Last month, the largest DDoS attack ever seen almost broke the Internet.
A massive 300Gbps was thrown against the Internet blacklist maintainer, “Spamhaus”, but CloudFlare, which fronts the anti-spam organization's services, was able to recover from the attack and get Spamhaus's core services back up and running.
Spamhaus is a non-profit group based in both London and Geneva. The group aims to help email providers filter out spam and other unwanted content. Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18.
A group calling itself “STOPhaus”, an alliance of hacktivists and cyber criminals, is believed to be responsible for bombarding Spamhaus with up to 300Gbps.
The attacks on Spamhaus illustrate a larger problem: the vulnerability of a key part of the Internet's architecture, the domain name system (DNS). The high-bandwidth attack is possible because the attackers use misconfigured DNS servers, known as open recursive resolvers (or open recursors), to amplify a much smaller stream of requests into a far larger data flood.
What is a DDoS attack?
Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim’s network. CloudFlare reported that it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack.
There are as many as 25 million of these open recursive resolvers at the disposal of attackers.
In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we’d issued for Spamhaus as the source in their DNS requests.
The open resolvers responded with the DNS zone file, collectively generating approximately 75Gbps of attack traffic.
The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.
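As an added illustration that is not from the original article or from CloudFlare: a resolver-side detector, run over constructed log records, that computes the response/request amplification ratio and flags a (spoofed) source address whose ANY queries mark the resolver as being used as a reflector. The log format, the thresholds and the sample addresses are assumptions.

```python
"""Detect DNS reflection/amplification abuse from a resolver's query log."""
from collections import defaultdict

# Constructed sample log: (src_ip, qname, qtype, edns_bufsize, request_bytes,
# response_bytes). One spoofed "victim" source repeats large ANY queries; the
# sizes follow the ~36-byte request / ~3,000-byte response figures cited above.
SAMPLE_LOG = [
    ("203.0.113.10", "ripe.net", "ANY", 4096, 36, 3000),
    ("203.0.113.10", "ripe.net", "ANY", 4096, 36, 3000),
    ("203.0.113.10", "ripe.net", "ANY", 4096, 36, 3000),
    ("203.0.113.10", "ripe.net", "ANY", 4096, 36, 3000),
    ("198.51.100.7", "example.com", "A", 512, 40, 56),
    ("198.51.100.7", "example.com", "AAAA", 512, 40, 68),
    ("192.0.2.33", "ripe.net", "ANY", 4096, 36, 3000),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes of response produced per byte of request."""
    return response_bytes / request_bytes


def find_reflection_sources(log, min_queries=3, min_factor=10.0, min_any_share=0.5):
    """Return {src_ip: stats} for sources whose traffic looks like reflection abuse.

    A source is flagged when it sent at least min_queries, most of them ANY
    queries advertising a large EDNS buffer, and the aggregate response/request
    ratio is high. The flagged address is the spoofed victim, so the response
    is to rate-limit or drop answers to it (and close open recursion), not to
    treat that address as the attacker.
    """
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "req": 0, "resp": 0})
    for src, _qname, qtype, bufsize, req, resp in log:
        s = stats[src]
        s["queries"] += 1
        s["req"] += req
        s["resp"] += resp
        if qtype == "ANY" and bufsize > 512:
            s["any"] += 1
    flagged = {}
    for src, s in stats.items():
        factor = amplification_factor(s["req"], s["resp"])
        if (s["queries"] >= min_queries
                and s["any"] / s["queries"] >= min_any_share
                and factor >= min_factor):
            flagged[src] = {**s, "factor": round(factor, 1)}
    return flagged


if __name__ == "__main__":
    for ip, s in find_reflection_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['queries']} queries, {s['any']} ANY, {s['factor']}x amplification")
```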
The attacks have raised concerns that further escalation of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out to extort money from targeted organizations, or as a weapon to disrupt organizations or companies in pursuit of ideological, political, or personal interests.