So many threads, so many clueless individuals. I'm here to help! I'll try to answer any questions I can without diving into too much detail. If any of this interests you, I would strongly suggest furthering your knowledge in the field of NETWORKING as there is a LARGE demand for qualified individuals. All it takes is an interest and a desire to learn. Industry leading certifications are obtainable with self-study and provide you with HIGH PAYING JOBS PEOPLE! (WORLDWIDE)
I'll start with this: THIS IS NOT BLIZZARD BEHIND THIS ATTACK.
Kronos uses Bredband2 as its upstream provider. I'll make a reference to them in my explanation.
I believe Kronos has been the victim of an Amplified DNS DDoS attack, in fact I'm damn near certain.
I do not believe this was carried out by a Botnet.
I do believe this was done by Chinese players who were recently the victims of a ban wave.
The reason they are doing this? It has greatly affected their business/bottom dollar. They are hoping to destroy the server's population or obtain a reversal of the bans/be able to continue on with their lucrative business. Chinese in general are quite knowledgeable when it comes to circumventing/infiltrating networks. Let me explain before you all jump on the "RACIST" bandwagon. China's government owns the internet and has created a lot of restrictions/censorship that it enforces (tries to) on its citizens. As a result of China being a socialist one-party state, they want total control. When faced with limits or walls, one simply may give up or may learn ways to circumvent said limitations. This has put a large number of individuals in China at an advantage when it comes to general knowledge of the Internet, more specifically, how it works. It's human nature to want what we can't have. They are forced to learn more about said technology to obtain what's being restricted or taken from them. Now that that is out of the way, onto the explanation.
Oh, one more thing, this same situation happened to Nostalrius - but it amounted to a much different outcome.
Anyway..
Without going into too much detail, in a L3/L4 DNS Amplified DDoS attack (using a Botnet) the victims (zombies), without knowing, are sending a UDP (connectionless) request (small in size, 64-byte query) to a misconfigured DNS recursor(s) (Botnet owner's choice) against a website, like.. isc.org. This specific site is commonly used in said attack due to the large DNS response one would receive from a single query.. 3,363 bytes give or take. This amounts to an amplification factor of x47ish. The source address is "Spoofed" in these packets to that of the target and on a misconfigured network, one which would allow spoofing (again not going to go into too much detail here), said packet would pass through the edge router, unsuspectingly, without issue. The responses to those requests are then flooded to that target, not the initiators. Once they hit the edge router of the provider, they typically begin creating a bottleneck, which in turn brings down the network or causes SIGNIFICANT delay/latency. This affects a lot more than just this one customer that is being targeted. This pushes the provider to shut down the connection/remove the routes to the targeted address. With some basic knowledge of scripting, a single person could cause a 70-80Gbps spike fairly easily, 300Gbps with some advanced knowledge. These (70-80Gbps, not 300Gbps) DDoS attacks are GENERALLY easily mitigated (or should be at least) without issue, unless the target does not have proper mitigation in place. I have a feeling, based on my research of Bredband2, that this is what they are dealing with now. Not shitting on them, just saying.. I do not believe they have anything close to what OVH has (Nostalrius' Provider) for mitigation/prevention. The two week window for a solution, given to us from Kronos, would also lead me to believe that the provider is purchasing upgraded hardware to put inline. People asked why Nostalrius didn't deal with this on quite the same level.. short answer being, their provider's infrastructure was much better and certainly well equipped to handle such an attack.
Now with that being said, a DDoS attack of a larger magnitude, say the 300Gbps I mentioned.. This would be rather difficult to mitigate, regardless of hardware that is being utilized inline. CloudFlare prevented an attack of this size on one of their clients a few years ago. The explanation of how can be found not only on their website, but plastered all over the internet. TL;DR/Not detailed answer - They use their vast network to deamplify the attack by spreading it out. The attack does not "blow up" any given resource as it's being chopped up and likely dropped on its way to the destination. Not too many of these attacks (300+Gbps) have surfaced. I do not believe an attack of this size is the culprit. But it is fairly straightforward to carry out.
The provider likely tried playing a game of "switch destinations/reroute traffic" with the servers (servers went up, then shortly after, brought back down) but this is child's play to someone who understands Networking. It got to the point where they couldn't be bothered with it any longer (the provider) as it was disrupting their business and now, it's just down. A mutual understanding of the situation and a solution was likely agreed upon.
Not much detail is being given to us regarding the specifics of the attacks, for good reason. But this is only one form of attack that could cause such a disruption in service.
I do not believe this is any form of Layer 7, DRDoS, Smurf or ACK Reflection (TCP) attack. I really think this is just a simple attack exposing a weakness in the provider's infrastructure. Sadly, these attacks are capable of being executed simply because of poorly configured networks. If all networks were properly configured, these attacks would be near impossible to carry out.
Kronos is updating us as frequently as I would expect them to. This is not in their scope of support to deal with, this issue rests solely in the hands of their provider.
Please forgive any spelling errors/grammar.
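Added example (editor's code, not part of the post above): the two defensive checks the post implies for the DNS amplification scenario, run over constructed flow records. The first is the BCP 38 style egress filter the post says "properly configured networks" would apply (drop packets whose source address is not in the customer's own prefixes); the second is the reflection check a target's operator can run (UDP replies from port 53 that no query from the target ever solicited, and the bytes received per byte of spoofed query they imply). All addresses, prefixes and sizes are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto nbytes")

# Constructed records as seen at the EDGE of a network hosting a spoofing
# machine. The customer is only allowed to originate from 203.0.113.0/24.
EDGE_FLOWS = [
    Flow("203.0.113.10", 40001, "198.51.100.53", 53, "udp", 64),  # genuine
    Flow("192.0.2.7", 1234, "198.51.100.53", 53, "udp", 64),      # spoofed src
    Flow("192.0.2.7", 1234, "198.51.100.54", 53, "udp", 64),      # spoofed src
]

# Constructed records as seen at the TARGET 192.0.2.7: one real query/reply
# pair plus three large replies the target never asked for.
TARGET_FLOWS = [
    Flow("192.0.2.7", 50000, "198.51.100.2", 53, "udp", 64),
    Flow("198.51.100.2", 53, "192.0.2.7", 50000, "udp", 120),
    Flow("198.51.100.53", 53, "192.0.2.7", 1234, "udp", 3363),
    Flow("198.51.100.54", 53, "192.0.2.7", 1234, "udp", 3363),
    Flow("198.51.100.55", 53, "192.0.2.7", 1234, "udp", 3363),
]


def spoofed_egress(flows, customer_prefixes):
    """BCP 38 style check at the customer edge: return packets whose source
    address lies outside every prefix the customer may originate from."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return [f for f in flows
            if not any(ipaddress.ip_address(f.src_ip) in n for n in nets)]


def unsolicited_dns_replies(flows, target, query_bytes=64):
    """Reflection check at the victim: UDP replies from port 53 to `target`
    for which no query left `target` from that (server, port) pair.
    Returns the offending flows and the amplification they imply, i.e.
    reply bytes received per byte of spoofed query (query_bytes each)."""
    sent = {(f.dst_ip, f.src_port) for f in flows
            if f.src_ip == target and f.dst_port == 53 and f.proto == "udp"}
    bad = [f for f in flows
           if f.dst_ip == target and f.src_port == 53 and f.proto == "udp"
           and (f.src_ip, f.dst_port) not in sent]
    total = sum(f.nbytes for f in bad)
    amp = total / (len(bad) * query_bytes) if bad else 0.0
    return bad, amp
```

In practice both checks would be fed from router ACL logs or NetFlow/sFlow exports rather than a hand-built list; the logic is the same.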