Forgot your password?
Close
typodupeerror
Networking Botnet Security

200-400 Gbps DDoS Attacks Are Now Normal 92

Posted by Soulskill
from the distributed-denial-of-sherbet dept.
An anonymous reader writes "Brian Krebs has a followup to this week's 400 Gbps DDoS attack using NTP amplification. Krebs, as a computer security writer, has often been the target of DDoS attacks. He was also hit by a 200Gbps attack this week (apparently, from a 15-year-old in Illinois). That kind of volume would have been record-breaking only a couple of years ago, but now it's just normal. Arbor Networks says we've entered the 'hockey stick' era of DDoS attacks, as a graph of attack volume spikes sharply over the past year. CloudFlare's CEO wrote, 'Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.' In a statement to Krebs, he added, 'We have an attack of over 100 Gbps almost every hour of every day.'"
This discussion has been archived. No new comments can be posted.

200-400 Gbps DDoS Attacks Are Now Normal More

200-400 Gbps DDoS Attacks Are Now Normal

Comments Filter:

  • Root issue is lack of URPF and similar (Score:5, Informative)

    by silas_moeckel (234313) <silas&dsminc-corp,com> on Saturday February 15, 2014 @12:42PM (#46254873) Homepage

    Hosting/Colo/Transit providers are the real core issue. There is absolutely no reason that URPF or similar or at least ingress ACL's are not in place. Lets face it if your limiting the prefixes announced you should be filtering on them as well. Anything even close to core can do this in hardware, URPF and similar there is generally no config required more than turning it on. At Hosting/Colo levels do you still have something on the public side that can not do at least ACL's in hardware? Plenty of automation packages can do this stuff in an automated fashion. The root cause is lazy and broken providers that just do not care, DDOS traffic can make some of them piles of cash directly in transit billing or indirectly as the only people with a big enough pipe to do ddos protection.

Do not underestimate the value of print statements for debugging.

Close