On September 23, 2016 12:15:26 PM PDT, Sven-Haegar Koch <hae...@sdinet.de> 
wrote:
>On Fri, 23 Sep 2016, Mike wrote:
>
>> On 09/23/2016 11:30 AM, Seth Mattinen wrote:
>> > On 9/23/16 10:58, Grant Ridder wrote:
>> > > Didn't realize Akamai kicked out or disabled customers
>> > >
>> > > http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/
>> > >
>> > > "Security blog Krebs on Security has been taken offline by host Akamai
>> > > Technologies following a DDoS attack which reached 665 Gbps in size."
>> > 
>> > 
>> > So ultimately the DDoS was successful, just in a different way.
>> > 
>> > ~Seth
>> > 
>> > 
>> More technical information about the characteristics of these attacks would be
>> very interesting, such as the ultimate sources of the attack traffic
>> (compromised home PCs?), the nature of the traffic (DNS / SSDP
>> amplification?), whether it was spoofed source (BCP38-adverse), and whether
>> the recent takedown of vDOS was really complete or if it's likely someone
>> else gained control of the C&C servers that controlled its assets?
>
>At least for the OVH case there is a bit of info:
>
>https://twitter.com/olesovhcom/status/779297257199964160
>
>"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send 
>>1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."

Krebs said it was mostly GRE. Pulling from the archive.org copy of his post[1]:

"Preliminary analysis of the attack traffic suggests that perhaps the biggest 
chunk of the attack came in the form of traffic designed to look like it was 
generic routing encapsulation (GRE) data packets..."

This bothered me, though:

"McKeay explained that the source of GRE traffic can’t be spoofed or faked the 
same way DDoS attackers can spoof DNS traffic."

Please tell me why I can't spoof source IPs on a stateless protocol like GRE. 
If he specifically meant you can't spoof a source, hit a reflector, and gain 
amplification, sure, but I see zero reason why GRE can't have spoofed source 
IPs. It bothered me sufficiently that I wrote up some spit-balling ideas about 
reflecting GRE using double encapsulation[2]. Very rough and untested, but 
apparently I got a bee in my bonnet...

>c'ya
>sven-haegar
>
>-- 
>Three may keep a secret, if two of them are dead.
>- Ben F.

-- 
Hugo Slabbert       | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

[1] https://web.archive.org/web/20160922021000/http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[2] http://blog.slabnet.com/post/gre-reflection/
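Added example, not from Hugo's post, the Krebs article, or any vendor quoted in this thread. It illustrates the point of the thread from the edge-filtering side: an IPv4 packet's source address is just a header field, so a GRE packet (IP protocol 47) can carry a forged source exactly like a UDP packet can, and the controls that catch it are the same: BCP38-style ingress filtering on customer ports (source must be inside that customer's prefixes) plus accepting GRE only from configured tunnel peers. The packets, the peer list (`GRE_PEERS`) and the customer prefix (`CUSTOMER_PREFIXES`) are constructed for the example and use RFC 5737 documentation ranges; the header builder omits the IP checksum since nothing here validates it.

```python
import ipaddress
import struct
from collections import Counter

# IPv4 "protocol" field values relevant to the thread.
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47

# Assumptions for the example: one known GRE tunnel peer, one customer prefix
# behind a customer-facing port. Real deployments read these from config.
GRE_PEERS = {ipaddress.ip_address("203.0.113.10")}
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header plus payload (checksum left 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 packet; ValueError on junk."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (
        ipaddress.ip_address(pkt[12:16]),
        ipaddress.ip_address(pkt[16:20]),
        pkt[9],
    )


def classify(pkt, ingress_is_customer):
    """Verdict for one packet arriving on an edge interface.

    'bcp38-drop'       : customer port, source outside the customer's prefixes
                         (spoofed source; applies to GRE like any other protocol)
    'gre-unknown-peer' : GRE from an address we have no tunnel configured with
    'ok'               : everything else
    """
    src, _dst, proto = parse_ipv4(pkt)
    if ingress_is_customer and not any(src in p for p in CUSTOMER_PREFIXES):
        return "bcp38-drop"
    if proto == PROTO_GRE and src not in GRE_PEERS:
        return "gre-unknown-peer"
    return "ok"


def summarize(packets):
    """Count verdicts over (packet, ingress_is_customer) pairs."""
    return Counter(classify(p, c) for p, c in packets)


# Constructed traffic: (packet, seen on a customer-facing port?)
SAMPLE = [
    (build_ipv4("203.0.113.10", "192.0.2.1", PROTO_GRE), False),   # real tunnel peer
    (build_ipv4("192.0.2.77", "192.0.2.1", PROTO_GRE), False),     # GRE, unknown peer
    (build_ipv4("203.0.113.55", "192.0.2.1", PROTO_UDP), True),    # spoofed UDP on customer port
    (build_ipv4("192.0.2.200", "192.0.2.1", PROTO_GRE), True),     # spoofed GRE on customer port
    (build_ipv4("198.51.100.7", "192.0.2.1", PROTO_TCP), True),    # legitimate customer TCP
]

if __name__ == "__main__":
    for verdict, n in sorted(summarize(SAMPLE).items()):
        print(f"{verdict:18s} {n}")
```

The fourth sample is the case the quoted article gets wrong: a GRE packet with a forged source is dropped by the same ingress rule as the spoofed UDP packet, because nothing about GRE makes the outer IP source trustworthy. The peer allowlist is the additional control that makes sense for GRE specifically, since a host that terminates no tunnel with the sender has no reason to accept protocol 47 from it.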
