How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

(blog.cloudflare.com)

265 points methuselah_in | 1 comments | 20 Jun 25 18:34 UTC | HN request time: 0.228s | source

Show context

londons_explore ◴[24 Jun 25 13:40 UTC] No.44366154[source]▶

A DDoS gets some fraction of the entire internet to attack a single host.

As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connections volume will only get larger.

Is there any kind of solution?

replies(8): >>44366248 #>>44366352 #>>44366379 #>>44366623 #>>44366811 #>>44366991 #>>44367206 #>>44369906 #

franga2000 ◴[24 Jun 25 19:18 UTC] No.44369906[source]▶

>>44366154 #

Banks have already figured out fraud detection through pattern recognition, ISPs can do the same. When a connection has never used more than 300/10 of a 1000/1000 link and 80% of that was TCP with dstport 80 or 443, then it starts doing /900 UDP to every possible dstport, maybe something is wrong?

"Your network is generating an extraordinary amout of traffic, which is likely the result of a virus-infected device. As a result, we have lowered your speed to 100/20. Please read the steps to check your devices and unlock your connection here: ____"

replies(4): >>44369970 #>>44370417 #>>44371799 #>>44372587 #

1. xyst ◴[24 Jun 25 22:39 UTC] No.44371799[source]▶

>>44369906 #

So many false positives can happen here.

Most ISPs are already a pain in the ass to deal with. (Fuck you Charter/Spectrum). I don’t trust them to do their due diligence and implement this correctly. Or worse, abuse it.

“hey you pay for 1000/300 package. We detected abnormal traffic. Now you get throttled to 100/100. But still pay 1000/30”. Then they will drag on the resolution process until you give up.

↑