Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
"The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 557010

that the 'net is full of routers that perform none of the sanity checks which would block such spoofed packets, regardless of what daemon we discover to be exploitable next week.

A) This should be done on the customer-facing equipment, not on border routers.
B) Most ISPs already do this. Really.
C) You don't need to spoof the source to make use of open DNS resolvers. That is the crux of the problem, that this attack is created by "valid" packets.

Reply Parent Score: 2

Alfman:

Depending on which article you read, CloudFlare was talking about two types of DDoS attacks.

You are talking about recursive DNS resolvers, which can be done without spoofing. But to be fair, this particular attack WAS based on spoofing the source IP as the victim to get the large DNS responses (rather than the small requests) to eat up their bandwidth. It's how the bandwidth multiplication was achieved.

"The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control."

A non-spoofing recursive DNS attack is possible too, but it's not clear that this could have achieved the amount of bandwidth multiplication they got by spoofing the victim's IP. Let me know if I'm overlooking something.

Reply Parent Score: 3

Soulbender:

Ah, I see. That's disturbing. Spoofing should almost be impossible today but I guess there's no accounting for incompetence.
All the technical means already exist to prevent this from happening yet it does.

Reply Parent Score: 2
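Added example, not part of the thread or of CloudFlare's write-up: a minimal model of the source-address validation on customer-facing equipment that the first commenter describes (the BCP38 idea), applied to constructed packets. The port names, prefixes, addresses and the assumed 3200-byte response size are all made up for illustration; the amplification figure only shows how many bytes the spoofed source would have absorbed had the queries not been dropped at the edge.

```python
from dataclasses import dataclass
import ipaddress

# Constructed: each customer-facing port and the prefixes that customer
# is allowed to source packets from. A real edge device would derive
# this from its routing/assignment data rather than a hard-coded table.
CUSTOMER_PREFIXES = {
    "port1": [ipaddress.ip_network("192.0.2.0/24")],
    "port2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("2001:db8:1::/48")],
}

@dataclass
class Packet:
    port: str    # ingress port the packet arrived on
    src: str     # claimed source address
    dst: str
    dport: int
    size: int    # bytes on the wire

def ingress_allowed(pkt):
    """BCP38-style check: accept a packet only if its source address lies
    within the prefixes assigned to the port it came in on. Unknown ports
    and unparsable addresses fail closed."""
    allowed = CUSTOMER_PREFIXES.get(pkt.port)
    if allowed is None:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return any(src in net for net in allowed)

def filter_packets(packets):
    """Split packets into those forwarded and those dropped at the edge."""
    passed, dropped = [], []
    for p in packets:
        (passed if ingress_allowed(p) else dropped).append(p)
    return passed, dropped

def amplification(dropped, response_size):
    """Ratio of bytes an open resolver would have sent to the spoofed
    source versus the bytes in the dropped DNS queries (0.0 if none)."""
    dns = [p for p in dropped if p.dport == 53]
    query_bytes = sum(p.size for p in dns)
    return (len(dns) * response_size) / query_bytes if query_bytes else 0.0

SAMPLE = [  # constructed traffic; 203.0.113.7 plays the spoofed victim
    Packet("port1", "192.0.2.10", "203.0.113.53", 53, 64),      # legitimate
    Packet("port1", "203.0.113.7", "203.0.113.53", 53, 64),     # spoofed
    Packet("port2", "198.51.100.200", "203.0.113.53", 53, 64),  # outside /25
    Packet("port2", "198.51.100.5", "198.51.100.9", 443, 1200), # legitimate
    Packet("port9", "192.0.2.10", "203.0.113.53", 53, 64),      # unknown port
]
```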