Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet

from the the-hidden-war dept

Update: Gizmodo is calling bullshit on these claims. They’re likely correct that this attack was not a “threat” to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.

We’ve known for a while that there are a number of people out there who really dislike Spamhaus, one of the more well known providers of a blacklist of spam IP addresses. For what it’s worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers. And, to some extent, because of that, it seems like some who use the Spamhaus list rely on it a bit too strongly. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that’s a good thing. But sometimes those who it pisses off aren’t particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spamlist. Someone didn’t like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, who was able to mitigate the worst of the attack.

But… that just lead to round two, in which whoever was behind the DDoS went much, much bigger attacking a bunch of the providers who provide Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet. And it was a pretty big deal. Cloudflare’s blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to “breaking” the internet should get you to wake up.

Tier 1 networks don’t buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don’t have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.

The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

The attackers say they’re protesting Spamhaus acting as the internet’s police:

Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

“Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”

Of course, all of this has exposed clearly a big vulnerability in the setup of the internet, and suggest that slowing down the internet on a large scale is entirely possible. But it’s also made security folks that much more aware of how urgent it is to fix the a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there, that can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many of the approximately 21.7 million open resolvers out there:

While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.

We’d debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.

Basically, over the last week or so, there’s been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it’s likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.

Filed Under: , , ,
Companies: cyberbunker, spamhaus

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet”

Subscribe: RSS Leave a comment
G Thompson (profile) says:

Re: Re:

Gizmodo, and i really hate to say this.. is absolutely correct in this matter.

also 300gps is a drop in the ocean to T1 systems..

As for the Open DNS resolvers out there, well yes it CAN be a problem but it’s not as bad as anyone thinks it is and upstream systems are in place to mitigate any problems.

Another way to remove these 21.7million ‘open’ resolvers (my bullshit detector just exploded at that figure) is to actually update, and there’s a notion, BIND to the latest version. Something that should be done anyway.

also giving it the ‘recursion no’ option is a good thing no matter what!

The rest of the article about Spamhaus and Cloudfare is FUD made to let them moan and market there services and complain how someone didn’t like them. Oh and make people think things like CISPA are needed even more so. [Look at who benefits from CISPA and who controls both orgs]

Yes Spamhaus is ok, but it’s not the only Spam black lister and anyone who has looked at the way Spamhaus actually manages and authenticates (rarely) their lists knows that they have a huge false flag problem

Anonymous Coward says:

Re: Re: Re:

300Gbs is a drop to an IX, but considering even at Tier 1 providers most are only running 100Gbs links or bonding multiple 10Gbs link at peering points. 300Gbs could easily saturate a link. Cloudflare uses anycast to mitigate the DDoS by distributing it against multiple sites, and they don’t tell you if that 300 is aggregate traffic or at a single site/switch. Definitely has some marketing aspects in the article. Check out the actual email received from Gizmodo by the ISP:

21 Million seems high, but not impossible. I ran nmap with the dns_recursion script against my vps provider and found quite a few within the same C class that I’m assigned.

Updating BIND wouldn’t help, it’s in the configuration about open recursion: allow-recursion { network/cidr };
For authoritive DNS servers, use RRL:

Best option is to stop spoofing with BCP38 so the traffic isn’t faked in the first place. This is DNS currently, but it could easily be any udp traffic such as a game server, which of course I see a lot.

Anonymous Coward says:

Re: Re: Re:

I think my previous comment was a bit long, or delay by work…

300Gbs isn’t much for an IX, but significant to a switch as most link are either 100Gbs or bonded 10Gbs from my experience at various DCs in the US.
Updating BIND doesn’t stop recursive attacks or spoofing, using valid configs and RRL will.

The article is a lot of FUD and marketing for CloudFlare and Spamhaus, but it does show that action needs to be taken in regards to private companies not implementing basic security. BCP38, RRL, ACLs on services, etc…

Josh in CharlotteNC (profile) says:

Re: Re:

Yep, Giz has this one right. It’s really a shame that Cloudflare is trying to hype this up, they’ve got a good track record, provide a useful service, and this really hurts their credibility.

CF is not all wrong. The exchange IPs accepting external traffic issue they mention could have ramifications, but the guys running exchanges know their stuff and are rapidly fixing it.

