←back to thread

How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

(blog.cloudflare.com)
265 points methuselah_in | 8 comments | 20 Jun 25 18:34 UTC | HN request time: 1.222s | source | bottom
Show context
londons_explore ◴[24 Jun 25 13:40 UTC] No.44366154[source]
A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connections volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #
alyandon ◴[24 Jun 25 13:49 UTC] No.44366248[source]
Not a 100% solution but would help greatly if ISPs:

1) performed egress filtering to prevent spoofing arbitrary source addresses

2) temporarily shut off customers that are sending a large volume of malicious traffic

replies(2): >>44366275 #>>44366336 #
alberth ◴[24 Jun 25 13:58 UTC] No.44366336[source]
> sending a large volume of malicious traffic

How would an ISP determine egress is malicious? Genuinely curious.

replies(5): >>44366353 #>>44366415 #>>44366743 #>>44366790 #>>44366797 #
1. zokier ◴[24 Jun 25 14:41 UTC] No.44366797[source]
Hundreds of Gbps of UDP traffic to random ports of a single destination IP from residental (?) network should be pretty easy pattern to automatically detect and throttle.

More advanced attacks are more tricky to detect, but plain dumb UDP flood should be easily detectable.

replies(1): >>44367147 #
2. quotemstr ◴[24 Jun 25 15:15 UTC] No.44367147[source]
> Hundreds of Gbps of UDP traffic to random ports of a single destination IP from residental (?) network

You mean my legitimate QUIC file transfer?

replies(1): >>44367473 #
3. BenjiWiebe ◴[24 Jun 25 15:46 UTC] No.44367473[source]
Have you ever uploaded 100's of Gbps over QUIC from your residential connection to a single IP?

And the aggregate across the ISP's network could in theory be monitored - so if you were uploading 1Gbps, yes, it could be legitimate. If you and 582 others were all uploading 1Gbps to the same IP at the same time, much less likely legitimate.

replies(3): >>44367704 #>>44369004 #>>44384111 #
4. quotemstr ◴[24 Jun 25 16:07 UTC] No.44367704{3}[source]
> Have you ever uploaded 100's of Gbps over QUIC from your residential connection to a single IP?

Yes actually --- migration between cloud bulk storage providers.

Edit: I misread Gbps as Mbps above.

replies(1): >>44367842 #
5. zokier ◴[24 Jun 25 16:21 UTC] No.44367842{4}[source]
Which residential ISP offers >100Gbps service?
6. ongy ◴[24 Jun 25 18:09 UTC] No.44369004{3}[source]
My homenet is 1GBit, so is my Internet

I.e. no traffic beyond my legitimate saturation can reach the ISP

I have saturated my link with quic or wireguard (logical or) plenty of times.

The lack of any response on high data rates would be an indicator I've only tried that once and it failed gloriously due to congestion. I don't think there's many real protocols that are unidirectional without even ACKs

7. motorest ◴[26 Jun 25 04:08 UTC] No.44384111{3}[source]
> Have you ever uploaded 100's of Gbps over QUIC from your residential connection to a single IP?

I upload files to a single location, and I expect to use the max bandwidth I can whenever I do it. What's your point?

replies(1): >>44392378 #
8. BenjiWiebe ◴[26 Jun 25 23:16 UTC] No.44392378{4}[source]
My point is that you don't have 100's of Gbps of bandwidth on a residential connection. In the future you might, but in the future it'll be 10's or 100's of Tbps for a large DDoS, or something.