World's Largest DDoS Attack
Analysis of Spamhaus vs Cyberbunker

Published in: Technology

  • 1. Spamhaus vs Cyberbunker
      • World’s Largest DDoS Attack
      • B V S Narayana, CISSP,
  • 2. Who is
  • 3. Who is Cyberbunker
      • Extract from Wikipedia
  • 4. Attack Story
      • On March 18, 2013, Spamhaus came under attack.
      • The attack was volumetric: it saturated their Internet connection and knocked the site off the Internet.
      • On March 19, 2013, Spamhaus contacted CloudFlare to protect them against the attack.
      • CloudFlare recorded an initial attack volume of 10Gbps.
      • Later the attacks were recorded at up to 100Gbps.
      • On March 22nd, the attack peaked at around 120Gbps.
      • The surge went up to around 300Gbps during the attack tenure.
  • 5. Attack Types and Tools
      • Large Layer 3 attacks originated from different sources
      • Basically known as DDoS attacks
      • Anonymous LOIC is the most commonly used tool for DDoS
      • Botnets are also a well-known source of DDoS traffic
      • Misconfigured or open DNS resolvers are another source of attack
      • TCP ACK reflection attack
  • 6. How they Generate Volumetric Traffic
      • Tools are a good source but can't generate huge traffic without a widely spread network of infected PCs or bots
      • DNS reflection attacks are the best source of such traffic
      • DNS-based attacks are small in queries/requests and relatively large in responses
      • If attackers sent these queries from their own address, they would end up receiving the heavy response traffic themselves
      • DNS reflection sends requests with a spoofed source IP, that of the intended victim
      • DNS resolvers send their responses to the intended victim
      • The attacker's request is a fraction of the size of the response, so the attacker can amplify the attack many times over
  • 7. How does a DNS Reflection Attack work
      • The attacker requests a DNS zone file from open DNS resolvers
      • The attacker spoofs the Spamhaus IP as the source in their DNS queries
      • Open DNS resolvers respond to the Spamhaus IP, treating it as the source
      • DNS queries are approximately 36B long
      • The DNS response is approx 3KB in size, thus amplifying the attack by 100x
      • Approx 30,000 unique DNS resolvers were involved in the attack
      • Each open DNS resolver responds with 2.5Mbps, the results thus aggregating to 750Mbps of traffic
      • Attackers also target peering ISPs and Internet exchanges to multiply the attack
  • 8. What are Open DNS Resolvers
      • DNS servers are either ISP-specific or open
      • A user with an ISP1 IP address can only use the ISP1 DNS server to reach the Internet
      • The ISP2 DNS server would not respond to queries from ISP1 hosts and vice versa
      • However, users can also use an open DNS resolver such or and many more to eliminate dependency on ISP DNS
  • 9. How CloudFlare Mitigated the Attack
      • CloudFlare uses Anycast between their 23 global datacenters
      • Anycast advertises the same IP address across all 23 datacenters
      • This ensures that each request reaches the nearest datacenter
      • Thus volumetric traffic is not directed to a single location but is spread across multiple datacenters, reducing the volume each one sees
      • This ensures that no single network/datacenter becomes a bottleneck
      • This ensures attacks are relatively small and easily handled
  • 10. References
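
The reflection pattern described in slides 6 and 7 can be recognised on the receiving side, because the victim gets DNS responses it never asked for. The following is an added example, not part of the original slides: it scans constructed flow records for large UDP responses from source port 53 that match no outbound query. The record format, the addresses (documentation ranges) and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records, not real traffic:
# time src_ip src_port dst_ip dst_port proto bytes
# 192.0.2.10 is a hypothetical protected host; the other addresses stand in for resolvers.
SAMPLE_FLOWS = """\
1.00 192.0.2.10 40001 198.51.100.1 53 udp 36
1.02 198.51.100.1 53 192.0.2.10 40001 udp 120
2.00 203.0.113.5 53 192.0.2.10 31337 udp 3000
2.01 203.0.113.6 53 192.0.2.10 31337 udp 3000
2.02 203.0.113.7 53 192.0.2.10 4444 udp 2900
2.03 203.0.113.5 53 192.0.2.10 31337 udp 3000
"""

def find_reflection(flow_text, min_resolvers=3, min_avg_bytes=512):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS responses.

    Thresholds are illustrative assumptions: several distinct resolvers, and an
    average response larger than the classic 512-byte DNS/UDP payload limit.
    """
    pending = set()  # (client_ip, client_port, resolver_ip) with a query in flight
    seen = defaultdict(lambda: {"resolvers": set(), "packets": 0, "bytes": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, sport, dst, dport, proto, size = line.split()
        if proto != "udp":
            continue
        sport, dport, size = int(sport), int(dport), int(size)
        if dport == 53:                      # outbound query: remember it
            pending.add((src, sport, dst))
        elif sport == 53:                    # DNS response
            key = (dst, dport, src)
            if key in pending:               # answer to a query we really sent
                pending.discard(key)
                continue
            entry = seen[dst]                # unsolicited: nobody asked for this
            entry["resolvers"].add(src)
            entry["packets"] += 1
            entry["bytes"] += size
    alerts = {}
    for victim, e in seen.items():
        avg = e["bytes"] / e["packets"]
        if len(e["resolvers"]) >= min_resolvers and avg >= min_avg_bytes:
            alerts[victim] = {"resolvers": len(e["resolvers"]), "packets": e["packets"],
                              "bytes": e["bytes"], "avg_bytes": avg}
    return alerts

if __name__ == "__main__":
    print(find_reflection(SAMPLE_FLOWS))
```

The single solicited 120-byte answer is ignored; the four unsolicited responses from three resolvers trigger the alert.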