Ninja (profile) says:

Interesting. There could be ways to tackle this problem without having to wait patiently for some clueless people to close such resolvers. I wonder what it’ll be.

I also believe the attackers aren’t interested in ‘breaking’ the internet. But the US could use this to do some major damage and then put in place the cyber-Patriot Act. Regardless of ppl calling it horseshit or whatever it’s a matter to keep an eye. If it’s fairytales then nice, we are near April 1st but if not..

In any case, even if some bored kids do break the internet this way there’s no reason for anything like CISPA. But it will be used as an example of why it’s needed…

Manabi (profile) says:

Not sure the OpenResolver list is useful

I manage a couple of servers, I just checked that site for the IPs of them all, and one server it has listed. But… It’s configured to not allow recursion except to a limited set of IP addresses that are other servers specifically allowed to access it for DNS lookup. I just tested it and it is NOT allowing recursion to other addresses, so it’s working properly.

Apparently BIND reports that recursion is enabled, even if it’s not available for the IP address doing the check. So how many of those servers are like mine, allowing recursive lookups for only specific IPs and not doing recursion to the Internet at large? Those servers aren’t part of the problem.

The site seems to recognize this but not explicitly, only saying that of the 27 million servers they list, only roughly 25 million post a threat. If they want the owners of servers to fix things, they need to provide more information than they have available. Hopefully this is just a hurried attempt to get the site up and they’ll be adding more info. Otherwise I suspect it’s going to be useless in the goal of reducing the number of open resolvers.

Anonymouse says:

Re: Not sure the OpenResolver list is useful

The problem is, even if you don’t recurse for everyone, you probably respond to recursion queries for those you dont recurse for with a “que? authorative server is” which of course still generates traffic. This is a minor issue compared to correct egress filtering on the border gateways of every ISP that should be in place, but in most cases is not.
The reason this kind of attack works is because UDP (simple DNS query) does not handshake, so you can get some machines under your control to send falsified UDP query packets with the falsified source address of your target to even legit DNS servers, those that will always be around and they will respond to your target, not you, obviously, but if the target address does not fall within the scope of the ISP, where you remote machine is sitting and this ISP has proper egress filtering, this would fail, since the packet would get silently dropped, so no issue.

G Thompson (profile) says:

For those interested this article at RT [ ]shows a lot more about what Spamhaus actually is and the reasons why Cyberbunker think it was attacked.

Personally I can’t stand Spamhaus and how they try to place themselves above actual laws and due process. And neither can a lot of other people, Cloudfare also have a lot of explaining to do as to why they tried to push the attack onto their upstream provider LINX and why they didn’t remove the Spamhuas site (as per industry standard practice) instead of allowing there other 1000+ customers to suffer losses due to one specific attack to a SINGLE customer. And lets not get into that the attack was NOT on the IX infrastructure but instead purely directed at Cloudfare/Spamhuas only, and Cloudfare then used there IX IP’s to bear traffic instead which is WRONG and a cause for any customer of Cloudfare to re-assess their contract !

As for Cloudfare’s blog post.. Total marketing hype and a cause for concern is there usage of the top graphic of the two faces which in reality is actually the photo used by the English band Massive Attack [ ]. They hype and FUD and bullshit is strong in this whole story

Anonymous Coward says:

Re: Re:

I’m also no fan of Spamhaus. They make some dumb-ass mistakes from time to time and won’t take the responsibility for those. I understand that Spamhaus needs a literal firewall to protect itself against the hate of SPAMmers but they should allow victims of the mistakes they made to contact them easily and fix the problem ASAP.

Another problem is that a lot of MTAs rely on Spamhaus only. That’s a bad design decision and helps Spamhaus to maintain their power! There are much more methods to fight SPAM without using RBLs. There are even more effective! Don’t rely on a single third party! It’s a massive SPOF!

Anonymous Coward says:

Re: Re:

Honestly, using a BotNet to attack a company that you don’t like? It’s not like anyone is forcing people to use Spamhaus or Cyberbunker, so why should they be using third parties’ internet connections to play out their little shouting match.

IE. Don’t defend DDoS attacks, especially if you are in security…

Now I do hold some of these third parties responsible to some extent, but there is definitely blame on Cyberbunker if they admit to DDoSing. Did it take out the internet? No… Did it take out CloudFlare a bit? Sure, but that’s their marketing pitch and they tried to swing their outage in a positive light.

horse with no name says:

almost broke the internet is like almost pregnant. it didn’t happen, so no biggie.

