Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 556928
Laurence Member since:
2007-03-26


Laurence, you are implying here that this is a new attack vector (I understand your statement like this). It definitely isn't.

It is a new vector in attack in that it's only really been exploited like this in recent years. Or at least I've not been aware of hackers targeting open resolvers for DDoS attacks until recently. So I'm assuming it wasn't a commonly used technique until recently. If you know otherwise then I'll happily accept the correction ;)

I wasn't implying that this is a new vulnerability though, just that this existing vulnerability is getting wider exposure (advertising) so this specific type of exploit is becoming more frequent.


This isn't going to happen anytime soon. Adding such checks in the current infrastructure would reduce the capacity of backbones by a few levels of magnitude. "Backbone routers" are optimized to route tons of traffic, but only blindly. Adding checks would cripple their routing capacity.
Such checks (anti-spoofing measures) can only be implemented at the "outskirts" of the Internet, not in its core. Admins of small networks are responsible for such security measures, but since such attacks use their infrastructure without damaging it much, there is little incentive to do it.

Oh I'm well aware of that. This is why there's a coordinated effort underway to identify vulnerable name servers and work with the hosts to get them patched (ie it's the most realistic solution to this immediate concern).

My comment regarding the router checks was what I'd prefer to see; "ideal world" thinking etc. But as that post was quickly becoming my second essay in this thread I decided to cut some detail out for the sake of getting back to work ;)

[edit]
reworded a lot of this as it really wasn't clear what I was trying to say.

Edited 2013-03-28 12:52 UTC

Reply Parent Score: 2
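The exchange above argues that source-address validation is cheap at the customer edge (where each port carries a handful of known prefixes) and prohibitively expensive in the backbone. The following is an added example, not code from the thread or from any vendor, showing what that edge check (BCP38-style ingress filtering) amounts to: a per-interface prefix table and a lookup that forwards a packet only when its source address belongs to the prefixes assigned to the interface it arrived on. The interface names, prefixes and packets are all constructed sample data.

```python
import ipaddress

# Per-interface table of source prefixes that may legitimately originate on
# that customer-facing edge link. Constructed sample data: the interface names
# and prefixes are hypothetical (documentation ranges only).
EDGE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}


def allowed_source(interface, src, table=EDGE_PREFIXES):
    """Ingress check: True only if src lies inside a prefix assigned to interface.

    The lookup touches a few prefixes per port, which is why this is feasible
    at the edge but not as a full-table check on a core router.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source address: never forward it.
        return False
    return any(addr in net for net in table.get(interface, []))


def filter_packets(packets, table=EDGE_PREFIXES):
    """Split (interface, src, dst) tuples into forwarded and dropped lists.

    Dropped packets are exactly those whose source could not have originated
    on the link they arrived on, i.e. spoofed sources.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if allowed_source(iface, src, table) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets and three that would be
# dropped by the ingress filter.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.17", "192.0.2.53"),      # legitimate
    ("cust-a", "192.0.2.10", "192.0.2.53"),        # source not assigned to cust-a
    ("cust-b", "2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate (IPv6)
    ("cust-b", "203.0.113.17", "192.0.2.53"),      # cust-a's address seen on cust-b
    ("unknown-if", "10.0.0.1", "192.0.2.1"),       # interface with no prefix table
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for pkt in drop:
        print("dropped spoofed/unknown source:", pkt)
```

Running the script forwards the two legitimate packets and drops the other three. The point the thread makes is visible in the data structure: the filter only needs the few prefixes behind one port, so it scales at the access layer but would not as a per-packet check against the full routing table in the core.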

puidelup Member since:
2013-03-19

It is a new vector in attack in that it's only really been exploited like this in recent years.


Well here you might be right.

This is a type of Reflected DDoS (http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F...), of which there are many. They were "all the rage" in the late '90s (smurf attacks, DC attacks anyone?). If specifically DNS amplification attacks are something new, especially on this scale, I don't know. But they're just a variation of the same basic concept.

I've known about DNS amplification attacks for ~3 years, and by quickly googling around I found that in 2006-2007 they were considered new (http://www.theinquirer.net/inquirer/news/1015743/dns-amplification-..., http://securitytnt.com/dns-amplification-attack/). I really thought this was older ;)

so this may be relatively new, but it's yet another form of reflective DDOS

Reply Parent Score: 2

Laurence Member since:
2007-03-26


Well here you might be right.

This is a type of Reflected DDoS (http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F...), of which there are many. They were "all the rage" in the late '90s (smurf attacks, DC attacks anyone?). If specifically DNS amplification attacks are something new, especially on this scale, I don't know. But they're just a variation of the same basic concept.

I'm aware of that. But you're still missing my point that the previous reflective attacks didn't amplify requests by nearly the same ratio as this one does. And that's the crux of the issue. Previously, reflective attacks were largely used for anonymity (with minor amplification being a bonus). Here the reflection is done specifically for amplification where anonymity is a fortunate (for them) side effect.


I've known about DNS amplification attacks for ~3 years, and by quickly googling around I found that in 2006-2007 they were considered new (http://www.theinquirer.net/inquirer/news/1015743/dns-amplification-..., http://securitytnt.com/dns-amplification-attack/). I really thought this was older ;)

so this may be relatively new, but it's yet another form of reflective DDOS

Again, you're arguing points that were never in dispute. I really don't know how many times I have to reiterate that I'm aware the concept is an old one before you move off that moot point. You're like a dog with a bone :p

Reply Parent Score: 2
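Both posters agree the attack is reflection; the disagreement is about the amplification ratio, which Laurence calls the crux. The ratio is also what an open-resolver operator can measure to notice they are being used as a reflector. The following is an added example, not code from the thread, that parses a constructed query log (the line format, client addresses and byte counts are all hypothetical), computes bytes-out over bytes-in per client, and flags clients whose "queries" are tiny while the responses sent back to them are large. Such a client address is typically the spoofed victim rather than a real requester, so the flagged entries are the destinations to rate-limit or truncate.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical, not any real resolver's syntax):
# <timestamp> <query|response> client=<ip> qname=<name> qtype=<type> bytes=<n>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>query|response) client=(?P<client>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\w+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: four small ANY queries with large answers all "from"
# 192.0.2.7, plus one ordinary A lookup from 203.0.113.5.
SAMPLE_LOG = """\
2013-03-27T01:00:00Z query client=192.0.2.7 qname=example.org. qtype=ANY bytes=64
2013-03-27T01:00:00Z response client=192.0.2.7 qname=example.org. qtype=ANY bytes=3200
2013-03-27T01:00:00Z query client=192.0.2.7 qname=example.org. qtype=ANY bytes=64
2013-03-27T01:00:00Z response client=192.0.2.7 qname=example.org. qtype=ANY bytes=3200
2013-03-27T01:00:01Z query client=192.0.2.7 qname=example.org. qtype=ANY bytes=64
2013-03-27T01:00:01Z response client=192.0.2.7 qname=example.org. qtype=ANY bytes=3200
2013-03-27T01:00:01Z query client=192.0.2.7 qname=example.org. qtype=ANY bytes=64
2013-03-27T01:00:01Z response client=192.0.2.7 qname=example.org. qtype=ANY bytes=3200
2013-03-27T01:00:01Z query client=203.0.113.5 qname=www.example.net. qtype=A bytes=50
2013-03-27T01:00:01Z response client=203.0.113.5 qname=www.example.net. qtype=A bytes=120
"""


def parse_log(text):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def amplification_by_client(text):
    """Per client address: query bytes in, response bytes out, and their ratio."""
    stats = defaultdict(lambda: {"q_bytes": 0, "r_bytes": 0, "queries": 0, "any": 0})
    for rec in parse_log(text):
        s = stats[rec["client"]]
        if rec["dir"] == "query":
            s["q_bytes"] += rec["bytes"]
            s["queries"] += 1
            if rec["qtype"] == "ANY":
                s["any"] += 1
        else:
            s["r_bytes"] += rec["bytes"]
    for s in stats.values():
        # A client with responses but no recorded queries gets an infinite ratio.
        s["ratio"] = s["r_bytes"] / s["q_bytes"] if s["q_bytes"] else float("inf")
    return dict(stats)


def flag_reflection_targets(stats, min_ratio=10.0, min_queries=3):
    """Clients whose bytes-out/bytes-in ratio is large enough, with enough
    samples, to look like reflected amplification aimed at that address."""
    return sorted(
        c for c, s in stats.items()
        if s["ratio"] >= min_ratio and s["queries"] >= min_queries
    )


if __name__ == "__main__":
    stats = amplification_by_client(SAMPLE_LOG)
    for client, s in stats.items():
        print(f"{client}: {s['queries']} queries, ratio {s['ratio']:.1f}, ANY={s['any']}")
    print("likely reflection targets:", flag_reflection_targets(stats))
```

On the sample data the ordinary client shows a ratio of 2.4, while 192.0.2.7 shows 50.0 and is the only address flagged. The thresholds are assumptions to tune per resolver: the aim is to separate the "minor amplification as a bonus" ratio of ordinary reflection from the large ratio the thread identifies as the distinguishing feature here, and then apply response rate limiting or TC-bit truncation toward the flagged destination rather than blocking it outright.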