Largest DDoS of ever vs Spamhaus a menace to global internet

What’s happening to internet? Who threatened to destroy it and how it is possible to do?

Exactly one year ago Anonymous menaced the world of internet with a failed campaign dubbed Operation Global Blackout, this time something of similar is happened.

The problems started when a DDoS attack hit the company Spamhaus, an European anti-spam firm, which commercializes blacklists containing principal sources of email spam. It’s not clear who has arranged the attacks but IT community is convinced that Spamhaus has been hit because it added to the malicious list the Duck Provider Cyberbunker.

The New York Times, Sven Olaf Kamphuis associated with hosting provider “the CyberBunker,” which has a reputation for “bulletproof hosting,” allowing to host any content they like, except child porn and anything related to terrorism.

All started on March 16th, 2013, a distributed denial of service (DDoS) attack took spamhaus.org website and a portion of its e-mail services. On March 18th CloudFlare security firm has been appointed by Spamhaus to mitigate the attack, CloudFlare.

SpamHaus restored connectivity in the same day however it still facing with a massive, ongoing DDoS attack.

“The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and subsequently used a Domain Name System (DNS) server at the IP to return a positive result for every SpamHaus Domain Name System-based Block List (DNSBL) query. This caused all SpamHaus customers querying the rogue nameserver to erroneously drop good connections.”

Kamphuis also allegedly connection of Cyberbunker with the StopHaus group which publicly claimed responsibility for the BGP hijack attack via Twitter.

shambhs

shampbs tweet

Following a timeline of the events

 

  • March 27, 2013    – DDoS attacks continue, SpamHaus weathers storm
  • March 18th 2013  – CloudFlare security firm has been appointed by Spamhaus to mitigate the attack
  • March 22, 2013 – DDoS at SpamHaus goes from 30Gbps to over 140Gbps
  • March 21, 2013 – CBL site recovers
  • March 20, 2013 – DDoS attacks take down the CBL
  • March 18, 2013 – SpamHaus site recovers
  • March 16, 2013 – DDoS attacks take down SpamHaus website and MX IP

CloudFlare CEO Matthew Prince speaking of limitation in DDoS attack size due to routing hardware limitations:

“Usually these DDoS attacks have kind of a natural cap in their size, which is around 100 gigabits per second,”

Security experts in various occasions have declared that similar attacks could reach dimension of 300 gigabits per second.

According CloudFlare blog “The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on on March 21. The attackers were quiet for a day. Then, on March 22 at 18:00 UTC, the attack resumed, peaking at 120Gbps of traffic hitting our network”

CloudFlare used Anycast technology which spreads the load of a distributed attack across all its data centers to mitigate the DDoS.

After the intervention of CloudFlare attackers targeted also CloudFlare’s own network providers by exploiting a known fault in the Domain Name System (DNS).

“Beyond attacking CloudFlare’s direct peers, the attackers also attacked the core IX infrastructure on the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX), and the Hong Kong Internet Exchange (HKIX). From our perspective, the attacks had the largest effect on LINX which caused impact over the exchange and LINX’s systems that monitor the exchange, as visible through the drop in traffic recorded by their monitoring systems”

“The congestion impacted many of the networks on the IXs, including CloudFlare’s. As problems were detected on the IX, we would route traffic around them. However, several London-based CloudFlare users reported intermittent issues over the last several days. This is the root cause of those problems.”

Graph

Prince added:

“The interesting thing is they stopped going after us directly and they started going after all of the steps upstream from us,”. “Going after our immediate transit providers, then going after their transit providers.”

“The attack works by the attacker spoofing the victim’s IP address, sending a request to an open resolver and that resolver reflecting back a much larger response [to the victim], which then amplifies the attack,”

How does it work the attack?

The technique used by hackers is known as DNS Amplification Attacks and according Prince these attacks have been “certainly the largest attacks we’ve seen.” “And we’ve seen what we thought were some big attacks,”

Attacks conducted against DNS can have dramatic consequences on global network, impacting also services and applications not being directly targeted by such an attack.

Let’s see the main concept behind the technique …  the Domain Name System (DNS) is implemented through a tree-like system of delegations. A recursive process is used to follow the chain of delegations, starting at the Root zone, and ending up at the domain name requested by the client. A recursive name server may need to contact multiple authoritative name servers to resolve given name. Ideally, a recursive name server should only accept queries from a local, or authorized clients but in reality many recursive name servers accept DNS queries from any source. To worsen the situation, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

Dns Attackt

Because DNS resolvers are connected have huge output bandwidth to point at a target, hackers can manipulate them to amplify standard DDoS attacks from a maximum of about 100 gigabits per second to the neighborhood of 300 gigabits per second.

How to prevent these DDoS?

To prevent these attacks it necessary to operate on both ISP and network administrators side, Internet Service Providers must implement technologies that prevent victim’s IP address spoofing meanwhile network administrators need to protect DNS resolvers running on their network, it is necessary to disable recursion as recommended by US-CERT bullettin, but as usually this setting for DNS ignored.

Given enough servers that enable recursion, large quantities of traffic can be produced from relatively modest numbers of queries. The Internet Engineering Task Force has proposed a best practices to solve the problem, an approach to “ingress filtering” of packets, called BCP 38, that would block forged traffic like DNS amplification attacks. But the proposal hasn’t moved very far forward since it was first submitted in 2000.The best countermeasures against DNS amplification must be taken on server side do not returning replies to “.” queries and return shorter responses, reducing the amplification process.  Another option is the limitation of DNS requests to authorized clients.

Price suggested:

“Anyone that’s running a network needs to go to openresolverproject.org, type in the IP addresses of their network and see if they’re running an open resolver on their network,” “Because if they are, they’re being used by criminals in order to launch attacks online. And it’s incumbent on anyone running a network to make sure they are not wittingly aiding in the destruction of the Internet.”

Prince warns DNS-amplified DDoS attacks are not easy to realize:

“The good news about an attack like this is that it’s really woken up a lot of the networking industry and these things that have been talked about for quite some time are now being implemented,”

“There was some progress on shutting down open resolvers before,””I think that’s going to be a constant process — this is a problem that we’re going to have to live with for the next several years.”

The digital world is supporting a network threatened daily by multiple actors … we must do everything to defend it.

One final thought … if the IT world has condemned Cyberbunker, we must ask who is providing connectivity to these gentlemen … there is nothing ahead but I refer you to the interesting article

Who Supplies CyberBunker?” published by Larry Seltzer

March 29, 2013

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X