The Register® — Biting the hand that feeds IT

Feeds

Bitbucket's Amazon DDoS - what went wrong

After a DDoS brought down Bitbucket's web-based code-hosting service for more than 19 hours over the weekend, Jesper Nøhr speculated the attack had exposed a flaw in the sky-high Amazon infrastructure that hosts the site. Nøhr - who runs Bitbucket - has since spoken to an "Amazon executive" about the attack, and according to his …

This topic is closed for new posts.
kevin elliott
Coat

Knicker Elastic

Seems like the problem is really the elastic that Amazon use in their products. knicker elastic is outdated and doesn't have the stretch & resilience of pure latex products..

David S
Coat

@Kevin

I think you're thinking of Amazon's less-well-known service, the Knicker Elastic Komputing Service.

It's pants.

The one with the lacy stuff in the pockets, thanks...

Goat Jam
FAIL

Using QoS to prioritise traffic?

Are they really that naive at Amazon Central? Prioritisation only really works when all the packets going to and fro are well behaved. Any half aware script kiddie worth his salt would know that and use it to his advantage.

Thorsten 1

not so interesting, actually

I'm not sure you actually hit the real source of the problem. It seems to me that there is a different true problem, which is that the EC2 security group rules (firewall) are implemented on the host, not on an external device. I assume Bitbucket's rules denied all those UDP packets, but they still hit the host and thus caused network contention. The EBS issue is secondary in that it's traffic should have had priority over the UDP packets. But the real problem was that nobody could see the UDP traffic and respond appropriately.

Thorsten 1

misleading article

I'm not sure you actually hit the real source of the problem. It seems to me that there is a different true problem, which is that the EC2 security group rules (firewall) are implemented on the host, not on an external device. I assume Bitbucket's rules denied all those UDP packets, but they still hit the host and thus caused network contention. The EBS issue is secondary in that it's traffic should have had priority over the UDP packets. But the real problem was that nobody could see the UDP traffic and respond appropriately.

TTTM
Grenade

Sad but true

Once the incoming network was saturated, probably nothing would have stopped the attack. I talked to some of our CTOs & architects and put together a summary - http://cloudsecurity.trendmicro.com/ddos-and-the-cloud-sad-but-true/# .

TT

This topic is closed for new posts.