Largest-Ever DDoS Campaign Demonstrates Danger of New Attack Method

By Robert Lemos  |  Print this article Print

A DDoS attack on Internet blacklist maintainer Spamhaus topped 300G bps, powered by “open recursive resolvers,” which let attackers turn modest attacks into floods of traffic.

A distributed denial-of-service (DDoS) attack on Internet blacklist maintainer Spamhaus has topped 300G bps, powered by “open recursive resolvers,” which allow attackers to turn modest attacks into overwhelming floods of traffic.

A DDoS attack using a technique known as DNS reflection has resulted in what many security experts are calling the largest DDoS attack to date, which generated traffic volumes of 300G bps, or about three times larger than any known previous attacks.

The series of attacks, which have taken place since the third week of March, hit the anti-spam organization Spamhaus, whose blacklists are used by many companies to block traffic from questionable servers. Spamhaus’ services have angered spam distributors and their hosting providers and the attack is just the latest effort to protest and thwart Spamhaus’ work.

While Spamhaus has often come under DDoS attack, the latest onslaught has exceeded any past data flood, Adam Wosotowsky, a threat researcher with security firm McAfee, said in an email interview with eWEEK.

"The volume is the biggest surprise," he said. "While there have been some significant DDoS attacks over the years, doing so tends to expose the botnet to detection and eventual takedown. Spamhaus apparently really hit a wasp nest on this one."

The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers—known as open recursive resolvers or open recursors—to amplify a much smaller attack into a larger data flood. Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim's network. Because the DNS server is not configured properly, it will respond to each request by sending the zone file to the victim's address, overwhelming the network.

By using DNS reflection, the attacker could amplify their own bandwidth by about 100-fold, turning modest resources into a large attacks, Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack. For the past week, CloudFlare has worked with Spamhaus to mitigate the latest attack.

"In the last year they have become the source of the largest Layer 3 DDoS attacks we see--sometimes well exceeding 100G bps," Prince said in the analysis. "Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them."

At 300G bps, the attacks have already exceeded the network speed of the infrastructure routers that form the Internet backbone, Prince said.

"The largest routers that you can buy have, at most, 100G bps ports," Prince said. "It is possible to bond more than one of these ports together to create capacity that is greater than 100 Gbps. However, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down."

Internet exchanges need to protect the infrastructure connecting Tier-1 providers, wrote Prince in a later analysis. First, the companies should prevent public-Internet traffic from reaching the IP addresses. Then they should only allow routing infrastructure from other exchanges to send data to their core routers.