Even if it did “break” the internet, what would really happen? For a while, some sites might not be reachable. The world would not end, people would not starve, the planet would not stop spinning. If it happens, it happens, move along and go watch TV for a while instead.

The Old Man in The Sea says:

Effects of attack on Spamhaus and Cloudfare for us

About the only effect I’ve seen so far has been a slow down of video downloading from youtube (woodworking videos). I thought it was because I had reached my limit on downloads. But my downloads were still far too fast for that.

Yawn, yawn to attack.

A note though, a town in the west of the state had a fire in the local exchange which did knock out communications and the last to get back up was the internet (apparently took weeks to fix). So for my book, actual physical destruction stops access rather than software related problems.

lfroen (profile) says:

Load of crap

First of all: it’s technically impossible to “overwhelm” T1 network. It’s not your crappy $50 home router; it’s designed to remain functional under near 100% utilization.
Second, 100G is not that match (in such network). There’re routers where _every_ _single_ _port_ is 100G.
Yes, you read this correctly: while your home router port is usually 1G, and typically utilized at 30%, in T1 networks, routers designed to be “wire-speed”, and can utilize all of 100G ports at almost 100% at once without hanging/stacking/etc.
So no, Internet was not close to be “broken”, whatever it means; and yes, Techdirt again publish rubbish about technical subjects. Please stay on patents/copyrights topics next time.

Anonymouse says:

The resolvers are't the issue the ISPs are

don’t know why it submitted before I pressed submit, the issue here is that the various ISPs should put ingress and egress filters on their gateways, if the source address trying to leave my network isn’t on my network it goes to /dev/null, the same for incoming traffic, if the destination trying to enter my network isn’t on my network or routed by me to another network again it goes nowhere, the main problem is solved this way. Even if all the DNS servers out there reachable are only the ones that are authorative for a few zones are the ones remaining, this can still cause problems, the network needs to be cleaned up from a routing perspective, but I guess too many lazy ISPs and their techies couldn’t care less about what traffic traverses their pipes.

Anonymous Coward says:

Re: The resolvers are't the issue the ISPs are

The problem with that is that people will move their business where there’s no filtering in place to allow them the freedom they want.

Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they’re doing, and to what extent they’re spying on me.

Now think about web hosting. How can you deny people running their own nameservers? Sure, block all the traffic but then back to square one. So what then? Force them to take a test? Scan their servers for problems? Ok sure, but not for free, and people don’t want to pay… etc.

White labelled ISPs pride themselves with the lack of filtering and the ability for anyone to resell without branding. This gives their customers ultimate freedom but at a cost of security.

The solution, as bad as it is, is to wait for attacks to be reported (or noticed) then act to make it stop or bring the server offline. You can only prevent so much while trying to keep freedom and quality.

nasch (profile) says:

Re: Re: The resolvers are't the issue the ISPs are

Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they’re doing, and to what extent they’re spying on me.

I’m not a networking expert, but what is the problem with the kind of filtering he’s describing? What legitimate reason is there to spoof packets’ source address? What reason does an ISP have to accept a packet that is addressed to somewhere it isn’t going to be able to send it?

Anonymous Coward says:

Re: Re: Re: The resolvers are't the issue the ISPs are

By definition if it’s spoofed you don’t know where it’s coming from. How do you judge which packet to stop or which to allow? How do you decide it’s not a legit packet and block it?

So then you have to establish deep packet inspection to learn more about the packets, thus more monitoring and very high costs especially if you have lots of traffic.

The problem is that if you assume the end user will take care of it, you’ll have a network with lots of security issues. But if you force security over your users, you’ll lose your users.

DNS is a very basic system required by every business with an online presence. Sure, you can host using DNS hosters, but then you put your DNS in the hands of someone else.

If distributions concentrated on security instead of user-friendliness, this wouldn’t be happening. But when you apt-get install bind/powerdns/etc, it has to work with minimal comprehension and reading of the manual, because you know, otherwise people will stay with Windows.

nasch (profile) says:

Re: Re: Re:2 The resolvers are't the issue the ISPs are

By definition if it’s spoofed you don’t know where it’s coming from. How do you judge which packet to stop or which to allow? How do you decide it’s not a legit packet and block it?

