> A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.
How is that more complicated than a for-loop?
monster_truck · 2h ago
You can't just spray every port blindly if you are maximally trying to disrupt, there is nuance to it.
lolinder · 1h ago
Right. So why does the fact that they targeted 34,500 ports show it was a well-engineered attack? By itself it's just evidence that they know how to iterate over ports. Coupled with the data size (7.3Tbps) we know they had an enormous botnet. None of this points to a well-engineered attack, it just means that lousy IoT has made botnets incredibly cheap.
A well-engineered attack would not draw headlines for its scale because it would take down its target without breaking any records.
motorest · 1h ago
> A well-engineered attack would not draw headlines for its scale because it would take down its target without breaking any records.
You don't hear much about DDoS that are either comparable in size or bring down targets. How do you explain why this one made the news in spite of not having met your arbitrary and personal bar?
lolinder · 1h ago
Like I said: it broke records for data throughput. It doesn't hurt that Cloudflare has an interest in publicizing the size of the DDoS attacks it fights off.
> in spite of not having met your arbitrary and personal bar?
I'm not sure what you mean by this. I didn't establish any sort of bar for what sorts of DDoS should get headlines, I'm just agreeing with OP that that line in the article doesn't make any sense. There may be other reasons to believe this attack was well-engineered but the article doesn't get into them.
rob_c · 54m ago
> How do you explain why this one made the news in spite of not having met your arbitrary and personal bar?
Is that a serious question or bait?
Either way, are you so broken as to not understand what was just typed?
ukuina · 3h ago
Because it's a distributed for loop?
lolinder · 1h ago
Not necessarily. It could be one for loop running on tens of thousands of compromised IoT devices, with the only thing distributed being the command that starts the loops.
blitq · 3h ago
It’s not :)
ksec · 3h ago
If I don't want my user to have Cloudflare captcha, or for example captcha doesn't work on my Safari 18.5 running on OpenCore Patcher MacBook 2015, what other options have I got?
VladVladikoff · 3h ago
Most websites don’t need DDOS protection.
Many websites use Cloudflare to block basic bot vulnerability scanning. You could block this type of traffic with other methods: JA3/JA4, IP to ASN & ASN filtering, etc.
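An added example, not part of any comment in this thread, sketching the IP-to-ASN lookup and ASN filtering mentioned above: a longest-prefix match over a prefix table followed by a blocklist decision. The prefix table, ASN numbers, blocklist and sample client addresses are constructed (documentation prefixes, private-use ASNs), and the function names are hypothetical.

```python
import ipaddress

# Constructed prefix-to-ASN table (documentation prefixes, private-use ASNs).
# A real deployment would load this from a BGP- or RIR-derived dataset.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64512,
    "198.51.100.0/24": 64513,
    "198.51.100.128/25": 64514,  # more-specific announcement inside the /24
    "2001:db8::/32": 64515,
}
BLOCKED_ASNS = {64514, 64515}  # hypothetical ASNs seen only sending scanner traffic

# Parse once and sort most-specific first, so the first hit is the longest match.
_TABLE = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

def asn_for(ip_text):
    """Return the origin ASN for an address via longest-prefix match, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net, asn in _TABLE:
        if ip.version == net.version and ip in net:
            return asn
    return None

def decide(ip_text):
    """Return 'block', 'allow', or 'unknown' (address not covered by the table)."""
    try:
        asn = asn_for(ip_text)
    except ValueError:
        return "block"  # unparseable client address: fail closed
    if asn is None:
        return "unknown"
    return "block" if asn in BLOCKED_ASNS else "allow"

# Constructed client addresses, as they might appear in an access log.
SAMPLE_CLIENTS = ["192.0.2.10", "198.51.100.20", "198.51.100.200",
                  "2001:db8::1", "203.0.113.5"]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(client, asn_for(client), decide(client))
```

The more-specific /25 wins over its covering /24, which is why the lookup has to be a longest-prefix match rather than a first-match scan.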
esseph · 1h ago
Your first line is wrong.
While it may not impact your site, it does impact your hosting provider. As their costs go up, your costs go up. Anything on the Internet at this point needs DDoS / scraping protection. It may not drop your service, but your ISP or upstreams may blackhole your route.
The "old web" (current web) was largely based on an open exchange of information.
The "new web", post AI bot scraping, is taking its place. Websites are getting paywalls. Advertising revenue is plummeting. Hosting providers are getting decimated by the massive shift in bandwidth demand and impact to systems scraped by the bots.
nemathod · 3h ago
GRE-Tunnel
VladVladikoff · 3h ago
I’m confused what this would accomplish? Do GRE tunnels drop UDP packets or something?
firebird84 · 2h ago
You make a contract with a company that does layer 3 ddos protection, you advertise a route including their AS on a subset of your prefixes and they route to you over a GRE tunnel.
zzzeek · 2h ago
Don't piss off any nation-states that would want to take your site down, should help
petee · 1h ago
Fwiw, I have a site with nearly zero content or users; randomly it got ddos'd one day, and never happened again. I think the reasons for a ddos can be wide ranging, from just testing, to nation state, to someone is unhappy with your font choice
inetknght · 1h ago
> to someone is unhappy with your font choice
Everyone hates when I set my app's fonts to courier size 8.
datameta · 46m ago
Everyone is wrong or they're fans of courier new specifically
esseph · 1h ago
An 11 year old with a discord account and a stolen credit card can now rent massive capabilities that can take (smaller, limited peered) entire countries offline for brief periods these days.
encom · 31m ago
So this "article" "source" is Cloudflare, claiming Cloudflare blocked some super duper mega attack, but gives zero verifiable detail about any of it.
Now I hate Cloudflare with a passion, but even setting that aside, this is journalistic malpractice - it's basically a sponsored post. I was going to say I expected better from Ars Technica, but their glory days are long gone.
balanc · 3h ago
Doesn’t Cloudflare have every incentive to inflate the bandwidth of the attack they have successfully mitigated?
And yes I know that there are Cloudflare employees here so spare me with your pinky swears.
move-on-by · 2h ago
A couple months ago Brian Krebs, who uses Google’s Project Shield, wrote of a very similar attack. 6.3 terabits, all UDP, less than a minute.
Couldn’t this logic apply to basically every internal metric across every company?
udev4096 · 2h ago
Clownflare is more incentivized to make it look like they are the only ones who can defend against such an attack so they could gather more users for backdooring the majority of internet traffic. I wonder if it would be possible to create a peer-to-peer and decentralized DDoS mitigation service for anyone. All you gotta do is donate some of your bandwidth
perching_aix · 55m ago
Speaking of incentives, what might be the incentives of those referring to them as Clownflare? I sure have to wonder what their biases are, and how fairly they represent the company.
eviks · 2h ago
How does it counter the incentives of all other companies to make it look like they're not the only one???
mlyle · 2h ago
Cloudflare has the biggest scale and is arguably best positioned to soak up massive attacks. Therefore CF may have a unique incentive to make it sound like attacks are larger and there are more really big ones.
eviks · 1h ago
> is arguably best positioned
Lying about the scale of thwarted attacks by others is the counter argument
https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...