nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

From: Hugo Slabbert <hugo () slabnet com>
Date: Fri, 23 Sep 2016 14:24:53 -0700


On September 23, 2016 12:15:26 PM PDT, Sven-Haegar Koch <haegar () sdinet de> wrote:

On Fri, 23 Sep 2016, Mike wrote:


On 09/23/2016 11:30 AM, Seth Mattinen wrote:

On 9/23/16 10:58, Grant Ridder wrote:

Didn't realize Akamai kicked out or disabled customers


http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/



"Security blog Krebs on Security has been taken offline by host

Akamai

Technologies following a DDoS attack which reached 665 Gbps in

size."



So ultimately the DDoS was successful, just in a different way.

~Seth



More technical information about the characteristics of these attacks

would be

very interesting such as the ultimate sources of the attack traffic
(compromised home pc's?), the nature of the traffic (dns / ssdp
amplification?), whether it was spoofed source (BCP38-adverse), and

whether

the recent takedown the vDOS was really complete or if it's likely

someone

else gained control of the C&C servers that controlled it's assets?


At least for the OVH case there is a bit of info:

https://twitter.com/olesovhcom/status/779297257199964160

"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send 

1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."


Krebs said it was mostly GRE. Pulling from the archive.org copy of his post[1]:

"Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of 
traffic designed to look like it was generic routing encapsulation (GRE) data packets..."

This bothered me, though:

"McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS 
traffic."

Please tell me why I can't spoof source IPs on a stateless protocol like GRE. If he specifically meant you can't spoof 
a source, hit a reflector, and gain amplification, sure, but I see zero reason why GRE can't have spoofed source IPs. 
It bothered me sufficiently that I wrote up some spit-balling ideas about reflecting GRE using double encapsulation[2]. 
Very rough and untested, but apparently I got a bee in my bonnet...


c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.


-- 
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal

[1] https://web.archive.org/web/20160922021000/http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[2] http://blog.slabnet.com/post/gre-reflection/

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: