grc.com off the net.
-
Steve Gibson has just announced that grc.com has been under a DDOS attack, and Level3 has disconnected him from the network. This is due to a flood of 13tb/s worth of NTP UDP traffic. He said he has 10mb/s from Level3.
All because lots of people still forward NTP requests to spoofed IP addresses. Sad day for IT security people everywhere.
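The attack described in the post above is NTP reflection: requests with a spoofed source address are sent to open NTP servers, which answer the victim with responses far larger than the request. The following is an added example, not something from this thread or from GRC, showing how a defender might spot that pattern in flow records. The flow records, the NetFlow-like tuple layout, and the thresholds (200 bytes average per packet, a 1.25 MB volume cut-off) are all constructed assumptions for illustration.

```python
"""Flag NTP reflection/amplification traffic in flow records.

Added example, not from the thread. Flow records are constructed sample
data in a simplified NetFlow-like tuple format:
    (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
All thresholds below are assumptions chosen for the sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
# A normal NTP reply is 76 bytes on the wire (IPv4 + UDP headers + 48-byte NTP payload).
NORMAL_NTP_BYTES = 76
# Flows from UDP/123 averaging far above that look like amplified (e.g. monlist) responses.
AMPLIFIED_AVG_BYTES = 200          # assumed threshold
# Raise a finding when amplified-NTP volume toward one target exceeds this many bytes.
VOLUME_THRESHOLD_BYTES = 1_250_000  # assumed: roughly one second of a 10 Mb/s link

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Reflected responses: UDP from port 123, ~480 bytes per packet, high volume
    ("198.51.100.7", 123, "203.0.113.10", 4444, "udp", 20000, 9_600_000),
    ("198.51.100.8", 123, "203.0.113.10", 4444, "udp", 15000, 7_200_000),
    ("198.51.100.9", 123, "203.0.113.10", 4444, "udp", 18000, 8_640_000),
    # Legitimate NTP exchange: four 76-byte packets
    ("192.0.2.5", 123, "203.0.113.10", 123, "udp", 4, 304),
    # Unrelated HTTPS traffic, should be ignored
    ("192.0.2.20", 443, "203.0.113.10", 51000, "tcp", 300, 150_000),
]


@dataclass
class Finding:
    target: str
    total_bytes: int
    reflectors: list  # source addresses that sent amplified NTP traffic


def is_amplified_ntp(flow):
    """True if the flow is UDP from port 123 with oversized average packets."""
    _src, sport, _dst, _dport, proto, pkts, nbytes = flow
    if proto != "udp" or sport != NTP_PORT or pkts == 0:
        return False
    return nbytes / pkts >= AMPLIFIED_AVG_BYTES


def amplification_factor(flow):
    """Average response size relative to a normal 76-byte NTP packet."""
    _src, _sport, _dst, _dport, _proto, pkts, nbytes = flow
    return (nbytes / pkts) / NORMAL_NTP_BYTES if pkts else 0.0


def find_ntp_amplification(flows):
    """Aggregate amplified NTP flows per destination and report targets over threshold."""
    by_target = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for flow in flows:
        if not is_amplified_ntp(flow):
            continue
        src, _sport, dst, _dport, _proto, _pkts, nbytes = flow
        by_target[dst]["bytes"] += nbytes
        by_target[dst]["reflectors"].add(src)

    findings = []
    for target, agg in by_target.items():
        if agg["bytes"] >= VOLUME_THRESHOLD_BYTES:
            findings.append(Finding(target, agg["bytes"], sorted(agg["reflectors"])))
    return findings


if __name__ == "__main__":
    for f in find_ntp_amplification(SAMPLE_FLOWS):
        print(f"target {f.target}: {f.total_bytes} bytes of amplified NTP "
              f"from {len(f.reflectors)} reflectors: {', '.join(f.reflectors)}")
```

The reflector list is the useful output for a defender: those are the misconfigured NTP servers (not the attacker) whose operators can be asked to disable monlist or restrict queries, and the per-source volume tells an upstream provider where rate limiting on UDP/123 would help most.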
-
huh, I wonder why he is being attacked?
-
I'm assuming there is no Security Now on now?
-
@Dashrender said:
I'm assuming there is no Security Now on now?
That's where I heard about it from actually, sounds like he's kinda stuck. The only mitigation options he knows about would run him broke.
-
10Mb/s, that's SO slow! Cheapest we can get for hosting is 100Mb/s.
-
@scottalanmiller said:
10Mb/s, that's SO slow! Cheapest we can get for hosting is 100Mb/s.
I might have heard him wrong, it was only background while I was working (tinnitus means I need low level noise to concentrate). Very well could have been 100Mb/s.
-
I wonder if he isn't behind someone like CloudFlare? If he was, that NTP attack could not touch him.
-
He's not. He's directly on the internet. Steve Gibson said that he felt it was unlikely that his services would be able to exist behind a normal proxy because his products like Shields Up and DNS spoofability do 'odd' things that normal sites don't need to do.
As for his connection. Steve's half rack has a 100 Mb connection to the DC, but he's paying for 10 Mb at 95/5, so he can burst when needed, but it keeps his bill manageable for him.
-
@scottalanmiller said:
I wonder if he isn't behind someone like CloudFlare? If he was, that NTP attack could not touch him.
Normally I'd post on his newsgroup to let him know about things like CloudFlare, but without his normal services online I have no way of getting a message to him. I think the only communication channel he maintains outside of his own stuff is Twitter.
-
Steve specifically mentioned CloudFlare during his podcast and made mention that he didn't think it would work for him.
Leo LaPort even offered to reach out to CF and see if the Twit network could work out some sort of deal on Steve's behalf to get Steve the protection.
-
@Dashrender said:
Steve specifically mentioned CloudFlare during his podcast and made mention that he didn't think it would work for him.
What kind of site is he running? ML can't work behind it because of Websockets. Is his site a blog or what?
-
Shields Up and DNS Spoofability are two utilities that site visitors can kick off that send half syn packets, and other weirdness to produce results.
Example, Shields Up does a port scan of the IP you're visiting the site from to see if your machine is responding. It does more than just a ping, it tries all kinds of tricks (short of port knocking) to see if it can get a response on the ports under test.
-
@scottalanmiller said:
@Dashrender said:
Steve specifically mentioned CloudFlare during his podcast and made mention that he didn't think it would work for him.
What kind of site is he running? ML can't work behind it because of Websockets. Is his site a blog or what?
He's got a lot of services like "ShieldsUp" that do port scans of your public facing IP address. So any sort of filtering would block a lot of what he's made available over the years.
-
@travisdh1 said:
@scottalanmiller said:
@Dashrender said:
Steve specifically mentioned CloudFlare during his podcast and made mention that he didn't think it would work for him.
What kind of site is he running? ML can't work behind it because of Websockets. Is his site a blog or what?
He's got a lot of services like "ShieldsUp" that do port scans of your public facing IP address. So any sort of filtering would block a lot of what he's made available over the years.
Oh, yeah that would not work.
-
@scottalanmiller Honestly, I'm surprised this didn't happen before with how vulnerable his stuff apparently is/was.
-
@travisdh1 said:
@scottalanmiller Honestly, I'm surprised this didn't happen before with how vulnerable his stuff apparently is/was.
Sounds that way.
-
@travisdh1 said:
@scottalanmiller Honestly, I'm surprised this didn't happen before with how vulnerable his stuff apparently is/was.
What makes you say that?
FYI, he has been DDOS'ed in the past, several times. He just doesn't publicize it. One time he was being attacked by a kid - Steve was able to find the IRC channel the kid was using to control his botnet, broke into the IRC channel and asked him why he was pestering him. At that time I think it was just a prank, but Steve didn't give any more details.
Sure it doesn't take much to knock him off the net - Steve only has a max 100 Mb, but how many sites do? Very few sites pay to prevent themselves from being DDOS'ed at 13 Gb.
-
@Dashrender said:
Very few sites pay to prevent themselves from being DDOS'ed at 13 Gb.
Most do, actually.
-
@scottalanmiller said:
@Dashrender said:
Very few sites pay to prevent themselves from being DDOS'ed at 13 Gb.
Most do, actually.
Most, meaning more than 50%?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Very few sites pay to prevent themselves from being DDOS'ed at 13 Gb.
Most do, actually.
Most, meaning more than 50%?
Assuming business sites rather than like random personal blogs and stuff, yes. Business sites, at least "real" ones not including the free site for the diner on the corner, have some degree of DDOS protection. Even my dad's prayer group website does. And it's just for six guys scheduling breakfast.