Most active commenters
  • __turbobrew__(3)
  • SoftTalker(3)

←back to thread

How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

(blog.cloudflare.com)
265 points methuselah_in | 16 comments | 20 Jun 25 18:34 UTC | HN request time: 2.381s | source | bottom
Show context
londons_explore ◴[24 Jun 25 13:40 UTC] No.44366154[source]
A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connections volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #
alyandon ◴[24 Jun 25 13:49 UTC] No.44366248[source]
Not a 100% solution but would help greatly if ISPs:

1) performed egress filtering to prevent spoofing arbitrary source addresses

2) temporarily shut off customers that are sending a large volume of malicious traffic

replies(2): >>44366275 #>>44366336 #
alberth ◴[24 Jun 25 13:58 UTC] No.44366336[source]
> sending a large volume of malicious traffic

How would an ISP determine egress is malicious? Genuinely curious.

replies(5): >>44366353 #>>44366415 #>>44366743 #>>44366790 #>>44366797 #
1. stackskipton ◴[24 Jun 25 14:41 UTC] No.44366790[source]
One simple way to do it is configure the customers routers to drop/reject all UDP/TCP packets where SRC address does not match Private IP/WAN Assigned Public IP.
replies(2): >>44367112 #>>44367143 #
2. Y_Y ◴[24 Jun 25 15:12 UTC] No.44367112[source]
The customer's router is for the customer to configure
replies(2): >>44367204 #>>44367275 #
3. __turbobrew__ ◴[24 Jun 25 15:15 UTC] No.44367143[source]
I cannot believe this is still not commonly done. I remember discussing this with some people in the industry over ten years ago and the sentiment was “if ISPs just stopped IP spoofing that would solve most problems”.
replies(2): >>44367848 #>>44385957 #
4. __turbobrew__ ◴[24 Jun 25 15:21 UTC] No.44367204[source]
I think ideally the customers router shouldn’t be touched, but the ISP can still do packet filtering on the next hop to drop any packets which don’t have a src ip matching the assigned WAN address of the router.
replies(1): >>44368401 #
5. rolandog ◴[24 Jun 25 15:28 UTC] No.44367275[source]
Indeed, though we're at the mercy of the tyranny of the default.
6. bombcar ◴[24 Jun 25 16:22 UTC] No.44367848[source]
It would solve a ton of other people’s problems, but cause a few for you, so it won’t be done until required by law.

E.g., customer does something stupid with addresses but the “wrong address” is something they control on another network, so it works. Egress filtering breaks it, support call and crying.

7. pedrocr ◴[24 Jun 25 17:09 UTC] No.44368401{3}[source]
Wouldn't that need a huge amount of extra hardware to do that filtering when the routers in each customer's home are mostly idle? Just setting egress filtering as the default and letting users override that if they need to for some reason should be a good outcome. The few that do change the default hopefully know what they are doing and won't end up part of a DDoS but they'll be few anyway so the impact will still be small.
replies(2): >>44369273 #>>44371142 #
8. remram ◴[24 Jun 25 18:34 UTC] No.44369273{4}[source]
The router in the customer's home cannot be trusted. With cable at least, you are able to bring in your own modem and router. Even if not, swapping it is easy, you just have to clone the original modem's MAC. In practice this is probably quite common to save money if nothing else (cable box rental is $10+/mo).

Note that spoofing source IPs is only needed by the attacker in an amplification attack, not for the amplyfing devices and not for a "direct" botnet DDOS.

replies(1): >>44370363 #
9. SoftTalker ◴[24 Jun 25 19:55 UTC] No.44370363{5}[source]
I would in fact guess that it's not common at all. Setting up your own cable modem and router is going to be intimidating for the average consumer, and the ISP's answer to any problems is going to be "use our box instead" and they don't want to be on their own that way. I don't know anyone outside of people who work in IT who runs their own home router, and even many of them just prefer to let the ISP take care of it.
replies(2): >>44370790 #>>44371168 #
10. __turbobrew__ ◴[24 Jun 25 20:40 UTC] No.44370790{6}[source]
I think it is less common now, but ISP routers on average used to be trash with issues — bufferbloat, memory leaks, crashes — so a number of people bought a higher end router to replace the ISP provided one. Mostly tech savvy people who were not necessarily in IT.

Nowadays my ISP just uses dhcp to assign the router an address so you can plug any box into it which talks ethernet and respects dhcp leases to be a router which is nice, albiet 99.9% of people probably leave the router alone.

11. citrin_ru ◴[24 Jun 25 21:15 UTC] No.44371142{4}[source]
> Wouldn't that need a huge amount of extra hardware to do that filtering

20 years ago Cisco (probably much longer) routers were able to do this without noticeable performance overhead (ip verify unicast reverse-path). I don't think modern routers are worse. Generally filtering is expensive if you need a lot of rules which is not needed here.

12. chainingsolid ◴[24 Jun 25 21:18 UTC] No.44371168{6}[source]
Common no, very easy to proliferate though as people become aware of the savings possible. And the 2 cases I've seen where litteraly order the same model online and swap it, no configuring required. And it wasn't even the family tech support guy(me) who came up with the idea. The ISPs incuding the router as a monthly line item on the bill are litteraly indirectly asking you to do this.
replies(1): >>44371254 #
13. SoftTalker ◴[24 Jun 25 21:27 UTC] No.44371254{7}[source]
Comcast/Xfinity in fact gives me a discount for using their router. Probably because (a) it lowers their support burden and (b) they are logging and selling my web traffic or at least DNS lookups.
replies(1): >>44373185 #
14. remram ◴[25 Jun 25 02:36 UTC] No.44373185{8}[source]
That's surprising to me, it was when I used Comcast (2016) that I first purchased a cable modem. It did save me money.
replies(1): >>44379912 #
15. SoftTalker ◴[25 Jun 25 17:40 UTC] No.44379912{9}[source]
Oh I also forgot that connection sharing thing they do where they broadcast a second SSID called "Xfinity WiFi" or something like that so that anyone with an Comcast login can use your connection.
16. citrin_ru ◴[26 Jun 25 10:24 UTC] No.44385957[source]
It is commonly done in a sense that probably about 50% of end users cannot spoof source IP but even if 10% (I don't know exact numbers) of end users allowed to spoof IP (due to ISP neglegence) and 1% of them are compromised (one way or another - useful software with hidden "functions" seems to be a common way) it is more than enough for a huge DDoS attack.