Another 100 Gigabit DDoS Attack Strikes — This Time Unreflected

darthcamaro writes "In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection. 'The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,' Incapsula co-founder Marc Gaffan said. 'The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.'"

Is that all?

[Anonymous Coward]

It was probably just one guy in Tokyo using his $9/month internet package ...

Re:Is that all?

[goddidit]

On his mobile, to be exact.

Re:Is that all?

[Cryacin]

the guy mistyped the address on the page and hit refresh. Very Very quickly.

Re:Is that all?

[Yaotzin]

...For nine hours.

Re:

[aPoorBoy]

It must be a feature of windows phone

Re:

[saleenS281]

Can you blame him? It wasn't loading.

Re:

[Anubis IV]

Easily explained by the presence of a sleeping cat and the F5 key (oh, and he had some crazy Japanese phone that has an F5 key...).

Re:Is that all?

[wisnoskij]

It was a Korean professional Starcraft player.

Re:

[MatthiasF]

kekekekekeke

Re:

[BigLonn]

The irony :P

Re:first

[oldhack]

If you were a Japanese dude with $9/month internet package, you could have been the first. Loser.

Incapsula

[Anonymous Coward]

Seriously...this reads like a brochure for Incapsula's services lol

Re:Incapsula

[Joce640k]

They don't name the site, they don't name the attacker, the customers were "completely unaffected"....they could be making it up for all we know.

Re:Incapsula

[lazybeam]

We are an Incapsula customer and I can tell you we were NOT "completely unaffected". We experienced about an hour total of complete down time and several hours of slow response. Our servers were unloaded - no problems when bypassing Incapsula. So I guess they protected us from "that" but in the meantime all sites were unreachable. Though different ISPs had different levels of slowness at different times (trying our two different office connections and three different mobile networks).

Re:Incapsula

[Joce640k]

We are an Incapsula customer and I can tell you we were NOT "completely unaffected".

Maybe you could call Sean Michael Kerner at eWeek and tell them Marc Gaffan was lying.

He's also on twitter: https://www.twitter.com/techjournalist [twitter.com]

Re:

[Igal Zeifman]

Hi, I work for Incapsula. Our service is used by thousands yet - on the day of attack (Sep 25) you`ll find no downtime reports on twitter, facebook or public forums. I can't imagine any scenario in which a 60 minute long downtime of our services would have gone unnoticed yet this is the first time I hear about this... I`m sure that what you describe here is a localized issue, which is *not* Incapsula-related. Please reach out to our support. We will be happy to assist you to investigate further.

Re:

[davewoods]

Note: GBps !=Gbps. GB is 8 times larger than Gb.
You just said they withstood 2400 Gbps, which is incorrect. Also, it should be noted that the 300 Gbps quoted was only the peak, I think the average was only about 120 Gbps.

Re:

[Igal Zeifman]

Hi I work for Incapsula. This is what happened: On Sep 25 we reported a 100Gbps DDoS attack (https://twitter.com/Incapsula_com/status/382945744593764353), as we often do with large DDoS events. To be perfectly honest, we didn't even know that this was news, until we were contacted by the reporter... Our initial report predates the coverage by almost a week so we couldn't make this up, at least not without planning this for weeks in advance. (we don't have time for such ploys) Also, we NEVER disclose our

Re:Incapsula

[Anachragnome]

"....this reads like a brochure for Incapsula's services..."

http://bgp.he.net/AS19551#_whois [he.net]

Well, I imagine most US server farms are hurting pretty bad right now, what with all the NSA luvin' going around over here. Now imagine a company that has all of it's servers in the US, Israel and Germany (with a few in Japan)--in light of recent revelations regarding NSA spying--and maybe you'll understand why Incapsula is paying for ads/articles all over the damn place, including /.

They are fucked, and this marketing blitz is a Hail-Mary attempt to save their ass from the fire that Snowden just lit under it. Personally, I love a good BBQ.

Is this an ad?

[Anonymous Coward]

TFA sure reads like one...

I can't get one thing

[ruir]

If they haven't identified the attacker how can they say with 100% certainty it only came from one source, and was un-reflected? For I all I know, you could have a botnet fabricating packets with the same characteristics simultaneously.

Re:I can't get one thing

[icebike]

The article suggests it was a "Distributed attack"

the victim of the attack is remaining in the shadows, not wanting to be publicly identified. The target Website is protected by cloud security vendor Incapsula, which was able to withstand the massive distributed denial-of-service (DDoS) attack and keep the targeted Website up and running.
which means it must have bounced off of some botnet used some means of amplifying the attack and make it appear to come from different targets. Had it not been so, they would know exactly where it came from.

Perhaps judging from the number of different sources, and the type of packets, they can calculate the number of control packets needed.
If they know it required a one-for-one ratio of control packets to target packets, that is what they mean by un-amplified.
But it doesn't mean they came via the same route.

