
265 points methuselah_in | 2 comments
jakub_g No.44366870
> QOTD DDoS attack

> How it works: Abuses the Quote of the Day (QOTD) Protocol, which listens on UDP port 17 and responds with a short quote or message.

Does any reasonable operating system these days support this protocol? Sounds like "IP over Avian Carriers" to me.

1. viraptor No.44367672
Support - yes. Turn on without a bit of hassle - no. I'm not sure how they found that many active services. Honestly, at that small percentage I suspect misclassification instead.
2. Eridrus No.44368566
Yeah, I think this is misclassification based on UDP port.

If you take their random source ports (21,925), ~0.004% come from any single port, which lines up with what they said was "Other" traffic. The numbers don't quite work out right, but it seems like it's within a factor of 2, so I wouldn't be surprised if it was something like udp source/dest port = 17 => QOTD.