The largest DDoS attack didn't break the internet, but it did try

Summary: A 300Gbps distributed denial-of-service attack thought to be the largest in the world has put key internet infrastructure to the test, and, so far, the attack has failed.

CloudFlare has claimed to have mitigated the biggest distributed denial-of-service (DDoS) attack in the history of the internet.

Spamhaus, a not-for-profit anti-spam organisation, came to CloudFlare last week for assistance against a large DDoS attack it was experiencing. After Spamhaus switched over to CloudFlare's network on March 19, the attack began with a 10Gbps flood of traffic and ramped up to more than 100Gbps later that night. It initially took Spamhaus' website down, with the outage independently observed by the Internet Storm Center at the time.

According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.

The issue with this system is that the source address of such requests can easily be forged, and in the absence of any checking or authentication, the DNS resolver simply replies to whatever source IP address the request carries. This is a simple way of "bouncing" a request off a different server, but it also amplifies the damage an attacker can do, because the response sent by the DNS resolver is often many times larger than the request that triggered it.

Restricting DNS resolver responses to known IP addresses is one way to control who can or cannot be a potential target, but many DNS resolvers simply aren't configured in this manner — or, as with Google's Public DNS service, are meant to be open to the public.

To mitigate abuse, a generally accepted practice is to throttle responses, which is what Google currently does. But, according to CloudFlare, the attackers used multiple DNS resolvers to spread the load across many of them, keeping each resolver below its throttling threshold and under the radar of any security measures. According to the company, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack.
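The throttling described above, as an added example that is not CloudFlare's, Google's or any resolver's code: a toy response-rate limiter in the style of BIND's RRL, run over a constructed resolver log in a simplified format. Identical responses to one client /24 are counted per window; over the limit most are dropped and every second one is "slipped" as a truncated (TC=1) reply, which only a real, non-spoofed client can follow up over TCP.

```python
from collections import defaultdict
import ipaddress

# Constructed log in a simplified "<seconds> <client_ip> <qname> <qtype>" format
# (not BIND's real query-log syntax). One source sends a burst of ANY queries
# for a single name; two other clients send ordinary lookups.
SAMPLE_LOG = [f"{i * 0.05:.2f} 203.0.113.7 example.net ANY" for i in range(12)] + [
    "0.10 198.51.100.20 www.example.org A",
    "0.30 198.51.100.21 mail.example.org MX",
]

class RateLimiter:
    def __init__(self, limit=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self.seen = defaultdict(list)      # key -> timestamps inside the window
        self.overflow = defaultdict(int)   # key -> responses over the limit so far

    @staticmethod
    def key(client, qname, qtype):
        # Aggregate per /24 so walking a block of spoofed sources does not reset the count.
        net = ipaddress.ip_network(f"{client}/24", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, ts, client, qname, qtype):
        k = self.key(client, qname, qtype)
        recent = [t for t in self.seen[k] if ts - t < self.window] + [ts]
        self.seen[k] = recent
        if len(recent) <= self.limit:
            return "answer"
        self.overflow[k] += 1
        if self.slip and self.overflow[k] % self.slip == 0:
            return "truncate"   # TC=1 with no data: a real client retries over TCP
        return "drop"           # the amplified response never leaves the resolver

def apply_rrl(lines, **kwargs):
    """Run the limiter over log lines in time order; return counts per decision."""
    rrl = RateLimiter(**kwargs)
    counts = defaultdict(int)
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, client, qname, qtype = line.split()
        counts[rrl.decide(float(ts), client, qname, qtype)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(apply_rrl(SAMPLE_LOG))   # {'answer': 7, 'drop': 4, 'truncate': 3}
```

Raising the limit so the burst fits inside it lets every response through, which is exactly what an attacker achieves by splitting the same burst across thousands of resolvers.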

CloudFlare's strategy for responding to such distributed attacks is similar. DDoS attacks typically succeed because a single target cannot cope with the combined effect of many incoming traffic streams, so CloudFlare's response is to create more "targets", each capable of handling a smaller share of the traffic. It took the traffic and spread it across 23 of its own datacentres, while also dumping any requests it knew to be bogus.

Moving upstream

Realising their attack wasn't working, the attackers changed tactics, circumventing CloudFlare entirely by moving the attack upstream to CloudFlare's suppliers, which in turn pushed the traffic further up to even larger networks — in simplistic terms, those that service the connections to and from major ISPs that allow countries to talk to each other.

According to CloudFlare, the attack on these networks was in excess of 300Gbps, and further attacks "risk overwhelming the systems that link together the internet itself", referring to the internet exchanges (IXs) that many high-tier ISPs use to talk to each other.

"The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded, then the network becomes congested and slows down," the company wrote.

Despite admitting that it doesn't have "direct visibility into the traffic loads" that Tier 1 networks are seeing, CloudFlare said, "we've seen congestion across several major tier ones, primarily in Europe, where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

Sophos Asia-Pacific director Rob Forsyth agreed with CloudFlare's assessment of the impact on the European network, telling ZDNet that Europe is experiencing quite a lot of interruption to its usual flow of traffic, depending on what users are doing. However, he disagreed with any notion that the global internet as a whole was affected.

"People might notice streaming might be disrupted in Europe, but things like delivery of email and traffic of data files and so on is not the sort of thing that's going to be interrupted to any large extent," he said.

"The issue, for the time being, is confined to Europe."

As for Australia, Forsyth said there is "no noticeable reduction of internet capacity", indicating that the attack is not one that "almost broke the internet".

"The internet has been designed to be resilient, and I think internet traffic will be routed around any type of disruption."

As for CloudFlare's claims that the largest routers won't be able to scale to support the amount of traffic, some of Cisco's own products appear to exceed the capacity required by a wide margin. The multi-shelf version of Cisco's CRS-1 (carrier routing system) router, for example, is able to scale to 92Tbps. Cisco did not return ZDNet's queries as to whether these would be suitable for this application, but it appears that many IXs can handle the 300Gbps of traffic with their existing infrastructure or minimal upgrades to it.

To highlight a few IXs for comparison, Amsterdam IX AMS-IX had peak annual traffic of about 2.2Tbps in the past year, Sweden IX Netnod had peak annual traffic of about 340Gbps, and Moscow IX MSK-IX had peak annual traffic of about 1Tbps.

DNSSEC

Although a security initiative aimed at making DNS more secure exists — DNSSEC — it does not necessarily address the issue of spoofed source addresses. DNS requests and responses typically use the UDP protocol, rather than the TCP protocol. The latter requires a three-way handshake to establish a channel and confirm with the machine it is talking to that it did, in fact, initiate a connection. The former, however, does not.

Instead of being an issue that DNSSEC might solve, it is actually a transport protocol problem that has little to do with the additional security measures that DNSSEC might offer. However, as CloudFlare and others have pointed out in the past, DNSSEC can make the issue worse, as the additional keys required to authenticate records further increase the magnitude of amplification that an attacker has access to.

Yet, Forsyth said that such attacks may have a silver lining, raising awareness of the flaws in DNS and DNSSEC's importance.

"DNSSEC tightens up the rules around the way which the domain name service behaves and provides an additional layer of security, so, as you increase the security on any component, perhaps the cybercriminals will focus on a weaker link somewhere else," he said.

"This might be the catalyst to review all aspects of security, including DNSSEC."

Topics: Security, Cisco, Hardware, Networking

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

17 comments
  • Don't Confuse Ports and Backplanes

    CloudFlare's comment that the fastest ports available today at 100Gb/s is true. This is about ports, the fastest connection that you can acquire. That Cisco makes a backplane in a router with 92Tb/s is not relevant in that context. That 92Tb/s backplane is still bottlenecked by talking to the world through 100Gb/s individual ports. When CloudFlare said that port speed limitations were in place, they were assuming big routers like you are talking about. The backplane just isn't the bottleneck in this case and that's why it's not being talked about.
    scottalanmiller@...
    • What about NIC teaming and load balancing?

      Group a few high speed NICs and the load could possibly be distributed across several ports, could it not? Then the 100Gbps threshold is raised significantly. I would assume that that would be possible (but open to correction from anyone who uses this class of hardware).
      mountjl
  • routers are built to protect against this regardless of traffic

    Specifically, routers can drop problematic packets that are related to DDoS attacks; normally the setting is low, but IP options selective drops can be increased to more restrictive levels, rendering the DDoS attacks useless, and with round robin IPs (or load balancing) this can, together, make them irrelevant, which they were!
    The port traffic would peak but drop because of these tools and again, it wouldn't matter how much bandwidth as it would be very very temporary.
    JABBER_WOLF
  • and yet

    it succeeded because you're talking about it.
    wendellgee2
    • Nope.

      At least not likely. I have already read a few explanations for this attack that indicate it wasn’t just for the fame of attempting it. It was a little more goal oriented and only a good shutdown of Spamhaus would have signaled success for the attackers from what I have heard.

      I'm pretty sure they are getting no vicarious thrill out of their failure being talked about.
      Cayble
    • Nope.

      We're talking about the attack not the reasons for it.
      Heenan73
  • Who's behind it?

    Are there any thoughts on who was staging this attack and why? This doesn't sound like a geek or a private organization was behind this. To me it smells of a rogue country or a terrorist group with state backing. Also, was this an attack or a dress rehearsal for something bigger later?
    bobmatch@...
    • Cyberbunker?

      The Daily Mail is pointing the finger at CyberBunker, a Dutch company.
      theanimaster
  • it is never going to stop

    This type of thing is never going to stop until those responsible start being punished for their actions. If they are minors, put them in juvenile detention until they come of age, then bring back indentured servitude and make them work and reimburse the injured parties for the financial difficulties they incurred.

    If they are adults, then again make them indentured servants until they have repaid the financial loss. The same for those that create Trojans, viruses, etc. But instead they end up getting hired and paid money to explain how they accomplished what they did. Which is just wrong and encourages others to follow.
    pappa_piglet@...
    • Good reading for you.

      Tom Clancy's Net Force series of books. They are about a Paramilitary group working with FBI and NSA to root out and stomp cyber crimes.
      Skid Palace
  • What's really sad...

    ... is that when I learned of a co-worker experiencing a "midwestern region-wide" internet failure a couple days ago, I immediately thought of just this scenario, and wondered if we have the infrastructure to deal with it.

    I've been seeing a resurgence in Alureon-infected PCs in the wild recently; I'm wondering if they are a part of this puzzle. I know Alureon is typically used for data-mining; but the tenacity of it and the level of remote command it gives over an infected host would make it perfect for this kind of abuse...

    mnem
    Things that make you go Hmmm...
    mnemennth
    • Google it.

      Google search for "Windows botnets"
      Joe.Smetona
      • There are a lot of results for other OSes' botnets.

        And there are also a lot of results for the "mac os x botnets" and "linux botnets" queries. OS companies must continue to make security the number one priority instead of features.
        lorenzosjb
  • Internet gets broken. Then what?

    What are these F-ing morons going to do after they succeed in finally breaking the internet? Get a job flipping burgers? Without electronic communications the drive through at the fast food vendor won't work. DUH, you need the internet to do that.

    What is their Plan? What are these idiots going to do when a big portion of the internet is disabled, or they crash the entire system?

    1] Brag about it online? DUH, you need the internet to do that. MORON-FAIL.
    2] Blackmail everyone into sending them $$$ to *unlock* the system by wiring money to off shore account/s? DUH, you need the internet to do that. MORON-FAIL.
    3] Forcing the population of the world into going backwards to non-internet communication methods? This puts the DDoS perpetrators (perper-"traitors") and all the MORON-FAIL clique into the local unemployment lines. Want your unemployment check? Try cashing the check in a non-internet connected bank. DUH, you need the internet to do that. MORON-FAIL.

    Seriously, has any thought been attempted in these doo-doo's adolescent thoughts?

    And the same basic results happen to the state-sponsored lunatics. After a supposed successful Great Attack, what's next on Ye Ol' Bucket List? Watering the herd animals? MORON-FAIL.

    And there are numerous other repercussions, with the UNINTENDED CONSEQUENCES overwhelmingly outweighing the current goal, which seems to be disabling someone ELSE'S computer system/s. Could that be such a noble goal as to risk the future of the human race? Look at the benefits such a Great Attack would undo: markets for everything go dark (you cannot buy or sell things that are no longer able to be made); no money available; little or no health care available; no food production at any reasonable scale; no potable water systems available; no way to be protected from freezing to death (electricity, natural gas and petroleum products do NOT grow on trees); no international or national or even regional shipments of ANYTHING; no medicines; no video games (no power supply = no games); and thousands of other modern accoutrements... so add up just the few items on the above list and see if the Great Internet Take-down Attack (GITA) is really worth the effort.

    Finally... if the GITA happens and the culprits are found and convicted, the *Gentlemen* in prison will be Very Happy to help the f-ing morons um, adapt to their new lifestyle as bunk buddies. But if sentencing were up to me, I would give the GITA kiddies a choice of punishment: Chinese Water Torture; or flesh eating ants; death of a thousand cuts; or something as civilized as the above.
    RB1955
    • One word.

      Cyber-war. One country may want to take down another country's internet. This would be the way to do it.
      The disruption to (for example) the US would be huge. Government communications - dead. Business communications - dead. The place would die. Imagine the chaos and consternation!
      The attackers wouldn't care if they weren't affected. Which they'd make darn well sure they weren't!
      LanguageDude
  • Everything but the kitchen sink, and people most need to know about it.

    Where is the power for the attack coming from? Botnet-infected Windows computers. There, I said it.
    Joe.Smetona
    • Get the scoop.

      A ZDnet article, Propaganda's finest hour.
      Joe.Smetona