Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."

"The repercussions of which could be a threat as it means criminals no longer need large botnets to take smaller organisations offline."
"While DDoS attacks will always be a threat, open resolvers make it easier than ever to disrupt services .... "

Laurence, you are implying here that this is a new attack vector (I understand your statement like this). It definitely isn't.
- "a known problem at least 10 years old."
The number of Open DNS resolvers that can be used in a DNS amplification attack is actually in decline.

"I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards"

This isn't going to happen anytime soon. Adding such checks in the current infrastructure would reduce the capacity of backbones by a few levels of magnitude. "Backbone routers" are optimized to route tons of traffic, but only blindly. Adding checks would cripple their routing capacity.
Such checks (anti-spoofing measures) can only be implemented at the "outskirts" of the Internet, not in its core. Admins of small networks are responsible for such security measures, but since such attacks use their infrastructure without damaging it much, there is little incentive to do it.

Reply Parent Score: 2
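The "route backwards" check the commenters are debating is strict unicast reverse-path forwarding (the BCP38 ingress filter an edge network can apply). The following is an added example, not code from the thread or from any router vendor: a toy edge router with a hypothetical routing table (interface names and addresses are constructed) that drops packets whose source address is not reachable via the interface they arrived on. The default route towards "upstream" illustrates the point made above that such a check only has teeth at the edge: on the upstream side every source matches, so nothing is filtered there.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table of a small edge router (hypothetical names):
# prefix -> interface used to reach that prefix.
ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "cust1",      # customer network behind interface cust1
    "198.51.100.0/24": "cust2",   # second customer network behind cust2
    "0.0.0.0/0": "upstream",      # default route towards the Internet core
}

def lookup_egress(dst: str) -> Optional[str]:
    """Longest-prefix match: which interface would this router use to reach dst?"""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_accept(src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the route back to src leaves via the
    interface the packet arrived on; otherwise the source is spoofed (or the
    routing is asymmetric, which is why this belongs at the edge, not the core)."""
    return lookup_egress(src) == ingress

def filter_packets(packets: List[Tuple[str, str]]):
    """Split (source, ingress interface) pairs into accepted and dropped."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if strict_urpf_accept(src, ingress) else dropped).append((src, ingress))
    return accepted, dropped

if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    sample = [
        ("192.0.2.10", "cust1"),      # legitimate: source lives behind cust1
        ("203.0.113.5", "cust1"),     # spoofed: cust1 host claiming an outside address
        ("198.51.100.7", "cust1"),    # spoofed: cust1 host claiming cust2's address
        ("203.0.113.5", "upstream"),  # from the core: default route matches, accepted
    ]
    ok, bad = filter_packets(sample)
    print("accepted:", ok)
    print("dropped:", bad)
```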