265 points methuselah_in | 25 comments
losthobbies ◴[] No.44366283[source]
Dodgy IoT devices will be the end of us all.
replies(1): >>44366592 #
1. bearjaws ◴[] No.44366592[source]
It's wild to think with the proliferation of 1gbps fiber internet, even a modern pi board or old desktop is a potential 1gbps bot host.
replies(3): >>44366877 #>>44369703 #>>44376673 #
2. franga2000 ◴[] No.44369703[source]
When your IP is found to have been part of a botnet, I think ISPs should just limit you to like 20Mbps for at least a year, so you think twice about buying that 10$ wifi baby monitor next time.
replies(6): >>44370378 #>>44370602 #>>44371379 #>>44380821 #>>44384044 #>>44392890 #
3. bogdan ◴[] No.44370378[source]
That's quite harsh. Good thing you're not in charge of making decisions.
replies(2): >>44371577 #>>44372154 #
4. hooverd ◴[] No.44370602[source]
Thanks to CGNAT you, obviously an upstanding digital citizen, will also have to pay for your neighbor purchasing an IoT toaster.
replies(2): >>44371662 #>>44372263 #
5. NoMoreNicksLeft ◴[] No.44371379[source]
If that could make people think about it, I'd be all for it. But the people buying that junk are absolutely clueless, and would remain so even after the punishment was well-underway.
replies(1): >>44373062 #
6. ◴[] No.44371577{3}[source]
7. BenjiWiebe ◴[] No.44371662{3}[source]
Your ISP can tell you apart from your neighbor since they are the ones doing the CGNAT.
8. mschuster91 ◴[] No.44372154{3}[source]
When you get caught speeding on the road or being a nuisance otherwise you can and will get punished by the courts, including temporary restrictions on your driver license. When you money mule for others, even if you don't know that you actually fell victim to a scam, you get punished as well. When you litter in Singapore, you can get ordered to work community service.

I see no issue in handing out similar punishments in the digital space. The Internet is a shared medium, everyone who connects to it has a responsibility to not be a nuisance to others.

replies(2): >>44372649 #>>44392878 #
9. ycombinatrix ◴[] No.44372263{3}[source]
That doesn't make any sense. Who do you think is doing the CGNAT?
replies(1): >>44373735 #
10. xwolfi ◴[] No.44372649{4}[source]
On the road you could have killed someone. Your 20$ baby monitor bought from an authorized store you know... whatever happens, it's not gonna kill anyone very directly ...

The main ingredient of crime is intent, whatever you say. A smaller ingredient can be recklessness, but maybe it's the ISPs sending all those millions of empty packets to a single server that should start feeling some heat?

replies(1): >>44376237 #
11. philipallstar ◴[] No.44373062{3}[source]
Obviously they are - everyone's clueless about everything except the one thing they know about. I imagine for the clothes you're wearing you're clueless about the conditions of the people who made them.
replies(1): >>44373715 #
12. NoMoreNicksLeft ◴[] No.44373715{4}[source]
No, I'm aware of their conditions I just don't care.
13. hooverd ◴[] No.44373735{4}[source]
Yea, it would be bad practice to nuke an IP just because it was implicated in a botnet.
14. mschuster91 ◴[] No.44376237{5}[source]
> Your 20$ baby monitor bought from an authorized store you know... whatever happens, it's not gonna kill anyone very directly ...

Yeah, not kill, but participating in a DDoS against a heavily frequented commercial site that makes hundreds of thousands of dollars of revenue a minute, that's still some substantial damage.

In the end it should boil down to the ability of holding the seller of the product with security issues accountable for the damages, and the seller in turn can hold the manufacturer accountable. Maybe that will lead to some substantial change.

replies(2): >>44377559 #>>44384067 #
15. lostlogin ◴[] No.44376673[source]
> the proliferation of 1gbps fibre internet

And increasingly, 2gbps, 4gbps and 8gbps.

It’s great, mostly.

16. Spivak ◴[] No.44377559{6}[source]
You are ignoring the fact that the criminal in question bought a baby monitor. That is the full extent of their crime.

