Technology Stocks : Mellanox Technologies, Ltd.

From: PaulAquino 1/16/2017 12:52:35 PM
Octave Klaba: "DDoS attacks, it is a war that has no end"

Security: In the last week of September, OVH was targeted by a record DDoS attack; the peak of malicious traffic was recorded at 1 terabit per second. A record traffic volume made possible by an important botnet of connected objects. Decrypting this new threat with Octave Klaba, CTO and founder of OVH.

By Louis Adam | Monday 16 January 2017



Octave Klaba at the OVH Summit 2016 at the Paris Docks

ZDNet - What makes this attack different from other DDoS attacks?

Octave Klaba - On the one hand it is the volume of the attack, which reached 1 Tbps. A week earlier, the attack on Krebs had peaked at 600 Gb/s; we took 1 Tbps. I think this is mainly related to the fact that we have a very good peering network with several third-party operators. So we are able to receive all the malicious traffic without another operator saturating upstream.

The second thing that seemed interesting to us is that in analysis we were able to detect quite particular patterns in traffic frames, we found in particular GRE, similar frames. We were intrigued: at first we found 160 000 IPs, then we saw that it was increasing every day. So we tried to understand what it was, and that's where the cameras were discovered.

Subsequently, it was discovered that these were cameras using the same type of software. These are models that have been marketed as a white label through several different companies and the software used to make them work is always the same.



The object of the crime: cameras, mainly marketed by XiongMai Technologies and presenting failing security.


What were the effects of this attack on you?

On our side, this attack was well received. We just had to block the permanent mitigation service of some customers. We had a little problem with the Spanish customers, because Telefonica did not have enough bandwidth to be able to receive the attack. We were directly connected with them, but the capacity was not sufficient. We are working with them to increase the capacity of the links between us.

The fact that this is a botnet of connected objects, has it changed anything?

Basically no, but I think there is still a change: the number of NPS that participate and the fact that they change regularly. It changes the way we detect it and we protect ourselves. There are a lot of addresses that attack us and it requires all the more resources to analyze the traffic.

It also requires equipment capable of keeping to scale. Today it works, but in the next few years when we are going to pass on orders of magnitude of 3 or 4 Tbps, the equipment that will be deployed will have to be able to collect attacks that can come from 2 million d For example. It is ddddos if one wants, the attack is this time extremely distributed.

Is this type of botnet the next big evolution of DDoS attacks?

It is a war that has no end. There will never be a winner or losers, there will be just battles during which the attackers can sometimes win for 3 minutes, sometimes an hour.

For us, this means that we must always be at the forefront: have enough capacity to receive the DDoS and have a lot of capillarity with the main operators. We have more than 20 or 25 peering points and private exchanges with more than 25 operators. So we have a capillarity towards every place in Europe and in the US that allows us to have excess capacity. It is far from simple to negotiate! Because our interlocutors do not understand: you have 30 Gb/s average throughput and you are asking for 100 Gb/s, people do not always understand why you ask so much.

The solution is to be big. We push on the internet about 3tbs at OVH. That makes it easier to weigh in the negotiations. Second thing: the continuous work on anti-DDoS solutions. We have a dedicated team that works on it, we develop our own solutions. At first we started to use the Tilera and the FPGA and then we used Arbor. But today we chose to leave Arbor to turn to tools developed in-house.

Arbor is a reference, but it costs us dearly and the capabilities are disappointing. So we develop our own system called Armor. So we will be able to get a protection of 5 Tb/s which will cost us much less than if we had used technologies available on the market.

Is that the new VAC you mentioned at the Summit?

The VAC 2 is already in prod in our data center of the Gravelines. It has a capacity of 160GB and is mainly based on FPGAs. We are currently working on the v3, scheduled for the end of the year, based on FPGA 100go and DPDK based on Mellanox 100GB cards. In total, it will give 600 GB per VAC, we plan to deploy 12 different VAC which will give us a total traffic processing capacity of 5 Tb/s.

It is a real investment on our part. We can propose it because we have developed these solutions internally. Okay I have a dozen people working to develop this, it costs us. But it also brings us new opportunities in terms of business.

For example, following this attack in late September, new grounds for attack were beginning to be noticed. In fact, we realized that following these announcements, new customers came to us and brought back with them the DDoS that aimed at them. In the extension of these initial attacks, we received new attacks, but this time around 200/300 Gbps, which is pretty nice. But that allowed us to win new customers.

Do you know who is behind the attack or what were the motivations of the attackers?

We cannot talk about it. We must keep some confidentiality with regard to our clients on this type of attack. Usually we do not even communicate on these subjects.

But I felt obliged to alert on this subject. The idea was to involve specialists and experts to dismantle this type of botnet. It's not our job, I'm not going to hire people to look after that. Our job is to receive the attack and protect ourselves. But when we saw that, we said "Wow, somebody has to look at this!" Because we're okay, we got it. But there are hosts or providers who will just collapse if they take an attack of this magnitude. So it's a call to those who are supposed to take care of that, the authorities or the FBI, so that we can deal with it quickly.