If it originates from within your network but says it comes from somewhere else, no? Likewise if it’s coming into your network but not going anywhere your network can handle. Am I missing something here (genuine question because maybe it’s not as simple as it sounds)?

Mason Wheeler (profile) says:

Re: Re: Re:2 The resolvers are't the issue the ISPs are

By definition if it’s spoofed you don’t know where it’s coming from. How do you judge which packet to stop or which to allow? How do you decide it’s not a legit packet and block it?

You make it sound like such a difficult question.

If it’s spoofed, you don’t judge it, you don’t inspect it, you kill it immediately. If its IP addresses are bad, then it’s either corrupt or malicious, so shut it down.

Anonymouse says:

Re: Re: Re:2 The resolvers are't the issue the ISPs are

You seem to have a lack of networking experience, no packet inspection necessary ever, if the source IP address of a packet trying to leave your network is not part of your network it gets dropped, since packets originating from your network should have source IP address that are part of your network. Simple, since the source and destination addresses need to be “looked” at by your router anyway (strictly only the destination), your are not doing any “packet inspection” other than verifying the address validity.

Anonymous Coward says:

Re: The resolvers are't the issue the ISPs are

This is ABSOLUTELY correct. There is a long and serious discussion on this very point happening on the NANOG mailing list this week: see if you want to follow along.

As to Spamhaus: those of you slamming it are (a) spam-supporting parasites or (b) clueless. Spamhaus performs a function precisely equivalent to Consumer Reports: they express an opinion, one which you are free to heed or ignore. This is no different from hundreds of other DNSBLs, RHSBLs, static lists, etc. ALL of them express opinions, NONE of them enforce them on anyone.

Anonymous Coward says:

Re: Re: The resolvers are't the issue the ISPs are

Wrong. They enforce it indirectly to everyone.

I’m trying to send Bob an email. Bob is using SpamHouse. I can’t send Bob an email from home because my ISP is blacklisted for having “dynamic DNS” (let’s not get into THAT).

So I email Alice and ask her to email Bob, which she does. She asks Bob to remove SpamHouse from his blocklists, but Bob also uses his ISP email and cannot do anything.

SpamHouse are one of the worst out there. They almost always refuse to remove blacklists even when the issue is resolved and you have evidence, if you get an answer at all, and they often refuse to provide the reasons as to why you were blocked in the first place.

If only they charged for removal we could officially label them a scam.

Anonymous Coward says:

Re: Re: Re: The resolvers are't the issue the ISPs are

You’re full of shit.

If someone’s ISP is refusing email as a consequence of a Spamhaus listing, then it’s because that ISP chose to use Spamhaus. Nobody makes them do it.

Second, sending mail direct-to-MX from dynamic IPs is very, very stupid. It’s a worst practice. So no whining that you can’t do it, you shouldn’t even be trying.

Third, Spamhaus is very prompt about removing listings once the reason for them has been resolved. In fact, they’re TOO prompt, TOO nice about it, and occasionally they get scammed because the reason resurfaces shortly after they pull the listing.

Fourth, you have to really, REALLY work hard to earn a Spamhaus listing. Either (a) you have to be a prolific spammer or (b) you have to be an utterly incompetent, hopelessly lazy, throughly stupid network/system admin to get onto their list. Spamhaus is VERY lenient and VERY tolerant, often to my annoyance.

Fifth, it’s trivially easy to see why something is listed by Spamhaus: they have a web interface that you can query and thus access a wealth of information. So when you say that “they often refuse to provide the reasons”, you are — once again — lying.

Sixth, Spamhaus listings rarely happen in isolation. If you check numerous other DNSBLs/RHSBLs, you will see that the same IP addresses/network blocks/domains that show up on one, tend to show up on many. Given that they’re all independently run by people with very different criteria — people who often argue with each other — then it should be obvious that when this happens, it’s not because they all woke up and decided arbitrarily to make it happen. It’s because there’s a real problem.

I’m sure none of this will stop you from continuing to lie about Spamhaus, of course. Which spammer did you say you were>?

