I have been tracking DDOS attacks for a number of years, and quite frankly, it has become boring. Don't get me wrong, I am not complaining, just stating a fact. A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and, probably most significant, the novelty has worn off. Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic, which is not even a nuisance for most providers.
Over the last few days, though, there have been two very significant DDOS events. Firstly, on Tuesday, Sep 20, hosting company OVH was hit with a DDOS which peaked near the 1 Tbps range, and also on Tuesday evening (Sep 20), InfoSec journalist Brian Krebs' website was hit with a DDOS peaking at over 600 Gbps.
These are believed to be the two largest DDOS attacks on record and significantly exceed what it was believed could be achieved by any one DDOS group.
While the nature of the DDOS attack traffic used against OVH has not been revealed, the attack against Brian Krebs' site is unusual in that the traffic is not your typical reflective UDP DDOS traffic, but rather TCP traffic that made full connections with the web server and GRE (generic routing encapsulation) packets. The reason this is unusual is that this traffic cannot be spoofed, so an analysis of the traffic should reveal which devices were used to launch the attack.
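The attribution point above is worth making concrete. The following added example (my own illustration, not from the diary or from any capture of the Krebs or OVH traffic) runs over a constructed set of packet summaries as seen at a victim's edge and sorts the sources into three buckets: UDP arriving from well-known amplification ports, which identifies a reflector rather than the attacker; TCP sources that completed the three-way handshake, which proves the source address actually received the server's SYN-ACK and so is not spoofed; and GRE packets, which the diary treats as direct, attributable traffic. The victim address, the sample packets and the reflector port list are all assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample data (not from the diary): one tuple per packet observed at
# the victim's edge: (proto, src, sport, dst, dport, tcp_flags).
VICTIM = "203.0.113.10"
PACKETS = [
    # Reflective UDP: the packets come from an NTP and a DNS server whose
    # responses were triggered by requests carrying the victim's spoofed address.
    ("udp", "198.51.100.5", 123, VICTIM, 40000, ""),
    ("udp", "198.51.100.6", 53, VICTIM, 40001, ""),
    # A bot that completes the TCP handshake and then sends data.
    ("tcp", "192.0.2.20", 51000, VICTIM, 80, "S"),
    ("tcp", VICTIM, 80, "192.0.2.20", 51000, "SA"),
    ("tcp", "192.0.2.20", 51000, VICTIM, 80, "A"),
    ("tcp", "192.0.2.20", 51000, VICTIM, 80, "PA"),
    # A SYN that is answered but never acknowledged: the source may be spoofed.
    ("tcp", "192.0.2.99", 52000, VICTIM, 80, "S"),
    ("tcp", VICTIM, 80, "192.0.2.99", 52000, "SA"),
    # GRE packets sent straight at the victim.
    ("gre", "192.0.2.30", 0, VICTIM, 0, ""),
    ("gre", "192.0.2.30", 0, VICTIM, 0, ""),
]

# Source ports commonly abused for UDP amplification (chargen, DNS, NTP, SNMP,
# SSDP, memcached). Traffic from these ports points at a reflector, not at the
# host that originated the attack.
REFLECTOR_PORTS = {19, 53, 123, 161, 1900, 11211}


def classify_sources(packets, victim):
    """Map each source address to 'reflector', 'confirmed-tcp',
    'unconfirmed-tcp' or 'direct-gre' based on the packets seen."""
    handshakes = defaultdict(set)  # (src, sport) -> handshake stages observed
    result = {}
    for proto, src, sport, dst, dport, flags in packets:
        if proto == "udp" and dst == victim and sport in REFLECTOR_PORTS:
            result[src] = "reflector"
        elif proto == "tcp":
            if dst == victim and flags == "S":
                handshakes[(src, sport)].add("syn")
            elif src == victim and flags == "SA":
                # The victim replied; key on the remote end of the connection.
                handshakes[(dst, dport)].add("synack")
            elif dst == victim and "A" in flags and "S" not in flags:
                handshakes[(src, sport)].add("ack")
        elif proto == "gre" and dst == victim:
            result[src] = "direct-gre"

    for (src, _sport), stages in handshakes.items():
        if {"syn", "synack", "ack"} <= stages:
            # The remote host received our SYN-ACK and answered it, so the
            # address is real and can be attributed.
            result[src] = "confirmed-tcp"
        else:
            # Never overwrite a confirmed verdict from another connection.
            result.setdefault(src, "unconfirmed-tcp")
    return result


def summarize(packets, victim):
    """Count sources per category, the figure an analyst reports upstream."""
    counts = defaultdict(int)
    for category in classify_sources(packets, victim).values():
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, category in sorted(classify_sources(PACKETS, VICTIM).items()):
        print(f"{src:16} {category}")
    print(summarize(PACKETS, VICTIM))
```

Only the handshake test gives a hard guarantee: a SYN-only source may be spoofed or may simply have been rate-limited before its ACK arrived, so it stays in the unconfirmed bucket rather than being reported as an attacking device.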
Is this a sign that big DDOS is making a comeback or just a couple of isolated attacks?
UPDATE: It appears Akamai is not happy with the extra excitement hosting Brian Krebs' site is bringing them. Brian is looking for a new hosting provider.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.