Over a decade of DDOS--any progress yet?

Drew Weaver drew.weaver at thenap.com
Fri Dec 10 20:30:28 UTC 2010


Ah,

Honestly we can usually point to the exact cause of the attacks once we have time to triage the situation.

Recently it has been stuff like:

-Made someone in Asia angry.
-Running a runescape server and made someone angry
-Made someone on IRC angry

It has been pretty rare to see an attack that wasn't just the end result of a pissing contest.

And like I said most of the ones I have seen recently are either UDP 80 floods which is probably the result of one of the UDP.PL variants or fragments (UDP DST 0) attacks which kind of indicates at least in part that the 'attacker' simply downloaded the first thing they could find that said 'DDoS' on it and didn't spend too much time worrying about it.

This is probably mainly because of how easy it is now to acquire dedicated servers (that aren't properly monitored) and have 1Gbps (and now) 10Gbps connections to the Internet.

How many organizations are using 10G connections to the Internet these days?

-Drew

-----Original Message-----
From: Matthew Petach [mailto:mpetach at netflight.com] 
Sent: Wednesday, December 08, 2010 1:35 PM
To: jay at prolexic.com
Cc: nanog at nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley <jay at prolexic.com> wrote:
> On 08/12/2010 16:14, Drew Weaver wrote:
>> I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.
>>
>> thanks,
>> -Drew
>
> This has been our recent experience as well.  There are some pure app
> attacks, to be sure, but we see many blended attacks also.  Bandwidth
> (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH
> floods) attempting to run underneath the radar.  We regularly see SYN
> floods these days > 20 Gb/s.

Another thing to be aware of--when you get hit with what seems to be
a "simple" flooding attack aimed at one point of your infrastructure...
start checking your logs at _other_ places in your network very, VERY
carefully.

There seems to be a trend of using larger-scale flooding, or other
simple types of attacks to get all the network people at an organization
rushing over to throw resources and energy at it...while the real target
of the attack is something completely different, on a different subnet, in
a different part of the company; and that attack is small, carefully focused
at its target, and is designed to be relatively quiet.  The "big" attack is used
simply to ensure all the human energy is focused on the wrong place,
increasing the chance that what otherwise might cause raised eyebrows
and double-checking of logs/IDS alerts, etc. gets missed while everyone
is focusing on the "big" attack.

> The thing to bear in mind is that app attacks *are* difficult to detect
> as they are low bandwidth and make a full TCP connection.  As a result
> many IDS/Firewalls etc regularly miss these attacks.
>
> Lastly there is usually always someone at the other end of these attacks
> watching what is working and what is not.  If the attack doesn't work
> they will simply round up more bots to increase the attack bandwidth or
> change the attack vector.

And, in what seems to be an increasing trend, what they are watching
for is *not* necessarily the result of the large botnet attack; they're checking
on the results of their targeted probes elsewhere in the network, or on the
outbound set of connections from a compromised machine within an
organization; after all, during a huge DDoS attack, with everyone focusing
on a set of uplinks being flooded with _inbound_ traffic, who is going to
notice the (relatively smaller) outbound spike of traffic as the compromised
machine sends out a copy of your internal intellectual property to the
miscreant recipients?

Matt
(speaking purely hypothetically, of course, and definitely not on behalf
of any institution or entity other than myself)
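Matt's advice to check the _other_ places in the network while the uplink is being flooded can be turned into a simple flow-log check. The following is an added example, not code from this thread: it assumes NetFlow-style records reduced to (minute, src, dst, bytes) tuples and a 10.0.0.0/8 internal range, both constructed here, and flags internal hosts whose outbound rate during the flood window jumps well above their pre-flood baseline.

```python
from collections import defaultdict

# Constructed sample flow records (not real data): (minute, src, dst, bytes).
# Internal space is 10.0.0.0/8. The decoy flood hits 10.0.0.1 from minute 2,
# while 10.0.5.7 quietly pushes a large outbound transfer in the same window.
FLOWS = [
    (0, "203.0.113.9", "10.0.0.1", 2_000),          # baseline inbound
    (0, "10.0.5.7", "198.51.100.4", 30_000),         # baseline outbound
    (1, "10.0.5.7", "198.51.100.4", 28_000),
    (1, "10.0.2.2", "198.51.100.8", 50_000),
    (2, "198.51.100.20", "10.0.0.1", 900_000_000),   # flood begins
    (2, "10.0.5.7", "198.51.100.4", 600_000_000),    # outbound spike
    (2, "10.0.2.2", "198.51.100.8", 52_000),         # unchanged host
    (3, "198.51.100.21", "10.0.0.1", 950_000_000),
    (3, "10.0.5.7", "198.51.100.4", 700_000_000),
    (3, "10.0.2.2", "198.51.100.8", 48_000),
]

def is_internal(ip):
    # Hypothetical internal range for this example.
    return ip.startswith("10.")

def flood_minutes(flows, threshold):
    """Minutes whose total inbound byte count exceeds threshold: the noisy window."""
    inbound = defaultdict(int)
    for minute, src, dst, nbytes in flows:
        if not is_internal(src) and is_internal(dst):
            inbound[minute] += nbytes
    return {m for m, b in inbound.items() if b > threshold}

def outbound_rate(flows, minutes):
    """Average outbound bytes per minute for each internal host over `minutes`."""
    totals = defaultdict(int)
    for minute, src, dst, nbytes in flows:
        if minute in minutes and is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {host: total / len(minutes) for host, total in totals.items()}

def suspicious_exfil(flows, flood_threshold=100_000_000, ratio=10.0):
    """Hosts whose outbound rate during the flood is >= ratio x their baseline rate.
    Returns {host: (baseline_rate, flood_rate)}; empty if there is no flood window."""
    attack = flood_minutes(flows, flood_threshold)
    baseline = {m for m, *_ in flows} - attack
    if not attack or not baseline:
        return {}
    before, during = outbound_rate(flows, baseline), outbound_rate(flows, attack)
    return {h: (before.get(h, 0.0), r) for h, r in during.items()
            if r >= ratio * max(before.get(h, 0.0), 1.0)}

if __name__ == "__main__":
    for host, (base, now) in suspicious_exfil(FLOWS).items():
        print(f"{host}: {base:.0f} B/min before flood, {now:.0f} B/min during")
```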
