Security Networking

Another 100 Gigabit DDoS Attack Strikes — This Time Unreflected 93

Posted by Soulskill
from the go-big-or-go-home dept.
darthcamaro writes "In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection. 'The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,' Incapsula co-founder Marc Gaffan said. 'The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.'"

  • by Anonymous Coward on Wednesday October 02, 2013 @01:05AM (#45011271)

    It was probably just one guy in Tokyo using his $9/month internet package ...

  • Incapsula (Score:5, Informative)

    by Anonymous Coward on Wednesday October 02, 2013 @01:10AM (#45011297)

    Seriously...this reads like a brochure for Incapsula's services lol

    • Re:Incapsula (Score:5, Interesting)

      by Joce640k (829181) on Wednesday October 02, 2013 @01:56AM (#45011453) Homepage

      They don't name the site, they don't name the attacker, the customers were "completely unaffected"....they could be making it up for all we know.

      • Re:Incapsula (Score:5, Informative)

        by lazybeam (162300) on Wednesday October 02, 2013 @05:16AM (#45012005) Homepage

        We are an Incapsula customer and I can tell you we were NOT "completely unaffected". We experienced about an hour total of complete down time and several hours of slow response. Our servers were unloaded - no problems when bypassing Incapsula. So I guess they protected us from "that" but in the meantime all sites were unreachable. Though different ISPs had different levels of slowness at different times (trying our two different office connections and three different mobile networks).

        • Re:Incapsula (Score:5, Interesting)

          by Joce640k (829181) on Wednesday October 02, 2013 @06:46AM (#45012333) Homepage

          We are an Incapsula customer and I can tell you we were NOT "completely unaffected".

          Maybe you could call Sean Michael Kerner at eWeek and tell them Marc Gaffan was lying.

          He's also on twitter: https://www.twitter.com/techjournalist [twitter.com]

        • Hi, I work for Incapsula. Our service is used by thousands yet - on the day of attack (Sep 25) you'll find no downtime reports on twitter, facebook or public forums. I can't imagine any scenario in which a 60 minute long downtime of our services would have gone unnoticed yet this is the first time I hear about this... I'm sure that what you describe here is a localized issue, which is *not* Incapsula-related. Please reach out to our support. We will be happy to assist you to investigate further.
      • Hi I work for Incapsula. This is what happened: On Sep 25 we reported a 100Gbps DDoS attack (https://twitter.com/Incapsula_com/status/382945744593764353), as we often do with large DDoS events. To be perfectly honest, we didn't even know that this was news, until we were contacted by the reporter... Our initial report predates the coverage by almost a week so we couldn't make this up, at least not without planning this for weeks in advance. (we don't have time for such ploys) Also, we NEVER disclose our
    • Re:Incapsula (Score:5, Interesting)

      by Anachragnome (1008495) on Wednesday October 02, 2013 @03:35AM (#45011729)

      "....this reads like a brochure for Incapsula's services..."

      http://bgp.he.net/AS19551#_whois [he.net]

      Well, I imagine most US server farms are hurting pretty bad right now, what with all the NSA luvin' going around over here. Now imagine a company that has all of its servers in the US, Israel and Germany (with a few in Japan)--in light of recent revelations regarding NSA spying--and maybe you'll understand why Incapsula is paying for ads/articles all over the damn place, including /.

      They are fucked, and this marketing blitz is a Hail-Mary attempt to save their ass from the fire that Snowden just lit under it. Personally, I love a good BBQ.

  • Is this an ad? (Score:5, Insightful)

    by Anonymous Coward on Wednesday October 02, 2013 @01:13AM (#45011307)

    TFA sure reads like one...

  • by ruir (2709173) on Wednesday October 02, 2013 @01:16AM (#45011315) Homepage
    If they haven't identified the attacker how can they say with 100% certainty it only came from one source, and was un-reflected? For all I know, you could have a botnet fabricating packets with the same characteristics simultaneously.
    • by icebike (68054) on Wednesday October 02, 2013 @01:36AM (#45011393)

      The article suggests it was a "Distributed attack"

      the victim of the attack is remaining in the shadows, not wanting to be publicly identified. The target Website is protected by cloud security vendor Incapsula, which was able to withstand the massive distributed denial-of-service (DDoS) attack and keep the targeted Website up and running.
      which means it must have bounced off of some botnet used some means of amplifying the attack and make it appear to come from different targets. Had it not been so, they would know exactly where it came from.

