't effectively block that many without blocking larger amounts of legit traffic.

Re:They need to get better at tracking these thing (0)

Anonymous Coward | about 8 months ago | (#46215775)

Why does it always take a team of tech to manually block the spamming IP numbers? Why isn't this automated? When this sort of flooding action takes place it should be pretty obvious... respond.

Yeah, CloudFlare [cloudflare.com] should learn how to set up a Linux box with iptables in front of their server. How hard can this be?

Re:They need to get better at tracking these thing (1)

Andtalath (1074376) | about 8 months ago | (#46215905)

IPS is sometimes great.

However, if an attack occurs from thousands of IP addresses and with random requests.
Well, they fail and you fail.

DDOS is terrible to defend against.

DOS otoh is simple, just block the IP.

Re:They need to get better at tracking these thing (1)

Karmashock (2415832) | about 8 months ago | (#46215963)

There has to be some sort of pattern. It can't be entirely random.

Asshole beta title line (0)

Anonymous Coward | about 8 months ago | (#46216553)

Why not? They obviously use hijacked/trojan/virus infested PCs which will be distributed quite randomly.

Keep the Slashcot going! (-1)

Anonymous Coward | about 8 months ago | (#46215711)

Notice how much nicer Slashdot has become now that all the leftists have decided to Stick It To The Man and left? Slashdot hasn't been this pleasant in about 15 years!

Keep the Slashcot going!

Re:Keep the Slashcot going! (-1)

Anonymous Coward | about 8 months ago | (#46215751)

Obama walks into Chase Bank and says to the teller, “Good morning, could you cash this check for me”? “It would be my pleasure sir. Could you please show me your ID?” She replies. Obama says, “sorry, I didn’t think I needed to bring it with me after all I am the president!” The teller tells him, “yes sir, I know who you are but with all the government regulations I need that ID. But look, this is what we can do: One day Tiger Woods came into the bank without ID. To prove he was Tiger Woods he pulled out his putting iron and made a beautiful shot across the bank lobby into a cup. With that shot we knew him to be Tiger Woods and we cashed his check. So, what can you do to prove that it is you, and only you?” Obama stood there thinking, and thinking and finally says,”honestly, nothing comes to mind. I can’t think of a single thing I can do.” The teller turns to him and says, ”great, will that be large or small bills, Mr. President?”

I guess they tried the Beta (-1)

Anonymous Coward | about 8 months ago | (#46215783)

And the beta won! Doom faces us!

Re:I guess they tried the Beta (-1)

Anonymous Coward | about 8 months ago | (#46215819)

USE CLASSIC. It's classy.

Stop dumbing down summaries, please. (3, Interesting)

andyn (689342) | about 8 months ago | (#46215849)

a timing mechanism that underpins a way the Internet works

But how many LOCs is that? Joking aside, I would have thought that nobody had to dumb down things that much before posting to Slashdot.

Update your NTP sw! (5, Informative)

Terje Mathisen (128806) | about 8 months ago | (#46215895)

I've been a member of the NTP Hackers team for more than a decade, the mechanism that is being abused for these attacks is in fact a very useful debugging/monitoring facility:

You can ask an ntpd server about how many clients it has and how often each of them have been accessing the server. On old/stable ntpd versions this facility was accessed using a single pure UDP packet (ntpdc -c monlist), and in reply you got back information about up to 602 clients (the size of the monlist buffer), sent as a big burst of UPD packets.

Researchers have developed maps of the entire publicly accessible NTP networks using this facility, I have personally used it to map the status of our fairly big corporate network. I.e. it can be extremely useful!

A few years ago the development version of ntpd switched to a different protocol and method to query this information (ntpq -c mrulist), using a nonce, which means that you can no longer spoof the source address. Since the mrulist buffer is configurable, I have set up my public IPv6 pool server (ntp2.tmsw.no [2001:16d8:ee97::1]) to keep monitoring info for the last 10K clients.

Today we recommend that you either upgrade to ntpd v2.4.7, or if you really cannot do this, insert a 'restrict default noquery' option in the ntp.conf configuration file. The 'noquery' indicates that clients can still use the server for regular time requests, but the monitoring facility is disabled.

Terje

Re:Update your NTP sw! (4, Informative)

lowlands (463021) | about 8 months ago | (#46216115)

Thank you for pointing that out. It would be great if sysadmins and vendors fixed their NTP config. Unfortunately it's not only NTP that gets abused. The script kiddies also use open DNS servers that do recursive searches. And I'm sure there are more ways kindly offered by ignorant sysadmins and vendors who just don't care. Just google for "TP-Link recursive DNS" to get an idea. The solution is to force vendors to fix recursive DNS and NTP on their Internet-facing boxes (why stop there, just "disallow anything from WAN" by default) and make them liable for the default config. Educate and poke sysadmins to fix their badly configured crap if they do not want to get blocked by their ISP or upstream. Force local ISPs to drop packets with a non-local src IP address and block the idiot that sends those packets. And finally add to Spamhaus the IP addresses/ranges of idiots who just don't care. Let's see how quickly they fix their crap once their boss figures out he can no longer send email to the cute-cat-pic mailing list.

Re:Update your NTP sw! (2, Interesting)

Anonymous Coward | about 8 months ago | (#46216287)

Two key corrections:

1. It's UDP (the protocol) not UPD. Contextually I understood though, and assumed typo until I saw...

2. It's ntpd v4.2.7 not ntpd v2.4.7.

Also, the recommended solution is not just to limit with noquery, but with the other flags as well. This comes straight from the FreeBSD stable/9 ntp.conf as of 2013/12/27 [freebsd.org]:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

The last 3 lines are effectively "allow". For what these all do, refer to the ntp.conf man page.
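As an added example (not from any commenter, nor from the ntpd or FreeBSD projects), here is a small Python linter that parses the 'restrict' statements of an ntp.conf and reports whether the IPv4 and IPv6 default rules carry the flags from the FreeBSD config above; it serves both Terje's 'restrict default noquery' advice and the correction in this post. It assumes ntpd 4.2.6+ semantics, where an unqualified 'restrict default' covers both address families, and uses constructed sample configs.

```python
# Added linter for the ntp.conf 'restrict' settings discussed above. Assumes ntpd 4.2.6+
# semantics, where a 'restrict default' with no -4/-6 selector covers both address families.
REQUIRED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}  # FreeBSD defaults quoted above

def parse_restrict_lines(conf_text):
    """Map (family, address) -> set of flags for every 'restrict' statement."""
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()                      # drop comments
        tokens = line.split()[1:] if line.startswith("restrict ") else []
        family = tokens.pop(0) if tokens and tokens[0] in ("-4", "-6") else "any"
        if not tokens:
            continue
        address = tokens.pop(0)
        if "mask" in tokens[:-1]:                                # 'mask X' is an argument, not a flag
            i = tokens.index("mask")
            address += "/" + tokens[i + 1]
            del tokens[i:i + 2]
        rules[(family, address)] = set(tokens)
    return rules

def audit_default_restrictions(conf_text):
    """Return findings for the IPv4 and IPv6 default rules; an empty list means both are hardened."""
    rules = parse_restrict_lines(conf_text)
    findings = []
    for fam in ("-4", "-6"):
        flags = rules.get((fam, "default"), rules.get(("any", "default")))
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, so monitoring queries are answered for any source")
            continue
        if "ignore" in flags:
            continue                                             # drops every packet, nothing to amplify
        missing = sorted(REQUIRED_FLAGS - flags)
        if missing:
            note = " (monlist/mrulist still reachable from anywhere)" if "noquery" in missing else ""
            findings.append(f"{fam}: default rule is missing {' '.join(missing)}{note}")
    return findings

# Constructed samples: a weak config with no 'noquery', and the FreeBSD stable/9 lines quoted above.
WEAK_CONF = "restrict default kod nomodify notrap\nrestrict 127.0.0.1\n"
HARDENED_CONF = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_default_restrictions(conf) or ["OK"])
```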

Re:Update your NTP sw! (0)

Anonymous Coward | about 8 months ago | (#46216525)

I hope this is now the new default for ntpd. If it isn't, it should be. IMHO

Microsoft DDoS © (1)

Anonymous Coward | about 8 months ago | (#46215901)

"Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault."

I would have thought the DDoS attack was facilitated by all those compromised Microsoft Windows desktop computers out there on the Intertubes...

Un-named customer (0)

Anonymous Coward | about 8 months ago | (#46215979)

CloudFlare don't mention who was targeted. I think it was a music torrent site. I know this because I use them and they have been suffering denial of service attacks for a while. If they are the target I wonder who is paying for this DDoS attack - disgruntled user, or music industry?

Not only NTP (2)

pe1chl (90186) | about 8 months ago | (#46216025)

This case mentions the use of NTP, but the idea of reflection attacks has by now propagated to TCP as well; even without amplification it seems worthwhile.
Right now an attack is running on many webservers that sends SYN packets with source port 80 and 443 and destination port 80 from spoofed source addresses.
Apparently they want to overwhelm the victim with SYN ACK packets from reflectors.
However, those are the same size as the SYN packets sent by the attackers. Probably no issue; those attacks are likely sent from compromised systems and botnets as well.

It is about time that a blacklisting system is set up for providers that allow source address spoofing, similar to how providers running open SMTP servers were tarred and feathered until they fixed it.

Re:Not only NTP (3, Interesting)

ledow (319597) | about 8 months ago | (#46216585)

Yep.

Source-address spoofing just shouldn't be happening. Whether on the smallest or largest networks, why would you let someone fabricate any IP address and pass it along as if it were part of your network?

First rule on almost all firewalls is to block all such "foreign" packets.

The big carriers are really the problem here - they should just turn off network access to anyone who provides traffic to/from systems that they are not registered in their AS for. After an hour of being offline, they'll soon push the message to clean up what IPs are talking out from your networks, all the way down to individual leased line customers.

Live DDoS attacks (0)

Anonymous Coward | about 8 months ago | (#46216199)

You can watch DDoS attacks live as they are happening all over the world, including this recent attack from this website: http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16065&view=map

Absolutely love that website, ever since I've found it on Slashdot a year or so ago.
