500Gbps DDoS attack flattens world record

The world's largest distributed denial of service attack has been clocked at 500Gbps, according to Arbor Networks. The attack was reported by a third party and is yet to be analysed, other than in terms of its size. British teen Seth Nolan-Mcdonagh likely held the title for the previous largest DDoS, which came in at 300Gbps …

  1. Anonymous Coward

    Wowsa.

    In the grand scheme of things though, is that really a lot? I've never had to fend off a DDoS attack.

    Anyone care to add some perspective?

    1. phuzz Silver badge

      Re: Wowsa.

      Well, the computer you're using now probably has a 1Gbps ethernet port, and unless you have a fast hard drive, you'll probably struggle to saturate that connection.

      So, not only would you have to have enough aggregate bandwidth across your network switches, servers and other networking gear, you'd also need the processing capacity to deal with that much data so quickly (even if you're just dropping the traffic). So yes, that's a big amount of data to deal with.

      1. Anonymous Coward

        Re: Wowsa.

        @phuzz

        Yeah that much I gathered. However if one is able to measure the magnitude of a DDOS attack does that not suggest they have bandwidth to spare...or does it suggest that 500gbps is their upper limit?

        Also is the effect of the 500gbps that the bandwidth is getting chewed up or is it that the infrastructure can't handle the number of incoming sessions at that rate?

        Apols for the retarded question (if indeed it is retarded). I am an experienced techie but for some reason I can't put myself in the shoes of the person fending off something like this.

        It'd be interesting to know the experience from a victim's side for once!

        1. alexdonald

          Re: Wowsa.

          The comments on this article are quite informative:

          http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/

    2. Preston Munchensonton

      Re: Wowsa.

      500Gbps, as a distributed set of connections, totals at least 25000 TCP or UDP connections and likely far more than that to ensure a sustained rate. If your own PC ever hit 100 connections, you'll notice the performance impact.

  2. Dan Wilkie

    Well I'd guess it would tax your switches a tad...

  3. Martin hepworth

    BBC at 602GBS

    https://www.grahamcluley.com/2016/01/ddos-gang-takes-bbc-websites-donald-trumps-campaign-site-holiday-weekend/

    The BBC DDOS was allegedly even higher so they mustn't use Arbor then...

  4. TJ1

    dd if=/dev/cpe of=(ISP != BCP38 ? /dev/null : /dev/internet)

    Solution is BCP38 a.k.a. RFC2827 in the CPE/hosting network's ingress/egress routers. Block before the packets are able to aggregate and thus avoid overloading links and devices close to the target.

    "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"

    http://www.bcp38.info/index.php/Main_Page

    http://tools.ietf.org/html/rfc2827.html

    It's a crying shame that this simple solution has been around for many many years but those that could do most to prevent the spoofing-based attacks don't/won't apply it.

    If you're an ISP network engineer it'd be good to know if you're aware of the RFC, and if so, reasons why you do - or do not - implement it on your ingress/egress routers?

    Each network knows what sub-nets it should be routing and can easily drop any source addresses that are outside the valid sub-nets.

    The only way to mandate it is by interchanges and backhaul providers dropping peering with CPE/hosting networks that do not implement BCP38. Until recently it seems like handling DDoS traffic has been seen as an acceptable business cost. Maybe as these attacks get larger and more frequent that cost will push the buttons.
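
The check TJ1's comment describes (drop any source address outside the sub-nets a network should be routing), as an added example that is not part of the original thread. The interface names, prefixes and packets are hypothetical and use documentation address ranges.

```python
"""BCP38-style ingress filtering at a provider edge (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Assumption: the prefixes delegated to each customer-facing interface.
# Names and prefixes are hypothetical (RFC 5737 / RFC 3849 documentation ranges).
ASSIGNED = {
    "cust-a": [ip_network("192.0.2.0/25"), ip_network("2001:db8:a::/48")],
    "cust-b": [ip_network("198.51.100.0/24")],
}

def permit(interface, src):
    """True only if src lies inside a prefix assigned to the ingress interface."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    return any(addr.version == net.version and addr in net
               for net in ASSIGNED.get(interface, []))  # unknown interface: drop

def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic: (ingress interface, source address, destination address)
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.53"),      # inside cust-a's /25
    ("cust-a", "192.0.2.200", "203.0.113.53"),     # same /24 but outside the /25
    ("cust-a", "203.0.113.7", "203.0.113.53"),     # source not delegated to cust-a
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # inside cust-a's /48
    ("cust-b", "198.51.100.77", "203.0.113.53"),   # inside cust-b's /24
    ("cust-b", "192.0.2.10", "203.0.113.53"),      # another customer's address
    ("cust-c", "10.0.0.1", "203.0.113.53"),        # interface with no assignment
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for iface, src, _ in bad:
        print(f"drop: {src} arrived on {iface}")
```
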

  5. Joseba4242

    Whether that's a lot to deal with depends on the nature of the attack. If it's a simple (reflective) UDP attack to a non-UDP service then you can easily filter that at the network borders where such a capacity is available in the large national networks and certainly in the Tier 1 ISPs.

    If it's an attack simulating the application (eg. a HTTP attack to a HTTP service) from similar networks as legitimate clients then you need a more intelligent scrubbing capability that can analyse and block the traffic in detail. For that it's big.

    1. leexgx

      problem is when you're past 500Gbps it's not about blocking it you start to break the internet itself in places before it even gets to the ISPs/target that don't have that 500Gbps links

      one DDoS had taken out 2-3 ISPs temporarily due to the flood of data as they started to target transient providers gateways that had Routable IP addresses

      bcp38 needs implementing at ISP levels and openDNS and time servers the hosting providers should automatically cut them off when they are running services like that

      1. Z80A

        Gibberish

        @leexgx are you too lazy or short of time to punctuate or proofread your own post? Please don't waste the valuable time of Reg readers with speakwrite babble.

        to you're credit the information you have to share could be useful but it becomes much less useful when poorly presented think about how how hard it is to read

  6. Anonymous Coward
    Joke

    Yet more Linux Apple Android DDoS attacks

    "It sounds like white noise everywhere, which is like silence but not empty."
