←back to thread

How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

(blog.cloudflare.com)
265 points methuselah_in | 1 comments | 20 Jun 25 18:34 UTC | HN request time: 0.237s | source
Show context
londons_explore ◴[24 Jun 25 13:40 UTC] No.44366154[source]
A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connections volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #
alyandon ◴[24 Jun 25 13:49 UTC] No.44366248[source]
Not a 100% solution but would help greatly if ISPs:

1) performed egress filtering to prevent spoofing arbitrary source addresses

2) temporarily shut off customers that are sending a large volume of malicious traffic

replies(2): >>44366275 #>>44366336 #
alberth ◴[24 Jun 25 13:58 UTC] No.44366336[source]
> sending a large volume of malicious traffic

How would an ISP determine egress is malicious? Genuinely curious.

replies(5): >>44366353 #>>44366415 #>>44366743 #>>44366790 #>>44366797 #
stackskipton ◴[24 Jun 25 14:41 UTC] No.44366790[source]
One simple way to do it is configure the customers routers to drop/reject all UDP/TCP packets where SRC address does not match Private IP/WAN Assigned Public IP.
replies(2): >>44367112 #>>44367143 #
Y_Y ◴[24 Jun 25 15:12 UTC] No.44367112[source]
The customer's router is for the customer to configure
replies(2): >>44367204 #>>44367275 #
__turbobrew__ ◴[24 Jun 25 15:21 UTC] No.44367204[source]
I think ideally the customers router shouldn’t be touched, but the ISP can still do packet filtering on the next hop to drop any packets which don’t have a src ip matching the assigned WAN address of the router.
replies(1): >>44368401 #
pedrocr ◴[24 Jun 25 17:09 UTC] No.44368401[source]
Wouldn't that need a huge amount of extra hardware to do that filtering when the routers in each customer's home are mostly idle? Just setting egress filtering as the default and letting users override that if they need to for some reason should be a good outcome. The few that do change the default hopefully know what they are doing and won't end up part of a DDoS but they'll be few anyway so the impact will still be small.
replies(2): >>44369273 #>>44371142 #
1. citrin_ru ◴[24 Jun 25 21:15 UTC] No.44371142[source]
> Wouldn't that need a huge amount of extra hardware to do that filtering

20 years ago Cisco (probably much longer) routers were able to do this without noticeable performance overhead (ip verify unicast reverse-path). I don't think modern routers are worse. Generally filtering is expensive if you need a lot of rules which is not needed here.