Anonymous Coward says:

Re: Re: Re:2 The resolvers are't the issue the ISPs are

While I understand the reason’s behind not being able to send mail direct-to-MX, it’s breaking the end to end principle as well. So blocking direct-to-MX is bad, but a necessary evil.
Getting listed on a RBL is rather trivial, but a good RBL will respect valid operators that research the reason for the listing and stop the offending emails. I’ve never had a problem with Spamhaus, so I don’t know how easy it is to contact them. Like you stated though, everyone can choose their own hosting provider and use any RBLs or nothing if that is what they wish.

Anonymouse says:

Re: Re: Re:3 The resolvers are't the issue the ISPs are

This is quite easy, quite a few ISPs pay per bandwidth, quite heftily, in fact, so traffic not carried (blacklist) is bandwidth not wasted, as opposed to accepting the traffic, then running a Bayesian filter over it and possibly still determining it to be spam, when they could have avoided the traffic and CPU cycles in the first place.

Anonymous Coward says:

Re: Re: Re:2 The resolvers are't the issue the ISPs are

First, it’s very difficult to take you seriously when you start off by “You’re full of shit”.

Second, tons of ISPs allow direct-to-MX from dynamic IPs. Tons. Did I say tons? Tons.

Third, SpamHouse are known to be the nazis of blacklists and refuse to remove a single listing if other IPs in the same /24 are listed. I’ve been dealing with them for over 6 years, and it’s mostly only problems.

Fourth, you don’t have to work hard. You only need to run a hosting company and let the users take care of it for you.

Fifth, the interface is useless because you still have to apply to get delisted and the idiot human behind the scenes always refuses, because “you have other networks listed”.

Sixth, Spamhouse block tons of people that no other blocklist do. As I said above, in the web hosting world, they’re known as the Nazis. Simple as that. Talk to some people that have inside knowledge for spam management.

I’m not sure if this will confirm you’re a spamhaus employee or just someone without knowledge of spam. Which scammer err.. spamhauser did you say you were?

I work for a reputable company that fights with those idiots day after day. What scammers do you work for again? Hitler is that you?! Sorry I couldn’t resist.

Anonymouse says:

Re: Re: Re:3 The resolvers are't the issue the ISPs are

1st – you did take him serious, else you wouldn’t have responded 🙂

2nd – strange you measuring the ISPs by weight, I guess its because they’re sinking due to all the SPAM

3d Maybe SpamHouse are a bit overzealous, but it works… to have a little story, assume everyone on your block uses the loo, like most civilized humans do, but you crap in the hand basin, not to want to talk to anyone on your block may cause peer pressure to make you change your behaviour and use the loo instead, until you do, don’t expect me to accept your mail

4th there’s the rub, not working and letting users loose on the infrastructure who are not educated enough about correct internet procedures gets you listed…

5th oh yes, refer to 3d above

6th oh yes, again refer to 3d above and there’s the second problem, if you’re doing WEB hosting, why would DNS Blacklisting, which only impacts MAIL have anything to do with you?

I doubt he’s a SpamHouse employee, neither am I, but I was happily using their services from ’98? ’99? onwards.

Yup a reputable company, like the tons referred to in 2nd above…

There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won’t have you listed, unless, of course, that ISP transports lots of SPAM out and doesn’t do a thing to clean this up.

Anonymous Coward says:

Re: Re: Re:4 The resolvers are't the issue the ISPs are

1st – I said it was hard.

2nd – Strange you say that. I never measured anything. I pointed out the obvious, obviously.

3d No. The correct analogy would be that you prevent everyone from using the hand basin until that one person stops? this punishing everyone because something 1 person did.

4th Enjoy running your company without clients. I guess you never worked in web hosting – or no much about it for that matter.

5th oh yes, refer to 3d above – yes exactly

6th Web hosting includes email. Again, you should learn the lingo before trying to use it without understanding it.

Yup a reputable company, like the tons referred to in 2nd above… said the guy who can’t understand basics of web hosting.

“There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won’t have you listed, unless, of course, that ISP transports lots of SPAM out and doesn’t do a thing to clean this up.”

Exactly, so leave it up to the nazis to decide what is dynamic and what is not, which was exactly the problem in the first place.

Anonymous Coward says:

I believe whoever wrote that blog post on cloudflare doesn’t understand much about routing and tier1 providers.

From experience, any major traffic peak that *can* (not necessarily does) affect their customers will be nullrouted at the first ingress (or egress) router, thus traffic goes nowhere. Then they’ll contact you with the reason for the nullroute and the target.

