The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks

234 points by alexforster, over 9 years ago

20 comments

kyledrake, over 9 years ago
I strongly believe it's not possible to safely run a site without DDoS protection for all servers anymore. Anyone with $20 can take down anything on Digital Ocean, Linode, Hetzner, and many others. Or they can run up a huge bill for you on AWS. I would love to use Cloudflare but I can't afford $6000/mo for DDoS protection on my servers with the wildcard requirements we need. Linode may have solved their DDoS problems with their own stuff, but what about their customers' VPSes?

I really wish people would start taking DDoS more seriously. It's really not something we can just null route servers for anymore. It's becoming a very serious problem. It's not going away, it's amplifying and getting far worse.

I'm also not sure how effective it would be, but it would be nice to see the FBI, NSA or whomever spend at least as much time fighting these DDoS warlords as they did persecuting whistleblowers and trying to shove backdoors into cryptography.

rdl, over 9 years ago
Layer 7 attacks are the new hotness in DDoS. If you have a big enough botnet (either conventional botnet, or hijacked browsers), you can do them, and they're often quite effective.

Fundamentally, layer 3/4 are usually amplification. Those are still effective, and very efficient for the attacker, but they will someday (5y? 10y?) be blocked by closing up sources of amplification. Address spoofing at layer 3/4 might get addressed by BCP 38, Vixie's good fight, etc., but not holding my breath.

By the time all that happens, attackers will have moved on to layer 7 attacks. Those can target the weakest parts of your stack, and with a large botnet, even the act of blocking the IPs in the wrong place can add enough overhead to hurt. With a huge botnet of hijacked browsers, blocking everyone affected becomes a DoS vector in itself, since some of those are your own legitimate attacks.

The big problem for DDoS mitigation is that this requires much deeper knowledge of the protected application. It's hard to just put a box inline, or an unmodified cloud service, and have it block the attacks. There's both good science and great engineering to be done, by developers, platform vendors, and specialty anti-DDoS providers, to block this emerging kind of attack.

dantiberian, over 9 years ago
Far more concerning to me than this outage were the security incidents (https://news.ycombinator.com/item?id=10845278) that Linode seem to continually have once every year or so. The most recent one seems to have happened in July, but they didn't notify customers or reset passwords for another six (!) months. https://news.ycombinator.com/item?id=10845619

oliwarner, over 9 years ago
Wow, still a lot of people fighting over whether or not Linode is a good company. It's a shame we don't get to see how <hipster hosting company of the month> copes with 80gbps of DDoS on a single DC.

I'm personally happy with Linode. They have a seriously tough technical issue to deal with —as much working out what's happening as how to stop it— and they seem to be doing a fairly top job at staying afloat. My servers haven't gone down. Any downtime in the last four years has been my fault.

So even if they are targets of some ludicrously powerful botnet, I'd rather stay with them than let the bastards doing this win. The attack isn't hurting my business or my clients and each incident we go through, the lower the chances of it *ever* being a problem in the future.

On a more serious note, governments keep moaning on about encryption but botnets are still a much greater direct threat to national security.

larrymcp, over 9 years ago
Uh-oh, the attacks started again a few minutes ago:

http://status.linode.com/incidents/mkcgnmjmnnln

staunch, over 9 years ago
Where's the Linode founder(s) in all this, and why couldn't they have kept customers informed? It seems like a lone network engineer has been left to deal with a potentially company destroying event.

jph, over 9 years ago
> Our longest outage by far... can be directly attributed to frequent breakdowns in communication

I have direct experience with Linode staff breakdowns in communication because of a security problem before the December attacks.

The problem affected many Linode customers and included risks to confidential information such as billing.

The Linode staff communication was terrible. The problem was severe and ended up with Linode on a blacklist of companies that are not suitable for hosting.

I have to agree with tptacek: do not use Linode for anything, and if you do now, make plans to switch to a new provider.

To end on a happy note, I migrated the project to Rackspace, and the Rackspace staff communication is excellent.

ryanlol, over 9 years ago
> Layer 7 (“400 Bad Request”) attacks toward our public-facing websites

I really wonder what that is supposed to mean, Linode has mentioned it multiple times but not elaborated on what sort of an attack this is.

I personally haven't ever heard of a "400 bad request"-attack.

Edit: Yeah, I know what Layer 7 floods are :), but I'm pretty sure "400 bad request" floods are something Linode came up with, so that could use some elaboration by them.

virtuallynathan, over 9 years ago
I am pretty amazed Linode didn't have their own IP Transit up to this point. Their colo provider in Newark charges some pretty high prices from what I've seen.

tptacek, over 9 years ago
My plan is to keep saying this on Linode threads, just in case there are people who have missed it. Take my advice or leave it:

Please don't use Linode. If you are using it now, make immediate plans to switch. If you have friends who have things built on Linode servers, tell them to switch.

radialbrain, over 9 years ago
Slightly related question:

They mention segregating their customers into separate /24s, and consequently having to assign an IP from every one of these subnets to the router for use by the customer as a gateway.

Is there any reason why they couldn't get rid of these by having customers set up a static route to the "primary" IP of the router (migration / configuration issues aside)?

thomaslutz, over 9 years ago
We are currently getting DDoSed at Hetzner and they are clueless as well.

brownbat, over 9 years ago
No guess at motive? Did someone ask for ransom before these started? Is one of the Linode subscribers hosting censorship-evasion technologies? Or is this one just some very determined kids having fun over holiday break?

ancarda, over 9 years ago
> Our nameservers are now protected by Cloudflare

How? I thought CloudFlare only protected HTTP? Can you have it reverse proxy a DNS server or is Linode using CloudFlare as the host for ns1.linode.com now?

wereHamster, over 9 years ago
> after some stubborn transit providers finally acknowledged that their infrastructure was under attack and successfully put measures in place to stop the attacks.

Care to elaborate why it took them so long to ack? And name them so I know who to avoid in the future (or route around)!

tim333, over 9 years ago
> The pervasiveness of these types of attacks has caused hundreds of billions of dollars in economic loss globally.

Is it really $100bn+ ? If so we could do with some government funded research / countermeasures.

jakeogh, over 9 years ago
Thread on IPFS/DDoS: https://news.ycombinator.com/item?id=10329195

bjano, over 9 years ago
> blackholing is a blunt but crucial weapon in our arsenal, giving us the ability to ‘cut off a finger to save the hand’ – that is, to sacrifice the customer who is being attacked in order to keep the others online

There is something very ironic about this. They have a policy which instead of addressing the problem actively assists anyone wanting to attack their customers. No surprise that these customers have been complaining about this practice for a long time. But until now it was Somebody Else's Problem so they didn't bother figuring out some proper (or at least less terrible) solution. Now this lack of preparedness bit them in the ass...

brandon272, over 9 years ago
Does the buck stop with this network admin? Where's the CEO?

gauravphoenix, over 9 years ago
I wonder what will happen if Linode routes their traffic through CloudFlare...