Daily DDoS Attacks... [at another provider]

This is used for general discussion that is not necessarily server-related.
ren3gade
This is my homepage
Posts: 87
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Tue Jun 05, 2012 5:43 pm
Location: USA

Daily DDoS Attacks... [at another provider]

Post by ren3gade »

Well lately.. my servers have been getting randomly DDoS'd. I do not understand why, or what their motive is, as my clan and I are generally neutral or friendly with every other clan out there for the most part. We've had a couple of run-ins here and there with some other larger communities/clans, but they're pretty much solved now.

So I am just curious if anyone else has been having issues lately with attacks? I am hosted through a very large and reputable hosting company, that offers high quality DDoS Protection for their prices and a decent filter system. But if you know anything about networking & DDoS attacks, then you should know that it is near impossible to make your server immune to all DDoS attacks. Even if you spend $3k a month on Prolexic, you still aren't 110% guaranteed. Especially with the rise of NTP attacks.

One thing I noticed today was, when my Counter-Strike: Global Offensive Idle Server got fixed.. I started to populate it. As soon as it started to fill up with players, we randomly got hit. And of course as always, all of our servers lag badly/some of them go offline. And then our host mitigates the attack within 1-3 minutes generally.

Normally any attack would be instantly mitigated and the servers wouldn't even notice a thing, with the host I'm at. But the attacks that we've been getting hit with, have been spiking up to 650gb/s. Now this big of a spike is insane.. and it's obvious that whoever is doing it, has some dedis with NTP Scripts/Amplification on it. (assuming they learned about NTP attacks from DerpTrolling)

So, if you haven't heard already.. DerpTrolling hitting Cloudflare with over 400gb/s, has spread like wildfire. Especially after Cloudflare posted a blog explaining the attack, and how it works. They are using NTP amplification, which can theoretically amplify One Dedicated Server (On 1gb/s Port) to send an attack of over 200gb/s if you have a fully populated amp list. Throw in a few more dedis, and you have extremely insane attack power. Hackers and even little skids are obviously taking notice of this, as it is now as easy as purchasing a cheap dedi from a host that allows IP spoofing, and buying an NTP script from someone, throwing it on the server, and dropping gameservers/websites/whatever left and right. And Cloudflare even ends the blog with this: "Finally, if you think NTP is bad, just wait for what's next. SNMP has a theoretical 650x amplification factor. We've already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up."

--------------------------------------

Edit: This post above was one I made on Alliedmods today. And it seems that I am in the same boat. I had a feeling it was ClanVPP. As they have many CS:GO idle servers that are popular. (they're trying to make theirs more popular = more cash for them running ads)

My Idle Servers are hosted at another provider which has a shit ton of DDoS mitigation, and the attacks will drop my servers for about 1-5 minutes max. Then it mitigates. It normally would instantly mitigate, but these attacks are bursting/peaking upwards 650gb/s....
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Daily DDoS Attacks...

Post by soja »

League of Legends is also getting taken down daily, almost every game I try to play there is some sort of communication issue. I can only play very late at night to try to dodge the kids attacking them.
Not a NFO employee
ren3gade
This is my homepage
Posts: 87
Joined: Tue Jun 05, 2012 5:43 pm
Location: USA

Re: Daily DDoS Attacks...

Post by ren3gade »

soja wrote:League of Legends is also getting taken down daily, almost every game I try to play there is some sort of communication issue. I can only play very late at night to try to dodge the kids attacking them.
I have a feeling it's someone using a specific exploit. Cuz my servers should be able to handle pretty much any DDoS attack, as my host can handle alottttt.
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Daily DDoS Attacks...

Post by Edge100x »

The largest attacks aren't up to 400 Gbps or 650 Gbps yet, but they're still very large, to the point that nobody is able to mitigate them effectively right now (at least, according to the FBI). Internap is certainly struggling with the larger ones.

CloudFlare is in the business of selling DDoS mitigation and their posts definitely have some marketing spin to them. They are behind the times in relation to SNMP, as it has been used for a while. NTP's amplification level is around 1165x, because the request packets are 40 bytes and the responses total 46800 bytes (when it's done correctly).

No advertisements for other hosts here, please, and no links to sites which offer attack tools.
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Daily DDoS Attacks...

Post by soja »

With NTP reflection attacks, the incoming packets are not spoofed right? Meaning you can identify the vulnerable NTP servers and have them fixed? Do you think the attacks will generally get smaller, as the amount of available NTP servers decreases, or get larger as attackers harness more?
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Daily DDoS Attacks...

Post by kraze »

soja wrote:With NTP reflection attacks, the incoming packets are not spoofed right? Meaning you can identify the vulnerable NTP servers and have them fixed? Do you think the attacks will generally get smaller, as the amount of available NTP servers decreases, or get larger as attackers harness more?
Yes, and we do. I know we've sent out many abuse emails. I think we're likely in the 200K range now. Since NTP is catching on and people are realizing they can't just ignore it. Many may start dropping it at their borders and some have taken a whitelisting route, similar to Internap.

As with the case of most of these types of attacks, many don't know that they're being used. Once they realize it they'll shut off the servers or upgrade to the latest package which fixes this exploit.

Generally, though, as attacks like these keep happening the list of public NTP servers will shrink, which in turn will make the attacks smaller, but things always get worse before they get better.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Daily DDoS Attacks...

Post by Edge100x »

soja wrote:With NTP reflection attacks, the incoming packets are not spoofed right? Meaning you can identify the vulnerable NTP servers and have them fixed?
We see the actual IP addresses of the reflectors, that is correct. This has allowed me to send out hundreds of thousands of emails to exploitable hosts, letting them know that they need to fix their stuff. I haven't seen many other places sending similar emails, but I imagine a few must be.
Do you think the attacks will generally get smaller, as the amount of available NTP servers decreases, or get larger as attackers harness more?
The attacks will peak at some point, as more attackers use them and they use spoofed sources with larger pipes, and then they will become less effective, as the global effort to fix or filter NTP servers fully takes effect and/or the (relatively small and getting smaller) number of NTP servers just can't deliver the same amount of attack traffic. It's hard to tell when this will be. Certainly the issue is getting more and more attention right now.
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Daily DDoS Attacks... [at another provider]

Post by soja »

Does NTP have a legitimate purpose passing through your pipes at Internap? Is it possible to just filter MONLIST response packets permanently?
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Daily DDoS Attacks... [at another provider]

Post by Edge100x »

soja, most upstream devices don't allow fine-grained ACLs that can block on packet length or contents, so that's not really possible. It's really all NTP traffic or no NTP traffic (with a few whitelisted exceptions).

Our internal mitigation system can easily do what you suggested, of course, but with 100+ Gbps attacks, filtering has to be done upstream.

I can't go into specifics on the measures that I've asked Internap to take at this time, but I've fleshed out every necessary avenue, many times, to all of the relevant people.
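The two points above (reflector source addresses are genuine, so they can be collected for abuse notification; and monlist reply traffic is recognizable by its fixed packet size) can be turned into a simple flow-level detector. This is an added example, not code from the thread or from NFO/Internap; it assumes NetFlow-style records in a constructed CSV shape (src,sport,dst,dport,pkts,bytes) and uses the 40-byte request and 46800-byte reply figures quoted in the thread.

```python
from collections import defaultdict

NTP_PORT = 123
# A monlist reply carries 440 bytes of NTP payload (8-byte header + 6 x 72-byte
# entries); with 20-byte IPv4 and 8-byte UDP headers that is 468 bytes on the
# wire. A full reply is ~100 such packets = 46800 bytes, as quoted in the thread.
MONLIST_REPLY_WIRE_LEN = 468
MONLIST_REPLIES_PER_REQUEST = 100
REQUEST_WIRE_LEN = 40  # request size quoted in the thread

# Constructed sample flow records (not real traffic): src,sport,dst,dport,pkts,bytes
SAMPLE_FLOWS = [
    "198.51.100.7,123,203.0.113.10,27015,100,46800",   # one full monlist reply burst
    "198.51.100.8,123,203.0.113.10,27015,200,93600",   # two bursts at the same victim
    "192.0.2.44,123,203.0.113.10,27015,3,228",         # ordinary 76-byte NTP replies
    "203.0.113.10,27015,192.0.2.99,54321,50,4000",     # game traffic, not NTP at all
    "198.51.100.7,123,203.0.113.11,27016,200,93600",   # same reflector, second victim
]

def parse_flow(line):
    src, sport, dst, dport, pkts, nbytes = line.strip().split(",")
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes)}

def is_monlist_reflection(flow):
    """Reply traffic from UDP/123 whose mean packet size is the monlist reply size.
    Ordinary NTP replies are 76 bytes on the wire, so they do not match."""
    if flow["sport"] != NTP_PORT or flow["pkts"] == 0:
        return False
    return flow["bytes"] // flow["pkts"] == MONLIST_REPLY_WIRE_LEN

def reflectors(lines):
    """Aggregate suspected reflection traffic by reflector IP. The reflector's
    address is genuine (only the request sent to it was spoofed), so this is
    the list an abuse notification goes to."""
    out = defaultdict(lambda: {"pkts": 0, "bytes": 0, "victims": set()})
    for line in lines:
        flow = parse_flow(line)
        if is_monlist_reflection(flow):
            out[flow["src"]]["pkts"] += flow["pkts"]
            out[flow["src"]]["bytes"] += flow["bytes"]
            out[flow["src"]]["victims"].add(flow["dst"])
    return dict(out)

def estimated_amplification(entry):
    """Observed reply bytes over the request bytes that would have triggered them
    (one 40-byte request per ~100 reply packets); 46800/40 = 1170x per burst."""
    requests = max(1, entry["pkts"] // MONLIST_REPLIES_PER_REQUEST)
    return entry["bytes"] / (requests * REQUEST_WIRE_LEN)

def notify_order(lines):
    """Reflector IPs sorted by bytes delivered, heaviest first."""
    agg = reflectors(lines)
    return sorted(agg, key=lambda ip: agg[ip]["bytes"], reverse=True)
```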
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Daily DDoS Attacks... [at another provider]

Post by soja »

Edge100x wrote:soja, most upstream devices don't allow fine-grained ACLs that can block on packet length or contents, so that's not really possible. It's really all NTP traffic or no NTP traffic (with a few whitelisted exceptions).

Our internal mitigation system can easily do what you suggested, of course, but with 100+ Gbps attacks, filtering has to be done upstream.

I can't go into specifics on the measures that I've asked Internap to take at this time, but I've fleshed out every necessary avenue, many times, to all of the relevant people.
Alright John, I was just getting curious, exactly what I was looking for :)

Thanks
ren3gade
This is my homepage
Posts: 87
Joined: Tue Jun 05, 2012 5:43 pm
Location: USA

Re: Daily DDoS Attacks...

Post by ren3gade »

Edge100x wrote:The largest attacks aren't up to 400 Gbps or 650 Gbps yet, but they're still very large, to the point that nobody is able to mitigate them effectively right now (at least, according to the FBI). Internap is certainly struggling with the larger ones.

CloudFlare is in the business of selling DDoS mitigation and their posts definitely have some marketing spin to them. They are behind the times in relation to SNMP, as it has been used for awhile. NTP's amplification level is around 1165x, because the request packets are 40 bytes and the responses total 46800 bytes (when it's done correctly).

No advertisements for other hosts here, please, and no links to sites which offer attack tools.
Well then how large are the attacks that are knocking out your guys' whole entire strongest locations such as Chicago and New York?

Because Cloudflare reported that DerpTrolling hit them with over 400gb/s. I've spoken to a handful of other "amateurs" on other sites about NTP lately, and they're easily hitting over 200gb/s with 1-2 dedicated servers with NTP Scripts/Amplification.. and even dropping Prolexic+Akamai.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Daily DDoS Attacks...

Post by kraze »

ren3gade wrote:
Edge100x wrote:The largest attacks aren't up to 400 Gbps or 650 Gbps yet, but they're still very large, to the point that nobody is able to mitigate them effectively right now (at least, according to the FBI). Internap is certainly struggling with the larger ones.

CloudFlare is in the business of selling DDoS mitigation and their posts definitely have some marketing spin to them. They are behind the times in relation to SNMP, as it has been used for awhile. NTP's amplification level is around 1165x, because the request packets are 40 bytes and the responses total 46800 bytes (when it's done correctly).

No advertisements for other hosts here, please, and no links to sites which offer attack tools.
Well then how large are the attacks that are knocking out your guys' whole entire strongest locations such as Chicago and New York?

Because Cloudflare reported that DerpTrolling hit them with over 400gb/s. I've spoken to a handful of other "amateurs" on other sites about NTP lately, and they're easily hitting over 200gb/s with 1-2 dedicated servers with NTP Scripts/Amplification.. and even dropping Prolexic+Akamai.
Exact numbers likely can't be shared, but they're very large. Cloudflare rounded that number up a bit. The attack itself was more in the range of 360, still very large, though.

At this point, the size of the attacks isn't very important. Since in general they're just large enough to knock off just about anyone, including datacenters and ISPs.

NTP server owners are reacting and many are closing down their servers and patching the exploit. CF wrote a blog post about it.
http://blog.cloudflare.com/good-news-vu ... osing-down

Many datacenters and their upstream providers are dropping unknown NTP traffic at their borders. Which is extremely helpful as it pretty much stops the attacks in their tracks.
ren3gade
This is my homepage
Posts: 87
Joined: Tue Jun 05, 2012 5:43 pm
Location: USA

Re: Daily DDoS Attacks...

Post by ren3gade »

kraze wrote:
ren3gade wrote:
Edge100x wrote:The largest attacks aren't up to 400 Gbps or 650 Gbps yet, but they're still very large, to the point that nobody is able to mitigate them effectively right now (at least, according to the FBI). Internap is certainly struggling with the larger ones.

CloudFlare is in the business of selling DDoS mitigation and their posts definitely have some marketing spin to them. They are behind the times in relation to SNMP, as it has been used for awhile. NTP's amplification level is around 1165x, because the request packets are 40 bytes and the responses total 46800 bytes (when it's done correctly).

No advertisements for other hosts here, please, and no links to sites which offer attack tools.
Well then how large are the attacks that are knocking out your guys' whole entire strongest locations such as Chicago and New York?

Because Cloudflare reported that DerpTrolling hit them with over 400gb/s. I've spoken to a handful of other "amateurs" on other sites about NTP lately, and they're easily hitting over 200gb/s with 1-2 dedicated servers with NTP Scripts/Amplification.. and even dropping Prolexic+Akamai.
Exact numbers likely can't be shared, but they're very large. Cloudflare rounded that number up a bit. The attack itself was more in the range of 360, still very large, though.

At this point, the size of the attacks isn't very important. Since in general they're just large enough to knock off just about anyone, including datacenters and ISPs.

NTP server owners are reacting and many are closing down their servers and patching the exploit. CF wrote a blog post about it.
http://blog.cloudflare.com/good-news-vu ... osing-down

Many datacenters and their upstream providers are dropping unknown NTP traffic at their borders. Which is extremely helpful as it pretty much stops the attacks in their tracks.
Well that's very good to hear. It sure has been a hell of a hectic past month or so with all of this. Hopefully it can get patched up on a wide scale, to not allow anyone with a little bit of money to send attacks out in the 100's of GB/S. I remember back in 2010 or 2011 I think even, when 5-10gb/s was a lot.
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Daily DDoS Attacks... [at another provider]

Post by Edge100x »

5-10 Gbps is still a lot, and that's what's so crazy about the new 100+ Gbps attacks.

NTP attacks have a limited lifespan, but they will continue to trouble everyone until then.
ren3gade
This is my homepage
Posts: 87
Joined: Tue Jun 05, 2012 5:43 pm
Location: USA

Re: Daily DDoS Attacks... [at another provider]

Post by ren3gade »

I am still being attacked sadly. And these attacks are extremely large still.

They are targeting my CS:GO Idle Servers. Any ideas on who is doing this anyone? (probably whatever CS:GO idle servers aren't getting knocked offline ever)