Belgian ISP under 250 Gbps DDoS for days on end

497 points, posted by laurensr over 3 years ago

21 comments

s800, over 3 years ago
I got hit with a ~40Gbps DDoS last week. These attacks are on the rise. Some responses to folks above: Success working with upstreams is quite varied. Some care, some don't, and it can be difficult to get to folks that can help, even if their networks are impacted as well. Some carriers immediately turn this into a sales opp. - buy more bandwidth, buy more services.

In our case it was based on DNS reflection from a large number of hosts. I've contacted the top sources (ISPs hosting the largest number of attackers) and provided IPs and timestamps. I've received zero responses.

Geo-based approaches yielded no helpful reduction in source traffic.

Also, during this event we discovered an upstream of ours had misconfigured our realtime blackhole capability. As a result, I'm going to add recurring testing for this capability and burn a couple IPs to make sure upstreams are listening to our rtbh announcements.

Very concerned about the recent MikroTik CVE, as that is going to make for some very large botnets.

Personally this all is very disappointing because it creates an incentive to centralize / de-distribute applications to a few extremely large infrastructure providers who can survive an attack of these magnitudes.
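As an added example (not part of s800's comment or of the thread): one way the per-operator list of reflector IPs and timestamps described above could be assembled from flow records, counting only DNS responses that no local host asked for. The record layout, the sample flows, the `OPERATORS` table and the function name are constructed for illustration; all addresses are documentation ranges.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample flow records (time-ordered), one per line:
# time, proto, src_ip, src_port, dst_ip, dst_port, bytes
FLOWS = """\
2021-01-01T10:00:01Z,udp,203.0.113.10,40000,192.0.2.53,53,78
2021-01-01T10:00:01Z,udp,192.0.2.53,53,203.0.113.10,40000,140
2021-01-01T10:00:02Z,udp,198.51.100.7,53,203.0.113.10,51811,3900
2021-01-01T10:00:03Z,udp,198.51.100.7,53,203.0.113.10,51811,4020
2021-01-01T10:00:03Z,udp,198.51.100.99,53,203.0.113.10,1234,3800
2021-01-01T10:00:05Z,udp,192.0.2.200,53,203.0.113.10,1234,4100
2021-01-01T10:00:06Z,tcp,192.0.2.200,443,203.0.113.10,50000,1500
"""
# Hypothetical prefix-to-operator table; real data would come from whois/ASN lookups.
OPERATORS = {"198.51.100.0/24": "ISP-A (example)", "192.0.2.0/24": "ISP-B (example)"}

def abuse_summary(flow_text, victim_net, operators=OPERATORS):
    """Group unsolicited DNS responses aimed at victim_net by source operator."""
    victim = ipaddress.ip_network(victim_net)
    nets = {ipaddress.ip_network(p): name for p, name in operators.items()}
    asked = set()                # (resolver, client, client_port) of our own queries
    report = defaultdict(dict)   # operator -> reflector IP -> stats
    for ts, proto, src, sport, dst, dport, size in csv.reader(io.StringIO(flow_text)):
        if proto != "udp":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in victim and dport == "53":
            asked.add((dst, src, sport))          # legitimate outbound query
        elif d in victim and sport == "53" and (src, dst, dport) not in asked:
            op = next((n for net, n in nets.items() if s in net), "unknown")
            st = report[op].setdefault(
                src, {"first": ts, "last": ts, "flows": 0, "bytes": 0})
            st["last"] = ts                       # input is time-ordered
            st["flows"] += 1
            st["bytes"] += int(size)
    # Operators hosting the most reflectors come first
    return sorted(report.items(), key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for operator, hosts in abuse_summary(FLOWS, "203.0.113.0/24"):
        for ip, st in hosts.items():
            print(operator, ip, st["first"], st["last"], st["flows"], st["bytes"])
```

The answered query to 192.0.2.53 is excluded, so a report built this way lists only hosts that sent responses nobody requested.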

stingraycharles, over 3 years ago
Since this is HN, it’s 2021 and DDoS’es are still a thing: why are they still a thing? Is there some fundamental “anonymity” to the Internet that makes it impossible to structurally prevent DDoS attacks? Apart from CloudFlare-like approaches, is there any R&D in the pipeline that may kill this type of attack once and for all?

To me it’s incredibly infuriating to see the damage that still happens with these extremely simple techniques. Will it ever end?

Edit: to elaborate, I know that there are tons of insecure Internet devices and whatnot. I’m more interested in standards, and core protocol improvements that can fundamentally rid the world of these types of attacks.

ineedasername, over 3 years ago
I'm very much not a network engineer, but I'd like to understand the magnitude of this issue because my intuition *is wrong*:

250 Gbps seems like it would definitely be a lot for a server or website but it also seems like a drop in the bucket for an ISP providing broadband for many customers.

*Clearly I'm wrong* because it is an issue here. I'd like to understand *why* I'm wrong, and I hope that here, on HN, that's taken in the spirit of curiosity intended and not negativism.

So, what am I missing? Maybe Belgian broadband is lower capacity than what I'm used to in a US metropolitan area? Maybe this particular ISP served a population too small to have a... um... "fat pipe"? I'd like to understand.

JackMcMack, over 3 years ago
I'm an Edpnet subscriber currently suffering the effects of the DDOS. It's annoying to say the least. Last year's DDOS attack was relatively simple, pointed at the DNS servers. Simply using other dns servers was good enough to get back online. Edpnet also joined NaWas [0] at that time, a non-profit for ISPs to be able to redirect all traffic through big pipes when needed to deal with large attacks. Because the current attacks are rapidly shifting targets, it's a game of cat and mouse to properly filter the ddos.

In practice, this means that some sites such as google and youtube keep working, but other services might not be available. It is extremely annoying when all of a sudden AWS api calls time out, or a Teams or Slack call suddenly drops to very low bandwidth, and then drops entirely. I've had to resort to my phone's hotspot multiple times in the last few days. Yes, I pay for SLA, but what's the point in that? I've got priority in case of a cable break, and failover to 4G connection, but that's no use if the upstream is congested.

The sad part is that the attack works because it is a small isp, 45000 customers. [1] It is the main reason I'm a customer, they offer good service for great prices. Kudos for not paying the ransom. If the attacks continue for much longer, I will probably switch to the bigger, more expensive, less customer friendly isp. I'm happy to support a local company instead of a big multinational corporation. But if my clients can't depend on me when working from home, I've got no choice but to pick the ISP with the bigger and more expensive pipes.

[0] https://www.nbip.nl/en/nawas/

[1] https://datanews.knack.be/ict/nieuws/edpnet-al-dagen-getroffen-door-zware-ddos/article-news-1779585.html

ericbarrett, over 3 years ago
> EDIT 16/09/2021 10:12*: During the night we had two more attacks. We are working with the authorities, who have confirmed they are looking into it and are doing everything in their power to find the responsible individuals. We were contacted by an individual who verified he was behind the attacks, asking for a ransom.

Roughly how many criminal groups are active in DDoS ransoms (as opposed to data crimes, like cryptolockers and exfiltration)? How common is this nowadays? Clearly it happens, but I've no idea the general scale of the problem in 2021.

mfkp, over 3 years ago
I wonder if this is related to the attack on voip.ms (ongoing for multiple days)

https://twitter.com/voipms

leoc, over 3 years ago
Mods, can the URL please be corrected to https://issues.edpnet.be/?p=3507 ? The current link to https://issues.edpnet.be/ is likely to rot badly over the years.

tigerlily, over 3 years ago
How can I check my home network for signs I have any devices participating in a botnet?

hda2, over 3 years ago
Spamhaus bad ISPs. Give them low QoS until they fix their problem.

If all major exchanges and service providers agree to punish IP blocks, ISPs will have no choice but to better police their networks.

forty, over 3 years ago
Why are the people doing those attacks doing them? Ransom? Or are they just doing that to prove and advertise/demo their capacity to harm?

ThinkBeat, over 3 years ago
What is the motivation?

Extortion? Retribution? Censorship? Marketing? QA?

Are they asking for money to stop?

Are they being paid by some actor to do this because they wish to protest / punish the company?

Are they demonstrating what they can do, in order to drum up business?

Are they testing what their system can accomplish? and iron out any bugs and learn how to best utilize it? So what mitigations they face and how to overcome them?

edoceo, over 3 years ago
Don't the peering agreements have to pay for bandwidth? Isn't there a bigger cost for those flooding this one? Could they charge-back and encourage peers to throttle? Can peers fix this with pricing model changes?

blunte, over 3 years ago
How often do we ever find the actual individual humans responsible for these bad actions?

I would imagine if the individuals were identified, some harmed parties would spend money eliminating them to dissuade others doing the same thing.

r_singh, over 3 years ago
I worked at an ISP AAA/Radius provider and since we started offering a cloud offering to our customers we were DDoSed twice.

The source IPs were a Turkish university, I wrote to them a few times but they seemed clueless. Cloudflare's protection suite was beyond our budget and our engineers really started moving the system between 5 different IP blocks thanks to the help of our customers.

We still don't know who's responsible, but we suspect it could be done by our competitor...

(PS - We're based in India)

Aeolun, over 3 years ago
Is there no way to just completely block every IP sending you so much traffic?

You might end up blocking a few million, but your network remains uncongested.

teitoklien, over 3 years ago
https://gnunet.org/en/gns.html

vadfa, over 3 years ago
A 250 Gbps attack is bringing an ISP down? How is this possible in the age of 1 Gbps connections in every home?

Havoc, over 3 years ago
Unfortunately this works. Kills small ISPs on all fronts. Customer perception, technical and financial

pstuart, over 3 years ago
I'm assuming that eBPF would be a potent tool for dealing with this, and it looks like CloudFlare agrees: https://blog.cloudflare.com/l4drop-xdp-ebpf-based-ddos-mitigations/

bullen, over 3 years ago
Why not just block the offending IPs in iptables?

Edit: as a Swede it's very funny that customer is called klant in Dutch!

pt_PT_guy, over 3 years ago
and no one accountable :-)