Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Permalink for comment 557018
To read all comments associated with this story, please click here.
Soulbender
Member since:
2005-08-18

They apply egress filtering to make sure their customers don't sent out source IPs that are external to their network.


And that's the only thing you need to do in order to prevent spoofing from your clients. Very simple, very effective.


But it's very unlikely that they apply ingress filtering that discriminates IPs from various peer interfaces since that would break alot of internet traffic.


Not really. It's quite possible to filter without breaking the internet traffic but it does require some work. You will always know what prefixes your peers announce so you can set things up to only ever accept packets with an IP in those prefixes from a peer.

ISPs cannot do anything to detect spoofing outside of their network, which is part of the problem.


True but there's no scalable and feasible solution for this. Tracking this would create a massive overhead and for what? Just because some people can't do their jobs?

Once you read my other response, it should clarify that it is a DNS problem


No, it isn't. It's a problem combined of misconfigured DNS servers and ISP's not doing filtering on their customers. DNS itself is just doing what it was supposed to do. The advantage of UDP over TCP (or other connection-oriented protocols) is that it scales much, much better. The downside to this is that it does expect ISP's not being schmucks.

Reply Parent Score: 3