[HN Gopher] Law enforcement takes down 'DDoS-for-Hire' sites in ...
___________________________________________________________________
Law enforcement takes down 'DDoS-for-Hire' sites in Operation
PowerOFF
Author : LinuxBender
Score : 18 points
Date : 2024-12-14 23:06 UTC (2 days ago)
| musicale wrote:
| I am still puzzled as to why we don't do a better job at DDoS
| mitigation in 2024.
|
| For example, it is surprising to me that it still seems to be
| difficult or impossible to deploy IP source address validation
| (although the situation may be improving). And there seems to be
| no easy way for UDP flood victims to ask (or pay) their ISPs to
| block UDP packets? (Most web-based services don't need random UDP
| packets from the internet. DNS and NTP can use TLS, etc.) Why are
| exploitable reflection-amplification vectors still in wide use?
|
| There do seem to be bad incentives for companies like Cloudflare
| which sell DDoS "protection" services.
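The "IP source address validation" the comment above refers to is ingress filtering (BCP 38 / strict uRPF): an edge router only accepts a packet from a customer-facing interface if the packet's source address belongs to a prefix that is actually routed back out that interface. Spoofed packets, which are what make reflection-amplification attacks work, fail that check and are dropped before they ever reach a reflector. The following is an added illustration written for this page, not code from the thread or from any vendor; the route table, interface names and packets are constructed (RFC 5737 documentation addresses), and the logic is a simulation of the check rather than a router configuration.

```python
"""Simulation of strict source address validation (BCP 38 / strict uRPF) at a network edge.

Added example: the interface names, prefixes and packets below are constructed
for illustration and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # customer-facing interface the packet arrived on
    src: str             # claimed source IP address
    dst: str             # destination IP address
    proto: str
    dst_port: int


# Constructed edge-router table: the prefixes legitimately reachable through
# each customer-facing interface (i.e. the addresses assigned to that customer).
ROUTE_TABLE = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def source_address_valid(pkt, table=ROUTE_TABLE):
    """Strict uRPF check: accept only if the source address would be routed
    back out the same interface the packet came in on. Unknown interfaces
    fail closed."""
    prefixes = table.get(pkt.ingress_iface)
    if prefixes is None:
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def filter_ingress(packets, table=ROUTE_TABLE):
    """Split packets into those the edge forwards and those it drops as spoofed."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_address_valid(pkt, table) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic. 192.0.2.0/24 plays the role of a third-party
# network hosting a DNS resolver (.53), an NTP server (.123) and a victim (.10).
SAMPLE_PACKETS = [
    # Legitimate DNS query from cust-a's own address space.
    Packet("cust-a", "203.0.113.7", "192.0.2.53", "udp", 53),
    # Spoofed: the claimed source is the victim's address, so any reply from the
    # resolver would be reflected at 192.0.2.10 instead of the sender.
    Packet("cust-a", "192.0.2.10", "192.0.2.53", "udp", 53),
    # Legitimate NTP query from cust-b.
    Packet("cust-b", "198.51.100.9", "192.0.2.123", "udp", 123),
    # Outside cust-b's /25 (which covers .0 to .127): treated as spoofed.
    Packet("cust-b", "198.51.100.200", "192.0.2.123", "udp", 123),
]


def summarize(packets=SAMPLE_PACKETS, table=ROUTE_TABLE):
    """Return (accepted_count, dropped_count) for a batch of packets."""
    accepted, dropped = filter_ingress(packets, table)
    return len(accepted), len(dropped)


if __name__ == "__main__":
    accepted, dropped = filter_ingress(SAMPLE_PACKETS)
    for pkt in accepted:
        print(f"forward  {pkt.ingress_iface} src={pkt.src} -> {pkt.dst}:{pkt.dst_port}")
    for pkt in dropped:
        print(f"drop     {pkt.ingress_iface} src={pkt.src} (not in interface prefixes)")
```

The check is deliberately strict: it never needs to know anything about the reflector or the victim, only which prefixes belong behind each customer port. That is also why deployment is an operator-by-operator effort rather than something a victim can switch on, which is the gap the comment is pointing at.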
| duskwuff wrote:
| > Most web-based services don't need random UDP packets from
| the internet.
|
| HTTP3 is UDP-based. If you're running a modern web service,
| blocking UDP isn't a viable option.
|
| > DNS and NTP can use TLS, etc.
|
| No, they can't. DoH is only used for recursive resolvers (like
| those operated by ISPs); if you want to run an authoritative
| DNS server for your domain, you still need to respond to
| queries on UDP port 53. NTS (RFC 8915) still uses UDP for time
| synchronization packets; only the initial key exchange is over
| TCP.
| musicale wrote:
| Good points; however, 1) many victims are not running http3
| and 2) there are ways of addressing the cases you mention,
| such as dropping unauthenticated TLS traffic, isolating any
| external-facing DNS and NTP servers (and probably with
| whitelisting/sandboxing/time-windowing), etc. (I'm also not a
| fan of abusing DNS for load balancing, but that is another
| discussion.) All of this can be done in hardware at line
| rate. And source address validation is going to help as well.
|
| I'd be interested in your ideas as to the best steps forward
| for improving the DDoS situation, if you have a reference.
___________________________________________________________________
(page generated 2024-12-17 23:01 UTC)