Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
RE: Comment by marcp
by Alfman on Thu 28th Mar 2013 18:48 UTC in reply to "Comment by marcp"
Alfman Member since:
2011-01-28

marcp,

"Please, don't spread the nonsense. It could possibly block some popular sites, but NOT "break" the internet."

Granted the headline was exaggerated and overgeneralized. But DDOS attacks, while boring and uninteresting, are often very effective. Much like an arms race, the side with the most bandwidth will win a denial of service attack. The *only* reason this attack failed is because CloudFlare had enough bandwidth to withstand it. Most DOS victims fall very easily. The internet does not do anything to protect victims from DDOS today.




"How could you even break the internet, when it was designed and created just so it would not break in such situations? de-centralisation and many routes."

The internet was designed to be resilient in the face of outright outages (deliberate or accidental), but it actually doesn't do very much to protect against IP based attacks. Maybe core DNS/BGP attacks would be more interesting to you?


I remember the news surrounding the following incident:

http://www.techrepublic.com/blog/networking/black-hole-routes-the-g...

This was an accident and not an attack, but for all intents and purposes a malicious attack against "the internet" could be achieved the same way. The BGP protocol, which tells all backbone routers where to route IP traffic, is inherently vulnerable to peers lying about IP connectivity. The administrators of such peers have the power to blackhole IPs at will (even those which aren't traversing their networks).

Presumably anyone guilty of doing this will be found out and eventually kicked out from the BGP peering, but it is a strong example of how the backbone internet is fundamentally built on *trust* in order to operate.

Reply Parent Score: 2

RE[2]: Comment by marcp
by Soulbender on Fri 29th Mar 2013 03:35 in reply to "RE: Comment by marcp"
Soulbender Member since:
2005-08-18

"but for all intents and purposes a malicious attack against "the internet" could be achieved the same way."


Sure, but there's no way to be anonymous when you do this.
As soon as other providers figured out who was doing the blackhole routing your little take-over-the-internet plan is toast and trust me, it would not take them long to find you.
This threat is also diminished by the fact that any serious peer will limit the prefixes they will accept from you, usually only accepting the prefixes you've been assigned.

"but it is a strong example of how the backbone internet is fundamentally built on *trust* in order to operate."


Only if by "trust" you mean contracts. You can't just establish a BGP peering with anyone, it requires you to establish a business relationship with those you peer with and unless you're a "Tier 1" player your peers will only accept the prefixes you've been assigned.

Reply Parent Score: 2
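
The per-peer prefix filtering described in the comment above, sketched as an added example (not part of the thread and not any router vendor's configuration syntax). The peer AS numbers, the assigned prefixes, the /24 length limit and the function names are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample data: documentation AS numbers and the RFC 2544
# benchmarking range stand in for real peers and real assignments.
ASSIGNED = {
    64501: ["198.18.0.0/16"],
    64502: ["198.19.0.0/16"],
}
MAX_LEN = 24  # assumed policy: nothing more specific than a /24 is accepted


def check_announcement(peer_as, prefix):
    """Return (accepted, reason) for one prefix announced by peer_as."""
    net = ipaddress.ip_network(prefix, strict=True)
    allowed = [ipaddress.ip_network(p) for p in ASSIGNED.get(peer_as, [])]
    if not allowed:
        return False, "no prefixes on file for this peer"
    if net.prefixlen > MAX_LEN:
        return False, f"more specific than /{MAX_LEN}"
    for block in allowed:
        # Accept the assigned block itself or any subnet of it.
        if net.version == block.version and net.subnet_of(block):
            return True, f"within assigned {block}"
    return False, "prefix is not assigned to this peer"


def filter_updates(updates):
    """Split (peer_as, prefix) announcements into accepted and rejected."""
    accepted, rejected = [], []
    for peer_as, prefix in updates:
        ok, reason = check_announcement(peer_as, prefix)
        (accepted if ok else rejected).append((peer_as, prefix, reason))
    return accepted, rejected


# Constructed announcements from the peer AS64501.
SAMPLE_UPDATES = [
    (64501, "198.18.0.0/16"),   # its own block
    (64501, "198.18.4.0/24"),   # a subnet of its own block
    (64501, "198.18.4.0/25"),   # too specific for the assumed policy
    (64501, "198.19.7.0/24"),   # address space assigned to AS64502
    (64501, "198.16.0.0/12"),   # covering prefix larger than its assignment
]

if __name__ == "__main__":
    good, bad = filter_updates(SAMPLE_UPDATES)
    for row in good:
        print("ACCEPT", *row)
    for row in bad:
        print("REJECT", *row)
```

A peer that applies no such filter would install the announcement for AS64502's address space, which is the blackholing scenario discussed earlier in the thread.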

RE[3]: Comment by marcp
by Alfman on Fri 29th Mar 2013 03:53 in reply to "RE[2]: Comment by marcp"
Alfman Member since:
2011-01-28

Soulbender,

"Sure, but there's no way to be anonymous when you do this. As soon as other providers figured who was doing the blackhole routing your little take-over-the-internet plan is toast and trust me, it would not take them long to find you."

I'd like you to give this deeper thought, more like a hacker. For example, a malicious country could advertise routes that are cheaper than they truly are to get foreign routers to route traffic to them. Once they get the packets, they may be able to complete the circuit to the legitimate destination, but now they have not only the ability to snoop packets, but also to filter them using much more discriminate deep packet filtering and even perform targeted injections. It would be very hard for any single organization to prove BGP routes are being manipulated for nefarious purposes.


"Only if by "trust" you mean contracts. You can't just establish a BGP peering with anyone, it requires you to establish a business relationship with those you peer with and unless you're a "Tier 1" player your peers will only accept the prefixes you've been assigned."

Well, consider real world scenarios where A-B are friends and B-C are friends but A-C are enemies. A can abuse the internet's trust relationship to harm C and vice versa.

Edit: I'm just theorizing here, but if anyone knows of cases where this has actually happened, please jump in! I think subtle BGP manipulations could be achieved without detection, but large changes would give rise to latency and routing bottlenecks such that someone would have to investigate the cause.

Edited 2013-03-29 04:02 UTC

Reply Parent Score: 2