

Cloudflare Stops New World's Largest DDoS Attack Over Labor Day Weekend (zdnet.com) 21
An anonymous reader quotes a report from ZDNet: Over the Labor Day weekend, Cloudflare says it successfully stopped a record-breaking distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). This came only a few months after Cloudflare blocked a then all-time high DDoS attack of 7.3 Tbps. This latest attack was almost 60% larger.
According to Cloudflare, the assault was the result of a hyper-volumetric User Datagram Protocol (UDP) flood attack that lasted about 35 seconds. During that just more than half-minute attack, it delivered over 5.1 billion packets per second. This attack, Cloudflare reported, came from a combination of several IoT and cloud providers. Although compromised accounts on Google Cloud were a major source, the bulk of the attack originated from other sources.
The specific target of this attack has not been publicly disclosed, but we can be sure the intent was to overwhelm the victim's network and render online services inoperative. Cloudflare says its globally distributed, fully autonomous DDoS mitigation network detected and neutralized the threat in real time, without notable impact on customer services or requiring manual intervention. This operation highlights both the rising sophistication of attack methods and the resilience of modern internet infrastructure defenses, especially Cloudflare's use of real-time packet analysis, fingerprinting, and rapid threat intelligence sharing across its network.
Know what would be cool? (Score:4, Informative)
If every ISP blocked spoofed UDP packets from exiting their network.
Re: (Score:3)
provide the attackers' ISPs a list of attacker ip addresses, and get them disconnected from the internet.
It may very well have been your web enabled TV set participating in the attack. Your suggestion would just promulgate a secondary DDoS attack. Getting innocent households blocked from Internet service. The script kiddies would be laughing their asses off.
Re: Know what would be cool? (Score:4, Insightful)
That's probably worth doing anyway, and it might make sense for the FCC to enforce domestically. We have precedent for that, by the way, in the form of a literal TV emitting noise that was disrupting emergency communications, and the FCC telling the owner that he's not allowed to turn on his TV without fixing it. I believe the manufacturer ended up replacing it, but ultimately it was on the owner to take it up with the manufacturer.
The FCC also requires licensing for amateur radio station operators as well. While I don't believe licensing is necessary, I do believe that cutting off or else severely throttling negligent users is warranted. If they built or otherwise bought a system connected to the internet that was engineered with neglect, that should also be on the user as well. As for whether the manufacturer holds liability, that would belong in a separate law built around consumer protection that gives the consumer recourse.
As for operators abroad, that should come in the form of a treaty organization akin to WIPO.
Re: (Score:2, Informative)
reparse it
It's the (new) (world's largest ddos attack)
not (new world)'s (largest ddos attack)
You know what pisses me off ? (Score:2)
You know what pisses me off the most ?
It's not when they say "Nothing happened";
It's when they say "Something happened, but we're not telling you what !"
Internet infrastructure? (Score:2)
Cloudflare is not internet infrastructure ... it's the centralized, censorship prone band aid on the flaws of the internet infrastructure.
It didn't need to be this way, the internet could have been designed to not need DDOS protection.
Re: (Score:2)
the internet could have been designed to not need DDOS protection
How?
I can close an entire street by ordering five hundred pizzas to the same address at the same time (assuming I can find five hundred pizzerias within the delivery area). How would we design a street to prevent this kind of DDoS attack?
Likewise, I fail to understand how the Internet could be designed in such a way that would be impossible to overwhelm any given target with a volume of traffic it can't handle.
Re:Internet infrastructure? (Score:4, Informative)
Don't allow pizza deliverers to spoof their pizza place, allow the customer to put in a block at the pizza place for new deliveries.
https://datatracker.ietf.org/d... [ietf.org]
Re: (Score:2)
allow the customer to put in a block at the pizza place for new deliveries
Isn't that the physical equivalent of Cloudflare? It's proving the grandparent's statement about street design.
Re: (Score:3)
It accomplishes the same thing, but in a different way. Cloudflare just gives you massive amounts of distributed bandwidth and a good traffic filter, but the DDOS traffic is still there on the internet. This approach has massive costs, creating an oligopoly of a handful of CDNs and clouds which can handle it, who become speech gatekeepers in the process.
Re: (Score:2)
The first only works if people are spoofing IP addresses. They're not bothering to these days - many routers have source filtering enabled.
DDoS attacks come from many places all at once by malware installed on the host computer. They're coming from legit sources.
As for blocking new places from delivery, how is that supposed to work? Everyone is supposed to consult a directory?
Re: (Score:2)
You make a law that if the pizza place sends a pizza after being told not to send any more pizzas, they will get shut down. The pizza places will put a system in place to very carefully account for these blocks.
I don't care about hundred percent accuracy, maybe my kid orders pizzas at a pizza place with an easily abused order process ... that will be my problem, but I want no more pizzas from that place and law should enforce that after proper notification. I'll worry about the false positives, by not worry
Re: (Score:2)
You make a law that if the pizza place sends a pizza after being told not to send any more pizzas, they will get shut down.
And therein lies the problem. On the Internet, Cloudflare is that law. Whom do you propose to replace them with, without also allowing the same problem to exist (that being, that Cloudflare can too easily act as a censor)?
Re: (Score:2)
US national law, any country which doesn't align gets their traffic to the US cut off.
They are somewhat bound by the first amendment and democratic mandate, unlike Cloudflare.
Even though it failed (Score:2)