Although a smaller service, we were in a similar situation a couple of years ago. We assumed it was a competitor because there were no monetary requests, just a massive DDoS via torrents that lasted almost a week. Data center didn't help us in any way... it was crazy. Worst thing is that 90% of customers have no clue what a DDoS is and how hard it is to handle.
I used to know people who performed these types of DDoS attacks.
Usually it was because they were hired to do so by a competitor. Every time they would claim to demand a ransom, although they didn't expect it to be paid. It just made people less suspicious.
A competitor using a DDOS against you seems like a very bad idea. A likely outcome, for a popular service, is that you get free press as a result. The news, combined with the way Bootcamp has handled this, will probably increase their business.
How is the torrent protocol used to DDoS you? I never came across torrents being used as a DDoS. I would appreciate more details on what sort of torrent attack it was, and whether you found any ways of partially neglecting damage.
A malicious tracker, or a peer if using DHT, can claim an IP, the victim, is active in the swarm and has valuable bits of the torrent. Then torrent clients will try to connect to the victim.
The attack is pretty clever: being indirect, it is hard to trace, and because BitTorrent allows arbitrary ports you can hit a specific IP & port pair.
The one downside is the victims can be sure it is a BitTorrent DDoS by checking the attacking connections' requests. The attacker's packets will contain BitTorrent's magic connection bits.
Please confirm my understanding: this would be by inserting yourself into the DHT with an address near/equal to a target high-volume torrent, so that you're frequently queried by clients looking for peers?
If so, I guess it could be possible in some cases to identify the peers who initiated the attack. The non-malicious peers attempting to make BitTorrent connections to your server will provide the infohash of the torrent they think you're downloading, which you might be able to use to find the malicious DHT peer who's directing them.
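As an added illustration (not code from anyone in this thread), here is how a defender could confirm the "magic connection bits" mentioned above and tally the infohashes that misdirected peers announce, assuming you have captured the first payload bytes of each inbound TCP connection; the sample flows are constructed, not real traffic.

```python
from collections import Counter

# BitTorrent peer-wire handshake layout:
# <pstrlen=19><"BitTorrent protocol"><8 reserved bytes><20-byte info_hash><20-byte peer_id>
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def parse_handshake(payload: bytes):
    """Return (info_hash_hex, peer_id) if payload starts with a BitTorrent handshake, else None."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    info_hash = payload[28:48]
    peer_id = payload[48:68]
    return info_hash.hex(), peer_id


def summarize_connections(flows):
    """flows: iterable of (source_ip, first_payload_bytes).

    Counts BitTorrent handshakes per infohash (which torrent the peers think you hold)
    and per source, and how many connections were not BitTorrent at all."""
    by_hash, by_src, other = Counter(), Counter(), 0
    for src, payload in flows:
        hs = parse_handshake(payload)
        if hs is None:
            other += 1
            continue
        by_hash[hs[0]] += 1
        by_src[src] += 1
    return {"by_infohash": by_hash, "by_source": by_src, "non_bittorrent": other}


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Helper to build constructed sample handshakes for testing."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed sample: first bytes seen on four inbound connections (documentation IP ranges).
SAMPLE_FLOWS = [
    ("203.0.113.10", make_handshake(b"\xaa" * 20, b"-TR2940-000000000001")),
    ("203.0.113.11", make_handshake(b"\xaa" * 20, b"-UT3550-000000000002")),
    ("198.51.100.7", make_handshake(b"\xbb" * 20, b"-DE2000-000000000003")),
    ("198.51.100.8", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    print(summarize_connections(SAMPLE_FLOWS))
```

Matching on the handshake this way requires looking into the payload of every connection, which is the deep packet inspection cost other commenters mention; on a busy edge you would push the same check into a DPI appliance or a kernel-level filter rather than userland Python.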
At first I thought you were suggesting that it's possible for malicious peers to insert invalid IP/port pairs into non-malicious DHT nodes, which I don't believe is possible. (The mainline DHT protocol [1] requires that peers provide a "token" value, previously sent to their IP address, to verify themselves when being listed for a torrent.)
It sounds like you have a better understanding of DHT than me, and it sounds like DHT isn't vulnerable like a traditional tracker. My knowledge of the attack method is limited to what I read in a research paper 2 years back.
Yes. Very much harder. One can be done at line rate on any halfway decent router, and the other requires deep packet inspection which is considerably more expensive.
In theory yes, but it requires deep packet inspection to catch before it hits the server. Such equipment is expensive per GB/s and not something you'd have access to by accident.
Unfortunately I don't have the technical details; we weren't 100% sure, but it seems there's a way to exploit BitTorrent by misdirecting clients to send their traffic toward any host.
We ended up blocking ranges of IPs, but at a point you end up cutting a lot of legitimate traffic as well (but I really lack the technical expertise to go more into depth on this).
I think that is what's great about how 37signals is handling this. I am sure a large portion of their client base is not technically inclined, and having DDoS explained in plain English like they did gives those customers an understanding of what is happening.
That's what I was trying to say. We did something very similar, but you still end up with a portion of your user base that will blame you for not being able to handle it. (And they are in part right, but due to the nature of the attack sometimes it's very complicated to handle it or costs a lot of money, something the same customers wouldn't want to pay extra for :)
"Worst thing is that 90% of customers have no clue what a DDoS is and how hard it is to handle."
OTOH that's where the opportunity is. The fact that "customers have no clue". People pay you for something that they can't do themselves or that you make easier for them to do.
There's an opportunity if you're Cloudflare or a similar service, not a time tracking and PM app. Most users will end up blaming you because you're not prepared enough, etc.
Pardon the off-topic reply, but I'd like to connect with you. In the breadbox article the other day, you mentioned there's an opportunity to compete with GrubHub on price. Check out forkable.com. You can reach me at joe at forkable dot com.