
World's Largest DDoS Attack

Analysis of Spamhaus vs Cyberbunker

Citation preview

Page 1: World's Largest DDoS Attack

Spamhaus vs Cyberbunker World’s Largest DDoS Attack

B V S Narayana CISSP, CISA

@bvsnarayana03

layer4to7.wordpress.com

Page 2

Who is Spamhaus

www.spamhaus.org

Page 3

Who is Cyberbunker

Extract from Wikipedia

Page 4

Attack Story

• On March 18, 2013, Spamhaus came under attack.

• The attack was volumetric: it saturated their Internet links and knocked the site off the Internet.

• On March 19, 2013, Spamhaus contacted CloudFlare to protect them against the attack.

• CloudFlare recorded an initial attack volume of 10Gbps.

• Later the attacks were recorded at up to 100Gbps.

• On March 22nd, the attack peaked at around 120Gbps.

• The surge went up to around 300Gbps during the attack tenure.

Page 5

Attack Types and Tools

• Large Layer 3 attacks originated from different sources

• Basically known as DDoS attacks

• Anonymous' LOIC is the most commonly used tool for DDoS

• Botnet networks are also a well known source of generating DDoS

• Misconfigured or Open DNS Resolvers are another source of attack

• TCP ACK Reflection attack

Page 6

How they Generate Volumetric traffic

• Tools are a good source but can't generate huge traffic without a widely spanned network of infected PCs or bots

• DNS Reflection attacks are the best source of such traffic

• DNS-based attacks are small in queries/requests and relatively large in responses

• If the attacker sent these queries directly, they would receive the heavy response traffic themselves

• DNS Reflection instead sends requests with a spoofed source IP, that of the intended victim

• DNS Resolvers send their responses towards the intended victim

• The attacker's request is a fraction of the size of the response, thus the attacker can amplify the attack many times over

Page 7

How does DNS Reflection Attack work

• The attacker requests a DNS Zone file from Open DNS Resolvers

• The attacker spoofs Spamhaus' IP as the source in their DNS queries

• Open DNS Resolvers respond back to the Spamhaus IP, considering it to be the source

• DNS queries are approximately 36B long

• The DNS response is approx 3KB in size, thus amplifying the attack by 100x

• Approx 30,000 unique DNS resolvers were involved in the attack

• Each Open DNS Resolver responds with 2.5Mbps, aggregating to 750Mbps of traffic

• Attackers also targeted peering ISPs and Internet Exchanges to multiply the attack

Page 8

What are Open DNS Resolvers

• DNS Servers are either ISP-specific or they are open

• A user with an ISP1 IP address can only use the ISP1 DNS server to reach out to the Internet

• The ISP2 DNS Server would not respond to queries from ISP1 hosts, and vice versa

• However, users can also use Open DNS resolvers such as 4.2.2.2 or 8.8.8.8 and many more to eliminate the dependency on the ISP DNS
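The reflection pattern from the previous two pages, seen from the resolver's side: an added Python example (not part of these slides) that reads BIND-style query-log lines, constructed here with documentation-range addresses, and flags source IPs sending repeated recursive ANY queries, the signature of an open resolver being abused as a reflector against a spoofed victim. The 36-byte query and 3KB response sizes are the slides' figures.

```python
import re
from collections import Counter

# Sizes from the slides: a ~36-byte query drawing a ~3 KB response.
QUERY_BYTES = 36
RESPONSE_BYTES = 3000

# Constructed sample lines in the shape of a BIND query log; the addresses are
# documentation ranges, not real hosts. The "+" flag means recursion desired,
# "E" that the query carried an EDNS0 OPT record (needed for UDP responses over 512 bytes).
SAMPLE_LOG = """\
client 203.0.113.10#4521: query: example.net IN ANY +E (192.0.2.53)
client 203.0.113.10#4521: query: example.net IN ANY +E (192.0.2.53)
client 198.51.100.7#33001: query: www.example.org IN A + (192.0.2.53)
client 203.0.113.10#4521: query: example.net IN ANY +E (192.0.2.53)
client 203.0.113.10#4521: query: example.net IN ANY +E (192.0.2.53)
client 198.51.100.8#41002: query: mail.example.org IN MX + (192.0.2.53)
client 203.0.113.10#4521: query: example.net IN ANY +E (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def amplification_factor(query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes delivered to the victim per byte the attacker spends on the query."""
    return response_bytes / query_bytes

def reflection_report(log_text, min_any_queries=3):
    """Map each source IP that sent at least min_any_queries recursive ANY queries
    to (query_count, estimated_bytes_sent_back). On an open resolver, a source
    that keeps asking ANY is more likely the spoofed victim than a real client."""
    any_counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY" and rec["flags"].startswith("+"):
            any_counts[rec["ip"]] += 1
    return {ip: (n, n * RESPONSE_BYTES)
            for ip, n in any_counts.items() if n >= min_any_queries}

if __name__ == "__main__":
    print(f"amplification ~{amplification_factor():.0f}x")
    for ip, (n, sent) in reflection_report(SAMPLE_LOG).items():
        print(f"{ip}: {n} recursive ANY queries, ~{sent} bytes reflected toward it")
```

Sources the report flags are candidates for rate limiting or response-rate limiting on the resolver; the real fix the slides point to is restricting recursion to the ISP's own clients.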

Page 9

How CloudFlare Mitigated the Attack

• CloudFlare uses Anycast between their 23 global datacenters

• Anycast advertises the same IP address from all 23 datacenters

• This ensures that requests reach the nearest datacenter

• Thus volumetric traffic is not directed to a single location but is spread across multiple datacenters, reducing the share each one sees

• This ensures that no single network/datacenter becomes a bottleneck

• This ensures the attack, as seen by each datacenter, is relatively small and easily handled

Page 10

References

http://en.wikipedia.org/wiki/Cyberbunker

http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?_r=0

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

http://blog.cloudflare.com/good-news-open-dns-resolvers-are-getting-clos

http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

http://openresolverproject.org/

http://bgp.he.net/AS13335#_peers

http://www.spamhaus.org/

http://www.cloudflare.com/

http://en.wikipedia.org/wiki/Tier_1_network