8 comments

[ 3.0 ms ] story [ 12.4 ms ] thread
Are all those infected machines, that create the DDoS attack, tracked and labeled? I.e. is their cover now blown? Or do they live on to attack another day?
I'd be surprised if all 5,000+ devices were shutdown. Maybe if there were 5 devices...
Most of these attacks are reflection attacks, meaning they are just exploring normal protocol behaviors. Meaning these machines, are not necessarily infected but are just innocent participants in the attack.

For example somebody has a Memcached instance running on a public machine and does not realize they have UDP ports on 11211.

"Memcrashed - Major amplification attacks from UDP port 11211": https://blog.cloudflare.com/memcrashed-major-amplification-a...

Incompetent participants, but non notwithstanding still innocent.

The attack discussed in the blog post was an HTTP attack, so reflection and amplification were not involved. The attacking machines are most likely infected, and can be labeled and tracked.
Oops..for this instance yes, you are correct.
Why would anyone DDoS a website insignificant enough to be using a free CF plan?
i do this too, Why ? 1. Developing myself to keep the backend server alive. 2. To determine who has what power in the groups I am in. 3. How exactly does cloudflare behave in the face of this power, to analyze its technical infrastructure. If you are in the IT industry and e-commerce business, the technical software infrastructure of your website should always be ready for this, if you want to live on the Internet.
(comment deleted)