←back to thread

How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

(blog.cloudflare.com)
265 points methuselah_in | 8 comments | 20 Jun 25 18:34 UTC | HN request time: 0.001s | source | bottom
Show context
londons_explore ◴[24 Jun 25 13:40 UTC] No.44366154[source]
A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connections volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #
alyandon ◴[24 Jun 25 13:49 UTC] No.44366248[source]
Not a 100% solution but would help greatly if ISPs:

1) performed egress filtering to prevent spoofing arbitrary source addresses

2) temporarily shut off customers that are sending a large volume of malicious traffic

replies(2): >>44366275 #>>44366336 #
alberth ◴[24 Jun 25 13:58 UTC] No.44366336[source]
> sending a large volume of malicious traffic

How would an ISP determine egress is malicious? Genuinely curious.

replies(5): >>44366353 #>>44366415 #>>44366743 #>>44366790 #>>44366797 #
1. alyandon ◴[24 Jun 25 14:06 UTC] No.44366415[source]
If someone is reporting malicious traffic coming from the ISP's network then an ISP should be obligated to investigate and shut off the offending customer if necessary until they've resolved the problem.
replies(1): >>44366561 #
2. cyral ◴[24 Jun 25 14:19 UTC] No.44366561[source]
How would this ever work at scale? These attacks come from thousands of compromised devices usually. e.g. Someone's smart fridge with 5 year old firmware gets exploited
replies(6): >>44366665 #>>44366824 #>>44367225 #>>44367724 #>>44372179 #>>44384126 #
3. alyandon ◴[24 Jun 25 14:29 UTC] No.44366665[source]
I don't have a specific answer for that but it is really a problem that residential ISPs are going to have to solve now that gigabit or faster symmetric internet connections are becoming the norm.
4. nhecker ◴[24 Jun 25 14:44 UTC] No.44366824[source]
As dijit (above this comment) has noted, this is somewhat possible and automated today.

For example, one method has the attacked IP get completely null-routed, and the subsequent route is advertised. Upstream routers will pick up the null-route advertisement and drop the traffic ever closer to the source(s). The effect of the null route is that the attacked IP is unreachable by anyone until the null-route is lifted... so the aim of the DDoS isn't averted, but at least the flood of traffic won't pummel any network paths except for (ideally) the paths between the attacker(s) and the first router respecting the null-route. In my experience the DDoS tends to stop more quickly and shift away to other targets if the folks directing the attack can no longer reach the target (because: null-route) and then the null-route can be lifted sooner relative to a long-running DDoS that hasn't shifted away to other targets.

5. whstl ◴[24 Jun 25 15:23 UTC] No.44367225[source]
With SMTP there are services who provide a list of malicious servers so that they can be blocked at the receiving end.

I wonder if this would work in reverse, having a standardised, automated protocol that allow providers like Cloudflare to notify upstream networks of attacks in real time, so malicious traffic can be blocked closer to the source.

Genuinely curious, I'm not an expert in low-level networking ops.

6. viraptor ◴[24 Jun 25 16:09 UTC] No.44367724[source]
Your ISP likely knows you're part of a botnet quite early. For example many of them use magic domains as either shutoff switches or CC endpoints, so could be detected. But when was the last time anyone's ISP ever told them "hey one of your hosts is infected"?
7. mschuster91 ◴[24 Jun 25 23:29 UTC] No.44372179[source]
> How would this ever work at scale?

We pay internet providers healthy amounts of money each month. Surely they can afford to hire some staff to monitor the abuse mailbox and react on it - we know they can when the MAFIAA comes knocking for copyright violations, because if they don't comply they might end up getting held liable for infractions.

8. motorest ◴[26 Jun 25 04:13 UTC] No.44384126[source]
> How would this ever work at scale?

- ISP has terms of service preventing abuse,

- ISP provides an email address to receive complains about abuse

- once a ISP receives a complain, their check if a customer abused their terms of service

- once a ISP spots a customer abusing terms of service, they act upon it.

ISPs have been doing this since the time ISPs exist.