      Perhaps judging from the number of different sources, and the type of packets, they can calculate the number of control packets needed.
      If they know it required a one-for-one ratio of control packets to target packets, that is what they mean by un-amplified.
      But it doesn't mean they came via the same route.

    • Hi I work for Incapsula. We use uptime monitoring for health checks + our reverse proxy technology ensures that every little bit of traffic comes through our cloud first. As a result we know if we have any downtime/spillage. Having said that, our multi-server data centers are built in such a way that - in the event of DDoS - malicious traffic is quarantined and managed by filtered scrubbing servers. (which do not handle regular traffic)
  • by mveloso (325617) on Wednesday October 02, 2013 @01:17AM (#45011321)

    Is that 100 GB/sec, 100 Gbps/sec, 100 GiB/sec, or 100 GiB over 9 hours?

    • by Anonymous Coward on Wednesday October 02, 2013 @01:24AM (#45011345)

      It's probably not "100 Gbps/sec" since the seconds cancel out and thus isn't a measure of bandwidth (a 12MB attack would be pretty lame). And since TFS said "bits," not "bytes," all of those options with a capital "B" are also unlikely. So, the answer to your question is "no."

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Seconds don't cancel... it gives you a 100Gbps^2 (aka, 100Gb.s^-2) which is a bandwidth acceleration...

      • Re: (Score:3, Informative)

        by Anonymous Coward

        The "p" in "Gbps" is "per", that is "/". Therefore "Gbps/s" is "Gb/s^2", which would be a data rate acceleration. "100Gbps/s" would mean that every second, another 100 Gb/s were added to the data stream. Doing that for 9 hours would be quite impressive.

        • by Anonymous Coward on Wednesday October 02, 2013 @01:56AM (#45011445)

          Using the perl "english words have lower priority than real operators" convention (see "and" v/s "&&"), the / binds more tightly than the "per" operator, and thus, it's Gb / (s/s). And the seconds therefore cancel. ;)

        • Wolfram Alpha says that 100Gb per second per second for 9 hours is about 10 times the estimated global IP data traffic rate in 2015.(1 ZB/year)
    • by TubeSteak (669689) on Wednesday October 02, 2013 @01:25AM (#45011347) Journal

      The attack peaked at 100 Gigabits per second
      The webhost (actually a CDN) had 400 Gigabits of total bandwidth available + various DDOS protections in place.

      RTFA

      • by Anonymous Coward

        Nowhere in that article is the word seconds, Gbps Gb/s or anything similar.

        I might be sloppy to say Gigabit without the /s once or twice, but it's almost like a study in avoiding the qualifier.

        • He is right, I checked. For all we know, 100 Gigabits of data was transferred to the target over the course of 9 hours, and for some reason this was considered a DDoS attack. FYI: 100 Gigabits is only 12.5 Gigabytes... Exciting.
  • by Anonymous Coward on Wednesday October 02, 2013 @01:20AM (#45011331)

    A botnet with 10000 bots, each on a 10 MBit connection, will suffice.

    • by wonkey_monkey (2592601) on Wednesday October 02, 2013 @02:15AM (#45011495) Homepage
      Thank you Captain Multiplication.
    • 10 Mb/s upstream that is, not downstream.

      • by tempmpi (233132)

        10 Mb/s upstream is not that unusual these days. And many botnets are way bigger than 10000 bots. Even if each bot has just 2 Mb/s upstream, you only need 50000 Bots. And botnets are not limited to infecting computers on home user connections. Infecting 100 servers on 1 Gbit/s connections is also enough.

        • by isorox (205688)

          10 Mb/s upstream is not that unusual these days. And many botnets are way bigger than 10000 bots. Even if each bot has just 2 Mb/s upstream, you only need 50000 Bots. And botnets are not limited to infecting computers on home user connections. Infecting 100 servers on 1 Gbit/s connections is also enough.

