by cliffchang 5791 days ago
Can anyone give an idea of how large, compared to other DDOS attacks, 50 GBPS is?
3 comments

It's fairly large. There are really two factors in a DoS, though: total throughput and packet size. Obviously, your incoming pipe can only handle a certain total throughput; I mean, that's what most of us get billed on.

However, most routers and firewalls also have a limit on packets per second they can process, on top of the throughput limits. I've got a 100Mbps commit on a 1000Mbps pipe, and I can handle 1000Mbps of 'normal' traffic... but I got taken out a month back by a 200Mbps DDoS that used very small packets. My router couldn't handle it. (Now, if I had spent money on a better router, it wouldn't be a problem. As far as I can tell, even, a reasonable software router could have handled it.)

Another way to measure this is the capacity required to absorb the attack. You can get he.net bandwidth for around a thousand dollars a month per gigabit, and he.net is about as cheap as bandwidth gets, so to soak a 50 gigabit attack, you'd have to have fifty thousand dollars a month of spare capacity.

(I'm sure there are further discounts available between the 1GiB and the 50GiB tier... but you get the idea.)

Considering the fact I've seen this attack first hand, I can tell you a couple of things about its strength. It's very flexible: one minute they are sending packet size 1500 bytes UDP, the other they are sending 48 bytes SYN TCP 80. However, filtering them with a firewall is not hard at all since they do have packet patterns you can detect, but even if you can find a firewall and have it on the edge of your network, traffic is STILL reaching your network, and if you can handle 50Gbps of traffic all coming from a couple of different ASNs, then "wow".
50Gbps is pretty massive. Clearly somebody did something horrifically insulting to China like mention that they could maybe possibly consider treating Tibet a little bit more humanely and stop turning it into one big whorehouse... Make a statement like that, and all of China DDoSes you.
Sarcasm aside, is that really what motivates people in China to regularly pull off attacks like this?
No. (having lived in China for multiple years) Pretty much all the political issues the West thinks of WRT China are not even given a cursory thought by most Chinese. China just isn't very political. Taiwan is basically a non-issue. Tibet is completely a non-issue.

More to the topic: It's much more likely that the motivations are financial.

And who do you think pays these people to DDoS sites like Slideshare and Posterous? (both of whom have been my customers during massive DDoSes from China). I'm sure there's like one posting somewhere on Posterous that someone in the Chinese government didn't like, so they paid their team of script kiddies for time on their botnets to bully Posterous around. The same thing happened to Slideshare a few years ago.

It's about China bullying people around and trying to censor the internet.

Your assertion that the China gov sponsors and pays for this is mostly unwarranted. I say mostly, as I can see why someone without experience in what goes on internal to the China gov may think such things. But you still have no evidence. Most Chinese Windows XP installs are virus platforms ready made to be transformed into a bot-net army. These PCs could be controlled by just about anyone/anywhere. The main reasons they are virus-ridden are (1) the PCs use unlicensed copies of Windows and MS does not allow updates and (2) Chinese software add-ons (browser tools, chat tools, etc.) are particularly vulnerable, many times by design to allow easy access by the distributor, and (3) most software installed is pirated, which may also contain virus payloads.

As an example of how outdated a typical Windows XP install is in China, I'm running a site which has 95% traffic from China. Over 62% of users are on IE6.

So then, patriotic hackers (riiiiiiiiiight) like to target American websites that are critical of the Chinese government because they feel a sense of nationalistic pride? Bullshit.
It's serious but not the end of the world. Of course if your uplink is smaller than that it might be a real problem. Then you'll have to talk to your upstream provider to do the filtering job for you.
No, sorry.

50gbps would rank as one of the largest attacks I've ever heard of on the Internet. And I hear about quite a few of the really big ones. :-)

The hosting facilities where I have my servers would class this one as 'just another day's work'.

Sites that are routinely targeted for blackmail because they make lots of money have dealing with attacks like this down to a science. Of course they're not going to go out of their way to advertise that it happens all the time to protect their business interests, so that's why you may not have heard about it.

Banks and other financial institutions, gambling sites, large porn sites, top 100 websites and sites that are either vulnerable to brand damage or that have a lot of turnover see an awful lot of this.

50Gbps is at most 50K zombies or so, that's really not that bad.

The largest attacks against sites that I know of used a million IPs and more. That's a wholly different kettle of fish and starts to be a real problem because even hardware-based packet filtering (Thanks force10!) has its limits.

Additional notes (too late to edit the comment above):

After a call with one of my hosting providers (yes, on a Sunday at that, how is that for service), they saw the 40Gbit barrier broken somewhere at the end of 2007, today they're prepared for a multiple of that but he says that because they are that well prepared they've become less of a target.

They've invested a very large sum of money in infrastructural components specifically to deal with DDOS attacks at the hardware level, and though he doesn't rule out the possibility that they'll be one day facing one they can't deal with he doesn't seem overly worried, he does not want to claim any upper limit.

The countries they've seen the most trouble from are hard to pin down, but apparently the former USSR states and China are pretty high on his list for the 'bot masters'.

Extortion seems to have arrived on the internet to stay, if you're a small player and you become successful you'd better be prepared, sooner or later you'll be a target.

Even smaller websites can easily get 2 to 10 Gbps DDoS attacks aimed at them. The first time this happened to me I was pretty happy that all that happened was that I received an email from my ISP informing me of the fact without any loss of service.

Can you name those hosting providers you're using? I think that it could be useful to many of the readers here.
I've done so in the past and I have already remarked somewhere earlier that I feel a bit uncomfortable about mentioning this business on HN because it feels a bit like advertising (and it's owned by a former employee and a bunch of his friends of mine so I'm not exactly impartial).

If you really want to know please drop me a line (email in my profile).

jacquesm,

Not a single provider in the world can handle this kind of attack peacefully without service interruption except China Telecom and China Union.

Your calculations can't be more off about 50K bots, our counts showed more than 100K we couldn't count after that due to limitation in software.

My business has been dealing with DDOS attacks since 2002; we pretty much saw the brunt of every kind of new attack that came online. The only thing that can be compared with magnitude to this is the DNS Amplification attack, but that was limited in its impact considering the source of the attack was diverse, not from one geo area.

Force10 will sell you a router that will fend off a DDOS attack with over a million zombies. It's going to cost you though.

Yes, there will be an interruption, but you will be able to get the situation back under control while the attack is still in progress. You will need your upstreams/peers to collaborate.

If you're on the Cisco platform, then good luck to you.

You are simply incorrect in your facts.

I can't cite how I know, but if you look up who I am you can probably guess that I'm aware of the largest DDoS's in the world that take place.