Noticed any anomalies online in the last week or so? Do you live in Europe or North America? Chances are if you said yes to both you are being impacted by the largest distributed denial of service (DDoS) ever recorded.

IT security vendor, Sophos talks about a massive DDoS attack against anti-spam provider which may have impacted millions of internet users over the past one week.

What is happening? A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, a non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.

Cyberbunker takes its name from the former NATO bunker that the company operates out of. Not surprisingly they appear to be offline at the moment, whether that is due to a DDoS attack or other circumstances is difficult to discern.

Cyberbunker caters to customers who are unwanted by or afraid to use traditional web hosts because of the activities they are involved in.

Their target markets include copyright abusers, spammers, malware malcontents and just about any other type of activity… Except child porn and terrorism (thank god for that).

Because of the nature of Cyberbunker’s traffic Spamhaus decided to add Cyberbunker’s IP addresses to their blacklist of dodgy, spammy hosts. Cyberbunker proceeded to attempt to take Spamhaus offline in retribution.

How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

What is so special about this attack? It is a large scale DNS reflection attack that takes advantage of misconfigured DNS servers to amplify the power of a much smaller botnet.

Cloudflare, an anti-DDoS provider, was hired by Spamhaus to protect their systems (which remain online). They have reported that in a much smaller attack in late 2012 more than 68,000 DNS servers were utilized in a single attack.

How big is this problem? The Open Resolver Project reports more than 21.7 million insecure/misconfigured DNS servers on the IPv4 internet today.

Why does this make my internet slow? Despite the laughter echoing throughout the internet when a US Senator called the internet a system of tubes, it is in fact that way to a degree.

Many of the primary internet backbones (“tier 1 service providers”) are being overwhelmed by the volume of traffic from this attack. This can make access to some sites slow or even temporarily impossible during peak attack volumes. These sites and providers could be considered collateral damage.

How does a DNS reflection attack work? DNS requests are typically sent over UDP, a connectionless protocol. This allows an attacker to forge the from address on the packets to appear to come from the victim of the attack rather than the actual originating computer.

As mentioned above, over 21.7 million DNS servers are misconfigured to allow anyone to query them for name services without any filtering or rate-throttling.

The attackers begin by identifying these vulnerable assets and use a sizable botnet to begin forging queries to the DNS servers. That is the reflection part, next comes the amplification component.

If a DNS request or response is under 512 bytes it uses UDP, so the attackers make sure the requests are very small. If a DNS response exceeds 512 bytes, DNS will switch to using TCP and the accompanying three-way handshake that is both time consuming and bandwidth amplifying.

Not only does DNS begin using TCP the replies are designed to be a couple of KBytes. So for only 300 bytes of botnet traffic you get over 3,000 bytes of attack traffic.

Unfortunately this problem has been made even worse by a security technology, DNSSEC. The signing of DNS is an important step toward preventing abuse, but it also makes DNS replies even larger, sometimes upwards of 5,000 bytes or more total.

You can see how a few hundred megabits of botnet bandwidth can quickly turn into gigabits of attack traffic from servers, which often have more processing and bandwidth available to them.

What can you do? If you are a regular user of the internet, not much. Don’t panic, your data is safe you are simply being denied service or experiencing delays.

If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network.

If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes.

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He wrote this for Sophos Naked Security: http://nakedsecurity.sophos.com/2013/03/28/massive-ddos-attack-against-anti-spam-provider-impacts-millions-of-internet-users/

Leave a Reply