nanog mailing list archives
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
From: Hugo Slabbert <hugo () slabnet com>
Date: Fri, 23 Sep 2016 14:24:53 -0700
On September 23, 2016 12:15:26 PM PDT, Sven-Haegar Koch <haegar () sdinet de> wrote:
> On Fri, 23 Sep 2016, Mike wrote:
>> On 09/23/2016 11:30 AM, Seth Mattinen wrote:
>>> On 9/23/16 10:58, Grant Ridder wrote:
>>>> Didn't realize Akamai kicked out or disabled customers
>>>>
>>>> http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/
>>>>
>>>> "Security blog Krebs on Security has been taken offline by host Akamai
>>>> Technologies following a DDoS attack which reached 665 Gbps in size."
>>>
>>> So ultimately the DDoS was successful, just in a different way.
>>>
>>> ~Seth
>>
>> More technical information about the characteristics of these attacks
>> would be very interesting, such as the ultimate sources of the attack
>> traffic (compromised home PCs?), the nature of the traffic (dns / ssdp
>> amplification?), whether it was spoofed source (BCP38-adverse), and
>> whether the recent takedown of vDOS was really complete or if it's likely
>> someone else gained control of the C&C servers that controlled its assets?
>
> At least for the OVH case there is a bit of info:
> https://twitter.com/olesovhcom/status/779297257199964160
>
> "This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send
> 1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."

Krebs said it was mostly GRE. Pulling from the archive.org copy of his post[1]:

"Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets..."

This bothered me, though:

"McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic."

Please tell me why I can't spoof source IPs on a stateless protocol like GRE. If he specifically meant you can't spoof a source, hit a reflector, and gain amplification, sure, but I see zero reason why GRE can't have spoofed source IPs.

It bothered me sufficiently that I wrote up some spit-balling ideas about reflecting GRE using double encapsulation[2]. Very rough and untested, but apparently I got a bee in my bonnet...

> c'ya
> sven-haegar
>
> --
> Three may keep a secret, if two of them are dead.
> - Ben F.

--
Hugo Slabbert | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E | also on Signal

[1] https://web.archive.org/web/20160922021000/http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[2] http://blog.slabnet.com/post/gre-reflection/
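
Added example, not part of the original thread or written by any of its participants: a small Python parser for IPv4/GRE headers (RFC 2784/2890) with a BCP38-style ingress check, showing that the GRE header carries nothing that ties a packet to its claimed sender, so source validation has to happen on the outer address at the network edge. The function names, verdict strings, sample packets and the documentation prefixes (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24) are assumptions constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IPv4 protocol number for GRE

def sample_packet(src, dst, key=None):
    """Constructed sample: 20-byte IPv4 header + GRE header, no payload, checksum left 0."""
    flags = 0x2000 if key is not None else 0          # K bit (RFC 2890) when a key is set
    gre = struct.pack("!HH", flags, 0x0800)           # flags/version, inner protocol = IPv4
    if key is not None:
        gre += struct.pack("!I", key)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, GRE_PROTO, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + gre

def parse_gre(packet):
    """Return the outer addresses and GRE fields, or None if this is not IPv4/GRE."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    offset = ihl + 4
    if flags & 0x8000:                                # C bit: checksum + reserved word
        offset += 4
    key = None
    if flags & 0x2000:                                # K bit: 32-bit key follows
        if len(packet) < offset + 4:
            return None
        key = struct.unpack_from("!I", packet, offset)[0]
    return {"src": ipaddress.IPv4Address(packet[12:16]),
            "dst": ipaddress.IPv4Address(packet[16:20]),
            "proto": proto, "key": key}

def ingress_verdict(packet, customer_prefixes):
    """BCP38-style check on a customer-facing port: outer source must be the customer's."""
    info = parse_gre(packet)
    if info is None:
        return "not-gre"
    if any(info["src"] in net for net in customer_prefixes):
        return "forward"
    return "drop-spoofed-source"

if __name__ == "__main__":
    nets = [ipaddress.ip_network("198.51.100.0/24")]  # constructed customer prefix
    for src in ("198.51.100.7", "203.0.113.9"):
        pkt = sample_packet(src, "192.0.2.1", key=1)
        print(src, parse_gre(pkt), ingress_verdict(pkt, nets))
```

Both sample packets parse to the same GRE fields; only the outer source address differs, and only the prefix check on the ingress port tells them apart.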