Comment by kachapopopow

1 day ago

we were getting hit with attacks like this daily at some point and were forced to use cloudflare magic transit it's pretty random and you shouldn't read too deep into it as nearly every anti-ddos solution, host and isp has been hit with this botnet by now.

7 comments

kachapopopow

Reply
estearum  1 day ago

but why? For fun?

  • toast0  1 day ago

    I used to run servers for a very popular service. I'm 99% sure people DDoSed our www for lolz and also to kick the tires on DDoS as a service vendors. We would get DDoS on a pretty regular basis, for exactly 90 seconds, +/- a few nodes that had bad clock sync and were 2 seconds off; which was exactly what you get from a free trial at DDoS as a service. I feel like we got a ransom request like once; but I can't remember if it actually corresponded to an attack, if it did, I don't think it was consequential.

    Thankfully, it was almost always targetted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of udp reflection or tcp syn floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.

    [1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.

  • Fabricio20  20 hours ago

    As someone on the receiving end of these, I've yet to receive any explanation. Every other week we see the most basic of attacks against our infrastructure (http floods - GET / - for example), with no specific goal in mind and we never received any threats. I can only assume it's some disgruntled user or maybe a competitor, but it could also just be stray bullets. I don't know who used these IPs before us, though it's been several years we've owned them. Who knows.

  • kachapopopow  1 day ago

    yep, there's no consistency to their actions - basically hit a target and keep it down for as long as possible causing heavy business loss. to my knowledge none of the target servers have ever received a ransom request.