Given Elon's hiring preferences there's a strong probability that there's significantly more people at Twitter who know how to perform DDoSes than know how to mitigate them
Comments
To what extent are these skillsets distinct? I've always felt like they (offense vs defense) might be a little more distinct than the CTF folks give credit for.
Knowing how to type an IP address and credit card number into a form is pretty distinct from knowing how to handle identifying and dropping malicious traffic, and the people who can do the latter are paid *way* more
Based on https://bsky.app/profile/doublepulsar.com/post/3lk2ms3dzg22v this is the classic case of fucking up your Cloudflare protection - leave the server that Cloudflare is supposed to be protecting publicly accessible, such that attackers can bypass the Cloudflare protections.
Basically the way Cloudflare works is this: you point your public DNS at Cloudflare's CDN, and when Cloudflare receives a query it forwards it to your *actual* server. If Cloudflare detects an attack they can simply drop the traffic and never forward it to you.
But if your actual server is still directly visible? Attackers can just hit it directly, and Cloudflare can't do anything because the malicious traffic is going nowhere near Cloudflare. How do attackers find the actual server? You scan the internet looking for systems that have the right TLS cert
A server sitting there saying "Hi I serve https://x.com and https://twitter.com" is a KIND OF OBVIOUS TARGET and the whole point of using Cloudflare is you don't have any servers doing that because what are you, stupid or something, or what
But how do you find that server? Well, the easiest way is to just visit https://shodan.io and search for ssl.cert.subject.cn:twitter.com and then just DoS whatever network range has the largest number of them because that's probably their data centre this genuinely isn't magic
But now you have the target, how do you do the DDoS? Uh well that's actually as simple as having a credit card, there's plenty of botnets for hire and if you can't find one just ask the nearest teenager who games too much because they probably know
With the prevalence of SNI this is actually a lot more common by default (ie accidentally) now than it used to be. But even better and almost just as easy is to simply not have it accessible to the public 🤷‍♀️
It's more practical to just drop the traffic if the source is wrong (not via the CDN).
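What "drop the traffic if the source is wrong" looks like at the origin, as an added example that is not code from anyone in this thread: the decision is made on the TCP peer address, never on the Host header or SNI, since (as the next reply points out) a correct hostname in the request says nothing about whether it came through the CDN. The CDN ranges, served hostnames and sample connections below are constructed placeholders; a real deployment loads the CDN's published egress list.

```python
import ipaddress
from collections import Counter
from typing import List, Tuple

# Constructed placeholder ranges standing in for the CDN's published egress list.
CDN_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed placeholder hostnames this origin is meant to serve.
SERVED_HOSTS = ("x.com", "twitter.com")


def is_from_cdn(source_ip: str) -> bool:
    """True only if the TCP peer address lies inside a CDN egress range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable peer address: treat as untrusted, never as CDN
    return any(addr in net for net in CDN_RANGES)


def decide(source_ip: str, host_header: str) -> Tuple[str, str]:
    """Allow/drop verdict for a request that reached the origin directly."""
    if not is_from_cdn(source_ip):
        # Dropped regardless of what Host/SNI says: presenting the right
        # hostname is not evidence that the request came via the CDN.
        return ("drop", "peer not in CDN ranges")
    if host_header not in SERVED_HOSTS:
        return ("drop", "unknown host")
    return ("allow", "via CDN")


def client_ip(source_ip: str, forwarded_for: str = "") -> str:
    """Believe X-Forwarded-For only when the peer is the CDN; otherwise a
    direct client could forge the logged address."""
    if is_from_cdn(source_ip) and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return source_ip


# Constructed sample of connections as the origin sees them:
# (peer address, Host header, X-Forwarded-For header).
SAMPLE = [
    ("198.51.100.7", "x.com", "203.0.113.9"),
    ("198.51.100.8", "twitter.com", "203.0.113.10"),
    ("203.0.113.55", "x.com", ""),                 # direct hit, correct hostname
    ("203.0.113.55", "nonexistent.example", ""),   # direct hit, wrong hostname
    ("2001:db8:100::1", "x.com", "203.0.113.11"),
    ("not-an-ip", "x.com", ""),                    # garbage peer string
]


def triage(records) -> Tuple[Counter, List[str]]:
    """Count verdicts and collect peers that bypassed the CDN, which is the
    detection signal that the origin is exposed."""
    outcome: Counter = Counter()
    direct_peers = set()
    for peer, host, _xff in records:
        verdict, _reason = decide(peer, host)
        outcome[verdict] += 1
        if verdict == "drop" and not is_from_cdn(peer):
            direct_peers.add(peer)
    return outcome, sorted(direct_peers)


if __name__ == "__main__":
    counts, peers = triage(SAMPLE)
    print(dict(counts))
    print("peers that reached the origin without the CDN:", peers)
```

Any non-empty list from triage on real logs means the origin is reachable without the CDN, and the fix is network-level (only CDN ranges allowed to the origin), with this application-level check as a backstop.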
Since it's common to host many domains on one server, if somebody suspects they found the right hosting server they won't be deterred by an incorrect domain name in the reply.
Does not bode well that Elon and his team of sloppy engineers are wandering through governmental systems. Who knows what kinds of security gaps they'll create without even realizing it.
Looking at any web server's logs gives an impression of how often they're all being scanned through.
https://security.stackexchange.com/a/107918