From largest DDoS of ever vs Spamhaus a menace to global internet

The news is circulating and this morning many colleagues called me to have more details on the event … what’s happening to the internet?

All seems to be originated from a single DDoS attack against a unique company, but the event has reached unimaginable proportions with implications for the global network, in particular dragging down Internet speeds in Europe.

The company hit by the powerful attack is Spamhaus, a European anti-spam firm, which drafts and commercializes blacklists containing principal sources of email spam. Spamhaus added to the list Cyberbunker, a controversial Dutch provider.

For the attack has been used a huge botnet, millions of machines infected through an email spam. On March 18^th CloudFlare security firm has been appointed by Spamhaus to mitigate the attack, CloudFlare. CEO Matthew Prince explained to Mashable that the limitation in typical DDoS attack size is due to routing hardware limitations:

“Usually these DDoS attacks have kind of a natural cap in their size, which is around 100 gigabits per second,”

According principal security firm due technological evolution DDoS attacks could reach dimension of 300 gigabits per second.

According CloudFlare blog “The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on on March 21. The attackers were quiet for a day. Then, on March 22 at 18:00 UTC, the attack resumed, peaking at 120Gbps of traffic hitting our network”

To mitigate the attack CloudFlare uses Anycast technology which spreads the load of a distributed attack across all our data centers

After the intervention of CloudFlare attackers have not been able to continue the offensive so decided to target directly CloudFlare’s own network providers by exploiting a known fault in the Domain Name System (DNS).

“Beyond attacking CloudFlare’s direct peers, the attackers also attacked the core IX infrastructure on the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX), and the Hong Kong Internet Exchange (HKIX). From our perspective, the attacks had the largest effect on LINX which caused impact over the exchange and LINX’s systems that monitor the exchange, as visible through the drop in traffic recorded by their monitoring systems”

“The congestion impacted many of the networks on the IXs, including CloudFlare’s. As problems were detected on the IX, we would route traffic around them. However, several London-based CloudFlare users reported intermittent issues over the last several days. This is the root cause of those problems.”

Prince added:

“The interesting thing is they stopped going after us directly and they started going after all of the steps upstream from us,”. “Going after our immediate transit providers, then going after their transit providers.” “The attack works by the attacker spoofing the victim’s IP address, sending a request to an open resolver and that resolver reflecting back a much larger response [to the victim], which then amplifies the attack,”

The Domain Name System (DNS) is implemented through a tree-like system of delegations. A recursive process is used to follow the chain of delegations, starting at the Root zone, and ending up at the domain name requested by the client. A recursive name server may need to contact multiple authoritative name servers to resolve given name. Ideally, a recursive name server should only accept queries from a local, or authorized clients but in reality many recursive name servers accept DNS queries from any source. To worsen the situation, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

Because DNS resolvers are connected have the huge output bandwidth to point at a target, hackers can manipulate them to amplify standard DDoS attacks from a maximum of about 100 gigabits per second to the neighborhood of 300 gigabits per second.

The technique is known as DNS Amplification Attacks and according to Prince these attacks have been “certainly the largest attacks we’ve seen.””And we’ve seen what we thought were some big attacks,”

The attacks conducted against DNS can have dramatic consequences on the global network, impacting also services and applications not being directly targeted by such an attack.

To prevent these attacks it necessary to operate on both ISP and network administrators side, Internet Service Providers should implement technologies that prevent victim’s IP address spoofing meanwhile network administrators need to protect DNS resolvers running on their network, it is necessary to disable recursion as recommended by US-CERT bullettin, but as usual this setting for DNS ignored.

Given enough servers that enable recursion, large quantities of traffic can be produced from relatively modest numbers of queries. The Internet Engineering Task Force has proposed a best practices to solve the problem, an approach to “ingress filtering” of packets, called BCP 38, that would block forged traffic like DNS amplification attacks. But the proposal hasn’t moved very far forward since it was first submitted in 2000.The best countermeasures against DNS amplification must be taken on server side do not return replies to “.” queries and return shorter responses, reducing the amplification process.  Another option is the limitation of DNS requests to authorized clients.

Price suggested:

“Anyone that’s running a network needs to go to openresolverproject.org, type in the IP addresses of their network and see if they’re running an open resolver on their network,” “Because if they are, they’re being used by criminals in order to launch attacks online. And it’s incumbent on anyone running a network to make sure they are not wittingly aiding in the destruction of the Internet.”

Prince warns DNS-amplified DDoS attacks are not easy to realize:

“The good news about an attack like this is that it’s really woken up a lot of the networking industry and these things that have been talked about for quite some time are now being implemented,”

“There was some progress on shutting down open resolvers before,”I think that’s going to be a constant process — this is a problem that we’re going to have to live with for the next several years.”

The digital world is supporting a network threatened daily by multiple actors … We must do everything to defend it.

[adrotate banner=”9″]

 

Pierluigi Paganini

(Security Affairs – DDoS)