Follow Us

War on Error

Did a 300Gb/s DDoS really slow the Net? Only if you believe in Smurfs

Lock up your DNS - the little blue men are back.

A day on from what was only yesterday being described as a DDoS attack so large it had slowed the Internet itself, the sceptics have rallied with a simple question: is there a shred of evidence that something of wider significance happened?

No doubt that anti-spam registry Spamhaus came under attack on 19 March, a fact that was noticed by about 0.00000001 percent of Net users when DDoS mitigation firm CloudFlare trumpeted its success at stopping the assault in its tracks in a detailed blog. Well done lads. Thumbnail image for Techie Smurf.jpg

As the company explained, Spamhaus had experienced a ‘DNS amplification' attack, once called a ‘Smurf’ attack (after one of the attack tools), a relatively unsophisticated but potentially very successful form of DDoS designed to overload routers.

Router Smurfing was supposed to have been snuffed years ago but a newer form that targets DNS servers has been a growing if unacknowledged issue in recent times.

PeakDDoSAttack_rev2.jpgTurning the working of a DNS server into the basis for DDoS depends on what is termed ‘open DNS resolution.’ The essence of the method is to spoof requests from the target domain (Spamhaus or its shield CloudFlare) to its peers or DNS resolvers, requesting what is called a DNS zone file, a master record of the domains the server can resolve to given IP addresses.

The servers reply to the apparent host, burying it underneath useless traffic. The clever bit: “We recorded over 30,000 unique DNS resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mb/s, which is small enough to fly under the radar of most DNS resolvers,” said CloudFlare.

The firm jumped in front of a bullet that generated 75Gb/s but the attackers tried again and traffic spiked to 300Gb/s, this time directed not at Spamhaus or CloudFlare directly but the latter’s web of what are called Tier 2 service providers.

It is this widening that caused things to kick off, or so we were told. The Tier 2 providers coped by deflecting it back to even bigger firms called Tier 1 backbone providers, by which point it had reached the claimed 300Gb/s level, a gigantic number by conventional standards.

This is how the Internet works; traffic is moved between these huge carriers, no questions asked. If it didn't the Internet would either slow down or become expensive to run, or both.

This design is one of the compromises that renders the Internet vulnerable to parties (spammers, say) who don't play by the rules, but did this surge in traffic cause the Internet to measurably slow down?

In short, not really. And it shouldn't have because this kind of attack can be mitigated relatively quickly.

Internet Traffic Report, which monitors global speeds, couldn’t see any issue and nor could consumer-facing site Thinkbroadband, which issued a baffled press release saying as much.

“There seems to be very little sign of this [slowdown] from an analysis of the speed tests people are running on our site,” the site said. “There appears to be no evidence to say that UK broadband users have been slowed down across the board.”

How about firms such as Arbor Networks, which has its equipment in enough Tier 1 peers to have meaningful insight into how they are seeing traffic rises and falls?

When Techworld contacted the firm, they were sure and hadn’t yet crunched numbers beyond confirming the attack had generated the 300Gb/s levels claimed for it.

“Perhaps they [the attackers] wanted to demonstrate their capability,” offered Arbor’s Darren Anstee, who agreed that once defenders worked out what was happening traffic could have been black-holed.

Other agreed that this kind of attack while large should have been dealt with by service providers.

“I personally am very puzzled by the success of this attack. It seems to me that for an attack of such magnitude the load on the outgoing communication pipes of the open DNS resolvers should have been big enough for them to notice and take action," said Amichai Shulman, CTO of security firm Imperva.

With self-interested security firms jumping on the attack and the BBC giving it an air of credibility, the real-world effects of 300Gb/s seem to have been lost. Nobody actually said the Internet had slowed down, simply it that it might have. Perhaps it wasn’t the Internet that was slow so much as the response to an unexpected event.

The real story of the Internet traffic-storm of March 2013 wasn’t its size or direct effect on users but its cunning and the ease with which the attackers made a nuisance of themselves.

Having failed to dent Spamhaus, the attackers went after the company defending them in quite a knowing way, after which they went after the companies peering to that infrastructure.

As with the Smurfers of old, they knew what they were doing - that is the real real warning.

Enhanced by Zemanta

Tags: arbor networks, cloudflare, denial-of-service attack, domain name system, internet traffic, ip address, spamhaus, the spamhaus project

RSSSubscribe to this blog

More from Techworld

More relevant IT news

Contact Us

For editorial queries:
Mike Simons

For website issues:

For commercial queries
Russell Kearney

For more contact details click here.

Email this to a friend

* indicates mandatory field

Techworld White Papers

Optimising data protection for virtual environments

VM environments require the same level of data protection as does the physical server environment. Companies may use data protection tools built for the physical environment in the virtual world, but this has serious disadvantages.

Download Whitepaper

PCI Compliance: Are UK businesses ready?

Exploring the results of a recent survey, including: ? Levels of understanding of the standard ? Current perceptions of actual compliance status ? Attitudes toward addressing compliance

Download Whitepaper

Mobility Management for Dummies

Your complete guide to managing and securing mobile devices such as laptops and smartphones.

Download Whitepaper

Magic Quadrant for midrange and high-end NAS solutions

It is difficult to find one midrange or high-end NAS product that can cater to all needs. File systems embedded in NAS are often designed to solve one major pain point, with additional features being added later to broaden use cases and benefits.

Download Whitepaper

Techworld UK - Technology - Business

Oracle Video

Enabling agile and intelligent businesses

 Changing markets, competitive pressures and evolving customer needs are placing increasing pressure on IT to deliver greater flexibility and speed. Explore truly flexible SOA foundations with this Oracle video.

COLT White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One

Techworld are running a short survey to discover how UK businesses are managing Internet and email misuse in the Enterprise.

Complete Survey

Complete our survey and you could win a Sony E-book Reader.
Techworld have teamed up with HP to compile a survey relating to server virtualisation. Complete the short survey and you could be the lucky winner of a Sony E-book reader.

Complete the survey here

Site Map