Re:I can't get one thing

[malacandrian]

That is the point of using a botnet to run a DDoS, yes. A single control signal issues a huge surge in traffic. That doesn't make it an amplified attack though. An amplified attack is when the zombies trick a third party (such as a DNS server) to reply to the victim with more information than you sent them. This can up the size of the attack 100-fold.

Re:I can't get one thing

[skids]

This, and you can easily distinguish a reflected attack by the type of packet, which will be an unsolicited reply to an application level request.

I just wish the stupid script kiddies would realize that not every SNMPv2/SNMPv3 client that responds actually amplifies traffic or gives maybe a 30% gain (because what you're getting back is an "access denied") and so isn't worth it, and stop trying to reflect off the printers here. I'm sick of chasing around the people who are supposed to lock them down, and banning entire protocols that don't really, really deserve it just fills me with ick.

Re:

[Igal Zeifman]

Hi I work for Incapsula. We use uptime monitoring for health checks + our reverse proxy technology ensures that every little bit of traffic comes through our cloud first. As a result we know if we have any downtime/spillage. Having said that, our multi-server data center are build in such a way that - in the even of DDoS - malicious traffic is quarantined and managed by filtered scrubbing servers. (which do not handle regular traffic)

How much bandwidth is that?

[mveloso]

Is that 100 GB/sec, 100 Gbps/sec, 100 GiB/sec, or 100 GiB over 9 hours?

Re:How much bandwidth is that?

[Anonymous Coward]

It's probably not "100 Gbps/sec" since the seconds cancel out and thus isn't a measure of bandwidth (a 12MB attack would be pretty lame). And since TFS said "bits," not "bytes," all of those options with a capital "B" are also unlikely. So, the answer to your question is "no."

Re:

[Anonymous Coward]

Seconds don't cancel... it gives you a 100Gbps^2 (aka, 100Gb.s^-2) which is a bandwidth acceleration...

Re:

[Anonymous Coward]

The "p" in "Gbps" is "per", that is "/". Therefore "Gbps/s" is "Gb/s^2", which would be a data rate acceleration. "100Gbps/s" would mean that every second, another 100 Gb/s were added to the data stream. Doing that for 9 hours would be quite impressive.

Re:How much bandwidth is that?

[Anonymous Coward]

Using the perl "english words have lower priority than real operators" convention (see "and" v/s "&&"), the / binds more tightly than the "per" operator, and thus, it's Gb / (s/s). And the seconds therefore cancel. ;)

Re:

[davewoods]

Wolfram Alpha says that 100Gb per second per second for 9 hours is about 10 times the estimated global IP data traffic rate in 2015.(1 ZB/year)

Re:How much bandwidth is that?

[TubeSteak]

The attack peaked at 100 Gigabits per second
The webhost (actually a CDN) had 400 Gigabits of total bandwidth available + various DDOS protections in place.

RTFA

Re:

[Anonymous Coward]

Nowhere in that article is the word seconds, Gbps Gb/s or anything similar.

I might be sloppy to say Gigiabit without the /s once or twice, but it's almost like a study in avoiding the qualifier.

Re:

[davewoods]

He is right, I checked. For all we know, 100 Gigabits of data was transferred to the target over the course of 9 hours, and for some reason this was considered a DDoS attack. FYI: 100 Gigabits is only 12.5 Gigabytes... Exciting.

Re:

[AHuxley]

It will be interesting to see how some ISP move from adsl1/2, VDSL2, HFC to optical while considering security challenged consumer operating systems.
A clause about deep packet inspection, ongoing monitoring and the option for dynamic ISP speed reductions?

100 GBit isn't large

[Anonymous Coward]

A botnet with 10000 bots, each on a 10 MBit connection, will suffice.

Re:100 GBit isn't large

[wonkey_monkey]

Thank you Captain Multiplication.

Re:

[thegoldenear]

10 Mb/s upstream that is, not downstream.

Re:

[tempmpi]

10 Mb/s upstream is not that unusual these days. And many botnets are way bigger than 10000 bots. Even if each bot has just 2 Mb/s upstream, you only need 50000 Bots. And botnets are not limited to infecting computers on home user connections. Infecting 100 servers on 1 Gbit/s connections is also enough.

Re:

[isorox]

10 Mb/s upstream is not that unusual these days. And many botnets are way bigger than 10000 bots. Even if each bot has just 2 Mb/s upstream, you only need 50000 Bots. And botnets are not limited to infecting computers on home user connections. Infecting 100 servers on 1 Gbit/s connections is also enough.

Certainly isn't, I've got that in my office in South Africa, which as far as the internet goes is about as backwater as you can get in a G20.

Re:

[isorox]

Not our fault your office is located in South Africa.

