
Today Rostelecom announced that it had repelled an attack by an Internet-of-Things botnet on the five largest Russian banks. The attack was carried out on December 5 using a TCP SYN flood; according to Rostelecom, the peak load was 3.2 million packets per second.
The provider gave no details beyond the fact that part of the traffic was generated by IoT devices, plus some general information about the danger of DDoS attacks and about who has already suffered from the actions of the intruders who run IoT botnets. On the whole, the Rostelecom press release raises more questions than it answers.
First, the company said nothing about the bandwidth of the attack. The figure of 3.2 million packets per second looks impressive, especially since SYN flood attacks are in fact measured in packets per second rather than in bits per second.
During a SYN flood, TCP connection requests are sent from spoofed source IP addresses. The attacked server answers each one with SYN/ACK and allocates a half-open entry in the SYN-RECEIVED state, which, absent any reply from the spoofed peer, is dropped only after the SYN/ACK retransmissions time out (classically 75 seconds in BSD stacks; about 63 seconds on Linux with the default tcp_synack_retries of 5). A SYN segment carries no payload: with the options a Linux client normally sends (MSS, SACK-permitted, timestamps, window scale) it is about 60 bytes at the IP layer, and a bare one is 40 bytes. The 64 KB figure sometimes quoted is the maximum size of an IPv4 datagram, not the size of a SYN. By simple arithmetic, 3.2 million such packets per second is roughly 1.5 Gbit/s (about 190 MB/s) of SYN traffic.
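To see how small a SYN actually is, and what 3.2 million of them per second amount to in bandwidth, the following Python script (added here as an editor's example; it is not code from the original article or from Rostelecom) builds an IPv4/TCP SYN segment byte by byte with the options a Linux client typically sends, verifies both checksums, and computes the bandwidth of a flood of such packets. The addresses and ports are arbitrary documentation values; building the packet in Python is only for measurement, nothing is sent.

```python
import socket
import struct

# TCP options a Linux client normally puts in its SYN (20 bytes):
# MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
LINUX_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"            # MSS = 1460
    + b"\x04\x02"                  # SACK permitted
    + b"\x08\x0a" + b"\x00" * 8    # timestamps (TSval/TSecr placeholders)
    + b"\x01"                      # NOP
    + b"\x03\x03\x07"              # window scale = 7
)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              seq: int, options: bytes = LINUX_SYN_OPTIONS) -> bytes:
    """Return a raw IPv4 packet carrying a TCP SYN with no payload.

    src_ip is whatever the sender chooses: a SYN flood spoofs it, which is
    why the victim's SYN/ACKs go unanswered and the half-open entries linger.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    # sport, dport, seq, ack, data offset, flags (SYN only), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # ver/ihl, tos, total length, id, DF flag, ttl, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify_syn(packet: bytes) -> bool:
    """True if packet is a well-formed IPv4/TCP segment with only SYN set."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6 or checksum(packet[:ihl]) != 0:
        return False
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0 and tcp[13] == 0x02


def flood_bandwidth_bps(pps: int, packet_len: int, frame_overhead: int = 0) -> int:
    """Bits per second for a flood of `pps` packets of `packet_len` bytes.

    frame_overhead adds link-layer bytes per packet (18 for an Ethernet
    header plus FCS) when you want the figure as a link would see it.
    """
    return pps * (packet_len + frame_overhead) * 8


if __name__ == "__main__":
    syn = build_syn("203.0.113.7", "198.51.100.10", 40000, 443, 0x12345678)
    print(len(syn), "bytes per SYN, checksums valid:", verify_syn(syn))
    print(flood_bandwidth_bps(3_200_000, len(syn)) / 1e9, "Gbit/s at 3.2 Mpps")
```

Run stand-alone, the script reports a 60-byte SYN and about 1.5 Gbit/s at 3.2 million packets per second; passing `frame_overhead=18` shows what the same flood looks like on the Ethernet wire.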
At the same time, the Rostelecom press release freely cites attacks on European organizations and institutions with bandwidth of up to 1 Tbit/s (125 GB/s).
The SYN flood has been known for a long time (since the mid-1990s) and has been used by attackers with varying success; the effectiveness of the technique two decades later is doubtful.
The well-known Mirai botnet, which took down the DNS provider Dyn in October of this year (and to which the European attacks cited by Rostelecom are attributed), used a UDP-based attack, a DNS flood also described as DNS retry traffic, rather than a SYN flood.
At the same time, an information security specialist, speaking on condition of anonymity, commented to Habr on the Rostelecom press release and the attack:
After the release of Linux 4.7, two patches came out:
Add SOCK_RCU_FREE socket flag that UDP sockets and TCP listeners can set so that their lookup can use traditional RCU rules, without refcount changes. The UDP stack is instructed to not use SLAB_DESTROY_BY_RCU, in order to speedup rx processing for traffic encapsulated in UDP; performance for a single UDP socket receiving flood traffic from many RX queues/cpus is increased. TCP listeners are changed to use SOCK_RCU_FREE as well to avoid touching sk_refcnt under synflood. Peak performance under SYNFLOOD is increased by ~33%.
Add rate limiting on ACK sent on behalf of SYN_RECV to better resist to SYNFLOOD targeting one or few flows.
They solve the problem of parallel processing of SYN/UDP floods; that is, even for an ordinary Linux server on a modern kernel this poses no problem at all.
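The comment above argues that a modern kernel handles a SYN flood on its own, so the practical follow-up for an operator is to check which kernel a server actually runs and how it is tuned. The following Python script is an added example (editor's code, not from the commenter, the kernel changelogs, or Rostelecom): it parses the kernel release string, reads the SYN-flood-related sysctls, counts half-open connections per local port from `ss -tan` output, and turns those into findings. The `ss` sample is constructed, and the thresholds (1024 for the backlog, half the backlog for half-open connections on one port) are the editor's assumptions rather than kernel rules.

```python
import platform
import re
from collections import Counter
from pathlib import Path

# Kernel series that carries the two changelog entries quoted above
# (SOCK_RCU_FREE for TCP listeners, SYN_RECV ACK rate limiting).
SYNFLOOD_FIX_RELEASE = (4, 7)

# Constructed sample of `ss -tan` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
ESTAB      0      0      10.0.0.5:443        192.0.2.44:53012
SYN-RECV   0      0      10.0.0.5:443        198.51.100.23:51234
SYN-RECV   0      0      10.0.0.5:443        198.51.100.77:40211
SYN-RECV   0      0      10.0.0.5:443        203.0.113.9:61002
SYN-RECV   0      0      10.0.0.5:22         203.0.113.10:61003
"""


def kernel_version(release=None):
    """Return (MAJOR, MINOR) from a release string such as '4.4.0-62-generic'."""
    release = release or platform.release()
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def kernel_has_synflood_fixes(release=None):
    return kernel_version(release) >= SYNFLOOD_FIX_RELEASE


def read_sysctls(base="/proc/sys/net/ipv4"):
    """Read the SYN-flood-related sysctls as integers (missing file -> None)."""
    out = {}
    for name in ("tcp_syncookies", "tcp_max_syn_backlog", "tcp_synack_retries"):
        p = Path(base) / name
        out[name] = int(p.read_text().split()[0]) if p.exists() else None
    return out


def syn_recv_by_port(ss_output):
    """Count half-open (SYN-RECV) sockets per local port in `ss -tan` output."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            counts[fields[3].rsplit(":", 1)[1]] += 1
    return counts


def assess(sysctls, syn_recv, release=None):
    """Return human-readable findings; an empty list means nothing stands out.

    Thresholds are the editor's assumptions, not kernel defaults.
    """
    findings = []
    if not kernel_has_synflood_fixes(release):
        findings.append("kernel older than %d.%d: lacks the listener/SYN_RECV "
                        "improvements quoted above" % SYNFLOOD_FIX_RELEASE)
    if sysctls.get("tcp_syncookies") not in (1, 2):
        findings.append("net.ipv4.tcp_syncookies is off: a full backlog drops new clients")
    backlog = sysctls.get("tcp_max_syn_backlog")
    if backlog is not None and backlog < 1024:
        findings.append("net.ipv4.tcp_max_syn_backlog=%d is small for an "
                        "internet-facing host" % backlog)
    for port, n in sorted(syn_recv.items()):
        if backlog is not None and n >= backlog // 2:
            findings.append("port %s: %d half-open connections against a backlog "
                            "of %d" % (port, n, backlog))
    return findings


if __name__ == "__main__":
    # On a real host replace SAMPLE_SS_OUTPUT with subprocess output of `ss -tan`.
    for f in assess(read_sysctls(), syn_recv_by_port(SAMPLE_SS_OUTPUT)) or ["no findings"]:
        print(f)
```

On a live server the script reads the sysctls from /proc and the kernel release from the running system; feed it real `ss -tan` output instead of the constructed sample to get a current count of half-open connections per port.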
From the above one can conclude that Rostelecom is trying to pass off a contrived victory as a real one and earn “points” in the eyes of corporate clients as a reliable provider.
Why contrived? One of two things: either Rostelecom is engaging in wishful thinking and merely recorded a SYN flood attempt that a Linux server handled without much difficulty or outside help, or the company provides its customers (banks!) with outdated technology, software included. That is why a SYN flood had to be “heroically overcome”, even though the problem was solved at the Linux kernel level six months ago.