Hacker News
Estimating the Revenue of a Russian DDoS Booter (arbornetworks.com)
120 points by r721 on March 22, 2016 | 53 comments



Hi. I run a thing that uses a lot of bandwidth.

Repeat after me:

I can not safely use usage-based pricing clouds like AWS and GCS until they get serious about the DDoS problem. I can not safely use usage-based pricing clouds like AWS and GCS until they get serious about the DDoS problem. I can not safely use usage-based pricing clouds like AWS and GCS until they get serious about the DDoS problem.

I've brought this up before: https://news.ycombinator.com/item?id=11261882 https://news.ycombinator.com/item?id=11000086

Many people are in denial about this. This article is not an outlier; this is exactly how DDoS is now. DDoSes are cheap to execute and devastating to the host. Your competitor will chip in a little Bitcoin and get these people to attack your site. Or they'll just do it because they're bored and it's basically free for them. I knew a guy who worked on a site; he told me they always got DDoSed every time his site put on a sale. Guaranteed DDoS.

Who gets the $30,000+ bandwidth bill for the attack? Well, if you're using AWS or GCS, you do of course (it happened to Greatfire, why won't it happen to you?)

30x market bandwidth markups, zero DDoS mitigation. Good luck.

Edit: Oh, and VPS providers (DigitalOcean, Linode) that just null route servers for hours or days during a DDoS: you're not off the hook either.


Cloudflare is cheap, and you can easily stick Cloudflare in front of your AWS/GCS boxes.


The free and $20 plans don't cover all DDoS attacks. The real stuff costs more than I spend on my entire monthly infrastructure. For my use case, it would cost $6000/mo (I need wildcards and full DDoS mitigation). I'm sure $6k is cheap for someone, but it's not cheap for us.

Meanwhile, providers like OVH, Ramnode, Vultr and BuyVM offer various levels of integrated DDoS protection for their servers and VPS for free or a very reasonable cost ($5-10 per month). It's out there, you just need to look for it.


Genuinely curious: How reliable are the DDoS protection services offered by these cheap providers?

BuyVM promises 500Gbps protection for $3/mo, whereas Vultr offers only 10Gbps protection for $10/mo. The pricing is all over the place. I would naturally assume that the quality is all over the place, too.


OVH will nullroute you in about 3 seconds if you're affecting the stability of their network. I've been hit with a very large DDoS attack before, and our host nullrouted us because the attack was causing instability for our neighbors in the rack due to the switch being flooded with too much traffic.


How long ago was this? From what I've read it seems this used to be the case, but they got their act together about it within the last couple of years. On their site they claim to offer DDoS protection bundled with their VPS offerings:

https://www.ovh.com/us/anti-ddos/


If you're using CloudFlare to protect your site against DDoS, you're essentially participating as part of a passive protection racket. "That's a pretty bold claim," you may reasonably contend. Here are the facts:

- A very large proportion (I would conservatively estimate >50%) of DDoS-for-hire sites are hosted on CloudFlare. I couldn't find a comprehensive survey of all attack service providers, but in a recent sample[1], 100% of the services were protected by CloudFlare.

- CloudFlare will not discontinue service for customers offering DDoS-for-hire services unless you are the police and bring them a court order [2].

- If you are not the police and submit a report of someone operating an illegal service behind CloudFlare, they will forward your report, unredacted, to the owner of the IP range. They will not tell you who owns it prior to forwarding the report. It is highly likely that your identifying information will be passed to the (anonymous) individual operating the attack service and that their (likely bulletproof) hosting provider will do absolutely nothing.

"Why do all of these services use CloudFlare?", you ask. One simple reason: before CloudFlare, the market of DDoS-for-hire services was somewhat self-regulating via all of the providers DDoSing each other. Since the advent of CloudFlare, though, many have used its protection to avoid attacks from the others, which has led to an increase in DDoS-for-hire services and a reduction in prices as they attempt to compete with each other. CloudFlare providing DDoS protection to these DDoS-for-hire sites therefore effectively increases the supply of such services. On top of that, "just use CloudFlare like everyone else" doesn't work for everyone -- people who don't easily fit into CloudFlare's plans (particularly people offering services via protocols other than HTTP/HTTPS) can't use it at all, while some others have to pay for a higher tier of service. It sounds pretty convenient for CloudFlare that all of these DDoS services are around (and cheap to use), doesn't it?

Further reading: http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

[1]: http://arxiv.org/abs/1508.03410 [2]: https://blog.cloudflare.com/thoughts-on-abuse/


I don't agree at all. I think CloudFlare is almost a public utility at this point, and they should offer services to anyone and be completely blind to the content they are serving. If LEAs have a court order, then they should definitely remove them from the service but not before. This is a law enforcement problem and it should not be CloudFlare's responsibility. Banks are not generally forced to police each customer's transactions, neither should CloudFlare be forced to police their network. They are a blind intermediary and they provide an extremely valuable service.


Cloudflare is MITM. It is unacceptable for any website that respects its users' privacy.


A great deal of DDoS services are essentially MITM intermediaries. Akamai, Black Lotus and others do the same thing. Why is CloudFlare the bad guy? They have an exemplary record thus far.


The comment I replied to was about Cloudflare. But what really concerns me are the website owners who betray their users by allowing their HTTPS traffic to be MITMd, no matter if they use Cloudflare or something else. Also it is not acceptable to let one entity (be it Cloudflare or anyone else) control a significant portion of the worlds web traffic.


That protects you from dumb attackers who don't understand how things work.

How will you protect the origin?


By never revealing the IP address of the origin. Conceal it completely behind CF. A properly configured CF setup will mean your real server IP never gets revealed ever.


Not always possible without expensive plans. For example, if you use websockets you will need a business/enterprise level plan in order to pipe through cloudflare. Non http/https services often fail to go through cloudflare as well. For example, you're gonna have to reveal origin to use ftp/sftp.


Have a separate domain that points to your real origin IP. This is how I do it. I have company.com and companyprivate.com (obviously named so it's not so obvious they are related). Company.com points to CloudFlare and companyprivate.com points directly to the origin. Nobody knows about companyprivate.com except the people who need to.


Not everyone needs websockets, and only the legitimate administrator needs to know the true IP address for ssh. Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.


>and only the legitimate administrator needs to know the true IP address for ssh

Again this is a blanket statement. I recently integrated with a service that required sftp access to function. Is this ideal? No, but if I could recreate the service efficiently I wouldn't be paying for it in the first place.

This and the websockets scenario were just two examples I can come up with from personal experience, I'm sure there are many other situations that I've never come across.

My point is that the above commenter was acting like cloudflare is a panacea for DDOS attacks.

>"A properly configured CF setup will mean your real server IP never gets revealed ever."

This makes it sound like only engineers who are inept with cloudflare are vulnerable to origin ip leaks which simply isn't true.

> Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.

I agree with you here 100%.


Most residential Canadian internet connections have bandwidth caps. They're usually between 20GB and 200GB. Customers could only wish that their markup on overage was just 30x...


Because of economies of scale bandwidth in a datacenter is always going to be substantially cheaper than bandwidth in homes. Connecting thousands of homes to an internet backbone requires much more infrastructure than connecting one datacenter.


Interesting note - the stereotype is of Russian attackers attacking developed-world targets, but around 50% of the targets are in Russia.


Attacking competitors presumably?


Or just attacking plain legal Russian targets - what we're getting in the US is likely just a spillover of the general computer crime problem over there.

Although there was one interesting case cited here that's sort of "the competition" - some criminals' forum admin removed the botnet's ad, so they attacked the forum. And then the forum turned around and reported them to the police.


Under $100 for a large-scale DDOS attack is ridiculously cheap. It's no wonder these are getting freakishly common.

Does anyone have a best-practices for dealing with the more modern variants?


There really isn't any beyond having a large pipe connected to a network device capable of filtering a high volume of pps.

That has always been the problem with competently executed DDoS attacks. You need a very large pipe as Step #1 which is simply not cost effective for most businesses. :/


There's a tiny bit of hope in there. The article claims that bots are polling CNC about once an hour (I suppose because they don't want to DOS themselves). So one option is to shift your service to a different domain name every hour, and notify your customers by email that they have to connect to a different host. This might be a lot of trouble, but may still allow you to support existing business relationships which is better than nothing.

It gets even better if you're publishing through a mobile app: that one can simply switch from one host to another on the fly without the customer even being aware of the problem beyond a slight delay in connection. The list of hosts would need to be distributed out of band as a tiny payload, either through a high-cost high-bandwidth channel (but in a very low volume, obviously, just the name of the new host), or via DNS TXT records so that they are hard to decipher reliably and require custom programming and raise the cost of the attack. There might even be hosts that will hold your alternate host list for free, such as the iTunes App Store (app description or even an in-app purchase "description" field).

Speaking of high-cost high-bandwidth providers, I think another option would be to host a CAPTCHA there, and those who solve it, or have cookies to prove that they did, or have logged in with a valid account, get redirected to one from the rotating lists of your normal hosts, with names and IP addresses changing every few minutes. An AJAXy application can then try different hosts in turn or in parallel before following a link.
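The client side of the host-rotation idea above (a host list published out of band, e.g. in a DNS TXT record, and an app that tries the listed hosts in parallel), as an added example that is not code from the thread. The TXT payload format (`v=hl1 exp=<unix time> h=host,host,...`), the host names, and the reachability probe are all constructed for the example; a real probe would be an HTTPS request with a short timeout. One caveat the comment does not mention: the list must be authenticated (DNSSEC, or a signature the app verifies), since whoever can answer the TXT query otherwise gets to pick the host your users connect to.

```python
"""Failover across a rotating list of front-end hosts.

Added example, not code from the thread or from the article. Record format,
host names and the probe are constructed; see the lead-in for assumptions.
"""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout

# Constructed TXT record value, as a resolver would hand it back.
SAMPLE_TXT = ("v=hl1 exp=1459000000 "
              "h=edge-a.example.net,edge-b.example.net,edge-c.example.net")

# Constructed state for the example: two fronts are currently null-routed.
NULL_ROUTED = {"edge-a.example.net", "edge-b.example.net"}


def parse_hostlist(txt, now=None):
    """Parse the constructed 'v=hl1 exp=... h=...' payload into an ordered
    host list. Rejects unknown versions and expired lists so a stale record
    (or a replayed old one) cannot keep clients pinned to dead hosts."""
    fields = dict(part.split("=", 1) for part in txt.split())
    if fields.get("v") != "hl1":
        raise ValueError("unknown hostlist version")
    expires = int(fields["exp"])
    now = time.time() if now is None else now
    if now > expires:
        raise ValueError("hostlist expired")
    return [h for h in fields.get("h", "").split(",") if h]


def fake_probe(host):
    """Stand-in for an HTTPS HEAD to https://<host>/health with a timeout.
    Constructed: anything in NULL_ROUTED is treated as unreachable."""
    return host not in NULL_ROUTED


def first_reachable(hosts, probe, timeout=2.0):
    """Probe every host concurrently and return the first one that answers,
    or None if none does within `timeout` seconds. Probe exceptions count
    as 'down' rather than aborting the whole search."""
    if not hosts:
        return None
    with ThreadPoolExecutor(max_workers=len(hosts)) as pool:
        pending = {pool.submit(probe, h): h for h in hosts}
        try:
            for fut in as_completed(pending, timeout=timeout):
                try:
                    if fut.result():
                        return pending[fut]
                except Exception:  # connection refused, TLS error, ...
                    continue
        except FuturesTimeout:
            pass
    return None


if __name__ == "__main__":
    hosts = parse_hostlist(SAMPLE_TXT, now=1458600000)
    print("candidates:", hosts)
    print("using:", first_reachable(hosts, fake_probe))
```

In the constructed scenario the client lands on `edge-c.example.net` without the user doing anything; when the operator rotates names, only the TXT record changes.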


My reading was that their C&C monitoring stuff was polling once an hour, not the bots themselves


DDoS is the antithesis to an open and free internet from a free market perspective because it drives people to a few select providers for hosting and CDN services. In the end, the big players in those spaces who have the bandwidth win. It's not so much about who has the best innovation either as DDoS tends to be all about brute-force.


DDoS is the very exemplar of Freedom Markets (tm). Probably its defining quality.

Functioning healthy markets require regulation, protection of property rights, fair and impartial court system, enforcement, etc, etc.

In other words, just like there's no free lunch, there's no such thing as "free markets".


Actually there are providers which will sell you a port ACL as part of their DDoS mitigation service. These ACLs can block almost all of the BS volumetric attacks which will cripple you. Everything gets blocked on the provider side. NTT's pricing is especially reasonable. TWTC has a similar service.


Yes. But once again, that is someone with a large enough pipe.

People sell DDoS mitigation but that isn't anything close to a business being able to mitigate things and caring about best practices.


A 1gig circuit is a large pipe?

Also, what are you talking about? Are you claiming that neither NTT nor TWTC can mitigate a DDoS attack? If so, you're massively wrong.


> Also, what are you talking about? Are you claiming that neither NTT nor TWTC can mitigate a DDoS attack? If so, you're massively wrong.

Both are in possession of large networks which allow them to mitigate DDoS attacks.

The small business with the 1gbps pipe isn't "mitigating" the attack. Their provider is mitigating the attack in return for payment.


Use a service like Cloudflare: it's 250 dollars and you're free of UDP attacks completely, plus a lot of TCP ones.


CloudFlare protection can be easily bypassed. These types of proxy services which offer decently cheap DDoS protection are fine for defending against small-time attacks, however, plenty of attackers have scripts capable of bypassing them.


You can't bypass it with SYN floods or UDP floods. And if we are talking about the size of the attack in terms of bandwidth, look at the Spamhaus and Cloudflare case. That wasn't small. I admit that a specialized, sophisticated attack from, let's say, the top 3 botnets would do damage and probably bypass Cloudflare's HTTP protection. But if someone is making such an attack on you then probably you can afford getting Prolexic.


What scripts are capable of bypassing CloudFlare/proxy services and how do they do it? Do they look for old DNS records that leak their Origin IP or something like that?


There are two ways to bypass CloudFlare and related services.

1) Most of the time, as Kephael said, websites expose their back end IPs through subdomains like ssh.domain.com or ftp.domain.com. MX records also sometimes function in the same way. There are a variety of ways to resolve a domain through CloudFlare.

2) CloudFlare bypass scripts can be bought for around $400 which manipulate the JavaScript per client when sending an attack (mainly by disabling JavaScript). This prevents the so called "challenge pages" from blocking malicious traffic, effectively slipping through CloudFlare protection. Most of these scripts work on most other providers such as Sucuri as well.


Here's how it could be done:

Spin up a hefty AWS instance and connect to every single IPv4 address while sending an HTTP GET request on successful connects with a Host header matching that of the domain. There are only 4 billion IPs. Look for successful 200s with the same headers and content as the original website. Easier said than done though.

Btw, this attack can be prevented if you run a drop-all firewall and only whitelist the IPs listed here: https://www.cloudflare.com/ips/
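The two defensive checks the last few comments describe, as an added example that is not code from the thread: walk the zone for records (A/AAAA, CNAME targets, MX hosts) that hand out an address outside the proxy's ranges, and generate the drop-all nftables ruleset that only admits the proxy's prefixes on the web ports, so the full-IPv4 scan above never gets a 200 from the origin. The zone and the list of proxy prefixes below are constructed sample input; the real prefix list has to be fetched from https://www.cloudflare.com/ips/ and refreshed, and the admin CIDR for SSH is an assumption.

```python
"""Find DNS records that expose an origin meant to sit behind a reverse
proxy, and emit an nftables allowlist for that origin.

Added example, not code from the thread. SAMPLE_CF_PREFIXES and
SAMPLE_ZONE are constructed sample input; use the provider's published
prefix list in practice.
"""
import ipaddress

# Constructed subset standing in for the published proxy prefixes.
SAMPLE_CF_PREFIXES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2400:cb00::/32",
]

# Constructed zone for example.com as (name, type, value).
SAMPLE_ZONE = [
    ("example.com.", "A", "104.16.123.45"),             # proxied, fine
    ("www.example.com.", "A", "104.16.123.46"),         # proxied, fine
    ("example.com.", "MX", "mail.example.com."),
    ("mail.example.com.", "A", "203.0.113.10"),         # mail on the web box
    ("ftp.example.com.", "A", "203.0.113.10"),          # forgotten subdomain
    ("sftp-partner.example.com.", "A", "203.0.113.10"), # partner SFTP, same box
    ("blog.example.com.", "CNAME", "www.example.com."), # resolves to proxy, fine
    ("dev.example.com.", "A", "198.51.100.7"),          # another direct host
]


def is_proxied(addr, nets):
    """True if addr falls inside one of the proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve(name, zone, depth=0):
    """Follow CNAMEs inside the constructed zone; return the address set."""
    if depth > 8:  # CNAME loop guard
        return set()
    addrs = set()
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype in ("A", "AAAA"):
            addrs.add(value)
        elif rtype == "CNAME":
            addrs |= resolve(value, zone, depth + 1)
    return addrs


def find_exposed_records(zone, prefixes, origin_ip):
    """Return (name, address_or_target, reason) for every record that lets a
    client reach something outside the proxy. MX hosts are flagged only when
    they resolve to the web origin itself, since mail is never proxied."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    findings = []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA", "CNAME"):
            addrs = [value] if rtype != "CNAME" else sorted(resolve(value, zone))
            for addr in addrs:
                if is_proxied(addr, nets):
                    continue
                reason = "direct origin address" if addr == origin_ip else "unproxied address"
                findings.append((name, addr, reason))
        elif rtype == "MX" and origin_ip in resolve(value, zone):
            findings.append((name, value, "MX host is the web origin"))
    return findings


def nft_allowlist(prefixes, admin_cidr, ports=(80, 443)):
    """Render a drop-by-default nftables table that admits the proxy prefixes
    on the web ports and one admin CIDR on SSH. Everything else, including a
    scanner's GET with a forged Host header, is dropped."""
    v4 = [p for p in prefixes if ipaddress.ip_network(p).version == 4]
    v6 = [p for p in prefixes if ipaddress.ip_network(p).version == 6]
    portset = ", ".join(str(p) for p in ports)
    lines = ["table inet cf_origin {"]
    if v4:
        lines.append("  set proxy4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set proxy6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    iif lo accept",
              "    ct state established,related accept",
              "    ip6 nexthdr icmpv6 accept"]
    if v4:
        lines.append("    ip saddr @proxy4 tcp dport { %s } accept" % portset)
    if v6:
        lines.append("    ip6 saddr @proxy6 tcp dport { %s } accept" % portset)
    lines += ["    ip saddr %s tcp dport 22 accept" % admin_cidr,  # assumption
              "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_exposed_records(SAMPLE_ZONE, SAMPLE_CF_PREFIXES, "203.0.113.10"):
        print("LEAK %-28s %-22s %s" % finding)
    print(nft_allowlist(SAMPLE_CF_PREFIXES, "198.51.100.0/24"))
```

Run against the constructed zone this flags the MX host, the three records that point straight at 203.0.113.10, and the dev host, while the CNAME to the proxied www record passes. The ruleset has to be regenerated whenever the proxy's prefix list changes, and it only hides the origin; a proxied site still needs the proxy to be the only path, so the origin should also refuse connections whose TLS client is not the proxy (origin pull certificates) where the provider supports that.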


Frequently there will be MX records or something similar pointing directly to the server. Even error pages can potentially leak a direct, unprotected IP.


If your email is hosted on the same machine as your web server, I don't think DDoS attacks are your highest priority.


This problem exists mainly because the most used os doesn't have a package manager/app store or a secure and safe way to install software and it still doesn't because there is a huge av/security industry built to solve the problem it creates.


It does, actually, it's just that a) nobody uses it and b) any time it gets brought up people rail against Microsoft for trying to tell them what to do with their computers.


What does a DNS relay attack have to do with Windows clients?


FWIW, the images in this post fail to load if HTTPS Everywhere is enabled.


I can't imagine that DDoS is an effective competitive technique? Are people really buying these against their competitors? I would have assumed that they were mostly part of ransom campaigns.


I guess if you run yet-another-dog-food-store and you want to get more business, you target the top 3 competitors whenever they have sales events and at random throughout the year during busy periods. They'll lose custom to you and other stores because customers hate slow/broken sites. Just make sure you don't ddos everyone except yourself. Bit of a give away.


People cheat. Especially if they think the cost is low and the chance of punishment is not high. Never assume that people are nice before lazy.


I'm not sure I understand why it was an error for forceful to show his MD5 and SHA1 hashes. Can anyone explain?


He uploaded the .exe of his malware to the malware checker sites (like VirusTotal) and then posted the hashes. You can look up the hashes on VirusTotal and then get the executable.


Dennis you left the name of the Russian DDoS site in one of your images...you may want to consider cropping this.


He explicitly states the site name in the article. No real reason to remove it imo.

>ASERT keeps tabs on DDoS botnets and their attack activity with our BladeRunner botnet monitoring system and kypitest[.]ru is no exception.


Except it's not that site - https://fuc***.ru/ is where you can purchase these services.


$20k/yr, there goes my plans for quitting my dayjob...




