Did a 300Gb/s DDoS really slow the Net? Only if you believe in Smurfs
Lock up your DNS - the little blue men are back
By John E. Dunn | Published: 18:09, 28 March 2013
A day on from what was only yesterday being described as a DDoS attack so large it had slowed the Internet itself, the sceptics have rallied with a simple question: is there a shred of evidence that something of wider significance happened?
No doubt that anti-spam registry Spamhaus came under attack on 19 March, a fact that was noticed by about 0.00000001 percent of Net users when DDoS mitigation firm CloudFlare trumpeted its success at stopping the assault in its tracks in a detailed blog. Well done lads.
As the company explained, Spamhaus had experienced a ‘DNS amplification’ attack, a close relative of the ‘Smurf’ attack of the late 1990s (named after one of the attack tools), which bounced ICMP echo requests off network broadcast addresses so that whole subnets replied to the victim. Both are reflection attacks: a relatively unsophisticated but potentially very effective form of DDoS in which third-party machines are tricked into flooding the target.
Smurfing was supposed to have been snuffed out years ago, once routers stopped forwarding packets sent to broadcast addresses, but a newer form that uses DNS servers as the reflectors has been a growing if unacknowledged issue in recent times.
Turning the workings of a DNS server into the engine of a DDoS depends on what are termed ‘open resolvers’: DNS servers that will answer recursive queries from anyone on the Internet. The essence of the method is to send those resolvers queries whose source address has been forged to that of the target (Spamhaus, or its shield CloudFlare), asking for a record with a very large answer, typically an ‘ANY’ query against a domain with a big zone, so that a request of a few dozen bytes draws a reply of several kilobytes.
The resolvers dutifully send their replies to the forged address, burying the target under traffic it never asked for. The clever bit: “We recorded over 30,000 unique DNS resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mb/s, which is small enough to fly under the radar of most DNS resolvers,” said CloudFlare.
The firm absorbed a first wave that peaked at around 75Gb/s, but the attackers tried again and traffic spiked to 300Gb/s, this time directed not at Spamhaus or CloudFlare directly but at the upstream carriers from which CloudFlare buys bandwidth, what are called Tier 2 service providers.
It is this widening that caused things to kick off, or so we were told. The Tier 2 providers in turn take their traffic from even bigger firms, the Tier 1 backbone providers, and it was on those links that the attack reached the claimed 300Gb/s level, a gigantic number by conventional standards.
This is how the Internet works; traffic is moved between these huge carriers, no questions asked. If it didn't the Internet would either slow down or become expensive to run, or both.
This design is one of the compromises that renders the Internet vulnerable to parties (spammers, say) who don't play by the rules, but did this surge in traffic cause the Internet to measurably slow down?
In short, not really. And it shouldn't have, because this kind of attack can be mitigated relatively quickly once it is recognised for what it is.
Internet Traffic Report, which monitors global speeds, couldn’t see any issue and nor could consumer-facing site Thinkbroadband, which issued a baffled press release saying as much.
“There seems to be very little sign of this [slowdown] from an analysis of the speed tests people are running on our site,” the site said. “There appears to be no evidence to say that UK broadband users have been slowed down across the board.”
How about firms such as Arbor Networks, which has its equipment in enough Tier 1 networks to have meaningful insight into how traffic rises and falls?
When Techworld contacted the firm, they weren't sure and hadn't yet crunched the numbers beyond confirming that the attack had generated the 300Gb/s levels claimed for it.
“Perhaps they [the attackers] wanted to demonstrate their capability,” offered Arbor’s Darren Anstee, who agreed that once defenders worked out what was happening traffic could have been black-holed.
Others agreed that this kind of attack, while large, should have been dealt with by service providers.
“I personally am very puzzled by the success of this attack. It seems to me that for an attack of such magnitude the load on the outgoing communication pipes of the open DNS resolvers should have been big enough for them to notice and take action,” said Amichai Shulman, CTO of security firm Imperva.
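To make the mechanism described above concrete, and to show the sort of check Shulman suggests resolver operators could have applied, here is an added example; it is not code from the original article, from CloudFlare or from Spamhaus. The first function assembles the wire-format query an attacker fires at an open resolver, to show how few bytes it takes to draw a reply of several kilobytes. The second runs a rate-based check over constructed resolver records: a simple version of the per-client limit on identical answers that DNS Response Rate Limiting applies. The queried name (ripe.net), the EDNS0 buffer size, the response sizes and the record layout are assumptions for illustration, not details taken from the article.

```python
"""DNS amplification: the tiny query, and a check that spots a resolver being
used as a reflector. Added example; the query name, sizes and record layout
are assumptions, not data from the article."""
import struct
from collections import defaultdict, deque


def encode_name(name):
    # DNS wire format: each label prefixed by its length, terminated by 0x00.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_any_query(name, txid=0x1234, udp_payload_size=4096):
    """UDP payload of a 'dig ANY <name> +bufsize=<n>' style query.

    Sent with the victim's address forged as the IP source, every resolver
    that answers returns a reply many times this size to the victim."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    # Question: QNAME, QTYPE=ANY (255), QCLASS=IN (1)
    question = encode_name(name) + struct.pack("!HH", 255, 1)
    # EDNS0 OPT pseudo-record in the additional section: root name, TYPE=OPT
    # (41), CLASS carries the advertised UDP payload size so the resolver does
    # not truncate the big answer, TTL field (ext. RCODE/version/flags) = 0,
    # RDLENGTH = 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt


# Constructed resolver records (not a real server's log format). One line per
# answered query: "seconds client qname qtype query_bytes response_bytes".
# 192.0.2.10 plays the spoofed victim; 3077-byte ANY answers are assumed.
SAMPLE_LOG = """\
0.010 192.0.2.10 ripe.net ANY 37 3077
0.050 198.51.100.7 www.example.com A 33 49
0.110 192.0.2.10 ripe.net ANY 37 3077
0.220 192.0.2.10 ripe.net ANY 37 3077
0.300 203.0.113.9 ripe.net ANY 37 3077
0.340 192.0.2.10 ripe.net ANY 37 3077
0.450 192.0.2.10 ripe.net ANY 37 3077
0.560 198.51.100.7 mail.example.com MX 34 80
0.610 192.0.2.10 ripe.net ANY 37 3077
0.700 203.0.113.9 ripe.net ANY 37 3077
0.850 192.0.2.10 ripe.net ANY 37 3077
0.990 192.0.2.10 ripe.net ANY 37 3077
1.400 192.0.2.10 ripe.net ANY 37 3077
"""


def flag_reflectors(log_text, window=1.0, max_per_window=5, min_amplification=10.0):
    """Return {(client, qname, qtype): (peak_count, amplification)} for every
    client that was sent more than `max_per_window` copies of the same large
    answer inside any `window` seconds.

    A real client almost never needs the same multi-kilobyte answer several
    times a second; a spoofed victim "asks" for it continuously. Keying on the
    repeated identical answer to one address catches that even when the
    resolver's total outbound rate looks unremarkable."""
    recent = defaultdict(deque)   # key -> timestamps inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qlen, rlen = line.split()
        ts, qlen, rlen = float(ts), int(qlen), int(rlen)
        amplification = rlen / qlen
        if amplification < min_amplification:
            continue                    # small answers are not worth reflecting
        key = (client, qname, qtype)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window:
            peak, _ = flagged.get(key, (0, amplification))
            flagged[key] = (max(peak, len(q)), amplification)
    return flagged


if __name__ == "__main__":
    query = build_any_query("ripe.net")
    print(f"query is {len(query)} bytes: {query.hex()}")
    for (client, qname, qtype), (count, amp) in flag_reflectors(SAMPLE_LOG).items():
        print(f"reflecting to {client}: {count} x {qname} {qtype} in 1s, ~{amp:.0f}x amplification")
```

The 30,000 resolvers at 2.5Mb/s each that CloudFlare counted add up to the roughly 75Gb/s of the first wave. With a 3KB answer (an assumed size) 2.5Mb/s is about a hundred identical replies a second to the same forged address, which is invisible in a resolver's aggregate throughput but exactly the repetition a per-client limit on identical answers is designed to catch.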
With self-interested security firms jumping on the attack and the BBC giving it an air of credibility, the real-world effects of 300Gb/s seem to have been lost. Nobody actually said the Internet had slowed down, simply that it might have. Perhaps it wasn't the Internet that was slow so much as the response to an unexpected event.
The real story of the Internet traffic-storm of March 2013 wasn’t its size or direct effect on users but its cunning and the ease with which the attackers made a nuisance of themselves.
Having failed to dent Spamhaus, the attackers went after the company defending them in quite a knowing way, after which they went after the companies peering to that infrastructure.
As with the Smurfers of old, they knew what they were doing - that is the real warning.