Law enforcement takes down 'DDoS-for-Hire' sites in Operation PowerOFF(scworld.com)
scworld.com
Law enforcement takes down 'DDoS-for-Hire' sites in Operation PowerOFF
https://www.scworld.com/news/law-enforcement-takes-down-27-ddos-for-hire-sites-in-operation-poweroff
16 コメント
The underlying issue is how BGP and peering works behind the scenes.
BGP relies heavily on mutual trust that nobody claims an ASN they are not supposed to have and that have no overlaps. But, if you analyze the registry datasets, there will be always two culprits that claim ownership of networks for surveillance reasons :)
Then there is the fact that cloudflare is hosting sooo many malicious actors in the field that their own business model shifted into hosting crime as a service, while also offering "protection" against their own customers. There was this one guy that ran a custom DNS resolver to expose this, you can search the web archive for the "crimeflare" website where he hosted it (and got DDoSed by cloudflare, too, btw).
And then there is the problem with peering. As you said, peering providers could have just checked whether or not the source comes from within one of their networks, but they don't do that. Most amplification attacks cross those peering lines/ASNs, yet we see cloudflare's DNS being the single most DDoSing server on the internet, while simultaneously providing said protection from exactly that attack type.
[1] http://web.archive.org/web/20240000000000*/http://crimeflare...
[2] http://web.archive.org/web/20190620030133/http://www.crimefl...
BGP relies heavily on mutual trust that nobody claims an ASN they are not supposed to have and that have no overlaps. But, if you analyze the registry datasets, there will be always two culprits that claim ownership of networks for surveillance reasons :)
Then there is the fact that cloudflare is hosting sooo many malicious actors in the field that their own business model shifted into hosting crime as a service, while also offering "protection" against their own customers. There was this one guy that ran a custom DNS resolver to expose this, you can search the web archive for the "crimeflare" website where he hosted it (and got DDoSed by cloudflare, too, btw).
And then there is the problem with peering. As you said, peering providers could have just checked whether or not the source comes from within one of their networks, but they don't do that. Most amplification attacks cross those peering lines/ASNs, yet we see cloudflare's DNS being the single most DDoSing server on the internet, while simultaneously providing said protection from exactly that attack type.
[1] http://web.archive.org/web/20240000000000*/http://crimeflare...
[2] http://web.archive.org/web/20190620030133/http://www.crimefl...
> Most web-based services don't need random UDP packets from the internet.
HTTP3 is UDP-based. If you're running a modern web service, blocking UDP isn't a viable option.
> DNS and NTP can use TLS, etc.
No, they can't. DoH is only used for recursive resolvers (like those operated by ISPs); if you want to run an authoritative DNS server for your domain, you still need to respond to queries on UDP port 53. NTS (RFC 8915) still uses UDP for time synchronization packets; only the initial key exchange is over TCP.
HTTP3 is UDP-based. If you're running a modern web service, blocking UDP isn't a viable option.
> DNS and NTP can use TLS, etc.
No, they can't. DoH is only used for recursive resolvers (like those operated by ISPs); if you want to run an authoritative DNS server for your domain, you still need to respond to queries on UDP port 53. NTS (RFC 8915) still uses UDP for time synchronization packets; only the initial key exchange is over TCP.
Good points; however, 1) many victims are not running http3 and 2) there are ways of addressing the cases you mention, such as dropping unauthenticated TLS traffic, isolating any external-facing DNS and NTP servers (and probably with whitelisting/sandboxing/time-windowing), etc. (I'm also not a fan of abusing DNS for load balancing, but that is another discussion.) All of this can be done in hardware at line rate. And source address validation is going to help as well.
I'd be interested in your ideas as to the best steps forward for improving the DDoS situation, if you have a reference.
I'd be interested in your ideas as to the best steps forward for improving the DDoS situation, if you have a reference.
between 20%-60% of internet traffic today uses quic/http3 (udp). depends on many factors. so like... many victims, even the majority maybe, are using udp.
and the solutions you suggested are either non-starters for various reasons, or already being done and considered table stakes
and the solutions you suggested are either non-starters for various reasons, or already being done and considered table stakes
[deleted]
[deleted]
40% to 80% solution would be very significant.
If source address validation is already being done, shouldn't it block reflection attacks that depend on source address spoofing?
If source address validation is already being done, shouldn't it block reflection attacks that depend on source address spoofing?
The largest DDoS attacks recorded are un-amplified and un-spoofed. The sources are malware (see Mirai and its variants) via legitimate internet connections.
Even the largest ISPs generally do not have enough spare capacity to just "block UDP packets," as the largest attacks are now measured in Tbps. There is also nothing stopping attackers from just sending TCP packets.
As consumer internet speeds grow, DDoS grows.
Even the largest ISPs generally do not have enough spare capacity to just "block UDP packets," as the largest attacks are now measured in Tbps. There is also nothing stopping attackers from just sending TCP packets.
As consumer internet speeds grow, DDoS grows.
327 arrested operation-poweroff.com
Your link specifically says 4 arrested. There are ‘327 identified users’, but it does not say they have been arrested.
You're right, I used the wrong word, can't edit it sadly
For example, it is surprising to me that it still seems to be difficult or impossible to deploy IP source address validation (although the situation may be improving). And there seems to be no easy way for UDP flood victims to ask (or pay) their ISPs to block UDP packets? (Most web-based services don't need random UDP packets from the internet. DNS and NTP can use TLS, etc.) Why are exploitable reflection-amplification vectors still in wide use?
There do seem to be bad incentives for companies like Cloudflare which sell DDoS "protection" services.