Spamhaus vs Cyberbunker: World's Largest DDoS Attack
B V S Narayana, CISSP, CISA (@bvsnarayana03, layer4to7.wordpress.com)
Analysis of Spamhaus vs Cyberbunker
1. Spamhaus vs Cyberbunker: World's Largest DDoS Attack (title slide)
   • B V S Narayana, CISSP, CISA (@bvsnarayana03, layer4to7.wordpress.com)
2. Who is Spamhaus
   • www.spamhaus.org
3. Who is Cyberbunker
   • Extract from Wikipedia
4. Attack Story
   • On March 18, 2013, Spamhaus came under attack.
   • The attack was volumetric: it saturated Spamhaus's internet links and knocked the site off the internet.
   • On March 19, 2013, Spamhaus engaged CloudFlare to protect it against the attack.
   • CloudFlare recorded an initial attack volume of 10 Gbps.
   • Later attacks were recorded at up to 100 Gbps.
   • On March 22, the attack peaked at around 120 Gbps.
   • Over the course of the attack the surge reached around 300 Gbps.
5. Attack Types and Tools
   • Large Layer 3 attacks originating from many different sources, collectively known as DDoS attacks
   • Anonymous's LOIC (Low Orbit Ion Cannon) is the most commonly used DDoS tool
   • Botnets are another well-known source of DDoS traffic
   • Misconfigured or open DNS resolvers are a further source of attack traffic
   • TCP ACK reflection attacks
6. How They Generate Volumetric Traffic
   • Tools alone cannot generate huge volumes of traffic without a widely spread network of infected PCs (bots)
   • DNS reflection is the most effective way to generate such volumes
   • DNS queries are small, while the responses are relatively large
   • An attacker who sent those queries from their own address would receive the heavy response traffic themselves
   • In a DNS reflection attack the request carries a spoofed source IP: the address of the intended victim
   • The DNS resolvers send their responses to that victim
   • Because the attacker's request is a fraction of the size of the response, the attack is amplified many times over
7. How Does a DNS Reflection Attack Work
   • The attacker requests a large record set (a DNS zone file) from open DNS resolvers
   • The attacker spoofs Spamhaus's IP address as the source of the DNS queries
   • The open DNS resolvers send their responses to Spamhaus's IP, believing it to be the source
   • Each DNS query is approximately 36 bytes long
   • Each DNS response is approximately 3 KB, amplifying the attack roughly 100x (3,000 B / 36 B is about 83x; larger responses push it higher)
   • Approximately 30,000 unique open DNS resolvers were involved in the attack
   • Each open resolver responded with only about 2.5 Mbps, small enough to go unnoticed at the resolver, but 30,000 × 2.5 Mbps aggregates to roughly 75 Gbps at the victim
   • The attackers also targeted peering ISPs and internet exchanges to multiply the attack's effect
8. What Are Open DNS Resolvers
   • DNS resolvers are either restricted to an ISP's own customers or open to anyone
   • A user with an ISP1 address is expected to use ISP1's DNS resolver to reach the internet
   • ISP2's DNS resolver should not respond to queries from ISP1 hosts, and vice versa
   • However, users can also use open DNS resolvers such as 4.2.2.2 or 8.8.8.8 (and many others) to remove the dependency on their ISP's DNS
   • Any resolver that answers recursive queries from arbitrary source addresses can be used as a reflector, because it will send its large responses to whatever source address the query claims
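As an added example (not part of the original slides), the following Python script shows the mechanics behind slides 6 to 8. It encodes a DNS ANY query carrying an EDNS0 OPT record, the form of query that lets a resolver return a multi-kilobyte answer over UDP, reports the query's wire size, computes the amplification factor and aggregate bandwidth from the slide's figures, and classifies a resolver's reply as open or restricted from the header bits alone. The query name ripe.net, the probe name example.com and the 192.0.2.1 address in the constructed reply are illustrative assumptions, and the sample responses are built inline. It builds query payloads only and spoofs nothing; probe_resolver() sends an ordinary query from your own address and must only be pointed at resolvers you are authorised to test.

```python
# DNS amplification arithmetic and an open-resolver check.
# Added example; not code from the original slides. The query name, the
# probe name and the address in the constructed reply are assumptions.
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_ANY, CLASS_IN = 1, 41, 255, 1   # TYPE_OPT: EDNS0 (RFC 6891)


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Build a recursive (RD=1) query. With edns_udp_size > 0 an OPT record is
    appended; its CLASS field advertises the UDP payload size the sender
    accepts, so a ~3 KB answer is not truncated at the classic 512-byte limit."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name (1 byte), TYPE=41, CLASS=UDP size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes arriving at the victim per byte the attacker sends."""
    return response_len / len(query)


def aggregate_bps(resolver_count: int, per_resolver_bps: float) -> float:
    """Victim-side load when many reflectors each contribute a small rate."""
    return resolver_count * per_resolver_bps


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_resolver(response: bytes, txid: int) -> bool:
    """True if the server answered our recursive query for a name it is not
    authoritative for: matching id, QR=1, RA=1, RCODE=0 and an answer present.
    A resolver restricted to its own customers replies REFUSED (RCODE=5) with
    no answer, or does not reply at all."""
    h = parse_header(response)
    return (h["id"] == txid and h["qr"] and h["ra"]
            and h["rcode"] == 0 and h["ancount"] > 0)


def build_sample_response(txid: int, flags: int, with_answer: bool) -> bytes:
    """Constructed reply for offline testing: question for example.com plus,
    optionally, one A record pointing at the documentation address 192.0.2.1."""
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b""
    if with_answer:  # 0xC00C: compression pointer to the question name at offset 12
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                  + bytes([192, 0, 2, 1]))
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    return header + question + answer


def probe_resolver(ip: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Live check: one ordinary recursive A query from this host. Needs network
    access and authorisation for the target; not run by the offline demo."""
    txid = 0x4242
    query = build_query(name, qtype=TYPE_A, txid=txid, edns_udp_size=0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return is_open_resolver(data, txid)


if __name__ == "__main__":
    q = build_query("ripe.net")                    # assumed query name
    print(f"ANY query with EDNS0: {len(q)} bytes")  # 37 bytes; slide says ~36
    print(f"amplification for a 3,000 B answer: {amplification_factor(q, 3000):.0f}x")
    print(f"30,000 resolvers x 2.5 Mbps = {aggregate_bps(30_000, 2.5e6) / 1e9:.0f} Gbps")
    open_reply = build_sample_response(0x4242, 0x8180, True)  # QR, RD, RA, NOERROR
    refused = build_sample_response(0x4242, 0x8105, False)    # QR, RD, REFUSED
    print("open:", is_open_resolver(open_reply, 0x4242),
          "refused:", is_open_resolver(refused, 0x4242))
```

The query builder produces 37 bytes for ripe.net with EDNS0 (26 without it), which is the slide's "approximately 36 B" figure; against a 3,000-byte answer that is an amplification of about 81x, and 30,000 resolvers at 2.5 Mbps each yield 75 Gbps at the victim. The classifier deliberately requires RA=1 and an answer record, so an authoritative-only server (RA=0) or a resolver that refuses off-network clients (RCODE=5, no answer) is not reported as open.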
9. How CloudFlare Mitigated the Attack
   • CloudFlare uses Anycast across its 23 global datacenters
   • Anycast advertises the same IP addresses from all 23 datacenters
   • This ensures that each request reaches the nearest datacenter
   • Volumetric attack traffic is therefore not directed at a single location but spread across multiple datacenters, reducing the share each must absorb
   • No single network or datacenter becomes a bottleneck
   • Each datacenter sees only a relatively small slice of the attack, which it can handle
10. References
   • http://en.wikipedia.org/wiki/Cyberbunker
   • http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?_r=0
   • http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack
   • http://blog.cloudflare.com/good-news-open-dns-resolvers-are-getting-clos
   • http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
   • http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
   • http://openresolverproject.org/
   • http://bgp.he.net/AS13335#_peers
   • http://www.spamhaus.org/
   • http://www.cloudflare.com/
   • http://en.wikipedia.org/wiki/Tier_1_network