Large-scale DNS DDoS attack on Spamhaus
Almost unnoticed by the public, the most aggressive DDoS (Distributed Denial of Service) attack in the history of the internet was carried out last week. At least this is what the New York Times reports, referring to statements made by a high-ranking member of staff at content distribution provider Akamai. The attack targeted the Spamhaus anti-spam organisation.
Apparently, Spamhaus seriously trod on various spammers' toes before the attack. The organisation had added IP address blocks belonging to Cyberbunker, a Dutch hosting service that is considered to be spammer friendly, to its blacklist. As almost 80 per cent of anti-spam filters reportedly consult this blacklist and consequently began to reject mail from Cyberbunker's address space, customers of the hosting service suddenly found that much of their outgoing email was no longer being delivered.
Shortly afterwards, on 19 March, an initially moderate but then greatly intensifying DDoS attack was unleashed on the Spamhaus web servers. According to Akamai, the attack's data stream reached up to 300 Gbit/s at peak times. Only a few hours after the attack began, Spamhaus commissioned security company Cloudflare to mitigate the attack. In a blog post (and a later follow-up post) Cloudflare CEO Matthew Prince describes how the attack progressed and analyses the attackers' techniques.
According to Prince, the majority of the junk traffic was generated using a DNS amplification attack, also known as a DNS reflection attack. This well-known method relies on two things. First, DNS normally runs over UDP, which has no handshake, so the sender of a query can forge any source address it likes. Second, there are huge numbers of "open resolvers" worldwide: DNS servers that answer recursive queries from anyone on the internet rather than only from their own users. The attackers send queries to these open resolvers with the victim's IP address forged as the source, and the resolvers dutifully deliver their responses to the victim. Because the flood arrives from legitimate DNS servers, the victim never sees the attackers' own addresses at all.
In the current case, each query was about 36 bytes long and asked for a record set whose response was around 3,000 bytes (the report describes it as a zone file). The DNS servers therefore amplified every byte the attackers sent into roughly 80 bytes delivered to the victim (3,000 / 36 is about 83). Prince explained that Cloudflare registered at least 30,000 distinct resolvers taking part. At an amplification factor of around 100, the attackers needed only about 750 Mbit/s of outgoing bandwidth to generate an average traffic load of 75 Gbit/s for their victim. Only "a small sized botnet" was therefore needed to knock the Spamhaus web site offline, added Prince.
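As an added illustration of the technique described in the two paragraphs above (example code written for this page; it is not from the article, from Cloudflare or from Akamai), the following Python builds the kind of small DNS query a reflection attack relies on, computes the amplification figures from the article's numbers, and runs a simple reflection check over constructed flow records. The domain name, IP addresses and flow records are made up. The query carries an EDNS0 OPT record advertising a 4,096-byte UDP buffer; the article does not mention EDNS0, but a 3,000-byte response over UDP is only possible when the query advertises a buffer larger than the classic 512-byte limit, so this is an inference, and 4,096 is a common value rather than one the article states.

```python
"""Added example: DNS amplification query, amplification arithmetic and a
reflection detector over constructed flow records. Not from the article."""
import struct
from collections import defaultdict


def build_query(name, qtype=255, udp_payload=4096):
    """Wire-format DNS query for `name` of type `qtype` (255 = ANY, i.e. every
    record of the name) with an EDNS0 OPT record advertising `udp_payload`
    bytes, which is what lets a resolver answer with a response far larger
    than 512 bytes over UDP. The attacker never needs the reply; the point
    is that the resolver sends it to the forged source address."""
    # ID, flags (RD set), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE/flags (0), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def amplification(request_bytes, response_bytes):
    """Bytes a reflector emits toward the victim per byte the attacker sends."""
    return response_bytes / request_bytes


def attacker_bandwidth_mbps(target_gbps, factor):
    """Outgoing spoofed-query bandwidth (Mbit/s) needed so that the reflectors
    deliver `target_gbps` Gbit/s at the victim, given amplification `factor`."""
    return target_gbps * 1000 / factor


# Constructed flow records as a victim's network would see them (not real
# traffic): (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).
FLOWS = [
    ("203.0.113.10", 54321, "198.51.100.5", 53, 40),    # a query the host really sent ...
    ("198.51.100.5", 53, "203.0.113.10", 54321, 700),   # ... and its answer: matches the query
    ("192.0.2.1", 53, "203.0.113.10", 40001, 3000),     # large answers from resolvers that were
    ("192.0.2.2", 53, "203.0.113.10", 40002, 2980),     # never asked: the attacker's forged
    ("192.0.2.3", 53, "203.0.113.10", 40003, 3010),     # queries are invisible from here
    ("192.0.2.4", 53, "203.0.113.10", 40004, 2995),
]


def detect_reflection(flows, min_reflectors=3, min_payload=512):
    """Flag hosts that receive large DNS answers from several resolvers they
    never queried. Legitimate answers pair with an earlier outbound query
    (same client, resolver and client port); reflected ones do not."""
    asked = set()
    for src, sport, dst, dport, _ in flows:
        if dport == 53:
            asked.add((src, dst, sport))
    unsolicited = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, dport, size in flows:
        if sport == 53 and size >= min_payload and (dst, src, dport) not in asked:
            unsolicited[dst]["reflectors"].add(src)
            unsolicited[dst]["bytes"] += size
    return {victim: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
            for victim, v in unsolicited.items()
            if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    q = build_query("example.org")
    print(f"query is {len(q)} bytes on the wire")
    print(f"amplification with the article's figures: {amplification(36, 3000):.1f}x")
    print(f"attacker bandwidth for 75 Gbit/s at 100x: {attacker_bandwidth_mbps(75, 100):.0f} Mbit/s")
    print("suspected reflection victims:", detect_reflection(FLOWS))
```

The detector only works from the victim's side, where the forged queries are never visible, so the one usable signal is answers that match no outbound query. On a real network that pairing is what a stateful firewall does for UDP; the lasting fixes sit elsewhere, namely ingress filtering of spoofed source addresses by ISPs (BCP 38) and closing open resolvers so that they answer only their own clients.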
The Cloudflare executive didn't hesitate to compare the DNS reflection technique to a nuclear bomb: "It’s so easy to cause so much damage," he said, according to the New York Times. Patrick Gilmore from Akamai likened the technique to using a machine gun to spray an entire crowd in order to kill one person. Akamai found that the attack had significant effects on global network loads, added Gilmore. Apparently, web pages were temporarily inaccessible and streaming services such as Netflix suffered noticeable disruptions.