A person who by all reason has absolutely no idea how any of this shit works. If you wanna go after somebody go after the manufacturer of said baby monitor.

replies(1): >>44383745 #
17. yupyupyups ◴[] No.44380821[source]
Or you go after the producers and retailers of these devices. This way you won't have to harm tech-illiterate people.
replies(1): >>44384086 #
18. Khaine ◴[] No.44383745{7}[source]
A person who buys a Tesla has no idea how any of it works.

Look, at the moment, the owners of devices that participate in DDoSes are not held liable, and neither are manufacturers who don't secure their shit.

This needs to change.

replies(2): >>44384077 #>>44392924 #
19. motorest ◴[] No.44384044[source]
> When your IP is found to have been part of a botnet, I think ISPs should just limit you to like 20Mbps for at least a year, so you think twice about buying that 10$ wifi baby monitor next time.

You're talking as if people can't just get another account or change ISPs.

Also, it seems you're mainly interested in gratuitously punishing people who are powerless about issues instead of thinking about very basic approaches such as rate-limiting policies.

20. motorest ◴[] No.44384067{6}[source]
> Yeah, not kill, but participating in a DDoS against a heavily frequented commercial site that makes hundreds of thousands of dollars of revenue a minute, that's still some substantial damage.

It sounds like that hypothetical site has an interest in not going down if a random baby monitor sends traffic their way.

Also, to underline how silly and poorly thought through your idea is, are you aware that there are nearly 200 countries out there, each of them with many people with their own internet connections? Or are you expecting DDoS botnets to be comprised exclusively of devices in your jurisdiction?

21. motorest ◴[] No.44384077{8}[source]
Please explain in your own words why I should be liable for a third party misappropriating a product I own.
22. motorest ◴[] No.44384086{3}[source]
> This way you won't have to harm tech-illiterate people.

What leads you to believe this is a tech illiteracy issue? Do you believe that only consumer IoT devices are unwitting participants in DDoS attacks?

23. NoPicklez ◴[] No.44392878{4}[source]
Bit of a silly take, the difference is that you're the only one in control of that car, whereas the item you bought off of Amazon could be controlled by someone else.

If someone broke into my car and drove it into a wall, I highly doubt I'd be found at fault. If someone broke into my IoT device and used it in an attack I highly doubt I should be found at fault.

At the end of the day it is very difficult to impose security management across consumers. You cannot expect the average consumer to pen test their home network and have active vulnerability scanning software to mitigate potential vulnerabilities that result in Botnets.

It is difficult to hold people liable when someone else misappropriates their assets in a way that was not its original intended purpose. When it's difficult to capture the perpetrator people start to blame everything else, that doesn't mean we should just shift liability to the buyer who is just simply an easier target to place the blame on than a random unidentified person in another country.

That may sound like a solution but it's not the right one. Now someone has the ability to misappropriate your assets from the other side of the world and you become charged with the crime, when all you did was buy a new Samsung TV. Heck knowing that, maybe someone would target you knowing full well you'd be in trouble for it.

24. NoPicklez ◴[] No.44392890[source]
Okay and when your brand new Samsung TV is used in a botnet you should have your internet limited to 20Mbps as well? It's not just $10 pieces of crap off Amazon that fall victim to botnets.
25. NoPicklez ◴[] No.44392924{8}[source]
A person who buys a Tesla has no idea how any of it works, but if someone breaks into that car and drives it (non-autonomously) into pedestrians how would I be held liable for that? I wouldn't be and shouldn't be. The person who broke into the car and drove it would be, the difference here is that the perpetrator is harder to catch so people look to blame something else.

At the end of the day it is very difficult to impose security management across consumers. You cannot expect the average consumer to pen test their home network and have active vulnerability scanning software to mitigate potential vulnerabilities that result in Botnets.

It is difficult to hold people liable when someone else misappropriates their assets in a way that was not its original intended purpose. When it's difficult to capture the perpetrator people start to blame everything else, that doesn't mean we should just shift liability to the buyer who is just simply an easier target to place the blame on than a random unidentified person in another country.

That may sound like a solution but it's not the right one. Now someone has the ability to misappropriate your assets from the other side of the world and you become charged with the crime, when all you did was buy a new Samsung TV. Heck knowing that, maybe someone would target you knowing full well you'd be in trouble for it.