  1. #1
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780

    Large attacks targeting industry giants over the past few days

    I made this post on the reliablesite down thread in the network issues forum. But I felt like it deserves its own thread, and may give other providers the chance to comment if they've seen the same attacks recently on their network.

    Psychz was attacked yesterday. (>100Gbps)
    Cogent was attacked yesterday. (reportedly)
    OVH was attacked yesterday (source: https://twitter.com/olesovhcom/statu...19962036314112)
    Krebs was attacked today. (source: https://twitter.com/briankrebs/statu...98865619836928)
    Blizzard was attacked today. (source: https://twitter.com/PoodleCorp/statu...34956456120320)
    Choopa/Vultr were attacked today. (source: http://www.webhostingtalk.com/showthread.php?t=1599421)
    Riot were attacked 3 days ago. (source: https://twitter.com/PoodleCorp/statu...73040434872321)

    You can probably find more, someone is tossing around some seriously large attacks at the industry.
    Some of the attacks are being claimed by LizardSquad/PoodleCorp. The others, such as the large attack that hit OVH/Choopa/Psychz haven't been publicly claimed that I could find.

    And an interesting write-up here as well: https://www.schneier.com/blog/archiv...e_is_lear.html
    Last edited by anon-e-mouse; 09-21-2016 at 12:28 AM.
    Swiftnode.net − Performance VPS, Dedicated Servers & Game Servers
    12 Global Locations − North America, Europe, Japan, India, and Australia
    Always-On DDoS Mitigation (UDP & TCP) − Optimized Routing − 24/7 Support

  2. #2
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Akamai reporting a "network event." Possibly related.
    Last edited by Swiftnode; 09-20-2016 at 10:27 PM. Reason: I couldn't edit my original post, sorry mods.

  3. #3
    Join Date
    Mar 2003
    Location
    /root
    Posts
    22,368
    Yeah, noticed this too and this is a bad business.

    Specially 4 U
    .
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
    Jones.Solutions | Jones.Hosting | Estela.Cloud

  4. #4
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Some new updates, Akamai has dropped Brian Krebs (http://krebsonsecurity.com) indefinitely due to the scale of the attacks.

    Voxility showing some large attacks.
    http://i.imgur.com/N0rjL8P.png - Large TCP Flood (~530Mpps)
    http://i.imgur.com/4yytOSN.png
    Last edited by Swiftnode; 09-22-2016 at 06:34 PM. Reason: whoops ;)

  5. #5
    Join Date
    Mar 2009
    Location
    Here Today - Gone to Maui
    Posts
    9,376
    You're absolutely right - this is disconcerting to say the least. Thanks for the links.
    ProlimeHost - Dedicated Server Hosting & KVM SSD VPS
    Three Datacenter Locations: Los Angeles, Denver & Singapore
    SuperMicro Hardware | Multiple Bandwidth Providers | 24/7 On-site Engineers

  6. #6
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    The group behind the attacks appears to be "Ghost Squad" (as per https://twitter.com/BannedOffline/st...80149957423105 & https://twitter.com/BannedOffline/st...97938853261316)

    Additionally,
    WoW servers were offline this morning.
    Verizon recently had serious network issues in Baltimore.
    Xbox Live is being reported down in some regions. (some users are stating downtime has been 3-4 days which matches up with the window of when the large attacks began.)
    PoodleCorp reporting they took down the Battlefield servers, EA posted a maintenance statement last night for the affected games. (https://twitter.com/PoodleCorp/statu...57323561123840)

  7. #7
    Join Date
    Jul 2016
    Posts
    182
    At this rate, these attacks are totally no joke. I speculate we will soon read about a major vulnerability that has allowed this to happen way too easily, so the attacker/s don't even have to spend money on this, since attacks at this scale don't happen easily and usually there is a reason behind them. It's not very clear what the reason is this time.

  8. #8
    Join Date
    Jul 2015
    Posts
    75
    Now that Akamai dropped Krebs, maybe Cloudflare could help like it did with Spamhaus?

    And how is BCP38 still not followed by all hosts out there? Hopefully this gets coverage.

  9. #9
    Quote Originally Posted by stefeman View Post
    And how is BCP38 still not followed by all hosts out there? Hopefully this gets coverage.
    Because of how hardware accelerated routing is usually implemented. To look up the source address on the packet generally requires cycling the packet through again, effectively cutting capacity in half. Most people are more willing to just handle issues when they occur instead of properly securing their networks.
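
The source-address check that BCP38 asks for, as discussed in posts #8 and #9, sketched as an added example that is not part of the thread: a software model of strict reverse-path filtering on a hypothetical edge router, counting FIB lookups to show where the extra source lookup comes from. The prefixes (documentation ranges), interface names and packets are all constructed.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> interface.
# All prefixes are documentation ranges; interface names are made up.
FIB = {
    "203.0.113.0/24": "cust-a",    # block assigned to customer A
    "198.51.100.0/25": "cust-b",   # block assigned to customer B
    "0.0.0.0/0": "uplink",         # default route towards transit
}

class Router:
    def __init__(self, fib):
        # Most-specific prefix first, so the first hit is the longest match.
        self.routes = sorted(
            ((ipaddress.ip_network(p), ifc) for p, ifc in fib.items()),
            key=lambda r: r[0].prefixlen, reverse=True)
        self.lookups = 0  # FIB lookups performed so far

    def lookup(self, addr):
        self.lookups += 1
        ip = ipaddress.ip_address(addr)
        return next((ifc for net, ifc in self.routes if ip in net), None)

    def forward(self, in_ifc, src, dst, strict_urpf):
        """Return the egress interface, or None when the packet is dropped."""
        # Strict reverse-path check: the best route back to the source
        # must point out of the interface the packet arrived on.
        if strict_urpf and self.lookup(src) != in_ifc:
            return None
        return self.lookup(dst)

# Constructed packets: (arrival interface, source, destination)
PACKETS = [
    ("cust-a", "203.0.113.10", "192.0.2.50"),   # honest customer traffic
    ("cust-a", "192.0.2.99", "192.0.2.50"),     # source outside A's block
    ("cust-a", "198.51.100.7", "192.0.2.50"),   # source borrowed from B
    ("uplink", "192.0.2.50", "203.0.113.10"),   # reply from the Internet
]

def run(strict_urpf):
    r = Router(FIB)
    verdicts = [r.forward(i, s, d, strict_urpf) for i, s, d in PACKETS]
    return verdicts, r.lookups

if __name__ == "__main__":
    for mode in (False, True):
        print("strict_urpf =", mode, "->", run(mode))
```

Forwarded packets cost two lookups with the check enabled and one without; the model counts lookups only and says nothing about throughput on real hardware.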

  10. #10
    Join Date
    Nov 2009
    Location
    Auckland
    Posts
    461
    And now Krebs is pointing the A Record of his site to 127.0.0.1

    :~$ dig @ns1.prolexic.net krebsonsecurity.com +noall +answer

    ; <<>> DiG 9.8.3-P1 <<>> @ns1.prolexic.net krebsonsecurity.com +noall +answer
    ; (1 server found)
    ;; global options: +cmd
    krebsonsecurity.com. 300 IN A 127.0.0.1

  11. #11
    Join Date
    Jan 2006
    Location
    127.0.0.1
    Posts
    688
    I believe we are going to start to see attacks of this scale (and larger) become the new normal. These days we have the full spectrum of groups actively engaged in cyber warfare including black-hats, white-hats, grey-hats and even state-sponsored groups. As of right now there is no network on the planet, DDoS protected or otherwise, that is capable of defending itself from 1Tbps~ cyber attacks. DDoS, BGP hijacks, botnets, you name it.

    Right now the Internet at its core is in a state of disarray. Government and corporate entities are fighting for control, censorship, and monetization. While people and hacktivists are fighting for decentralisation, security/privacy, and the free and open Internet as we once knew.

    I can only hope that the right people are at the table when we discuss & implement important topics around the stability & structure of the Internet such as encryption, BGP, DNS, IPv6, and others. Improvements to these core protocols that are literally the foundation of the Internet are what is needed to ensure a sustainable and stable Internet into the future.

    Unfortunately it has to get worse before it will get better.
    ❄️❄️❄️ HOSTBLIZZARD.COM --- 100% Canadian Hosting Provider ❄️❄️❄️
    • Shared Hosting • Reseller Hosting • Cloud Hosting • VPS Servers • Domain Names
    a division of Sheernox Technology Group

  12. #12
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Sorry for the lack of updates here regarding the large attacks, after the last post I made it seems they decided my website was next on the list, so I had to spend a while resolving that last night before heading off.

    OVH showing more than 25 attacks since the 18th that exceeded 100Gbps. (source: https://twitter.com/olesovhcom/statu...30571677978624)

    As reported by Krebs the attack on him was a mix, most likely the majority being GRE. OVH is reporting a botnet of DVRs capable of sending 1.5Tbps. (https://twitter.com/olesovhcom/statu...97257199964160)

    And even though I was attacked yesterday after posting the "Ghost Squad" group here, the attack was significantly smaller than what Krebs/OVH has seen. It seems like even though they claimed at least one of the attacks on Krebs, they may not be the group that launched the 650Gbps attack. PoodleCorp/LizardSquad have been silent over the past day or so, so surprisingly enough nobody reputable has claimed the attack. (using reputable very loosely here.)

  13. #13
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,035
    Quote Originally Posted by Swiftnode View Post
    Some new updates, Akamai has dropped Brian Krebs (http://krebsonsecurity.com) indefinitely due to the scale of the attacks.

    Voxility showing some large attacks.
    http://i.imgur.com/N0rjL8P.png - Large TCP Flood (~530Mpps)
    http://i.imgur.com/4yytOSN.png
    Ahh so that's what happened, I was reading his page, and literally as I was browsing it went dead, yesterday.

  14. #14
    Join Date
    Aug 2007
    Location
    Lincoln, UK
    Posts
    489
    Quote Originally Posted by Swiftnode View Post
    Some new updates, Akamai has dropped Brian Krebs (http://krebsonsecurity.com) indefinitely due to the scale of the attacks.
    I feel that it is important to note that Akamai have dropped Brian Krebs because they were providing the services pro-bono (i.e. for free) and felt that they were unable/unwilling to continue to incur the costs of defending attacks on this scale:

    Quote Originally Posted by https://twitter.com/briankrebs/status/779111614226239488
    Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don't fault them at all.
    Freethought Internet Limited - Hosting, Servers and Connectivity
    Freethought Internet Limited registered in London No. 5862996. Registered office: The Old Church Hall, 2A Cromwell Street, Lincoln, LN2 5LP. VAT number GB 987 0952 66.

  15. #15
    Join Date
    Aug 2007
    Location
    Lincoln, UK
    Posts
    489
    Quote Originally Posted by stefeman View Post
    Now that Akamai dropped Krebs, maybe Cloudflare could help like it did with Spamhaus?
    They've already offered:

    Quote Originally Posted by https://twitter.com/eastdakota/status/779132289846345729
    we've offered. Have seen this attack before. Confident we could help. So far he's not taken us up on our offer.

  16. #16
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Quote Originally Posted by Ed-Freethought View Post
    I feel that it is important to note that Akamai have dropped Brian Krebs because they were providing the services pro-bono (i.e. for free) and felt that they were unable/unwilling to continue to incur the costs of defending attacks on this scale:
    Can we get a source on that? I haven't been able to find anything where Akamai/Prolexic have stated they could not/would not incur the costs.

    The attack on Krebs caused issues at a global level for Akamai. Which they requested peers to route around them so they wouldn't be impacted. I doubt money was much a factor for Akamai, at least more-so than their entire network being disrupted for a pro-bono client.

    edit: Unless you were using costs to reference what I stated above. In which I apologize it's been a long 24 hours for me.
    Last edited by Swiftnode; 09-23-2016 at 07:19 PM.

  17. #17
    Cloudflare has offered to pick up Krebs, but he'd lose face just a bit if he said yes. He's railed against them for hosting many of the DDoS-for-hire websites, thereby creating a market for their product.
    ArkServers.io -- Ark: Survival Evolved Game Server Hosting

  18. #18
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Some large attacks still ringing off in the distance. Likely from a different source than what hit Krebs.

    http://i.imgur.com/U4opmfr.png

  19. #19
    Join Date
    Feb 2012
    Location
    Charleston, SC
    Posts
    780
    Probably not going to have too many more updates here. The more attention this thread gets the more attacks get sent towards my website. I don't understand the logic behind what they're doing, they publicly claim the attacks on twitter, but when someone else says they're the ones behind it on a forum, they attack that person.

    They're not sure if they want attention or not. Some real next generation Einsteins we got pumping out these attacks.

    edit: Forgot to post the update, Krebs is back online using Google Cloud. (Congrats to him, and hopefully he can stick around for a bit.)

  20. #20
    Join Date
    Aug 2007
    Location
    Lincoln, UK
    Posts
    489
    Quote Originally Posted by Swiftnode View Post
    Can we get a source on that? I haven't been able to find anything where Akamai/Prolexic have stated they could not/would not incur the costs.

    The attack on Krebs caused issues at a global level for Akamai. Which they requested peers to route around them so they wouldn't be impacted. I doubt money was much a factor for Akamai, at least more-so than their entire network being disrupted for a pro-bono client.

    edit: Unless you were using costs to reference what I stated above. In which I apologize it's been a long 24 hours for me.
    There's a couple of quotes from Akamai in this article by The Boston Globe:

    Quote Originally Posted by https://www.bostonglobe.com/business/2016/09/23/cybercrooks-akamai/qOAhvHoohJcmkxIwg5ChKO/story.html
    Akamai had the technology to fend off the attack, but not the resources. It provides security services to Krebs’s website at no charge. And the sheer scale of the assault meant that Akamai could no longer afford to pick up the tab.

    “If this kind of thing is sustained, we’re definitely talking millions” of dollars in cyber security services, said Shaul.
    And:

    Quote Originally Posted by https://www.bostonglobe.com/business/2016/09/23/cybercrooks-akamai/qOAhvHoohJcmkxIwg5ChKO/story.html
    The Akamai network filtered out the garbage traffic and KrebsOnSecurity remained online. But the attackers kept on coming, and the expense of fighting them became overwhelming. On Thursday, Akamai pulled the plug.

    “We made a business decision to no longer keep this customer on our platform and prioritize our resources on our paying customers,” said Akamai spokesman Jeff Young.

  21. #21
    Join Date
    Sep 2016
    Posts
    253
    Quote Originally Posted by Eased View Post

    Right now the Internet at its core is in a state of disarray. Government and corporate entities are fighting for control, censorship, and monetization. While people and hacktivists are fighting for decentralisation, security/privacy, and the free and open Internet as we once knew.
    "Government" vs. "people and hacktivists???"

    I'd rather describe it as those with criminal intent vs. those without. Breaking into someone's computer is the same (on many levels) as breaking into one's house.
