Source: www.schneier.com – Author: Bruce Schneier
Comments
Mark Johnson • October 7, 2024 7:13 AM
I think my numbers check out. WOW!
“A terabit is a multiple of the unit bit (b) for digital information or computer storage. The prefix tera (T) is defined in the International System of Units (SI) as a multiplier of 10^12 (1 trillion, short scale), and therefore 1 terabit = 10^12 bits = 1000000000000 bits = 1000 gigabits (Gb). The terabit is represented by the symbols Tbit and Tb.”
With 8 bits in a byte we have 1000000000000/8=125000000000 bytes (a byte is used to express 1 character of text).
Lexxica reports that the average page has 1800 characters (including spaces). So
125000000000/1800=15,625,000,000 (pages per Tb).
This attack was sending 3.8 times that PER SECOND (59,375,000,000 PAGES of content PER SECOND).
https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack-is-3-8-tbps.html
Clive Robinson • October 7, 2024 8:19 AM
I guess it’s not surprising that data rates on DDoS are,
“On the up and up”
Because two things are immediately obvious,
1, The performance / cost of hardware is rising rapidly
2, The security of such lower cost hardware is appalling.
Whilst there are other factors to consider, these two appear to be in effect “runaway without control”.
Though how you would get effective control and rein things in is something that is not going to be easy to do.
Morley • October 7, 2024 11:48 AM
DDOS gives power to a few mitigation companies. I hope we have a solution via Internet infrastructure before IoT gets much bigger. I haven’t heard of that.
Clive Robinson • October 8, 2024 4:26 AM
@ Morley,
With regards,
“I hope we have a solution via Internet infrastructure before IoT gets much bigger”
Simple answer is we don’t.
The reason is the IP protocols are packet based and designed to “route around damage”.
Blocking traffic to a destination is seen as “damage” by the upstream nodes towards the source. So they try to re-route. Thus you still get a flood of traffic.
The “correct way” to stop such traffic is with TCP to quench the connection request –send RST– but that does not work with UDP. But to distinguish what should or should not be quenched takes a lot of CPU cycles, and in theory and practice can only be reliably done by the destination host.
What is being done is to create a virtual or ghost network where backbone routers close to the source get told to fake a response from the host. This does not stop the DDoS attack but sweeps much of it into a bit bucket off of the real network, thus diminishing its effects.
The problem is the attacker has agency and can try different things to get around blocks. But the setting up of blocks is both reactive and takes time, which gives an attacker a time window to achieve their objective.
A past suggestion has been to make the “connection” phase expensive to the source. But as with Spam Email such suggestions do not work as the attacker is using other peoples resources thus does not see the cost etc.
Each potential preventative measure you look at almost always ends up causing some kind of harm that directly or indirectly achieves the attackers aim.
The only way to reliably limit DDoS attacks is “perfect security” on host systems such that an attacker can not subvert them into what are “Bot nets”.
Homer Beard • October 8, 2024 11:32 AM
As a corollary to what Clive wrote, internet access is getting cheaper just as hardware is. Even people in traditionally deprived areas, such as the USA, are starting to get good connections.
Mark’s numbers make this sound like a crazy amount of data, but it actually only requires about 4000 compromised devices—if they’re on gigabit connections, and are evenly distributed so as not to be sharing bandwidth. Think of your “favorite” terrible and insecure internet-of-things device. If they’ve been sold in the tens of thousands, they’re ready to be turned into a bot-net for attacks just like this one.
I think we need some sort of distributed filtering feature for stuff like this, in which each router could ask an upstream router to stop sending it packets matching some criteria. Of course, doing that insecurely would lead to its own problems, but we do have ways to prove ownership of internet protocol addresses.
Jesse Thompson • October 8, 2024 4:04 PM
DDoS is also a technique used by at least some mitigation companies to create a problem they are then magically able to sell solutions for.
I don’t have data on whether or not Cloudflare directly practices anything like that, but I have caught at least one provider I am not at liberty to name in the act before.
Homer Beard • October 8, 2024 8:05 PM
Clive wrote:
The “correct way” to stop such traffic is with TCP to quench the connection request –send RST– but that does not work with UDP.
It doesn’t work with TCP either, unless the remote end is “playing nicely”. Maybe they are, like if the flaw used to create the bot-net leaves the TCP stack un-exploited, or if some external device enforces it. I recall seeing some proposal, long ago, for on-path routers to drop traffic (for a while) in response to such things; I’m not aware of anything like that ever being widely implemented.
For now, a victim can ignore the traffic, or send all the TCP RSTs or ICMP errors they like, and it won’t change a thing about IP datagram routability. The attacker can often ignore that stuff just as well, and even keep sending as if the victim is sending ACK packets.
Clive Robinson • October 9, 2024 11:16 AM
@ Homer Beard, ALL,
Re : The “correct way”
Unfortunately the target has to “follow the rules” unless the upstream routers allow other techniques.
Daft as it might appear the attackers mostly “follow the rules” as they have “weight of numbers” as a sufficient advantage.
Knowing both sides of this is why certain people in the middle can profit greatly from it.
As has been pointed out above, some people are tempted to do things they should not to “make a sale”.
There is firm evidence of this from people attacking “Minecraft Servers” where some of those involved set themselves up as problem solvers for hire.
Likewise it is known that in the earlier days of ransomware, where the targets were “SoHo and home” users who had been easy targets due to lack of technical ability, a number of “Ransomware Recovery” agencies, rather than possessing technical expertise to decrypt files, just paid off the ransom and charged the client three times as much.
As my father who used to do forensic accounting amongst other things once noted, when talking about “fences” and the like, very few criminals make more than a few pennies in the pound because,
“Not only is there no honour amongst thieves, they steal from each other. Especially as they can betray those down the hierarchy to the authorities. So it gets them more at less risk.”
I guess the same logic applies in the intangible information universe as well if not better than it does in the tangible physical universe.
But my father also pointed out a couple of points that are worth remembering,
“Only ever do a crime once, otherwise you have an MO that will hang you.”
“If you have the brains to do a crime –that does not identify you–, you have the brains to earn more money honestly.”
The thing is crime happens at a point in time, investigation happens from that point on. As with ICT Attacks investigation techniques only improve with time.
Thus if you commit a crime you are on a “count down clock” until you are sufficiently linked to the crime. So the only two things that stop you being caught[1] are,
1, Lack of investigative resources.
2, You die before the improving techniques identify you.
The thing about “internet crime” is it can be “transnational” and unlike tangible physical crime you do not have to be where the crime happens. This makes investigation and prosecution expensive, thus not “cost effective”. Whilst not clearly stated, it’s obvious that crimes below a certain value do not get investigated, especially as the trend these days is for the authorities to “off load” investigation onto commercial entities. Like financial crime gets pushed at the banks, who have good reason not to investigate as their poorly designed and implemented systems built at “lowest price” are usually the reason the crime was possible in the first place…
And that is why DDoS etc is relatively easy to carry out and get away with as an attacker. And why if you put yourself in as a “Hero in the middle” (HIT’M) you profit greatly from the target(s)…
[1] There is/was a third, which is investigators jump the gun and prosecute ineffectively and you get found “not guilty” (which is not the same as innocent, which is why Scotland has “case not proven” as a third option). Thus if you do not get found guilty, the rule used to be that “you can not be tried twice for the same crime”. However that rule is falling away one way or another.
Homer Beard • October 10, 2024 12:25 PM
Daft as it might appear the attackers mostly “follow the rules” as they have “weight of numbers” as a sufficient advantage.
Not really daft in my opinion; there’s no reason to develop and “burn” a powerful exploit (hacking a kernel to control the TCP stack) when a dumb one, like using your target’s IP address in some HTML image tags, will do.
It does make me wonder what, exactly, the relevant “rules” are, and whether sending RST is a good use of them. On the attacker’s side, receiving that RST frees up some resources (source-port numbers, general connection limits), which I think might actually be the only thing preventing them from sending more data. If the victim resets the connection, the attacker can probably immediately try it again; if the victim ignores the connection, the attacker might be slowed down.
I’m also wondering whether “the rules” ought to be tweaked somewhat (or maybe they already have been; I haven’t been following such things lately). There might be some value in having kernel controls on client connection rates and such. Although, given the number of attackers that can be amassed, maybe it’d be too little too late.
Original Post URL: https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack-is-3-8-tbps.html