Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

49 pointsposted 9 months ago
by beefman
(blog.cloudflare.com)

19 Comments

walth

9 months ago

Meanwhile, it’s going on two weeks that a large volumetric amplification attack has been coming from CF itself against systems I manage.

Ironically, their abuse report does validate the domain being used to route traffic is a registered customer domain. But the abuse report and even Slack pings have yet to affect the traffic. It’s incredibly frustrating because you’d expect a company like Cloudflare, which positions itself as a defender against DDoS and similar threats, to take action much more quickly when they’re part of the problem.

theideaofcoffee

9 months ago

Enh. I try to be positive in my comments as much as I can. Whenever the subject of DDoS mitigation by cloudflare comes up, and it seems like they're always tooting their own horn, I struggle to be impressed. By their own info, they have approximately 330 global locations [0]. 3800Gbps divided roughly (remember, anycast, and if their upstreams are well mixed, they're going to see pretty consistent splitting) equally across 330 locations is 'only' ~11.5 Gbps each location. I'm guessing within each PoP is more than a handful of machines dedicated to DDoS mitigation. So sure, they're doing computation on each bit of all of that, but it still doesn't seem all that significant. Toss half a cabinet at mitigation and continue on with your day. These capabilities are available at such commodity prices nowadays it's hardly worth the effort of a full page blog post.

And ok, I'll give some leeway in those numbers looking at the map on the linked page, 35% or so of source traffic is clustered over five countries so that distribution skews and some pops around those source countries are going to be hit harder than others. Still, maybe add an order of magnitude and I'll be a little less dismissive.

[0] https://www.cloudflare.com/network/

matsur

9 months ago

The amount of work required to stand up 330 well connected locations and then operate infrastructure to filter traffic at that scale profitably is more than "tossing" cabinets at problems.

This is on the level of BrandonM's famous comment on Dropbox. https://news.ycombinator.com/item?id=9224

theideaofcoffee

9 months ago

Nah, not really. I know the amount of work standing up even 5% of that requires because I've been there, done that, have the sheet metal scars to prove it. It's a lot of effort. It's just not -hard-. After a while it's a copy-paste problem with it bottle-necking around the human: signing documents, waiting for tickets and whatnot, and it's pretty disingenuous to suggest it's not.

And ooh, ooh, I can flippantly dismiss a comment by calling back to that infamous comment as well! [0] You're actually posting this as a former VP? Geez dude, lighten up, they're not paying you anymore.

[0] https://news.ycombinator.com/item?id=40814123

orf

9 months ago

Is your speculated 11.5gbit per location not a result of their system rather than something to look down on?

Yes, anyone can shove a bunch of network equipment into a bunch of cabinets.

No, not anyone can shove a bunch of network equipment into a bunch of cabinets and run a service like cloudflare on top of that.

And is your argument really “I’ve spun up 16.5 PoP locations before, so I know what I’m talking about?”

theideaofcoffee

9 months ago

> And is your argument really “I’ve spun up 16.5 PoP locations before, so I know what I’m talking about?”

Actually quite a few more than that, but yes.

orf

9 months ago

Then you must know how terrible that argument is

theideaofcoffee

9 months ago

Who cares about justifying an argument to an internet forum when all that cash is being dropped in my account.

orf

9 months ago

You do, given your replies and initial post.

dewey

9 months ago

> and it seems like they're always tooting their own horn

It’s called marketing.

psd1

9 months ago

I worry that CF has perverse incentives

suprjami

9 months ago

What "perverse incentives" do you think they have?

They have a product. This is marketing for that product. The incentive is to make money. It's very clear imo.

psd1

9 months ago

CF sells treatment, not cure, for ddos. They are a major player in internet technology.

I presume that fora exist for players to discuss blue-team strategy, and that decisions are nuanced and detailed. If so, there's a lot of leeway to pursue a hidden agenda.

I'm not so concerned about what their doing now. It's about in a few years, when stock isn't as strong and MBAs are parachuted in to perk up the bottom line.

suprjami

9 months ago

How do you suggest CloudFlare "cure" DDoS? Wouldn't that mean finding the people who make the decision to do this and physically stop them? They're a CDN not the Mafia.

psd1

9 months ago

I never suggested anything so simplistic.

Imagine some replacement for tcp is proposed and a working group is set up to develop it. A member of that group might advocate for or against features. You could take the position "we should not include Feature X because it will have a performance impact in Scenario Y".

Scenario Y may or may not be real, but it doesn't matter, because you're using it as a stalking horse to get the outcome you actuality want, which happens to be defeated by Feature X.

The other group members know what you're up to, but they can't prove it because you have plausible deniability. They can't kick you out of the group because you serve 20% of the web.

To reiterate, I have no allegations to level against Cloudflare. I think it's a useful heuristic to assume that a public company, given sufficient market power, will become evil. CF has the market power.

suprjami

9 months ago

> Imagine some replacement for tcp is proposed

No need to imagine, QUIC exists.

Like every technology since 1980, it's unlikely to supplant Ethernet and TCP/IP, but it's the most successful effort yet.

SCTP also solves the problem of TCP-based DDOS because the client must participate in the handshake.

Good luck convincing all existing network software to switch to these protocols. I would like that too but it won't happen.

cedws

9 months ago

65 second attack? Very suspicious. This attack must have had some very specific goal.

gomerspiles

9 months ago

Why keep running an attack that didn't even work? Every second probably causes a loss of some bots up to a point..

blakesterz

9 months ago

That is weirdly short. Maybe just a test? Someone proving they could do it as part of a threat? Someone accidently pressed the "Go" button accidently? Someone showing off?