
265 points methuselah_in | 1 comments
londons_explore ◴[] No.44366154[source]
A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connection's volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #
franga2000 ◴[] No.44369906[source]
Banks have already figured out fraud detection through pattern recognition, ISPs can do the same. When a connection has never used more than 300/10 of a 1000/1000 link and 80% of that was TCP with dstport 80 or 443, then it starts doing /900 UDP to every possible dstport, maybe something is wrong?

"Your network is generating an extraordinary amount of traffic, which is likely the result of a virus-infected device. As a result, we have lowered your speed to 100/20. Please read the steps to check your devices and unlock your connection here: ____"

replies(4): >>44369970 #>>44370417 #>>44371799 #>>44372587 #
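The per-subscriber check franga2000 describes, sketched as an added example that is not part of the thread or any ISP's code. The flow-record layout, the thresholds and every name in it are assumptions. It throttles only when upstream rate, protocol mix and destination-port spread all break from the subscriber's history.

```python
from dataclasses import dataclass

# A window is (upstream_mbps, [(proto, dst_port, bytes), ...]) for one subscriber.
THROTTLED_PROFILE = "100/20"  # reduced speed quoted in the comment above

@dataclass
class Baseline:
    peak_up_mbps: float = 0.0
    web_bytes: int = 0    # TCP to dst port 80/443
    total_bytes: int = 0

    def learn(self, window):
        up_mbps, flows = window
        self.peak_up_mbps = max(self.peak_up_mbps, up_mbps)
        for proto, dport, nbytes in flows:
            self.total_bytes += nbytes
            if proto == "tcp" and dport in (80, 443):
                self.web_bytes += nbytes

    def web_share(self):
        return self.web_bytes / self.total_bytes if self.total_bytes else 0.0

def decide(baseline, window, rate_factor=10, udp_share_min=0.9, port_spread_min=1000):
    """Return the throttled profile only if rate, mix and port spread all deviate."""
    up_mbps, flows = window
    total = sum(nbytes for _, _, nbytes in flows)
    if total == 0:
        return None
    udp_bytes = sum(nbytes for proto, _, nbytes in flows if proto == "udp")
    udp_ports = {dport for proto, dport, _ in flows if proto == "udp"}
    rate_jump = up_mbps >= rate_factor * max(baseline.peak_up_mbps, 1.0)
    mix_shift = baseline.web_share() >= 0.5 and udp_bytes / total >= udp_share_min
    port_spray = len(udp_ports) >= port_spread_min
    return THROTTLED_PROFILE if (rate_jump and mix_shift and port_spray) else None

def build_baseline(windows):
    baseline = Baseline()
    for window in windows:
        baseline.learn(window)
    return baseline

# Constructed sample data: a history peaking at 10 Mbps up with 80% web traffic,
# then a 900 Mbps UDP spray across 5000 ports and a large ordinary HTTPS upload.
HISTORY = [(10, [("tcp", 443, 6000), ("tcp", 80, 2000), ("udp", 53, 500), ("tcp", 22, 1500)])] * 24
FLOOD = (900, [("udp", port, 1000) for port in range(1, 5001)] + [("tcp", 443, 10000)])
BACKUP = (200, [("tcp", 443, 9_000_000)])

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(decide(base, FLOOD), decide(base, BACKUP))
```

The distinct-port set is bounded at 65,536 entries per subscriber, so the state this check keeps per connection has a fixed ceiling.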
1. itake ◴[] No.44369970[source]
Banks have way lower traffic and slower reaction times than what cf needs to support.

Lowering the speed means "good" traffic is also impacted, resulting in higher timeouts.

Counting the number of events isn't cheap either.