Geekzone: technology news, blogs, forums


601 posts

Ultimate Geek
+1 received by user: 26


Topic # 115507 28-Mar-2013 07:29

Not sure if this is the right place to post this article I have just come across: http://www.bbc.co.uk/news/technology-21954636

BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 788387 28-Mar-2013 08:51

The BBC is about ten days late with this story. The whole thing started on the 18th March.

Also, it appears that Spamhaus moved to Cloudflare and this absorbed the attack, this on the 22nd.

This article comes almost after the event and I can bet people using other providers barely noticed anything anyway.

Reading the article it sounds to me like some DDoS mitigation technology companies wanted to have their voices heard - and ride the wave of marketing.





xpd

Chief Trash Bandit
8980 posts

Uber Geek
+1 received by user: 1381

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 788403 28-Mar-2013 09:21

From Ars Technica...

"When the attack started, on March 18, it measured around 10 Gb/s. On March 19, it hit 90 Gb/s, on March 22 it reached 120 Gb/s. This still wasn't enough to knock CloudFlare or Spamhaus offline. So the attackers escalated. Today, CloudFlare wrote that one of the Internet's big bandwidth providers is seeing 300 gigabits per second of traffic related to this attack, making it one of the largest ever reported."




XPD / Gavin / DemiseNZ

 

For Free Games, Geekiness and Reviews, visit :

 

Home Of The Overrated Raccoons

 

Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz


254 posts

Ultimate Geek
+1 received by user: 16


  Reply # 788425 28-Mar-2013 09:49

Must be running pretty powerful systems or have a massive botnet to launch such attacks?





14140 posts

Uber Geek
+1 received by user: 2546

Trusted
Subscriber

  Reply # 788428 28-Mar-2013 09:52

The blog post by Cloudflare says it would take only a small Amazon cluster to generate the traffic due to the multiplication of request/reply size.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 788434 28-Mar-2013 10:05

c3rn: Must be running pretty powerful systems or have a massive botnet to launch such attacks?


It's a DNS amplification type attack. A good number of machines sending out DNS requests with the return IP pointing to the victim's servers. Open DNS servers around the world reply to the response going back to the victims.





3409 posts

Uber Geek
+1 received by user: 404

Trusted

  Reply # 788449 28-Mar-2013 10:23

Another reason to check your DNS servers to make sure they aren't open relays!





BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 788456 28-Mar-2013 10:26

There are enough stupid people that run their own DNS at home (and some businesses) on the DMZ or not bound to LAN only...





BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 789123 29-Mar-2013 10:10

Let me put this another way after looking at how things worked...

There's an interesting book called Trust Me, I'm Lying.

The guy works in marketing and explains how companies can "amplify" their marketing efforts by using blogs and mainstream media.

In one example someone posts a blog entry about a product. He sends the tips up to a bigger blog, and then after a few days the story shows up on The New York Times or Washington Post. From there the marketing folks can easily add that information to Wikipedia for example because even though a blog is not a "source" for some articles on Wikipedia, those other newspapers are - and the marketing folks got the "credible source" now to make their story/product page on Wikipedia.

If you look at the Cloudflare blog, they link to The New York Times, which is a story about themselves saving Spamhaus.

They can clearly say in their blog that TNYT is a credible source. They aren't saying the attack was the largest in the world. TNYT is saying it. They aren't saying they saved the Internet, TNYT is saying it. And we all trust mainstream journalism.

But what if someone on the inside sent a tip to TNYT and the journalist wasn't very thorough at investigating?

Have you personally felt affected by this "massive attack" that "almost broke the Internet"? No, me neither.

As found on Gizmodo (which is another non-reliable blog sometimes, but at least here we have credible sources).

This is from NTT:


I'm afraid that we don't have anything we can share that substantiates global effects. I'm sure you read the same 300gbps figure that I did, and while that's a massive amount of bandwidth to a single enterprise or service provider, data on global capacities from sources like TeleGeography show lit capacities in the tbps range in most all regions of the world. I side with you questioning if it shook the global internet.


This is from Renesys:


We believe that the DDOS attack potentially had severe impacts on the websites it was directed at, however, according to our data, the Internet as a whole did not experience a widespread disruption.

Just to put it in perspective the traffic estimates for the DDOS attack were as high as 300 Gbps at the target. That would easily overwhelm the average hosting center, but not a core component of the Internet. For example, DECIX, the German Internet exchange in Frankfurt, regularly handles 2.5 Tbps at peak on any given day: http://www.de-cix.net/about/statistics/

While it may have severely affected the websites it was targeted at, the global Internet as a whole was not impacted by this localized incident.


So at best a regional problem, at worst a marketing attack on corporates to convince them there's a monster at large and there's a solution at hand.

Or just read The Guardian: "Spamhaus Internet attack: was it all a PR stunt?".

But, wait... The Guardian is quoting Gizmodo, which now amplifies and perhaps even "legitimises" the blog post.

You see how things go around?





BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 789301 29-Mar-2013 16:07

And NetworkWorld says this was hyped:

"The hundreds of websites that Keynote monitors showed no performance changes that were out of the ordinary at all, says Aaron Rudger, senior market manager at Keynote, which went back and closely compared U.S. Web performance to European performance to see if it could find evidence to support all these Internet slowdown assertions heard in both the European and U.S. media."




600 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 789464 29-Mar-2013 23:50

A response from one of CloudFlare's upstream providers.

http://cluepon.net/ras/gizmodo

First off I can confirm a few basic facts, namely that we really did 
receive a ~300 Gbps attack directed at Cloudflare, and later
specifically targeted at pieces of our core infrastructure. This is
definitely on the large end of the scale as far as DoS attacks go, but
I wouldn't call it "record smashing" or "game changing" in any special
way. It's just another large attack, maybe 10-15% larger than other
similar ones we've seen in the past, and I'm certain we will continue
to see even larger ones in the future as global traffic levels
increase. What made this particular attack notable is where it was
targeted, which greatly increased the number of people who noticed it.
 

It's a really good post, full of information on what happened.

Still, we've got a list of NZ companies which are operating systems in an insecure fashion which is impacting other organisations.  How do we effect a change in their behaviour?






BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 790564 2-Apr-2013 11:46

Try Orcon:








304 posts

Ultimate Geek
+1 received by user: 58

Trusted
Vocus

  Reply # 790594 2-Apr-2013 12:26

Wide-open is a little exaggerated. If you turn the firewall off, on some firmware there is a risk of an exploit – although too few devices to be a serious target for exploitation perhaps. Thanks for spotting it Steve – the guys are fixing it as we speak.




Head of Brand and Communications
Vocus NZ
[Slingshot, Orcon and Flip]

