> QOTD DDoS attack
> How it works: Abuses the Quote of the Day (QOTD) Protocol, which listens on UDP port 17 and responds with a short quote or message.
Does any reasonable operating system these days support this protocol? Sounds like "IP over Avian Carriers" to me.
It almost feels like writing about this is exactly what the attacker wants: Free validation and advertisement for exactly what their botnet can do.
← Inserting standard complaint about Cloudflare protecting the sites selling these DDoS attacks here (at best: a conflict of interest selling the cure while protecting the disease).
This article taught me about the QOTD protocol: https://datatracker.ietf.org/doc/html/rfc865
Cool artifact of the internet!
Sort of neat, but also feels like this post is 95% marketing and PR because it's just a cherry-picked example of success.
A DDoS gets some fraction of the entire internet to attack a single host.
As the internet gets more users and more devices connected, the ratio of DDoS volume to a single connection's volume will only get larger.
Is there any kind of solution?
Anybody know who the "Cloudflare customer, a hosting provider" was and what IP they were targeting and why? I'm curious why someone would go to such great lengths to try to take down a service.
Any proof that this happened except Cloudflare claiming it did? Just wondering whether these kinds of attacks are seen by other orgs.
What does this botnet do when it's not performing a 7.3 Tbps DDoS? Yea it's probably regular folks' computers, but what "wakes up" the botnet to attack? What makes an attack target worthwhile? Presumably something this large would be on someone's radar...
L4 level DDoS is useless and is easily protected by Cloudflare.
App level DOS use Cloudflare evasion techniques and directly DOS the destination server, while keeping itself undetected by Cloudflare's systems.
Do not assume that Cloudflare will protect you from all attacks. If your app is dogshit python/js/php then even Cloudflare won't protect you from L7 DDoS.
Should Cloudflare release the IPs and try to get those devices removed from the internet?
Possibly the only kind of advertising that I actually like. Informative, engaging, no overselling.
I just depend on WAF, as long as the DDoS attack does not reach my server. Is that OK?
Meanwhile, Cloudflare has been blocking my reading of websites more and more.
@tete called it: https://news.ycombinator.com/item?id=44262324
The current optics are 400gbps, and 800gbps are sampling; next up is 1.6 tbps; so this is 20x400gbps, basically 1 expensive switch’s worth of traffic. Which is itself a scary prospect!
> DDoS sizes have continued a steady climb over the past three decades.
This is a bit misleading; according to Wikipedia[1], the first DDoS is said to have occurred less than three decades ago.
[1] "Panix, the third-oldest ISP in the world, was the target of what is thought to be the first DoS attack. On September 6, 1996, Panix was subject to a SYN flood attack, which brought down its services for several days while hardware vendors, notably Cisco, figured out a proper defense.", source: https://en.wikipedia.org/wiki/Denial-of-service_attack
Huh, I got attacked from 170 countries last year (HTTP) and Cloudflare's autonomous detection (machine learning powered) rules did almost nothing. It was millions of the same requests over and over and the only thing that we could do to stop it was manually put in rules to block routes. Not only that, some of the attacking traffic came from within Cloudflare workers or it was at least going through their WARP client (those details are now fuzzy). Was a pretty miserable failure to perform on their part.