Overhyped Spamhaus DDoS attack based on old flaw

This article was authored by John C. Tanner, and was originally posted on telecomasia.net.

Last week, news broke that the world’s largest DDoS (distributed denial of service) attack in the history had taken place, almost crippling the internet. Only it might not have been quite as large as reports made it out to be. And it was something that could have been stopped by a fix that’s been around for over a decade.

Anti-spam organization Spamhaus found itself subject to a DDoS attack that actually started March 18, but hit unprecedented scale last week when the attackers generated over 300 Gbps worth of traffic, making it the largest such attack ever recorded, according to CloudFlare, which helped mitigate the attack.

CloudFlare billed it as “The DDoS That Almost Broke the Internet”, and numerous media reports described it in similar fashion. The New York Times, for example, said the attack was “causing widespread congestion and jamming crucial infrastructure around the world”.

However, with the Internet essentially failing to collapse or come anywhere close to it for most users, now there’s disagreement over just how “widespread” the impact was. Take this quote from Technology Review:

“Just the production costs of CNN discussing this were probably higher than the damage this thing might have caused,” says Radu Sion, a computer scientist at Stony Brook University.

n open email from Richard Steenbergen, chief technology officer of nLayer Communications (one of the network providers used by CloudFlare) sent to gadget blog Gizmodo, agreed that the scale of the attack was somewhat exaggerated:

I wouldn’t call it “record smashing” or “game changing” in any special way. It’s just another large attack, maybe 10-15% larger than other similar ones we’ve seen in the past.

However, Steenbergen pointed out that a DDoS attack at a scale of 300 Gbps is a big deal simply because no single network has that much lit capacity to handle it.

Also, he pointed out that the scale of the attack was achieved by going after CloudFlare’s bandwidth providers (including nLayer), which led them to public internet exchange points (IXPs). While that enabled them to generate huge amounts of traffic, it did so using IXPs that represent “more of the ‘long tail’ of networks”, rather than the private point-to-point links that carry most internet traffic:

So, what you actually saw here was an attack affecting a large number of smaller networks, with something which was really a completely unrelated and unintended side-effect of the original attack.

Meanwhile, the real issue seems to be that the exploit used by the attackers – open DNS resolvers – has been known for over a decade. As CloudFlare explained in October 2012:

The best practice, if you’re running a recursive DNS resolver is to ensure that it only responds to queries from authorized clients. In other words, if you’re running a recursive DNS server for your company and your company’s IP space is 5.5.5.0/24 (i.e., 5.5.5.0 – 5.5.5.255) then it should only respond to queries from that range. If a query arrives from 9.9.9.9 then it should not respond.

The problem is, many people running DNS resolvers leave them open and willing to respond to any IP address that queries them.

The Internet Engineering Task Force spelled out a technical method to fix this issue back in 2000, but many web companies have never implemented it, TR reports:

“Misconfigurations are rampant across the Internet,” says Mike Smith, director of the computer-security response team at Akamai, the Web optimization company based in Cambridge, Massachusetts. “There are tools and configuration guides and best practices for ISPs. But people need to use them and know that this is a problem.”

Last week, the Open Resolver Project publicly released the full list of the 21.7 million open resolvers online in an effort to shut them down. Matthew Prince of CloudFlare said in a blog post that the Spamhaus attack “made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch.”

If you haven't already, please take our Reader Survey! Just 3 questions to help us better understand who is reading Telecom Ramblings so we can serve you better!

Categories: Internet Traffic · Security