An organization known as Cyberbunker was blacklisted by Spamhaus – a cyber defense agency dedicated to protecting the world against DDoS attacks. A chronicle events foretold:
Along with malware and identity theft, Distributed Denial of Service (DDoS) attacks are frequently becoming the bane of global netizens’ existence. In layman terms, DDoS attacks may be likened to a zombie outbreak that threatens to destroy the infrastructure.
Attacks on major corporations happen much too often, and even non-profit organizations are not spared. One of the biggest DDoS attacks to have occurred in recent history is the Spamhaus DDoS attack.
Read on to relive the brief history of the Great Spamhaus DDoS Attack.
Spamhaus reports a barrage of DDoS attacks using Botnets and DNS reflection, presumably perpetrated by Cyberbunker’s supporters. This is a direct retaliation of Spamhaus blacklisting Cyberbunker, an Internet service provider based in Holland. Supporters led by Sven Olaf Kamphuis who was the unofficial spokesman, announced that the attacks were made to protest Spamhaus abusing their power.
: Sought help from protection service provider Cloudflare when the attack traffic hovered between 30G and 90G.
: Attack traffic reached a high point of 120G.
: Attacks stopped momentarily after causing isolated congestion in Europe, but resume two days later. Spamhaus also bombarded Cloudflare but failed to make impact. The attacks returned in full force but were directed towards Cloudflare’s Internet bandwidth provider and its Internet exchange infrastructure partner.
: The attack traffic grew from 10G up to 300G on March 27th, 2013, thus, it is believed to be the largest-scale DDoS attack event in Internet history.
: Sven Olaf Kamphius and a 16-year-old British schoolboy were arrested by the authorities and taken in for questioning. The latter was thought to be part of an organized crime gang, and Cyberbunker did not comment on whether or not it was affiliated to the suspect.
The DDoS attacks were largely attributed to DNS reflection technology, which is also the culprit behind elaborate DDoS attacks these days. The attackers basically sent out a large number of DNS queries to open resolvers but not before changing the source address of origin. This misleading act results in the attackers’ intended victim being bombarded with 8 times more traffic than they would receive. The full effect of the attack stunned everyone when it was discovered that 30,000 unique DNS resolvers were possibly involved in the act.
The solution: Unfortunately, the DNS reflection technique cannot be eradicated easily. It takes a lot of efforts by infrastructure providers before significant changes can slowly phase it out (this may involve permanently disabling open DNS resolvers). To properly fight back, we need to create awareness and educate certain parties about the dangers of DNS reflection technology when used by the malicious individuals.
Those responsible for the Spamhaus attacks also employed the ATK reflection technique where a number of SYN packets were sent to open DNS servers using a faked source IP address as the target. Similar to the DNS reflection method, this technique masks the source of the attack, but perhaps luckily enough, it does not involve amplifying the traffic used to bombard the target. In short, the absence of protection against feeding of spoofed IP packets contributed to Spamhaus’ momentary fall.
We can implement BCP38 to lessen the impact of spoofed-packets DDoS attacks: Besides having infrastructure providers realize how reducing open recursive DNS resolvers can restrict this kind of DDoS attack, additional steps are also needed to counter the attackers. One efficient way is to implement BCP38 (Best Current Practice #38), hence preventing packages with spoofed IPs from entering the victim’s networks.
We can place limits on authoritative nameservers: To avoid having them exploited as traffic amplifiers and doing more harm to the attackers’ target, we can install rate-limiting patches on them, thus making them less attractive for the attackers to abuse.
We can focus on proper protection for open DNS servers: There are many providers offering solutions for managing IT and infrastructure, so perhaps the best way to prevent DDoS attacks is to get to the root of the problem. By applying customized protection via built-in DNS protection algorithm, we can restrict attacks and lower threats.
DDoS attackers do not just target big corporations. Smaller companies and entities may also be at their mercy, so it pays to open up your ears and mind as to how DDoS attacks are perpetrated, and how you can fight back Spamhaus / Cloudflare style!
For more information regarding domain name system (DNS) amplification attacks, click here.
Adam Prattler is a freelance IT consultant and technology enthusiast. His hobbies are skiing, swimming and Paddleboarding.