DDoS Attacks?

a reply to: billxam

Thanks for the info. I was searching on the Library of Congress site when it started for me.

So what do you think the backbone attack would be about? Simpler?

a reply to: DontTreadOnMe
That's right about when I started having problems. I was on the Library of Congress site which is .gov and started having issues. Tried to go to a county website for a file and it was down. Then tried to go to isitdown and it was down.

That's when I noticed it was trending. I was happy to see ATS was up so I could see if anyone else had any ideas.

a reply to: Identified

I really thought it was my ISP at first. IT ws odd as most of the down sites were political....so then I thought it was probably more widespread.

I still don't understand what happened...it wasn't a DDoS?????

a reply to: DontTreadOnMe

That's why I was suspect because it was gov sites I noticed first as well.

Seems Cloudflare is saying it was all them because they had some sort of DNS problem and things weren't routing correctly. They say it wasn't an attack.

If you look at their site status they are still rerouting as of now.

a reply to: DontTreadOnMe

Cloudflare provides ddos protection and dns routing for many websites, if cloudflare goes down those sites go down.

a reply to: dug88

Exactly. Thing is since they provide the DDoS mitigation would they admit readily to a DDoS attack that brought them down?

a reply to: Identified

Others can chime in on this. The internet has thousands of routers. Where I get my email account from, Sunset Systems in Ypsilanti, is along US12 where the part of the backbone of the internet runs. In their building is a router. At one point, before they moved in the mid 90s, they wanted me to house the router in my house because I was a half mile from the backbone.

The routers are all over the place and their job is to make the information goes to the correct server. If I understand this correctly, this is where your ping hops come from.

Directly from the 1990s, here are some maps at the Centauri Communications site.

The entire concept and the way they do it is pretty cool and at the same time archaic - simply because that's the way it was designed.
centaurico.com

originally posted by: DontTreadOnMe
a reply to: Identified

I really thought it was my ISP at first. IT ws odd as most of the down sites were political....so then I thought it was probably more widespread.

I still don't understand what happened...it wasn't a DDoS?????

If cloudfare is/was the problem, then it's happened before,


blog.cloudflare.com...

extract from Clouflare's post mortem,

The cause of the outage was a system-wide failure of our edge routers. CloudFlare currently runs 23 data centers worldwide. These data centers are connected to the rest of the Internet using routers. These routers announce the path that, from any point on the Internet, packets should use to reach our network. When a router goes down, the routes to the network that sits behind the router are withdrawn from the rest of the Internet.

We regularly will shut down one or a small handful of routers when we are upgrading a facility. Because we use Anycast, traffic naturally fails to the next closest data center. However, this morning we encountered a bug that caused all of our routers to fail network wide.

Flowspec
We are largely a Juniper shop at CloudFlare and all the edge routers that were affected were from Juniper. One of the reasons we like Juniper is their support of a protocol called Flowspec. Flowspec allows you to propagate router rules to a large number of routers efficiently. At CloudFlare, we constantly make updates to the rules on our routers. We do this to fight attacks as well as to shift traffic so it can be served as fast as possible.

This morning, we saw a DDoS attack being launched against one of our customers. The attack specifically targeted the customer's DNS servers. We have an internal tool that profiles attacks and outputs signatures that our automated systems as well as our ops team can use to stop attacks. Often, we use these signatures in order to create router rules to either rate limit or drop known-bad requests.

In this case, our attack profiler output the fact that the attack packets were between 99,971 and 99,985 bytes long. That's odd to begin with because the largest packets sent across the Internet are typically in the 1,500-byte range and average around 500 – 600 bytes. We have the maximum packet size set to 4,470 on our network, which is on the large size, but well under what the attack profiler was telling us was the size of these attack packets.'

That's from, 3 March 2013, 01:47 pm. That was a DDoS attack.

Sorry, for the double post I can't edit my last post but details about today's outage

blog.cloudflare.com...

Not sure if it’s the same thing... but...

On Tuesday, MS issued a CVE patch for DNS servers.

The same “remote code” thing seems possible (iirtc) and is because of a level of sharing between DNS servers (no longer a server admin, I am not a definitive source! Just ask the longtime resident science guy who schooled me twice in an hour and put me straight today!)

Seems that they “feel” they are describing the same remote code execution that can lead to what appears to be a DDoS attack as people can’t reach the next page on the same sight. (Or get a proxy warning at the main page due to how web pages load).

Not a “state sponsored attack” against certain sites but a probe over not being current on patches (still might be state sponsored, but not necessary).

Will love to hear the details in a few weeks as they process the event.

And