by TacticalCoder 1706 days ago
We still hear about DDoS attacks like this once in a while, but it seems it's not anywhere near as common as it used to be. What happened? It looks like the bad guys are really having more and more trouble mounting successful DDoS: how come? It also looks like, in despair, they're targeting smaller fish. Why? Smaller botnets? Cloudflare and OVH and the like just being too good at absorbing everything and anything you can throw at them? Simple firewall rules getting rid of 99% of the crap? What's the reason it's not as prevalent as it used to be?
7 comments

Botnets aren't smaller (IoT has been quite a boon to them)

& according to https://www.comparitech.com/blog/information-security/ddos-s... their frequency isn't declining

But yes, the larger sites have gotten their shit together so that the cost to DDoS has gone up

Also, if you have a botnet you now have to ask: do you want to rent out DDoS or do you want to mine crypto?

Now that's a good point: especially since if you DDoS while asking for a ransom, you take the risk that your botnet gets taken down. While if you "discreetly" mine CPU (and/or GPU?) mineable cryptocurrencies, you kinda fly under the radar.
You DDoS from routers and other embedded devices which aren’t capable of mining anything.
There have been many attempts to do exactly that with varied success.

The best I could find was 250 a day using only 15,000 hosts. Not bad considering the cost is literally zero for the attackers. Scale that up to half a million hosts, which is a tiny botnet in reality, and it would make 8000+ a day or over 3 million a year based on low-hanging fruit.

https://www.cnbc.com/2018/03/01/thousands-of-iot-devices-can...

There are bandwidth-based coins.
A lot of the old DDoS attacks rely on the ability to spoof your IP address. Many networks are now configured to drop packets exiting their network that don’t have an address from their network.

For example, in a Smurf attack the attacker finds broadcast IP addresses by sending an ICMP request to an address and counts the number of ICMP replies that come back. A broadcast IP address is one that sends a packet to every host on a network (often with 255 as the last octet like 207.103.0.255 for a Class C network of 207.103.0.0/24).

After finding suitably large networks with an open broadcast IP address they then send the broadcast IP address packets with a spoof IP address of the victim. The attack is then multiplied by however many hosts are on the broadcast IP address network.

DNS reflection is another type of DDoS attack that also relies on the ability to spoof an IP address of the victim.

Once you get to a certain scale, you don’t really worry about those vectors anymore.

The more interesting/difficult to mitigate attacks are those that complete handshakes (if TCP) and make fully formed requests at L7 that otherwise appear legitimate.
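
The egress filtering and the directed-broadcast behaviour described in the comment above, as an added example that is not from any commenter in this thread: a BCP38-style check over constructed flow records. An edge router should drop any packet leaving the network whose source address is not in a prefix the network originates (which is what stops an internal host from sourcing Smurf or DNS-reflection traffic with a victim's address), and should not forward inbound packets addressed to one of its own subnet broadcast addresses. The prefixes, flow records and field names are assumptions made up for the example.

```python
"""Added example (not from the thread): BCP38 egress filtering plus a
directed-broadcast check, evaluated over constructed flow records."""
import ipaddress
from dataclasses import dataclass

# Constructed: the address space this network is allowed to originate.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "icmp", "udp" or "tcp"
    dst_port: int
    egress: bool    # True if the packet is leaving our network


def source_is_ours(addr: str) -> bool:
    """BCP38 test: is this source address inside a prefix we originate?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def is_directed_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of our prefixes,
    i.e. the kind of address a Smurf probe looks for.  Routers should not
    forward such packets arriving from outside (the RFC 2644 default)."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in OUR_PREFIXES)


def classify(flow: Flow) -> str:
    """Return the action an edge filter would take for this flow and why."""
    if flow.egress and not source_is_ours(flow.src):
        return "drop:spoofed-source"
    if not flow.egress and is_directed_broadcast(flow.dst):
        return "drop:directed-broadcast"
    return "permit"


def summarize(flows) -> dict:
    """Count flows per action, the kind of tally a filter log would show."""
    counts = {}
    for f in flows:
        action = classify(f)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample flows (addresses are documentation ranges).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.53", "udp", 53, egress=True),        # ordinary outbound query
    Flow("192.0.2.7", "198.51.100.20", "udp", 53, egress=True),        # leaving us with a foreign source
    Flow("198.51.100.200", "203.0.113.255", "icmp", 0, egress=False),  # inbound to our broadcast address
    Flow("192.0.2.7", "203.0.113.10", "tcp", 443, egress=False),       # ordinary inbound connection
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src:>16} -> {flow.dst:<16} {classify(flow)}")
    print(summarize(SAMPLE_FLOWS))
```

The second sample flow is the one BCP38 exists for: it is leaving the network but carries a source address the network does not own, so the filter drops it before it can reach a reflector. The third is the inbound half of the same story, a packet aimed at a subnet broadcast address, which a router with directed broadcasts disabled simply does not forward.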

Can't spoof IP on a device behind CGNAT either, can you?
Maybe ransomware.

A bit speculative, but my hunch is --

IoT and some other advancements still create opportunities for new DDoS attacks, but attackers herd. And the "X as a service" support infrastructure is mostly supporting ransomware right now, likely because it's safer and more lucrative. You can walk away from a ransomware target, fire and forget, so you can do it at scale. With DDoS you have to pick your victims, monitor and maintain the pressure, and choose how to allocate your resources to targets while they're investigating or waiting you out.

Cloudflare might be part of the story, maybe that was enough of a headwind to stop the trolls, but for the professional criminals, I suspect this is about lucrative alternative attacks.

Yes, I have the same suspicion. It is way harder to maintain a certain volume of DDoS, and some people use services to keep them online during a DDoS. Spending your time on a single action, encrypting, and keeping a company hostage without further energy I think is more, what's the word, efficient for those bad actors.
That is already a thing and has been for a while now. Unless you are describing a new version of it, but it's already there.
The general quality of DDoS scrubbing services has dramatically improved in the last 10 years. I work for a large tech company and Silverline has protected us from 100G+ attacks.
What about 250, 500, 1 Tbps? Hell, 2.5 is possible now.

100 Gbps is basically a trivial test for a new botnet.

Cloudflare is the most well-known, but there are lots of providers now that provide this level of service, from the old guys like Akamai's Prolexic to new ones like Imperva to tier-1 ISPs like Telia.

Additionally, depending on the exact service, you can certainly firewall traffic - close to the source.

The specific problem here is that mail servers have not been the target of DDoS until now, which means that there are few companies who provide mail exchange-specific DDoS protection, which means larger companies (Verizon/Yahoo, Microsoft/Outlook, Google/Gmail) just operate servers well beyond what they really need, and I don't think that they can just run to Cloudflare and violate their privacy promise in the process.

More protection at the OS and ISP level. ISPs can isolate nodes that become part of botnets, and operating systems increasingly remove the avenues malicious actors use to cause trouble. Microsoft's push for hardware security is justly controversial, but the move to TPM by default in Windows 11 is the latest in a long line of changes that's made it harder to take over an ordinary person's computer. Android has had an equivalent since 8, and I'm pretty sure iOS has it.

Put that together with the change to more people being mobile-only and there are fewer ways to create the botnets behind these.

> TPM by default in Windows 11 is the latest in a long line of changes that's made it harder to take over an ordinary person's computer

Interesting, I think of TPM as being for holding keys for BitLocker encryption or personal certificates. Can you clarify how TPM makes it harder to remotely take over a computer?

It's what you can do with the TPM. With the TPM to hold keys, you can require that e.g. bootloader changes be signed by the vendor. It's hard for malware to convince an ordinary person to go into BIOS and disable vendor locked bootloaders. Of course, Microsoft also gets into trouble here, because sometimes the vendors (and Microsoft itself) don't put the option to disable locking in the BIOS.
Bingo. I've seen multiple instances in the last year or so where people were advised to reboot their devices to make sure a newly identified and patched out malware was removed.
But why does malware need to mess with the bootloader when you can launch DDoS attacks from userspace?
It's a lot easier for something like Windows Defender to untangle something confined to user space than something that can prevent the OS from protecting its files by taking over the boot process.
You are correct on the ISP level. I am a network engineer for an ISP; we utilize Corero to monitor and mitigate DDoS attacks into our network. Since 99% of the time the DDoS is not targeted at us but rather the customer, I also kill the active IP addressing to their modem/ONT, and configure that endpoint so it isn't allowed to pull an IP. Once the attack stops, I reconfigure the endpoint and have it pull a new address.
That will stop overloading paths inside your network, but if your edge can't handle a 100 Gbps DDoS all your other customers still suffer.

Better to have the target blackholed upstream. Can usually be done with a BGP community of 666 if your peers support it.
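
The upstream blackholing the comment above describes, as an added example that is not from any commenter in this thread: the validation an operator wants before a remotely triggered blackhole (RTBH) route is pushed to a router. RFC 7999 defines the well-known BLACKHOLE community 65535:666 (the "666" in the comment is its conventional low-order value; many providers also accept an `<ASN>:666` form), and upstreams that honour it discard traffic to the tagged prefix. The safety rules below are standard operator practice: only blackhole addresses inside space you originate, only as a host route, and always carry the community and NO_EXPORT so the /32 does not leak further. The ASN, prefixes and the route dictionary layout are assumptions made for the example, not any vendor's API.

```python
"""Added example (not from the thread): building and validating an RTBH
announcement tagged with the RFC 7999 BLACKHOLE community."""
import ipaddress

OUR_ASN = 64500                                      # constructed private-use ASN
ORIGINATED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:10::/48")]
BLACKHOLE_COMMUNITY = (65535, 666)                   # RFC 7999 well-known BLACKHOLE


def _host_length(ip: ipaddress._BaseAddress) -> int:
    return 32 if ip.version == 4 else 128


def build_blackhole_route(target: str) -> dict:
    """Return the route to announce for the attacked address `target`, or raise
    ValueError when the request would blackhole space we do not own."""
    ip = ipaddress.ip_address(target)
    if not any(ip in net for net in ORIGINATED):
        raise ValueError(f"{target} is not inside a prefix we originate")
    prefix = ipaddress.ip_network(f"{ip}/{_host_length(ip)}")
    return {
        "prefix": str(prefix),
        # Well-known community first, provider-style <ASN>:666 alongside it.
        "communities": [BLACKHOLE_COMMUNITY, (OUR_ASN, 666)],
        "no_export": True,   # keep the host route from propagating past the upstream
    }


def is_valid_blackhole(route: dict) -> bool:
    """The receiving side of the same rule set: accept a blackhole request only
    for a host route inside the originated space that carries the community."""
    net = ipaddress.ip_network(route["prefix"])
    return (
        net.prefixlen == _host_length(net.network_address)
        and any(net.subnet_of(o) for o in ORIGINATED if o.version == net.version)
        and BLACKHOLE_COMMUNITY in route["communities"]
        and route.get("no_export", False)
    )


if __name__ == "__main__":
    for target in ("203.0.113.44", "2001:db8:10::5", "198.51.100.9"):
        try:
            route = build_blackhole_route(target)
            print(route, "valid" if is_valid_blackhole(route) else "rejected")
        except ValueError as err:
            print("refused:", err)
```

The third target in the usage block is refused because it is outside the originated prefixes: the point of the check is that a mistyped or malicious trigger cannot discard traffic for an address the ISP does not own, and the inbound validator rejects anything broader than a host route so a customer cannot blackhole a whole /24 by accident.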

Doesn't that simply mean that the customer loses connectivity, just as the attacker intended, for the duration of the attack?

From the ISP's point of view, you might have prevented an overload that could have affected other customers. From the customer's point of view, their service was denied all the same. Doesn't sound like anything has improved compared to 10-20 years ago.

In both cases the customer has no access. (or a very limited one)
One factor: the main target was internet gambling sites. They banded together and collectively agreed not to pay any DDoSers.

Source: Security Engineering by Ross Anderson.

CloudFlare, AWS, GCP.
Cloudflare I agree, but "give us $10000 or we increase your AWS bill by $20000 per day" sounds like a viable extortion scheme to me.
https://aws.amazon.com/shield/pricing

Might want to check how much it costs to increase someone's billing 20k a day (granted, a botnet makes it cheaper, but measure opportunity cost of what else that botnet could be doing), see also https://www.reddit.com/r/aws/comments/7z6uc3/comment/dutgw6u...

Full disclosure: I work for Azure

AWS Shield (while expensive at $36000 a year) does have `DDoS cost protection` as one of its features, i.e. if you have to 10x your server fleet to outscale and outlast the DDoS attack, then AWS will forgive the additional cost.