How CloudFlare dealt with a 65Gbps DDOS Attack...

Abraham Williams on Google+ pointed us to an article over on the CloudFlare blog about how they dealt with a recent 65Gbps attack.  The article titled "How to launch a 65Gbps DDOS attack and how to stop one" gives some high level details about how they deal with such attacks and how someone can get 65 Gbps of bandwidth to even start one.  The article does a great job of explaining one method using Open Unrestricted DNS Resolver.  The basic idea is that since DNS can be done with UDP packets you can easily forge the from address and cause the Open Unrestricted DNS Resolver to reply to the targeted computers or network.  This is exploiting two flaws in the internet.  The first that UDP is a fire and forget protocol which doesn't require any proof of where you are coming from.  The second is that Open Unrestricted DNS Resolver exist or at the least allow UDP requests.  DNS can and should be required to be done over TCP which makes forging the information much harder and less reliable.

They have an article they wrote before this one that talks about and apologizes to their customers for the disruption in the first place.  It's found here and called "Post Mortem: What Yesterday's Network Outage Looked Like" .  It is a shinning example of what a company should do when an event like this happens.  It is very transparent, clear and easy to understand and most of all genuine.  While I know it's great PR it's not something I see a lot of companies like them doing.

 

Let us know if you have ever dealt with something like this in your job?

Do you think they took the proper response?

What do you think of the post mortem?

Update: Changed Open to Unrestricted becuase as pointed out in the comments below it seemed to imply the awesome DNS service by a similar name.  They, to our knowledge, were not part of the problem.

Brian Wagner

Brian started working with *nix in while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex) he was tasked with administering Sendmail on both Slackware Linux and Solaris Systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 Mhz PowerMac. Since then Brian has been working and consulting on Linux and it's uses in the Enterprise to support everything from E-Mail, Firewalls, Web and File serving to custom cluster solutions and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2 person organizations. This has given him the unique insight into the differences every size business faces.

Episode 52 - When will the world become secure...

Episode 52 - When will the world become secure...
Running Time:  47:06
1) Introduction
Did you try Windows 8 Beta? Kind of looks like Unity...
2) News
3) Conclusion
Recommendations for People to interview
Go to the WebSite to call us via Google Voice
Facebook Fan Page
Follow us on Twitter and Identica as @linuxinstall
Look for us and comment on iTunes, odeo

 

Brian Wagner

Brian started working with *nix in while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex) he was tasked with administering Sendmail on both Slackware Linux and Solaris Systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 Mhz PowerMac. Since then Brian has been working and consulting on Linux and it's uses in the Enterprise to support everything from E-Mail, Firewalls, Web and File serving to custom cluster solutions and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2 person organizations. This has given him the unique insight into the differences every size business faces.

Is linux really more secure?

With the recent breaches at Kernel.org and the Linux Foundation several people have started asking is Linux really more secure?  Our assesment of the sitution is that any OS is only as secure as the users and Admin's make it.  A weak user password or failing to keep up with system patches both can end with the same result as the Kernel.org breach showed.  Others like Leo Leporte's Twit Network website were caused by missed updates.  So whether it's Windows, Linux or the Mac poor choices will always lead to insecurity.  Protect your data and that of your fellow users and use long, safe and secure pass phrases.  if your a system admin or Developer push hard to maintain your systems to a reasonable patch level for your company.

Brian Wagner

Brian started working with *nix in while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex) he was tasked with administering Sendmail on both Slackware Linux and Solaris Systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 Mhz PowerMac. Since then Brian has been working and consulting on Linux and it's uses in the Enterprise to support everything from E-Mail, Firewalls, Web and File serving to custom cluster solutions and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2 person organizations. This has given him the unique insight into the differences every size business faces.