Feeds

BIGGEST DDoS in history FAILS to slash interweb arteries

Bombardment without collateral damage - amazing

SANS - Survey on application security programs

Analysis The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn't actually break the internet's backbone, contrary to many early reports.

The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz hired by the spammer-tracking outfit to keep its systems online, at 90Gbps. After failing to knock the organisation offline, the attackers targeted CloudFlare's upstream ISPs as well as portions of the networks at internet traffic exchanges in London and Amsterdam.

The volume of this second-wave attack, which began on on 22 March, hit 300Gbps, an unnamed tier-1 service provider apparently told CloudFlare.

By far the largest source of attack traffic against Spamhaus came from DNS reflection, which exploits well-meaning, public-facing DNS servers to flood a selected target with network traffic - this is opposed to the usual tactic of using a huge botnet army of compromised computers.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server; the request is crafted to appear as though it originated from the IP addresses of the victim. The server then responds to the request but sends the wad of data to the victim. The attackers' requests are only a fraction of the size of the responses, meaning the attacker can effectively amplify his or her attack by a factor of 100 from the volume of bandwidth they control.

CloudFlare reckons there were 30,000 DNS servers involved in the attack against Spamhaus, which might have been launched from only a small botnet or cluster of virtual servers. The attack against Spamhaus and CloudFlare proved there is a serious design flaw in the underpinnings of the internet, one that security experts such as Team Cymru and others have been warning about for years - although the use of DNS servers in DDoS attacks is rare, Rob Horton from NCC Group told El Reg.

The open DNS server problem is both a huge and under-reported issue involving 21.7 MILLION DNS resolvers that can be abused to launch equally ferocious attacks in future.

But the good news is that fixing the problem only requires small changes in configuration files that take only minutes. Everybody El Reg has spoken to agrees there's a problem with open DNS servers with some even suggesting the easily abused resource may replace botnets as a launchpad for DDoS attacks.

Joakim Sundberg, security solutions architect at security appliance maker F5, commented:

The Spamhaus attack is a demonstration of the kind of DDoS attack I have been expecting for some time: DNS Reflection. DNS Reflection attacks will play a more prominent role in DDoS attacks in the future.

The major driver for this kind of attack is the decreasing number of bots available for rent, with the authorities more effectively cracking down on major botnets. With a lower number of bots now available, hacktivists and other cyber criminals are finding new ways in which to amplify their attacks.

However there's deep disagreement about to what extent, if any, the DNS reflection attack thrown against Spamhaus and CloudFlare affected the internet more generally.

CloudFlare's take of The DDoS That Almost Broke the Internet can be found in a blog post that the states the attacks against it and Spamhus eventually spilled over to knacker internet connections across Europe:

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Even the websites of large corporations or hosting providers would be swept away by an attack of this intensity, judging by CloudFlare's rhetoric. However, this 300Gbps of traffic amounts to heavy congestion on a slip road that didn't hold up the main flow of traffic across the interwebs.

We understand a massive dip in a graph of traffic flowing through the London Internet Exchange (LINX) on 23 March, a graphic included in CloudFlare's blog post, is due to a data-plotting glitch and NOT due to the effects of the attack.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.