On September 23, 2016 12:15:26 PM PDT, Sven-Haegar Koch <haegar@sdinet.de> wrote:
On Fri, 23 Sep 2016, Mike wrote:
On 09/23/2016 11:30 AM, Seth Mattinen wrote:
On 9/23/16 10:58, Grant Ridder wrote:
Didn't realize Akamai kicked out or disabled customers
http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-aft...
"Security blog Krebs on Security has been taken offline by host
Akamai
Technologies following a DDoS attack which reached 665 Gbps in size."
So ultimately the DDoS was successful, just in a different way.
~Seth
More technical information about the characteristics of these attacks would be very interesting such as the ultimate sources of the attack traffic (compromised home pc's?), the nature of the traffic (dns / ssdp amplification?), whether it was spoofed source (BCP38-adverse), and whether the recent takedown the vDOS was really complete or if it's likely someone else gained control of the C&C servers that controlled it's assets?
At least for the OVH case there is a bit of info:
https://twitter.com/olesovhcom/status/779297257199964160
"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send
1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."
Krebs said it was mostly GRE. Pulling from the archive.org copy of his post[1]: "Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets..." This bothered me, though: "McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic." Please tell me why I can't spoof source IPs on a stateless protocol like GRE. If he specifically meant you can't spoof a source, hit a reflector, and gain amplification, sure, but I see zero reason why GRE can't have spoofed source IPs. It bothered me sufficiently that I wrote up some spit-balling ideas about reflecting GRE using double encapsulation[2]. Very rough and untested, but apparently I got a bee in my bonnet...
c'ya sven-haegar
-- Three may keep a secret, if two of them are dead. - Ben F.
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal [1] https://web.archive.org/web/20160922021000/http://krebsonsecurity.com/2016/0... [2] http://blog.slabnet.com/post/gre-reflection/