Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 556924
puidelup Member since:
2013-03-19

"The repercussions of which could be a threat as it means criminals no longer need large botnets to take smaller organisations offline."
"While DDoS attacks will always be a threat, open resolvers make it easier than ever to disrupt services .... "


Laurence, you are implying here that this is a new attack vector (I understand your statement like this). It definitely isn't.
CloudFlare:
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-att...
- "a known problem at least 10 years old."
The number of Open DNS resolvers that can be used in a DNS amplification attack is actually in decline.

"I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards"


This isn't going to happen anytime soon. Adding such checks in the current infrastructure would reduce the capacity of backbones by a few orders of magnitude. "Backbone routers" are optimized to route tons of traffic, but only blindly. Adding checks would cripple their routing capacity.
Such checks (anti-spoofing measures) can only be implemented at the "outskirts" of the Internet, not in its core. Admins of small networks are responsible for such security measures, but since such attacks use their infrastructure without damaging it much, there is little incentive to do it.

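Added example, not from either poster: the "only forward UDP packets if the attached IP address can be routed backwards" check Laurence describes, and that puidelup says belongs at the edge rather than the core, is what router vendors call unicast reverse-path forwarding (uRPF), the mechanism behind BCP 38 source-address filtering. The script below implements both the strict and the loose variant in Python against a constructed routing table; the prefixes, interface names and packets are made up for the demonstration, and the loose variant is written to ignore the default route (a configuration choice, not a requirement).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table for a hypothetical ISP edge router (not from the
# thread): prefix -> interface through which that prefix is reached, i.e. the
# interface a packet *destined* to an address in that prefix would leave on.
ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "upstream0",     # default route toward the core
    "198.51.100.0/24": "cust-a",  # customer A's assigned block
    "203.0.113.0/24": "cust-b",   # customer B's assigned block
}


def lookup(addr: str, routes: Dict[str, str] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface a packet to `addr` would be sent out of."""
    ip = ipaddress.ip_address(addr)
    best_iface, best_len = None, -1
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def urpf_strict(src: str, ingress: str, routes: Dict[str, str] = ROUTES) -> bool:
    """Strict unicast RPF: forward only if the route back to the *source*
    address points out the very interface the packet arrived on."""
    return lookup(src, routes) == ingress


def urpf_loose(src: str, routes: Dict[str, str] = ROUTES) -> bool:
    """Loose unicast RPF: forward if any route other than the default covers
    the source address. Weaker than strict, but usable on asymmetric links."""
    specific = {p: i for p, i in routes.items() if ipaddress.ip_network(p).prefixlen > 0}
    return lookup(src, specific) is not None


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """Return (src, ingress, strict_ok, loose_ok) for each (src, dst, ingress) packet."""
    return [(src, ingress, urpf_strict(src, ingress), urpf_loose(src))
            for src, _dst, ingress in packets]


# Constructed packets: (source IP, destination IP, ingress interface).
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.53", "cust-a"),    # customer A using its own address
    ("203.0.113.9", "192.0.2.53", "cust-a"),     # customer A spoofing customer B's block
    ("192.0.2.50", "192.0.2.53", "cust-a"),      # customer A spoofing an unrelated address
    ("192.0.2.50", "198.51.100.7", "upstream0"),  # same source arriving from the core
]

if __name__ == "__main__":
    for src, ingress, strict_ok, loose_ok in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>15} via {ingress:<9} "
              f"strict={'pass' if strict_ok else 'DROP'} loose={'pass' if loose_ok else 'DROP'}")
```

The last sample packet shows why this is an edge control: on the upstream interface the default route matches every source, so strict uRPF there passes anything, while on a customer port it rejects every address outside that customer's own block.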

Laurence Member since:
2007-03-26


Laurence, you are implying here that this is a new attack vector (I understand your statement like this). It definitely isn't.

It is a new vector of attack in that it's only really been exploited like this in recent years. Or at least I've not been aware of hackers targeting open resolvers for DDoS attacks until recently. So I'm assuming it wasn't a commonly used technique until recently. If you know otherwise then I'll happily accept the correction ;)

I wasn't implying that this is a new vulnerability though, just that this existing vulnerability is getting wider exposure (advertising) so this specific type of exploit is becoming more frequent.


This isn't going to happen anytime soon. Adding such checks in the current infrastructure would reduce the capacity of backbones by a few orders of magnitude. "Backbone routers" are optimized to route tons of traffic, but only blindly. Adding checks would cripple their routing capacity.
Such checks (anti-spoofing measures) can only be implemented at the "outskirts" of the Internet, not in its core. Admins of small networks are responsible for such security measures, but since such attacks use their infrastructure without damaging it much, there is little incentive to do it.

Oh I'm well aware of that. This is why there's a coordinated effort underway to identify vulnerable name servers and work with the hosts to get them patched (i.e. it's the most realistic solution to this immediate concern).

My comment regarding the router checks was what I'd prefer to see; "ideal world" thinking etc. But as that post was quickly becoming my second essay in this thread I decided to cut some detail out for the sake of getting back to work ;)

[edit]
reworded a lot of this as it really wasn't clear what I was trying to say.

Edited 2013-03-28 12:52 UTC

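Added example, not from the thread or from CloudFlare: what "identifying vulnerable name servers" looks like at the packet level. The Python below builds the kind of query an amplifier would send, decodes the reply header to see whether the server answered recursively (RA set, NOERROR, answers present) and reports the amplification as reply bytes over query bytes. Since it must run offline, the replies are constructed stand-ins, not real DNS data; the QTYPE ANY plus EDNS0 4096-byte buffer choice, the example.com name and the probe target are assumptions made here.

```python
import random
import socket
import struct
from typing import Dict, Optional


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format, e.g. b'\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 255, edns_size: int = 4096,
                txid: Optional[int] = None) -> bytes:
    """Build a recursive (RD=1) query. Defaults are an assumption, not from the
    thread: QTYPE 255 (ANY) and an EDNS0 OPT record advertising a 4096-byte
    UDP buffer both push the reply size up, which is what an amplifier wants."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # id, flags (RD set), qdcount, ancount, nscount, arcount (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL 0, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def parse_header(resp: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header; the flags that matter here are QR, TC, RA, RCODE."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "tc": (flags >> 9) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query: bytes, resp: bytes) -> Dict[str, object]:
    """Decide whether the reply came from an open recursive resolver and how
    much it amplified the query (bytes out / bytes in)."""
    h = parse_header(resp)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    open_resolver = bool(h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0)
    return {"open_resolver": open_resolver, "amplification": len(resp) / len(query), **h}


def constructed_reply(query: bytes, flags: int, ancount: int, answer_bytes: int) -> bytes:
    """Constructed stand-in for a resolver's reply (not real DNS data): echo the
    question, set the given flags/ancount and pad the answer section."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = query[12:-11]  # between the header and the 11-byte OPT record
    return header + question + b"\x00" * answer_bytes


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> Dict[str, object]:
    """Send the probe over UDP to a server you administer (hypothetical target;
    needs network access, so it is not exercised offline)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    return assess(q, data)


QUERY = build_query("example.com", txid=0x1234)  # 40 bytes on the wire
# Open recursive resolver: QR|RD|RA, NOERROR, one large answer section.
OPEN_REPLY = constructed_reply(QUERY, 0x8180, ancount=1, answer_bytes=3000)
# Properly closed resolver: QR|RD, RA clear, RCODE 5 (REFUSED), nothing returned.
REFUSED_REPLY = constructed_reply(QUERY, 0x8105, ancount=0, answer_bytes=0)

if __name__ == "__main__":
    for label, r in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        v = assess(QUERY, r)
        print(f"{label}: open_resolver={v['open_resolver']} amplification={v['amplification']:.1f}x")
```

A refusing server answers with under one byte out per byte in, so it is useless to an attacker; the open one returns roughly 75x here, which is the whole point of spoofing the victim's address as the source. Only point `probe()` at resolvers you are responsible for.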

puidelup Member since:
2013-03-19

It is a new vector of attack in that it's only really been exploited like this in recent years.


Well here you might be right.

This is a type of Reflected DDoS (http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F...), of which there are many. They were "all the rage" in the late '90s (smurf attacks, DC attacks anyone?). If specifically DNS amplification attacks are something new, especially on this scale, I don't know. But they're just a variation of the same basic concept.

I've known about DNS amplification attacks for ~3 years, and by quickly googling around I found that in 2006-2007 they were considered new (http://www.theinquirer.net/inquirer/news/1015743/dns-amplification-..., http://securitytnt.com/dns-amplification-attack/). I really thought this was older ;)

So this may be relatively new, but it's yet another form of reflective DDoS.
