Feeds

back to article BIGGEST DDoS in history FAILS to slash interweb arteries

The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn't actually break the internet's backbone, contrary to many early reports. The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz …

COMMENTS

This topic is closed for new posts.
Silver badge

Well it may not be as bad as first feared but the "pipe" between where I live............

............and the US is currently as slow as treacle. Quite what is really going on currently is not entirely clear.

1
0
Silver badge
Coat

Re: Well it may not be as bad as first feared but the "pipe" between where I live............

Arabs cutting lines with hacksaws, I suppose?

1
0
Mushroom

I'm sure we'll see more of this

I run DNS training courses and have been warning about this type of attack for years, I am surprised it has taken so long for a big attack such as this to come to the fore, unfortunately due to all the publicity, I can't help thinking we will see many of these types of attacks from now on, DNSSEC makes it so much easier to achieve due to the quantity of data now present in signed zones, example here...

http://www.callevanetworks.com/the-biggest-ddos-attack-in-history-all-due-to-dns

Paul

Calleva Networks

1
0
Silver badge
Paris Hilton

Re: I'm sure we'll see more of this

So, why not just disallow zone transfers at the drop of a UDP packet?

I don't see the utility in such an operations, really. It sounds very much an anti-utility operation, because the zone should only be served from the authoritative server in the first place, so no-one has business requesting it.

0
1
Facepalm

Re: I'm sure we'll see more of this

It's got nothing to do with zone transfers, disabling zone transfers doesn't affect the ability of someone to query a DNS server and spoof the source IP address.

1
0
Silver badge

Re: I'm sure we'll see more of this

Well it does, fronty fonzy. If the response is of the same size as the request, guess what - no one cares about the spoofing.

0
3
Silver badge

Re: I'm sure we'll see more of this

All the spoofing in the world won't help attackers much if you simply use the allow-query{} directive in your bond9 config file

in options.conf - allowquery{localnets;}; (add networks which should be making recursive requests to this entry)

For each zone you serve (ie, are authoritative for), add "allow-query{any;};" in the zonefile.

Problem solved - The great unwashed can't use your DNS server as a resolver, EXCEPT for domains you want to make available.

Other DNS servers exist and they all have variants of allow-query. You should also lock down allow-transfer, but that's already been done as part of general security locksdowns, hasn't it?

1
0
FAIL

The Icon says it all

Well

0
2

This post has been deleted by its author

WTF?

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

That sounds like they're saying they've never been sent any spam, not that they've never sent any...

If sending spam isn't against their TOS then I'm not sure I believe them!

3
0

@Stuart Moore

If they mean what they say, they must be unique on the internet. ... Or their definition of spam is the original and they are saying no one has ever sent them a tin of processed meat - which could well be true.

2
0
Silver badge

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

At least we know Comical Ali found employment!

1
0
Silver badge

never have been

I'm guessing this is just someone who got their words garbled. Take out the word "been" and you'll get what was likely the intended meaning:

The only thing we would like to say is that we (including our clients) did not, and never have, sent any spam.

0
1
Silver badge
Joke

Re: @Stuart Moore

So who's up for sending them one tin of meat each?

0
0
Anonymous Coward

How ironic

That Spamhaus got Cloudflare to help them with the DDoS mitigation. Only last year Spamhaus were saying that Cloudflare were harbouring spammers, which ended up in July with Spamhaus putting Cloudflare's entire IP range in their block lists, as 'escalation'.

1
0

Here's How It Should Have Been Done

Ummm.... Who set up their firewall? A failed graduate student?

DNS (as well as UTP) comes in via UDP on port 80. Apache listens to TCP, so none of this traffic appears in its logs. UDP port 80 is also used by hackers to control their bots, so anyone serious about security defends UDP port 80, by filtering its traffic.

We're obviously more serious about security than the guys at CloudFlare, so I'll share some of our firewall rules with them:

block in on e1000g0 proto udp all

pass in on e1000g0 proto udp from OUR.DNS.SERVER1/32

pass in on e1000g0 proto udp from OUR.DNS.SERVER2/32

pass in on e1000g0 proto udp from OUR.DNS.SERVER3/32

etc

0
15
Bronze badge

Re: Here's How It Should Have Been Done

DNS is UDP port 53. I'm not sure trying to act as if you're some sort of networking genius but not taking a few milliseconds to google "DNS port" gives me any faith in your firewall advice.

11
0
FAIL

Re: Here's How It Should Have Been Done

I suspect the Spamhaus and Cloudflare engineers actually have a better grasp of the problem than you.