          Certainly isn't, I've got that in my office in South Africa, which as far as the internet goes is about as backwater as you can get in a G20.

        • by wvmarle (1070040)

          The bigger the upload available, the more tightly those servers will be managed. Making not only infection harder, but also detection and losing the bot-server more likely.

          If I were a botnet owner I'd be reluctant to use more than say 10% of available upstream, especially where you're on 1 Gb/s you're sure to be noticed if you're using 1 Gb/s but you may get away with 100 Mb/s for a while (that shouldn't affect other services on that network too much). People that have this much bandwidth have it for a reas

    • Hang on.
      *scribbles on notepad*
      I'm just checking your math on that. Yes, I got the same thing.

  • by YesIAmAScript (886271) on Wednesday October 02, 2013 @01:21AM (#45011339)

    The worst example of advertisement through press release in recent memory.

    At least on slashdot.

  • why not use it ebay for that item you sooo wanted.... get rid of those sniper bids.
    i see no profit or gain doing it to a CDN since they tend to have a distributed infrastructure...
    possibly a poker/gambling site
    • by Anonymous Coward

      why not use it ebay for that item you sooo wanted.... get rid of those sniper bids.

      i see no profit or gain doing it to a CDN since they tend to have a distributed infrastructure...

      possibly a poker/gambling site

      A) This was a test, and the real attack has yet to come.

      B) This was a test, and the real attack happened while we were staring at this distraction as if it were some kind of voodoo.

      C) All the above.

      Perhaps we should hold judgement on those who can execute something like this until it is determined the purpose or intent. eBay and gambling is chicken shit compared to attacking banking or stock market.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        You missed a possibility:

        D) None of the above, it's just Incapsula's anti-DDoS services ad.

        The article goes all how attack was "unknown to many" and "victim remains in shadows" (read: we can't even know whether it all took place), and then goes into something that reads like sales brochure.

        • by wvmarle (1070040)

          I too really wonder who that target may have been. It must be a pretty high profile or valuable site, for an attacker to throw that big an attack against them.

  • by OhANameWhatName (2688401) on Wednesday October 02, 2013 @02:58AM (#45011615)

    other than Incapsula and its own service providers that were on the receiving end—no one seemed to notice

    Thanks a bunch for saving the internets Marc. I'll be sure not to notice again soon.

    • :) You are correct. Reminds me of a movie quote (not sure which)... "When you do things right, people won't be sure you've done anything at all..."
  • I am not saying that it is what happened this time, but we have to expect that the various governments that are tooling up for ''cyber warfare'' are going to want to try out their toys. A DOS is one of the ''cyber weapons'' that they will use, in addition to cracking web sites, virus infection, ... For a government 100 Gbps is not going to be expensive.

    I wonder how far they have progressed on cyber alliances, so, perhaps, 10 NATO countries could each contribute their 10 Gbps DOS asset to create a 100 Gbps D

  • by Lieutenant_Dan (583843) on Wednesday October 02, 2013 @07:45AM (#45012655) Homepage Journal

    I once experienced a DoS MitM LTE XSS attack that lasted 42 hours and had a steady stream of 105TB/ms using NetBIOS Saturation over AppleTalk techniques that spread over a redundant cluster of MBR using HPFS. Of course the victim wishes to remain in the shadows as sharing the company's identity would either harm their reputation or allow you to verify the plausibility of the incident.

    • 105TB/ms over 42 hours (15.88ZB) Means you could copy the estimated information content of all human knowledge (about 12EB as of mid-1999) in about 2.52 minutes. Source: Wolfram Alpha.
  • by Anonymous Coward

    BULLSHIT!

    An unbeknownst 100Gbps DDoS attack from a single source (that is somehow unknown), against an undisclosed target(!), that was miraculously defended against by this unknown company, who would have us believe that they are capable of doing this because of their sheer might and use of magical incantations(?).

    Bullshit! This entire and UTTERLY FICTITIOUS story is a thoroughly deceitful marketing campaign!

  • by bored (40072)

    Is what, 100 google users in kansas with compromised machines?

    Or 1000 FIOS users...
