World's biggest DDoS attack record broken after just five days

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right. Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the …

  1. elDog Silver badge

    And we're only 50 years into the internet (arpa and aloha and others)

    We're still toddlers trying to understand what we've unleashed.

    The next 50 will be worse since so much more will be interconnected. We will just start to have really trustworthy and enforced protocols but they won't be universal.

    Maybe in 100 we'll have a truly reliable, solid, trustworthy means of communication. But it will be under the rule of a global hegemony that won't brook any dissent.

    It's been a fun golden age. Grab some of it while you can!

  2. bombastic bob Silver badge
    Stop

    ISPs could mitigate this

    ISPs could mitigate this, if they filtered all UDP traffic originating in their address space by filtering out, at the gateway, anything that does not match the actual IP address of the source computer.

    A simple filter rule on the gateway. There's nothing in the RFCs (that I'm aware of) where you need to allow the originating IP address of a UDP packet to differ from the computer that originated it. It's just that it CAN, that's all.

    1. John Geek

      Re: ISPs could mitigate this

      Re: mitigation, ditto; ISPs could filter traffic from outside that claims to be from their own address space.
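Bob's egress filter and John Geek's ingress counterpart, as an added example that is not from the thread or from any ISP's code: a source-address check at a hypothetical ISP border, run over constructed sample packets. The prefixes, addresses and the `extra_allowed` parameter (for the multihomed case tip pc raises later in the thread) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: address space this hypothetical ISP has assigned to customers.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    direction: str   # "egress" = leaving the ISP, "ingress" = arriving from outside

def in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def verdict(pkt, extra_allowed=()):
    """Return 'drop' or 'forward' for one packet at the ISP border.

    Egress rule (bob's point): a packet leaving must carry a source address the ISP
    assigned, so a request spoofed with a DDoS victim's address never gets out.
    Ingress rule (John Geek's addition): a packet arriving from outside must not
    claim to come from the ISP's own space.
    extra_allowed answers tip pc's objection: prefixes a multihomed customer has
    registered with the ISP, so its legitimate traffic is not dropped (assumption).
    """
    allowed = list(ISP_PREFIXES) + [ipaddress.ip_network(p) for p in extra_allowed]
    if pkt.direction == "egress" and not in_prefixes(pkt.src, allowed):
        return "drop"
    if pkt.direction == "ingress" and in_prefixes(pkt.src, ISP_PREFIXES):
        return "drop"
    return "forward"

# Constructed traffic: 192.0.2.10 plays the DDoS victim, 192.0.2.99 and 198.51.100.77
# play memcached servers listening on UDP 11211.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.99", 11211, "udp", "egress"),       # spoofed request
    Packet("203.0.113.5", "192.0.2.99", 11211, "udp", "egress"),      # genuine request
    Packet("203.0.113.8", "198.51.100.77", 11211, "udp", "ingress"),  # claims ISP source
    Packet("192.0.2.20", "198.51.100.77", 11211, "udp", "ingress"),   # ordinary inbound
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.direction:7} {p.src:>13} -> {p.dst:<14} {verdict(p)}")
```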

    2. andyp-random-number

      Re: ISPs could mitigate this

      I don't understand why responsibility is normally passed onto someone else, in this case an ISP. Why not make the people responsible for the problem sort their problem, legally?

      We do it for cars, people have to make sure their car is compliant so as not to be a danger to others, it's called an MOT. While MOTs aren't perfect, at least the responsibility is put onto the owner.

      People running equipment on the net that is capable of causing harm to others should be held to account. Pass the bill on to them, with a fine, perhaps even make them go through a training course to show they are fit to let their hardware loose onto the wider world.

      It's just a principle; why make someone else responsible for fixing it?

      1. Peter Prof Fox

        Re: ISPs could mitigate this

        So you're able to fix, and happy to be responsible for, all the engine management software in your car? You know, say, the crooked VW stuff? What about manufacturing defects in, say, your tyres?

        I have a remote web cam. How am I supposed to know what software it's running, let alone do anything about it?

        So NO.

        1. CrazyOldCatMan Silver badge

          Re: ISPs could mitigate this

          I have a remote web cam. How am I supposed to know what software it's running

          Yes.

          Next question?

          (Just like it's your responsibility not to use polluting chemicals and casually discard them by the roadside.)

      2. handleoclast Silver badge

        Re: ISPs could mitigate this

        @ andyp-random-number

        We do it for cars, people have to make sure their car is compliant so as not to be a danger to others, it's called an MOT. While MOTs aren't perfect, at least the responsibility is put onto the owner.

        My father used to have this approach to driving: assume the other driver is an idiot. Sure, it's the other driver's responsibility to drive safely and with due care and attention, but the injuries you suffer in an accident aren't any less severe because you happened to be in the right.

        The same principle applies to MOTs and car maintenance. Your injuries aren't any less severe because the guy should have ensured his car was in a safe condition but did not. At best, the insurance companies will pay for your expenses because the accident wasn't your fault. It's still better to drive defensively.

        Yes, people running memcached should tighten their security. There should be a way to fine those that do not, or at least to pass costs of defending yourself from their stupidity onto them. But this isn't an ideal world, so drive defensively.

        1. steamrunner

          Re: ISPs could mitigate this

          "My father used to have this approach to driving: assume the other driver is an idiot."

          I use the same tactic, and not just for driving. (That's not precluding that, at moments, maybe it's *me* that's being the idiot ;-).

          More importantly, I taught the kids essentially the same tactic when crossing the road, even on a proper crossing: i.e. even if the crossing is green, assume the cars are NOT going to stop but watch them to make sure they do before actually stepping out and crossing! As noted in the previous comment, it doesn't help you being in the right when you get hit...

      3. David Roberts Silver badge

        Re: ISPs could mitigate this - car MOT

        Just one small flaw in your plan. The MOT helps to secure road safety in the UK from dangerous cars on the UK roads and is policed in the UK where the cars physically are.

        How do you propose to enforce an MOT on servers all over the world and completely outside your jurisdiction?

        If you can't knock on (kick down) the door then you can't tackle the problem at source. You have to police the borders (just like illegal goods) which is the point where you can take physical control.

        So having ISP routers acting as border guards is probably one of the more effective ways to address the problem.

        1. tip pc
          Alert

          Re: ISPs could mitigate this - car MOT

          @David Roberts

          So having ISP routers acting as border guards is probably one of the more effective ways to address the problem.

          Why do people always jump to try and fix these things in the network? It's not a network problem; the network is operating as per spec, it's delivering UDP packets to their destination. It's up to the remote application to accept the traffic and act upon it. Why is the remote app responding with up to 50k more packets than it received? Why is the remote application not verifying it's receiving traffic from sources it should? The problem is how the remote app behaves when it receives unsolicited requests in a certain format. Fix the remote app and suddenly this is not a problem. Worst case, filter the traffic as it approaches the remote end; don't break the internet for the rest of us because someone's had a knee-jerk reaction and decided to do something without really understanding what the ramifications are.

        2. Wayland Bronze badge

          Re: ISPs could mitigate this - car MOT

          David, if you read handleoclast's post properly you will notice the real thrust is not for an MOT but for defensive driving.

          Devices should be built with security on as standard. Users should be responsible to ensure their device is secure.

          BUT you should have some firewalls and suchlike to protect yourself from irresponsible Internet users.

      4. Anonymous Coward

        Re: ISPs could mitigate this

        "I don't understand why responsibility is normally passed onto someone else, in this case an ISP. Why not make the people responsible for the problem, sort their problem, legally.

        We do it for cars, people have to make sure their car is compliant so as not to be a danger to others, it's called an MOT. While MOTs aren't perfect, at least the responsibility is put onto the owner."

        We do not do it for cars.

        Compliance is enforced on the manufacturers, not the drivers. We do not require all drivers to be automotive engineers who can fix flaws in the design or construction of their vehicles.

        If you really want to do this, go after the database software vendors, or maybe the router manufacturers.

      5. Anonymous Coward

        Re: ISPs could mitigate this

        "People running equipment on the net that is capable of causing harm to others should be held to account. Pass the bill on to them, with a fine, perhaps even make them go through a training course to show they are fit to let their hardware loose onto the wider world."

        Groan. That's what we'll do. Imagine how well that'll work when your 94-year-old grandad gets a virus on his iPad that causes issues out on the Internet.

        Of course it SHOULDN'T be down to ISPs to sort this, but at the end of the day, it HAS to be! What other way is there? Those with the know-how should be able to request "unfiltered" connections if they so wish; for the rest, blocks as described by the previous poster should be the norm, same as how parental controls are until an adult unlocks them.

        I appreciate in this case it'll only be sysadmins unleashing a memcache problem, but in other cases, IoT etc., we all need some protection from what's out there. And would you rather ISPs took that on board and made your connection a little safer, or would you rather all and sundry could just have their connections doing whatever they like because they're still waiting for their "training course" coming up?

        You could argue the same with traffic lights and give way signs out on the road.. "Why make someone else responsible?".. Well because without them, a number of folks would run riot!

    3. tip pc
      Alert

      Re: ISPs could mitigate this

      @bob

      And just how do you propose to do that?

      You'd have to do it on the originating subnet, which will incur extra processing and extra config, which equals extra cost. For some esoteric reason there may be a good reason for spoofing the source address to be some address not belonging to the sender or in their ISP's ranges; the sender may want to ensure the recipient replies back on the sender's other ISP link for some reason.

  3. John Smith 19 Gold badge
    FAIL

    "It has been nearly five years since the first memcached attacks were reported, "

    5 f**king years

    And it's a UDP with spoofed return address.

    It's not the volume generated.

    This is probably happening because of its default processing of UDP packets.

    Which was no doubt viewed as the friendly, internet neighborly thing to do.

    In 1988. Today?

    1. Anonymous Coward

      Re: "It has been nearly five years since the first memcached attacks were reported, "

      No, not just default processing of UDP.

      This is the internet equivalent of having a skip outside your house in London. The items in it are changed and replaced over time as people walk by. If you left a database outside it will be filled with all sorts, and others will take stuff away.

      The internet does not have traffic police either, so it's either DIY or somebody at an aggregated level will have to take some responsibility, i.e. the ISP. The ISPs can also suffer from, as well as possibly assist in, these types of attack.

      It's also becoming far easier to hire skips (i.e. AWS instances) and self-amplify for short periods at low cost/effort. I would also suspect some of these site-builder apps are likely to contribute, but I don't have enough direct knowledge of the services they offer.

      Overall, it's everybody's job and everyone can help. Now onto the more relevant question of how we can nail the Bas***ds that do this in the first place.

  4. John Smith 19 Gold badge
    Unhappy

    "I would also suspect some of these site-builder apps are likely to contribute"

    Which set the default configuration of your "cloud" environment.

  5. Anonymous Coward
    Devil

    Ahh that's more like it

    Sock it to them!

    You were right, there was more and yet more after this too.

    Er, well, excuse me, I feel a little on both sides of the fence. I think some sites/servers need a good kicking but dislike DDoS and any other hacking, so until we get an effective and official kicker...

    I'll play both sides. Sock it to 'em, DDoS, and sic 'em, Rex!

  6. Anonymous South African Coward Silver badge
    Trollface

    Can't you set up an open memcached host to feed itself UDP packets?

    Kind of a vicious loopback as it will start to feed itself more and more until it falls over....

Biting the hand that feeds IT © 1998–2019