The Great DDoS of 2014

Started by FurryJackman, October 17, 2014, 04:41:44 PM

FurryJackman

Well, everything went down.

Let's discuss mitigation of said things.

This has proven even Cloudflare is not enough to obfuscate your origin. Weasyl, even with Cloudflare protection, is now being directly IP attacked. However, it seems they're recovering faster than the other sites.

This thread is more for the technical side and less for the "when is it gonna be up again?!?" talk.

Zen

Some bored X-chaners and script kiddies decided to take down a bunch of furry websites for shits and giggles. Not sure what there is to discuss on the matter.

Sasha

Sure you could add people to a firewall list automatically if they do something that smells fishy? Throttle file downloads if there are too many, and prioritise the website? An ounce of prevention saves a pound of cure, but there's another saying, a week's worth of programming saves a day's worth of work... publicity doesn't hurt either, does it?

Tigerface.
The farther one travels, the less one knows.

FurryJackman

There's also the possibility of coordinated waves of IP traffic slamming the server all at once coming from not just one stack of IPs, but completely random ones. In this case a firewall would have a really hard time keeping up.

However, DPI can be used if the traffic is exactly the same data, as script kiddies probably do on zombie machines. DPI requires tons of processing though, and if an ISP can DPI out the attack traffic, that might solve it if there's enough bandwidth and processing power, but this attack saturated the 10Gbit link already.
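Added example (not part of the original posts): a sketch of the two ideas discussed above, an automatic per-IP block list and matching on identical request data, run over constructed traffic. The function names, thresholds, addresses (documentation ranges) and payloads are all assumptions made for the illustration, and hashing the payload is a simplified stand-in for DPI.

```python
from collections import defaultdict, deque
import hashlib

def per_ip_blocklist(events, limit=5, window=10.0):
    """Automatic firewall list: flag any source IP with more than
    `limit` requests inside a sliding `window` of seconds."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip, _payload in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > limit:
            blocked.add(ip)
    return blocked

def repeated_payloads(events, min_sources=20):
    """Payload matching: fingerprints of request data seen from at least
    `min_sources` distinct IPs, mapped to that source count."""
    sources = defaultdict(set)
    for _ts, ip, payload in events:
        sources[hashlib.sha256(payload).hexdigest()].add(ip)
    return {fp: len(ips) for fp, ips in sources.items() if len(ips) >= min_sources}

def sample_events():
    """Constructed traffic as (timestamp, source IP, request bytes)."""
    events = []
    # One noisy client: 30 distinct downloads in about 3 seconds.
    events += [(i * 0.1, "198.51.100.7", b"GET /download/%d" % i) for i in range(30)]
    # 50 scattered sources, 2 requests each, all sending identical data.
    for n in range(50):
        ip = "203.0.113.%d" % n
        events += [(n * 0.05, ip, b"GET /?x=AAAA"), (n * 0.05 + 5, ip, b"GET /?x=AAAA")]
    # 10 ordinary visitors, one distinct page each.
    events += [(n * 1.0, "192.0.2.%d" % n, b"GET /view/%d" % n) for n in range(10)]
    return sorted(events)

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP block list:", per_ip_blocklist(ev))
    print("payloads shared across many sources:", repeated_payloads(ev))
```

The per-IP list catches only the single noisy client, because each of the 50 scattered sources stays under the rate limit, while the payload fingerprint groups them together. Either check only helps at a point where the traffic can still be inspected, which is upstream of the link once that link is saturated.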

FurryJackman

#4
Yup, it's happening again. FA went behind Cloudflare and both FA and Weasyl are having trouble being up and down. Both aren't faring as well to this latest DDoS.

Edit: Oh wait, they had DDoS protection off for a few hours? Latest update is that it's on now. FA had slowdowns after activating the protection but it's likely all fine for now.

FurryJackman

#5
Talking in brief about FA and their woes, looks like (according to a rumor MaxCoyote heard) FA is now blackmarked by Black Hats/Script Kiddies. Expect DDoSes to increase in frequency.

https://twitter.com/maxyote/status/548397485203259392

But FA just upgraded to "business level" protection, so not sure if that'll help at all.

Now to the recent Steam DDoS, which didn't affect any of their web interfaces, if you weren't using Steam's internal WebKit browser.

See, another "squad" has claimed responsibility for a DDoS on Steam's WebKit Browser's URL verifying service. How do you anti-DDoS something like that where everyone has to pass URL and possible predictive page data (like Chrome sometimes does) anyways? They actually slowed that service to a crawl and prevented the Steam in-game Overlay web browser from going to any website.

In the meanwhile, if you tried to browse the Steam Store via any of the other browsers instead of Steam's own, it was 100% fine.

Begs the question, if you're going to do this, why not just use Chrome's data compression/verification systems in Steam's WebKit browser? They had to utilize Valve's own service for that, and that got DDoSed.