    265 points methuselah_in | 17 comments
    1. jakub_g ◴[] No.44366870[source]
    > QOTD DDoS attack

    > How it works: Abuses the Quote of the Day (QOTD) Protocol, which listens on UDP port 17 and responds with a short quote or message.

    Does any reasonable operating system these days support this protocol? Sounds like "IP over Avian Carriers" to me.

    replies(7): >>44366952 #>>44366980 #>>44367259 #>>44367672 #>>44369421 #>>44370463 #>>44371825 #
    2. unilynx ◴[] No.44366952[source]
    They're not an April Fools' joke. A '90s Linux might have these services enabled by default. I assume they were built to make network debugging slightly less boring.
    replies(1): >>44366994 #
    3. toast0 ◴[] No.44366980[source]
    Is it part of Microsoft Services for Unix? That seemed to be the primary source of chargen reflectors when I was getting hit by that; and it feels like a similar thing.
    4. NoboruWataya ◴[] No.44367259[source]
    Huh, this sounds kind of cool, I like the idea of there being a few QOTD servers dotted around the internet. Shame that the first I'm hearing about it is it being abused to launch a DDoS.
    replies(1): >>44367588 #
    5. msgodel ◴[] No.44367588[source]
    You can always ssh to random hosts and read the netbanners.

    Of course nearly all of them are a long paragraph or two of legal jargon that more or less boils down to "fuck off."

    replies(2): >>44368822 #>>44372079 #
    6. viraptor ◴[] No.44367672[source]
    Support - yes. Turn on without a bit of hassle - no. I'm not sure how they found that many active services. Honestly, at that small percentage I suspect misclassification instead.
    replies(1): >>44368566 #
    7. Eridrus ◴[] No.44368566[source]
    Yeah, I think this is misclassification based on UDP port.

    If you take their random source ports (21,925), ~0.004% come from any single port, which lines up with what they said was "Other" traffic. The numbers don't quite work out right, but it seems like it's within a factor of 2, so I wouldn't be surprised if it was something like udp source/dest port = 17 => QOTD.

    8. Retr0id ◴[] No.44368822{3}[source]
    SSH banners come over TCP, requiring the 3-way handshake first, meaning you can't use it for traffic reflection (beyond the SYN-ACK itself).
    replies(1): >>44368937 #
    9. msgodel ◴[] No.44368937{4}[source]
    Right, in general unless you're going to put a lot of care into the state machine to deal with network congestion/abuse it's better to stick with TCP.
    replies(1): >>44371460 #
    10. tedunangst ◴[] No.44369421[source]
    I ran a qotd server for a while, only retired two months ago actually. It wasn't very popular.
    replies(1): >>44371722 #
    11. zzo38computer ◴[] No.44370463[source]
    QOTD can also be used with TCP, which avoids a problem that it has if it is being used with UDP.
    12. johncolanduoni ◴[] No.44371460{5}[source]
    I was glad to see QUIC did a pretty good job of limiting its usefulness for reflection attacks. Hopefully we’ll see more uses of UDP move to it.
    13. Aachen ◴[] No.44371722[source]
    Did you have some sort of rate limiting on it?
    14. immibis ◴[] No.44371825[source]
    A lot of security is just making stuff up to sound smart, since the clients aren't very technical. Someone saw packets on port 17 and looked up port 17 and decided that meant the QOTD service was involved in the attack. Probably.
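
Added example, not part of the thread: comments 7 and 14 suspect that traffic was labelled QOTD from the port number alone. The Python sketch below separates datagrams that merely touch UDP port 17 from ones that also look like an RFC 865 reply (source port 17, printable ASCII, under 512 characters). The function names and sample datagrams are constructed for illustration, and the payload check is a heuristic.

```python
QOTD_PORT = 17
MAX_QUOTE_LEN = 512  # RFC 865: a quote should be less than 512 characters
# RFC 865 recommends ASCII printing characters, space, CR and LF.
ALLOWED = set(range(0x20, 0x7F)) | {0x0D, 0x0A}


def looks_like_qotd_payload(payload: bytes) -> bool:
    """True if the payload fits the shape RFC 865 recommends for a quote."""
    return 0 < len(payload) < MAX_QUOTE_LEN and all(b in ALLOWED for b in payload)


def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Label one UDP datagram as seen at the receiving side."""
    if src_port == QOTD_PORT and looks_like_qotd_payload(payload):
        return "qotd-reflection"   # plausible reply from a real QOTD responder
    if QOTD_PORT in (src_port, dst_port):
        return "port-17-only"      # port matches, content or direction does not
    return "other"


def summarize(datagrams):
    """Count labels over (src_port, dst_port, payload) tuples."""
    counts = {}
    for src, dst, payload in datagrams:
        label = classify(src, dst, payload)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample datagrams (not captured traffic).
SAMPLE = [
    (17, 40211, b'"Time is an illusion. Lunchtime doubly so."\r\n'),
    (17, 51002, bytes([0x00, 0xFF, 0x13, 0x37]) * 64),  # binary junk from port 17
    (33012, 17, b"\x9c\x01\xfe" * 100),                 # flood aimed at port 17
    (53, 40211, b"\x12\x34\x81\x80"),                   # unrelated UDP
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A port-only rule would count the first three sample datagrams as QOTD; the payload and direction check keeps only the first.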
    15. coolcoder613 ◴[] No.44372079{3}[source]
    While not a random server on the internet, here is the start of the ssh banner on my router (before the legal "fuck off"):

      _______              __           __              __
     |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
       |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
       |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|
                     N E X T   G E N E R A T I O N   G A T E W A Y
     --------------------------------------------------------------------
     NG GATEWAY SIGNATURE DRINK
     --------------------------------------------------------------------
      * 1 oz Vodka          Pour all ingredients into mixing
      * 1 oz Triple Sec     tin with ice, strain into glass.
      * 1 oz Orange juice
     --------------------------------------------------------------------
    replies(1): >>44372653 #
    16. Gormo ◴[] No.44372653{4}[source]
    Including a cocktail recipe in the login banner has been a signature of OpenWRT for a long time. Looks like Technicolor came up with their own recipe for their OpenWRT distribution.
    replies(1): >>44373273 #
    17. dikei ◴[] No.44373273{5}[source]
    OpenWRT stopped doing this 10 years ago, as it was too much hassle to pick a drink that satisfies everyone.