Krebs on Security booted off Akamai network after DDoS attack proves pricey

Hugo Slabbert hugo at slabnet.com
Fri Sep 23 21:24:53 UTC 2016


On September 23, 2016 12:15:26 PM PDT, Sven-Haegar Koch <haegar at sdinet.de> wrote:
>On Fri, 23 Sep 2016, Mike wrote:
>
>> On 09/23/2016 11:30 AM, Seth Mattinen wrote:
>> > On 9/23/16 10:58, Grant Ridder wrote:
>> > > Didn't realize Akamai kicked out or disabled customers
>> > >
>http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/
>
>> > > 
>> > > "Security blog Krebs on Security has been taken offline by host
>Akamai
>> > > Technologies following a DDoS attack which reached 665 Gbps in
>size."
>> > 
>> > 
>> > So ultimately the DDoS was successful, just in a different way.
>> > 
>> > ~Seth
>> > 
>> > 
>> More technical information about the characteristics of these attacks
>would be
>> very interesting such as the ultimate sources of the attack traffic
>> (compromised home pc's?), the nature of the traffic (dns / ssdp
>> amplification?), whether it was spoofed source (BCP38-adverse), and
>whether
>> the recent takedown the vDOS was really complete or if it's likely
>someone
>> else gained control of the C&C servers that controlled it's assets?
>
>At least for the OVH case there is a bit of info:
>
>https://twitter.com/olesovhcom/status/779297257199964160
>
>"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send 
>>1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."

Krebs said it was mostly GRE. Pulling from the archive.org copy of his post[1]:

"Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets..."

This bothered me, though:

"McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic."

Please tell me why I can't spoof source IPs on a stateless protocol like GRE. If he specifically meant you can't spoof a source, hit a reflector, and gain amplification, sure, but I see zero reason why GRE can't have spoofed source IPs. It bothered me sufficiently that I wrote up some spit-balling ideas about reflecting GRE using double encapsulation[2]. Very rough and untested, but apparently I got a bee in my bonnet...

>c'ya
>sven-haegar
>
>-- 
>Three may keep a secret, if two of them are dead.
>- Ben F.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal

[1] https://web.archive.org/web/20160922021000/http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[2] http://blog.slabnet.com/post/gre-reflection/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 850 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20160923/f2ee8f78/attachment.sig>


More information about the NANOG mailing list