Analysis of Spamhaus vs Cyberbunker
Spamhaus vs Cyberbunker World’s Largest DDoS Attack
B V S Narayana CISSP, CISA
@bvsnarayana03
layer4to7.wordpress.com
Who is Spamhaus
www.spamhaus.org
Who is Cyberbunker
Extract from Wikipedia
Attack Story
• On March 18, 2013, Spamhaus came under attack.
• The attack was volumetric: it saturated their internet links and knocked the site off the internet.
• On March 19, 2013, Spamhaus contacted Cloudflare to protect them against the attack.
• CloudFlare recorded an initial attack volume of 10Gbps.
• Later the attacks were recorded at up to 100Gbps.
• On March 22nd, the attack peaked at around 120Gbps.
• The surge went up to around 300Gbps during the attack's tenure.
Attack Types and Tools
• Large Layer 3 attacks originated from different sources
• Commonly known as DDoS attacks
• Anonymous LOIC is the most commonly used tool for DDoS
• Botnets are also a well known source of DDoS traffic
• Misconfigured or Open DNS Resolvers are another source of attack
• TCP ACK Reflection attack
How they Generate Volumetric traffic
• Tools are a good source but can't generate huge traffic without a widely spanned network of infected PCs or bots
• DNS Reflection attacks are the best source of such traffic
• DNS based attacks are small in queries/requests and relatively large in responses
• If the attacker sent these queries from their own address, they would end up receiving the heavy response traffic themselves
• DNS Reflection instead sends requests with a spoofed source IP, that of the intended victim
• DNS Resolvers send their responses to the intended victim
• The attacker's request is a fraction of the size of the response, so the attacker can amplify the attack many times over
How does DNS Reflection Attack work
• The attacker requests a DNS zone file from Open DNS Resolvers
• The attacker spoofs Spamhaus's IP as the source in their DNS queries
• Open DNS Resolvers respond back to the Spamhaus IP, considering it the source
• DNS queries are approximately 36B long
• The DNS response is approx 3KB in size, thus amplifying the attack by around 100x
• Approx 30,000 unique DNS resolvers were involved in the attack
• Each Open DNS Resolver responds with 2.5Mbps, the results thus aggregating to 750Mbps of traffic
• Peering ISPs and internet exchanges were also targeted to multiply the attack
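As an added example, not part of the original slides, a small Python detector run over constructed flow records: it flags a host that receives large port-53 answers from many distinct servers while sending almost no queries itself, which is the traffic shape the spoofed-source reflection described above produces. The addresses, byte counts and thresholds are assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one UDP flow record, as a NetFlow-style collector would export it
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

# Constructed sample flows; RFC 5737 documentation ranges stand in for real hosts.
# 192.0.2.1 plays the victim; 198.51.100.x and 203.0.113.x play open resolvers.
FLOWS = [
    Flow("198.51.100.10", 53, "192.0.2.1", 53, 3000),  # ~3KB answer the victim never requested
    Flow("198.51.100.11", 53, "192.0.2.1", 53, 3100),
    Flow("198.51.100.12", 53, "192.0.2.1", 53, 2900),
    Flow("203.0.113.5", 53, "192.0.2.1", 53, 3050),
    Flow("192.0.2.50", 40001, "198.51.100.10", 53, 36),   # a normal client's 36B query ...
    Flow("198.51.100.10", 53, "192.0.2.50", 40001, 120),  # ... and its ordinary answer
]

def amplification_factor(query_bytes=36, response_bytes=3000):
    """Bytes delivered to the victim per byte the attacker sends (3000/36 is ~83x)."""
    return response_bytes / query_bytes

def find_reflection_victims(flows, min_resolvers=3, min_ratio=10.0):
    """Return {victim: (distinct_resolvers, response_bytes, ratio)} for hosts that get
    DNS answers (UDP source port 53) from many distinct servers while sending far
    fewer query bytes to port 53 than they receive. Spoofed queries never leave the
    victim, so its outbound query volume is near zero. Thresholds are assumptions."""
    resp_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    query_bytes = defaultdict(int)
    for f in flows:
        if f.sport == 53:  # a DNS answer arriving at f.dst
            resp_bytes[f.dst] += f.nbytes
            resolvers[f.dst].add(f.src)
        if f.dport == 53:  # a DNS question leaving f.src
            query_bytes[f.src] += f.nbytes
    hits = {}
    for victim, total in resp_bytes.items():
        sent = query_bytes[victim]
        ratio = total / sent if sent else float("inf")
        if len(resolvers[victim]) >= min_resolvers and ratio >= min_ratio:
            hits[victim] = (len(resolvers[victim]), total, ratio)
    return hits
```

The ordinary client 192.0.2.50 is not flagged because it talks to a single server and its answer is only a few times larger than its query.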
What are Open DNS Resolvers
• DNS Servers are either ISP specific or they are open
• A user with an ISP1 IP address can only use the ISP1 DNS server to resolve names on the internet
• The ISP2 DNS Server would not respond to queries from ISP1 hosts, and vice versa
• However, users can also use an Open DNS resolver such as 4.2.2.2 or 8.8.8.8, and many more, to eliminate dependency on the ISP DNS
How CloudFlare Mitigated the Attack
• Cloudflare uses Anycast between their 23 global Datacenters
• Anycast advertises the same IP address from all 23 datacenters
• This ensures that requests reach the nearest datacenter
• Thus volumetric traffic is not directed to a single location but is spread across multiple datacenters, reducing the share each one absorbs
• This ensures that no single network/datacenter becomes a bottleneck
• This ensures attacks are relatively small and easily handled
References
http://en.wikipedia.org/wiki/Cyberbunker
http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?_r=0
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack
http://blog.cloudflare.com/good-news-open-dns-resolvers-are-getting-clos
http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
http://openresolverproject.org/
http://bgp.he.net/AS13335#_peers
http://www.spamhaus.org/
http://www.cloudflare.com/
http://en.wikipedia.org/wiki/Tier_1_network