Also, they assume that at any point there is a single 100gbps router handing the traffic, which couldn’t be further from the truth unless you use known low-quality tier1’s. Routers are stacked for redundancy and to share cpu power.

It’s not the first laugh we have about some non-tech person claiming the possibility to break the internet, remember the root nameserver one?

Anonymous Coward says:

Re: Re:

Yeah! It’s complete BS that 300Gbit/s are able to almost break the internet. 300Gbit/s is some nice piece of traffic but not enough to cause major trouble. Just checked the statistics for decix (public peering point in Germany). Peak traffic is about 2.5Tbits/s for the last weeks as usual, no spikes for the DDoS. Let’s call that a marketing hype!

anonymouse says:


Ok i dont understand the technology or the problme with this massive attack, but if someone could explain it to me like i am five i would really appreciate it.

From what i have read 300gb of traffic has been directed at spamhous whihc is a site that creates blocklists of potential spammers. They have then been attacked by someone they listed as a spam generating entity.

Is there now a chance that developers will spend some time preventing these type of attacks from happening again? surely it would be simple enough to prevent ddos attacks by having a system where after a certain amount of attempts to dos attack an entity the servers would automatically restrict and future connection attempts , thereby completely nullifying the attack close to where it is being generated from. Simply block every attempt to attack a specific ip range.
Maybe i am simplifying this too much and don’t understand the problem but surely the main structure of the internet should be able to identify this type of attack and prevent it from spreading.

Anonymous Coward says:

Re: wow

Yes simple. Tell every nameserver distributing software/distribution to disable open resolvers by default instead of enabling them. Problem solved.

If you force the user to read up on a feature because being able to use it, then the user will learn about that feature and make the conscious decision of enabling it or not. I believe RedHat and all its derivatives ship with it enabled by default. Possible other distros as well.

Theo de Raadt made a presentation about DNSSEC and how it could be used to amplify these sorts of attacks. The video’s on youtube. Basically with misconfigured DNSSEC the attack could have been 10x, maybe even 100x worse.

Anonymouse says:

Re: Re: wow

To that other anonymouse, the DNS resolvers are not so much the issue as proper routing procedures not being implemented by ISPs.

Assume you sit behind an ADSL connection, which assigns you one IP address, the router port on the ISPs end of the circuit, should, once assigning you the IP address, add 2 restrictions on their end:
1. allow traffic into the network from you, coming from your assigned IP address
2. drop/block everything else
To panic about open resolvers ignores ICMP problems and any other services that utilize UDP and that don’t require handshaking and are thus prone to being used in spoof attacks.
The same goes for a leased line connection with a block of IP Addresses
1. allow traffic into the network from you, coming from your assigned network range, for example
2. drop/block everything else
Then for good measure, on the routers to the rest of the world, allow outgoing traffic from the IP addresses that are local to the ISP and drop/block everything else. No impact on the users, no packet inspection, no developers needing to do anything.

To identicon, you are missing the big picture, think of the children… DNS is a minor and non-issue, the issue is that ISPs knew about the spoofing issues back in the last century and have had the tools/option to setup the rules on their gateways since then, but it is a bit of work and these lazy so and so’s should be kicked in the nuts for not implementing this lot ages ago already. Implementing the best practices rules on the gateways would take care of any and all ICMP and UDP spoof attacks, I am sure others may arise, they can then be dealt with in a way appropriate for those attacks, yelling DNS and open resolver does not solve the actual problem. The network as a whole should be cleanly set up, which includes every ISP from tier 1 on down to your local one man shop with half a class C assigned to him.

Gunntherd (profile) says:

Totally agree, they (Government) need to “cause” issue’s, which keep getting bigger and bigger, which the liberal media will just go along with the claims until the minority beg the powers that be, to do something, which in the end will be the backdoor to taking control of the internet so the children and unknowledgeable internet users will be safe from terrorism by means of a cyber attack. I call bullshit on this too!! Nothing but a power grab to invoke another knee-jerk reaction to do nothing but take control of more of our freedoms.

Lurker Keith says:


Yesterday, & only yesterday, I had problems getting to Popehat, & only Popehat. I didn’t notice anything else.

No clue if this was related or not. It’s the first time I had difficulty navigating to Popehat since I started visiting it around the time The Oatmeal train wreck got underway.

Granted, I’m in the US.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...