Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, March 27, 2013

BIGGEST DDoS ATTACK IN HISTORY hammers Spamhaus

A massive 300Gbps was thrown against Spamhaus’ website but the anti-spam organisation was able to recover from the attack and get its core services back up and running.  CloudFlare, the content delivery firm hired by Spamhaus last week to guard against an earlier run of DDoS attacks, was also hit, forcing it into taking the highly unusual step of dropping London as a hub in its network - as a Twitter update by CloudFlare on Monday explained. The blacklists supplied by the not-for-profit organisation are used by ISPs, large corporations and spam filtering vendors to block the worst sources of junk mail before other spam filtering measures are brought into play. Spamhaus turned to CloudFlare for help and the content delivery firm was able to mitigate attacks that reached a peak of 75Gbps, as explained in a blog post here.

Things remained calm for a few days before kicking off again with even greater intensity - to the extent that collateral damage was seen against services such as Netflix, the New York Times reports.

A blog post by CloudFlare, written last week before the latest run of attacks, explains the mechanism of the attack against Spamhaus and how it can be usde to amplify packet floods.

The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. ...  The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.


...The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor. “Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750Mbps - which is possible with a small sized botnet or a handful of AWS instances,” it explains.

Link: http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/

Posted on 03/27
NewsPermalink