Just because you firewall the traffic from your servers doesn't actually remove it from the wire... it's still clogging up the pipe, so with the assistance of your ISP you block it off as far up the pipe as you can but at some point if there's enough of it, it's still saturating links.

7
0
Facepalm

Re: Here's How It Should Have Been Done

Unless I'm more confused than normal, the only way an IP packet with a spoofed source address can arrive is if the spoofer's ISP has not implemented RFC 2827 (ingress filtering), which has been best current practice since May 2000, updated by RFC 3704 in 2004. There is simply no excuse for the apparently large number of ISPs that don't do this; they are completely responsible for allowing this kind of DDOS.

5
0
FAIL

Re: Here's How It Should Have Been Done

Sir (I'm making assumptions)

I would suggest that you find a failed graduate student and get him (or her) to read over your submissions before you hit the submit button, your postings may then attract less negativity.

I associate Apace with web servers rather than DNS servers, why are you talking about UDP & port 80?

If you are talking about bots being controlled via port 80 you are commenting on the wrong article, this is pointing out that bots are not necessary for a DDOS

Back to other points

Would an absurd amount traffic hitting your firewall (rejected or otherwise) not cause problems ?

HINT: Yes it will !

Funny enough we see a lot of traffic on UTP and on many other ports and not just on port 80, that's because it's a fucking network cable.

6
0
Devil

Re: Here's How It Should Have Been Done

that's great on your own machines. However, upstream providers still send the data through to it, being paid on the 95th they will happily fill your pipe since trash traffic is still paid traffic. It's why Cloud Flare had to turn off their exchanges. My basic understanding, from living with a netadmin, is you have to black hole the receiving IPs. That has to propagate upstream so eventually all traffic to that IP is simply discarded.

But then it's funny because spamhaus is in it for the money and they will be seriously out a bit now. bw ain't free even in an attack, but maybe they can renegotiate for a bulk rate on the month. I expect they will be back to extorting small and independent ISPs with their delisting fee. Also, I wonder why nobody has put a price tag on the attack?

0
1

This post has been deleted by its author

Big Brother

Re: Here's How It Should Have Been Done

I can't upvote this enough!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ISP's and people related to ISP's PLEASE SPREAD THE GODDAMN WORD ALREADY!!!!!!!!!!

Know this as a FACT beyond speculation that PREPUBESCENT CHILDREN, BASEMENT DWELLING BOFFINS THAT DON'T TAKE SHOWERS, and THIRD WORLD FILTH ARE RUNNING ***YOUR*** NETWORKS A GOOD PERCENTAGE OF THE TIME BECAUSE OF THE CRIMINALLY NEGLIGENT IGNORANCE PRESENT IN YOUR ADMINISTRATIVE DEPARTMENTS!!!!!!!

Little children should not be allowed to command 300 gigabits per second!!!

Please Please PLEASE implement what this good man above me is referring to already!!!!!

0
1
Bronze badge
FAIL

@MarkSitkowski:

Do not ever publish your companies name. Ever. If this is the extent of your knowledge, you will attract many "Unique Visitors" you haven't seen before. The Script kiddies must be licking their chops at the chance to have a go at you...

3
0

Sssh, he is pretending that he has a job that involves networks (it's not real)

0
0
Anonymous Coward

I see bars in their future

Prison bars for the perps.

0
0
Anonymous Coward

so it was merely a coincidence...

it was merely a coincidence that Netflix dropped to low bandwidth delivery and became unresponsive to streaming requests for the wife and I at the time of the barrage?

0
0

I wrote about this on El Reg over 4 years ago!

http://forums.theregister.co.uk/forum/1/2008/08/11/cache_poisoning_threat_remains/#c_291865

0
0
Silver badge

Re: I wrote about this on El Reg over 4 years ago!

Randy Vaughn and Gadi Evron beat you to it by more than two years, and that was on BUGTRAQ, which anyone at all concerned with IT security should be following.

DNS Amplification attacks were already being seen in the wild then. Really, how anyone (such as F5's Joakim Sundberg, quoted in the article) in IT security can claim this is in any way "new" is beyond me. V&E published their study seven years ago, and they refer to sources that "anticipated" the attack from as far back as 1999 - CIAC's J-063 bulletin - so this attack vector has been documented, publicly, by whitehats, for over 13 years. (It's true that in 1999 the maximum amplification factor was smaller, but it was still significant, and lack of ingress filtering and other countermeasures at most sites meant this wasn't much of a mitigating factor.)

2
0
Silver badge

apart from the DDoS

It looks like Cyberbunker/c3rob were playing other games:

https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

Why AS 34109 isn't widely shitholed is a matter of conjecture.

0
0
This topic is closed for new posts.