I wonder if this is a part of an attack that has been targeting private torrent trackers recently.
A lot of private trackers lately have been getting hit by DDOS attacks. To the point that a few have taken on extra developers/admins which have openly stated their primary goal is to deal with said attacks.
One in particular that has a large user base (35,000 active users) has been experiencing difficulties and is also a customer of CloudFlare. This might be one reason why CloudFlare is hesitant to give out details.
The "French networking host" (OVH) that is mentioned in the article is one of the largest suppliers of seedboxes I know of. Usually indirectly through smaller companies who buy from OVH and then provide support and server management services. In fact, this is so widely known within the private P2P community that "being on the OVH network" is actually a selling point due to the sheer amount of peers that you'll be getting ridiculously high speeds with.
Of course, it could all just be a coincidence too.
Is there a legitimate reason why any ISP / hosting provider etc allows traffic to exit with an IP that doesn't belong to them?
Surely enforcing this would prevent any IP spoofing, which would cut down on these types of attacks?
(As far as I'm aware in this type of attack you send packets purporting to be from your target, to anything on the internet that will blindly send back a reply. Hopefully the reply will be bigger/more packets than your request was, thus amplifying the bandwidth).
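The enforcement the question asks about is source-address validation at the provider's edge (the approach BCP 38 describes). The following is an added example, not code from the thread or from any provider: a hypothetical provider's outbound filter that drops packets whose source address is outside the prefixes it originates, and tallies the forged sources, since each forged source is the real victim of a reflection. `OWN_PREFIXES` and `SAMPLE_PACKETS` are constructed for the example.

```python
"""Source-address validation at the network edge, in the spirit of BCP 38
(added example). Reflection attacks need forged source addresses, so a
provider that refuses to forward packets claiming a source it does not own
stops them at the first hop.

Assumptions: OWN_PREFIXES stands in for the prefixes a hypothetical provider
announces; SAMPLE_PACKETS are constructed for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as written in the packet header
    dst: str
    proto: str
    sport: int
    dport: int


# Hypothetical: the address space this provider is entitled to send from.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]


def is_valid_source(src: str, prefixes=OWN_PREFIXES) -> bool:
    """True when the packet's source address lies inside one of our prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # unparsable header field: never let it out
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=OWN_PREFIXES):
    """Split outbound packets into those allowed to leave and those dropped as spoofed."""
    allowed, dropped = [], []
    for p in packets:
        (allowed if is_valid_source(p.src, prefixes) else dropped).append(p)
    return allowed, dropped


def forged_sources(dropped) -> Counter:
    """Tally forged source addresses; each one is the victim a reflector would answer to."""
    return Counter(p.src for p in dropped)


# Constructed traffic: two genuine NTP/DNS lookups from customer hosts and
# three packets that claim to come from addresses outside our network.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.53", "udp", 41234, 123),
    Packet("2001:db8:1::10", "2001:db8:2::53", "udp", 41235, 53),
    Packet("198.51.100.7", "192.0.2.53", "udp", 80, 123),   # forged source
    Packet("198.51.100.7", "192.0.2.54", "udp", 80, 123),   # forged source
    Packet("198.51.100.9", "192.0.2.53", "udp", 80, 123),   # forged source
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_PACKETS)
    print(f"allowed {len(ok)}, dropped {len(bad)} spoofed")
    for src, n in forged_sources(bad).most_common():
        print(f"  forged source {src}: {n} packet(s)")
```

The check is cheap because it only compares the source field against a short prefix list; the reason it is not universal is that it has to be deployed by the network the attacker sits in, which gains nothing from it itself. That is the incentive problem the thread is circling around.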
Yes, it is. But DDoS attacks on the EU or the US aren't launched from China/Africa anyway.
You need relatively low capacity to start an amplification attack, so a server at some ISP which doesn't care is enough. There are some ISPs which knowingly allow this, like Ecatel in The Netherlands which is probably the most notorious example.
The way to solve this is not through technology but through the bounty, which needs to be assisted-sponsored by the government(s) as it affects global strategic infrastructure.
Post a $5-$10M bounty to find those responsible, make their buddies salivate to give them up and then make a public case out of them for others to think 10 times more before engaging in stupidity.
In my opinion, the NTP reflection attacks are a result of a larger problem on the internet - large payloads being delivered without any sort of connection handshake. While it is easy to blame open ntp servers, dns resolvers, and snmp servers - these protocols wouldn't be as easy to abuse if the internet hadn't grown to rely on UDP. UDP is a connectionless protocol, so there is no handshake before data is thrown at the vulnerable target. Worse yet, there is no 'reset' function in these protocols, so there is no way for the victim to tell the remote host to shut up.
As for the targets of these attacks. They're still happening. It's honestly a pretty stupid attack. The connections are from victim:80 to ntpserver:123. The attackers don't seem to understand that port 80 is not a commonly used UDP port. I'm seeing the following targets in my ntp server's logs:
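The signature this commenter describes (requests arriving at port 123 with UDP source port 80, all "from" one address) is easy to pick out of a server's own logs. The following is an added example, not the commenter's code: it parses a constructed request log, flags three indicators (source port 80, mode 7 private-mode queries, and a burst of requests for one "client" address within a second) and reports addresses that trigger more than one of them as the likely spoofed victims. The log line format is invented for this example; a real ntpd or packet-capture log needs its own parser.

```python
"""Spotting reflection abuse in an NTP server's request log (added example).

The log format below is constructed for this example. Indicators:
  sport80 - UDP source port 80, which no real NTP client uses
  mode7   - NTP mode 7 (ntpd private mode) query, the large-reply kind
  burst   - at least `burst_per_second` requests for one address in one second
An address that trips two or more is most likely a victim whose address was
forged, not a client of ours.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ntp request src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) mode=(?P<mode>\d+)$"
)

# Constructed sample: one normal client (203.0.113.10), one address being
# reflected at (198.51.100.7), one lone mode 7 probe, and one unparsable line.
SAMPLE_LOG = """\
2014-02-13T10:00:00Z ntp request src=203.0.113.10 sport=123 dst=192.0.2.53 dport=123 mode=3
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:00Z ntp request src=198.51.100.7 sport=80 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:01Z ntp request src=192.0.2.99 sport=54321 dst=192.0.2.53 dport=123 mode=7
2014-02-13T10:00:17Z ntp request src=203.0.113.10 sport=123 dst=192.0.2.53 dport=123 mode=3
garbage line that does not parse
"""


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # ts is kept as a string: the timestamps have one-second resolution, so
    # equal strings mean "same second", which is all the burst check needs.
    return {"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "mode": int(d["mode"])}


def indicators(log_text: str, burst_per_second: int = 5):
    """Map each requesting address to the sorted list of indicators it tripped."""
    per_second = Counter()
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue          # skip lines we cannot read rather than guess
        if rec["sport"] == 80:
            found[rec["src"]].add("sport80")
        if rec["mode"] == 7:
            found[rec["src"]].add("mode7")
        per_second[(rec["src"], rec["ts"])] += 1
    for (src, _ts), n in per_second.items():
        if n >= burst_per_second:
            found[src].add("burst")
    return {src: sorted(tags) for src, tags in found.items()}


def likely_victims(log_text: str, min_indicators: int = 2):
    """Addresses tripping at least `min_indicators` indicators, i.e. probable forged sources."""
    return sorted(src for src, tags in indicators(log_text).items()
                  if len(tags) >= min_indicators)


if __name__ == "__main__":
    for src, tags in indicators(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(tags)}")
    print("likely victims:", likely_victims(SAMPLE_LOG))
```

The lone mode 7 probe from 192.0.2.99 trips one indicator and is reported but not classed as a victim, which is the point of requiring two. On the server side the practical fix is to stop answering such queries at all: ntpd's `restrict default noquery` refuses mode 6/7 control and private queries, and `disable monitor` switches off the monitor list those queries read from.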
It may not be a good idea to measure DDoS merely based on the volume. For example, a 100Gbps L7 attack is much harder to mitigate than a 100Gbps L3 attack. [1] Also, some had previously questioned the accuracy of CloudFlare's figures. [2]