I have many offices. Some have 100mbit connections coming out their ears (Tokyo, HK, Singapore, Washington). Others struggle to get 10 (Kabul, Nairobi)

Beiruit is probably the only office which can't get 10mbit connection. The average is far higher.

Re:

[wvmarle]

The bigger the upload available, the more tightly those servers will be managed. Making not only infection harder, but also detection and losing the bot-server more likely.

If I were a botnet owner I'd be reluctant to use more than say 10% of available upstream, especially where you're on 1 Gb/s you're sure to be noticed if you're using 1 Gb/s but you may get away with 100 Mb/s for a while (that shouldn't affect other services on that network too much). People that have this much bandwidth have it for a reas

Re:

[Flere Imsaho]

Hang on.
*scribbles on notepad*
I'm just checking your math on that. Yes, I got the same thing.

no real verifiable info but plenty of product plug

[YesIAmAScript]

The worst example of advertisement through press release in recent memory.

At least on slashdot.

Re:

[davewoods]

FTFA:

The target Website is protected by cloud security vendor Incapsula, which was able to withstand the massive distributed denial-of-service (DDoS) attack and keep the targeted Website up and running.

There are a total of 8 mentions of Incapsula and how fantastic their services are.

worst use of a DDoS

[muphin]

why not use it ebay for that item you sooo wanted.... get rid of those sniper bids.
i see no profit or gain doing it to a CDN since they tend to have a distributed infrastructure...
possibly a poker/gambling site

Re:

[Anonymous Coward]

why not use it ebay for that item you sooo wanted.... get rid of those sniper bids.

i see no profit or gain doing it to a CDN since they tend to have a distributed infrastructure...

possibly a poker/gambling site

A) This was a test, and the real attack has yet to come.

B) This was a test, and the real attack happened while we were staring at this distraction as if it were some kind of voodoo.

C) All the above.

Perhaps we should hold judgement on those who can execute something like this until it is determined the purpose or intent. eBay and gambling is chicken shit compared to attacking banking or stock market.

Re:

[Anonymous Coward]

You missed a possibility:

D) None of the above, it's just Incapsula's anti-DDoS services ad.

The article goes all how attack was "unknown to many" and "victim remains in shadows" (read: we can't even know whether it all took place), and then goes into something that reads like sales brochure.

Re:

[wvmarle]

I too really wonder who that target may have been. It must be a pretty high profile or valuable site, for an attacker to throw that big an attack against them.

Re:

[faffod]

Yes, usda.gov is down because of a DOS attack. But I don't think this attack can be measured in Gbits, GB/sec, GB/sec^2... In this case the attack is coming from a well known zombie botnet called congress. They measure bandwidth in tubes.

Re:

[X0563511]

You could probably measure congressional (in)activity in bitches per second?

I know what happened

[OhANameWhatName]

other than Incapsula and its own service providers that were on the receiving end—no one seemed to notice

Thanks a bunch for saving the internets Marc. I'll be sure not to notice again soon.

Re:

[Igal Zeifman]

:) You are correct. Remind me of a movie quote (not sure which)... "When you do things right, people won't be sure you've done anything at all..."

A government playing war games ?

[Alain Williams]

I am not saying that it is what happened this time, but we have to expect that the various governments that are tooling up for ''cyber warfare'' are going to want to try out their toys. A DOS is one of the ''cyber weapons'' that they will use, in addition to cracking web sites, virus infection, ... For a government 100 Gbps is not going to be expensive.

I wonder how far they have progressed on cyber alliances, so, perhaps, 10 NATO countries could each contribute their 10 Gbps DOS asset to create a 100 Gbps D

That's nothing

[Lieutenant_Dan]

I once experienced an DoS MitM LTE XSS attack that lasted 42 hours and had a steady stream of 105TB/ms using NetBIOS Saturation over AppleTalk techniques that spread over a redundant cluster of MBR using HPFS. Of course the victim wishes to remain in the shadows as sharing the company's identity would either harm their reputation or allow you to verify the plausibility of the incident.

Re:

[davewoods]

105TB/ms over 42 hours (15.88ZB) Means you could copy the estimated information content of all human knowledge (about 12EB as of mid-1999) in about 2.52 minutes. Source: Wolfram Alpha.

Bullshit!

[Anonymous Coward]

BULLSHIT!

An unbeknownst 100Gbps DDoS attack from a single source (that is somehow unknown), against an undisclosed target(!), that was miraculously defended against by this unknown company, who would have us believe that they are capable of doing this because of their shear might and use of magical incantations(?).

Bullshit! This entire and UTTERLY FICTITIOUS story is a thoroughly deceitful marketing campaign!

100Gbit

[bored]

Is what, 100 google users in kansas with compromised machines?

Or 1000 FIOS users...