Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 556905
To read all comments associated with this story, please click here.
far from bringing down the net.
by puidelup on Thu 28th Mar 2013 08:27 UTC
puidelup
Member since:
2013-03-19

The only thing that this attack could really bring down is the spam protection of organizations that rely on spamhaus (excellent) DNS blacklists. And that's precisely what the crooks behind this are after - taking the spam protection down that bites into their spammer revenue streams.

It's a war between spammers and spam protection services, (and cloudfare, who are a DDOS protection firm). A spectacular one, nonetheless, with possible implications for many of us (who doesn't hate spam?) but the internet as we know it is *not* in danger.

Take care!

Reply Score: 5

Laurence Member since:
2007-03-26

You're both correct and wrong.

This attack wasn't intended to bring down the net; just Cloudflare (and it didn't even succeed at that either).

However what this attack does highlight is the seriousness of unprotected open DNS resolvers, which were the servers exploited to generate the ~300Gb/s DDoS traffic. The repercussions of which could be a threat as it means criminals no longer need large botnets to take smaller organisations offline. All they need now is a modest amount of bandwidth to flood poorly configured DNS servers with forged UDP packets that are then multiplied up at the name servers by a factor of 10.

While DDoS attacks will always be a threat, open resolvers make it easier than ever to disrupt services and this latest story is basically a massive advert to anyone considering a denial of service attack.

I just hope the seriousness of this is taken on board and action is taken to mitigate the effectiveness of this attack (there's a few different approaches to this, one of them being to patch the name servers themselves, but personally I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards - thus effectively checking if the sender matches what the UDP packet describes).

Apologies about the crude explanation. I'm not a networking expert (though there is overlap between that an my field in IT) so that last part I'm having to trust online sources as being accurate.

Reply Parent Score: 3

ssokolow Member since:
2010-01-21

I just hope the seriousness of this is taken on board and action is taken to mitigate the effectiveness of this attack (there's a few different approaches to this, one of them being to patch the name servers themselves, but personally I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards - thus effectively checking if the sender matches what the UDP packet describes).


That's actually a solution to what both the NYT article and one of the commenters on the CloudFlare blog identified as the real problem... that the 'net is full of routers that perform none of the sanity checks which would block such spoofed packets, regardless of what daemon we discover to be exploitable next week.

I'm no expert either, but your solution sounds more complicated (and, hence, more CPU intensive on the routers) than what they were proposing. It sounded like they were just proposing plain old source-interface checking so, when the attacker sends a spoofed packet to a DNS server, one of the border routers along the way drops it for arriving on the wrong interface.

Also, I believe it was the CloudFlare commenter who pointed out that this isn't the first attack of this kind. Before spoofed UDP flooding via DNS, there was spoofed SYN flooding.

Reply Parent Score: 2

puidelup Member since:
2013-03-19

"The repercussions of which could be a threat as it means criminals no longer need large botnets to take smaller organisations offline."
"While DDoS attacks will always be a threat, open resolvers make it easier than ever to disrupt services .... "


Laurence, you are implying here that this is a new attack vector (I understand your statement like this). It definitely isn't.
CloudFlare:
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-att...
- "a known problems at least 10 years old."
The number of Open DNS resolvers that can be used in a DNS amplification attack is actually in decline.

"I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards"


This isn't going to happen anytime soon. Adding such checks in the current infrastructure would reduce the capacity of backbones by a few levels of magnitude. "Backbone routers" are optimized to route tons of traffic, but only blindly. Adding checks would cripple their routing capacity.
Such checks (anti spoofing measures) can only be implemented at the "outskirts" of the Internet, not in it's core. Admins of small networks are responsible for such security measures, but since such attacks use their infrastructure without damaging it much, there is little incentive to do it.

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

but personally I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards


This is already done by any competent provider and it is why spoofing is much less common today than it used to be. It's not feasible to do this between "Tier 1" peers though (due to, among other things, asymmetric routing) so it's important that providers closer to the customer does this properly.
This wouldn't solve the problem with DNS amplification attacks though since the source was valid and not spoofed. The only way to effectively stop these attacks is to not have open DNS resolvers.

Reply Parent Score: 2