Well, it may not be as bad as first feared, but the "pipe" between where I live ... and the US is currently as slow as treacle. Quite what is really going on currently is not entirely clear.
The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn't actually break the internet's backbone, contrary to many early reports. The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz …
I run DNS training courses and have been warning about this type of attack for years. I am surprised it has taken so long for a big attack such as this to come to the fore. Unfortunately, due to all the publicity, I can't help thinking we will see many of these types of attacks from now on. DNSSEC makes it so much easier to achieve due to the quantity of data now present in signed zones; example here...
http://www.callevanetworks.com/the-biggest-ddos-attack-in-history-all-due-to-dns
Paul
Calleva Networks
So, why not just disallow zone transfers at the drop of a UDP packet?
I don't see the utility in such an operation, really. It sounds very much like an anti-utility operation, because the zone should only be served from the authoritative server in the first place, so no one has business requesting it.
All the spoofing in the world won't help attackers much if you simply use the allow-query {} directive in your BIND9 config file.
In options.conf: allow-query { localnets; }; (add networks which should be making recursive requests to this entry)
For each zone you serve (i.e., are authoritative for), add allow-query { any; }; in the zone definition.
Problem solved. The great unwashed can't use your DNS server as a resolver, EXCEPT for domains you want to make available.
Other DNS servers exist and they all have variants of allow-query. You should also lock down allow-transfer, but that's already been done as part of general security lockdowns, hasn't it?
The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.
That sounds like they're saying they've never been sent any spam, not that they've never sent any...
If sending spam isn't against their TOS then I'm not sure I believe them!
Ummm.... Who set up their firewall? A failed graduate student?
DNS (as well as UTP) comes in via UDP on port 80. Apache listens to TCP, so none of this traffic appears in its logs. UDP port 80 is also used by hackers to control their bots, so anyone serious about security defends UDP port 80, by filtering its traffic.
We're obviously more serious about security than the guys at CloudFlare, so I'll share some of our firewall rules with them:
block in on e1000g0 proto udp all
pass in on e1000g0 proto udp from OUR.DNS.SERVER1/32
pass in on e1000g0 proto udp from OUR.DNS.SERVER2/32
pass in on e1000g0 proto udp from OUR.DNS.SERVER3/32
etc
I suspect the Spamhaus and Cloudflare engineers actually have a better grasp of the problem than you.
Just because you firewall the traffic from your servers doesn't actually remove it from the wire. It's still clogging up the pipe, so, with the assistance of your ISP, you block it off as far up the pipe as you can, but at some point, if there's enough of it, it's still saturating links.
Unless I'm more confused than normal, the only way an IP packet with a spoofed source address can arrive is if the spoofer's ISP has not implemented RFC 2827 (ingress filtering), which has been best current practice since May 2000, updated by RFC 3704 in 2004. There is simply no excuse for the apparently large number of ISPs that don't do this; they are completely responsible for allowing this kind of DDOS.
I can't upvote this enough!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ISP's and people related to ISP's PLEASE SPREAD THE GODDAMN WORD ALREADY!!!!!!!!!!
Know this as a FACT beyond speculation that PREPUBESCENT CHILDREN, BASEMENT DWELLING BOFFINS THAT DON'T TAKE SHOWERS, and THIRD WORLD FILTH ARE RUNNING ***YOUR*** NETWORKS A GOOD PERCENTAGE OF THE TIME BECAUSE OF THE CRIMINALLY NEGLIGENT IGNORANCE PRESENT IN YOUR ADMINISTRATIVE DEPARTMENTS!!!!!!!
Little children should not be allowed to command 300 gigabits per second!!!
Please Please PLEASE implement what this good man above me is referring to already!!!!!
Sir (I'm making assumptions)
I would suggest that you find a failed graduate student and get him (or her) to read over your submissions before you hit the submit button; your postings may then attract less negativity.
I associate Apache with web servers rather than DNS servers, so why are you talking about UDP and port 80?
If you are talking about bots being controlled via port 80 you are commenting on the wrong article, this is pointing out that bots are not necessary for a DDOS
Back to other points
Would an absurd amount of traffic hitting your firewall (rejected or otherwise) not cause problems?
HINT: Yes it will !
Funny enough we see a lot of traffic on UTP and on many other ports and not just on port 80, that's because it's a fucking network cable.
That's great on your own machines. However, upstream providers still send the data through to it; being paid on the 95th, they will happily fill your pipe, since trash traffic is still paid traffic. It's why CloudFlare had to turn off their exchanges. My basic understanding, from living with a netadmin, is that you have to black-hole the receiving IPs. That has to propagate upstream so that eventually all traffic to that IP is simply discarded.
But then it's funny, because Spamhaus is in it for the money and they will be seriously out a bit now. Bandwidth ain't free even in an attack, but maybe they can renegotiate for a bulk rate on the month. I expect they will be back to extorting small and independent ISPs with their delisting fee. Also, I wonder why nobody has put a price tag on the attack?
Randy Vaughn and Gadi Evron beat you to it by more than two years, and that was on BUGTRAQ, which anyone at all concerned with IT security should be following.
DNS Amplification attacks were already being seen in the wild then. Really, how anyone (such as F5's Joakim Sundberg, quoted in the article) in IT security can claim this is in any way "new" is beyond me. V&E published their study seven years ago, and they refer to sources that "anticipated" the attack from as far back as 1999 - CIAC's J-063 bulletin - so this attack vector has been documented, publicly, by whitehats, for over 13 years. (It's true that in 1999 the maximum amplification factor was smaller, but it was still significant, and lack of ingress filtering and other countermeasures at most sites meant this wasn't much of a mitigating factor.)
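To make the amplification mechanics the last two posts refer to concrete, here is an added example (not code from the thread, from the cited papers, or from any of the parties in the story). It hand-builds the kind of query a reflector is sent, an ANY question with an EDNS0 OPT record advertising a 4096-byte buffer, parses it back, and computes how many bytes reach the victim per byte the attacker spends. The zone name and the response size are constructed; a real signed zone's ANY answer size varies.

```python
"""DNS amplification mechanics on the wire.

Added example, not code from the thread or from Spamhaus/CloudFlare. It
hand-builds an ANY query with and without an EDNS0 OPT record, parses it
back, and computes the amplification factor a reflector can deliver for a
given response size. The zone name and response sizes are made up.
"""
import struct

OPT_TYPE = 41          # EDNS0 pseudo-RR type
QTYPE_ANY = 255
IP_UDP_OVERHEAD = 28   # IPv4 header (20) + UDP header (8), per datagram


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, zero terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_any_query(name, txid=0x1234, edns_bufsize=4096):
    """Query for <name>/ANY; edns_bufsize=None omits the OPT record (classic 512-byte limit)."""
    arcount = 0 if edns_bufsize is None else 1
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, 1)  # QCLASS=IN
    opt = b""
    if arcount:
        # OPT RR: root NAME, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def parse_query(pkt):
    """Extract qname, qtype and the EDNS buffer size (None if no OPT record).

    Queries carry no compression pointers, so a plain label walk suffices."""
    _txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    bufsize = None
    if arcount and pkt[off] == 0:                    # root name => candidate OPT RR
        rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
        if rtype == OPT_TYPE:
            bufsize = rclass
    return {"qname": ".".join(labels) + ".", "qtype": qtype, "edns_bufsize": bufsize}


def amplification(query, response_len):
    """Bytes on the wire sent to the victim per byte the attacker sends.

    The server will not send more than the advertised buffer (512 without EDNS);
    a larger answer is truncated and the victim just gets a short TC=1 reply."""
    bufsize = parse_query(query)["edns_bufsize"] or 512
    delivered = min(response_len, bufsize)
    return (delivered + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


if __name__ == "__main__":
    q_edns = build_any_query("example.com.")           # constructed zone name
    q_plain = build_any_query("example.com.", edns_bufsize=None)
    big_answer = 3800   # constructed size of a large ANY answer from a signed zone
    print(len(q_edns), round(amplification(q_edns, big_answer), 1))
    print(len(q_plain), round(amplification(q_plain, big_answer), 1))
```

The 40-byte EDNS query (68 bytes with IP and UDP headers) pulls back up to 4096 bytes, a factor in the mid-fifties for the constructed 3800-byte answer, whereas the same query without OPT is capped at 512 bytes and yields under 10x. That gap is the practical reason the 1999-era factor was smaller than today's: EDNS0 raised the ceiling, and DNSSEC-signed zones supplied enough data to fill it. Note that the factor is a per-datagram figure; the attacker's real cost is the spoofed query stream, which is why source filtering upstream (the previous example) and not response size is the lever providers control.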