Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message


War on Error

John E Dunn

Did a 300Gb/s DDoS really slow the Net? Only if you believe in Smurfs

Article comments

Lock up your DNS - the little blue men are back

Lock up your DNS - the little blue men are back.

A day on from what was only yesterday being described as a DDoS attack so large it had slowed the Internet itself, the sceptics have rallied with a simple question: is there a shred of evidence that something of wider significance happened?

No doubt that anti-spam registry Spamhaus came under attack on 19 March, a fact that was noticed by about 0.00000001 percent of Net users when DDoS mitigation firm CloudFlare trumpeted its success at stopping the assault in its tracks in a detailed blog. Well done lads. Thumbnail image for Techie Smurf.jpg

As the company explained, Spamhaus had experienced a ‘DNS amplification' attack, once called a ‘Smurf’ attack (after one of the attack tools), a relatively unsophisticated but potentially very successful form of DDoS designed to overload routers.

Router Smurfing was supposed to have been snuffed years ago but a newer form that targets DNS servers has been a growing if unacknowledged issue in recent times.

PeakDDoSAttack_rev2.jpgTurning the working of a DNS server into the basis for DDoS depends on what is termed ‘open DNS resolution.’ The essence of the method is to spoof requests from the target domain (Spamhaus or its shield CloudFlare) to its peers or DNS resolvers, requesting what is called a DNS zone file, a master record of the domains the server can resolve to given IP addresses.

The servers reply to the apparent host, burying it underneath useless traffic. The clever bit: “We recorded over 30,000 unique DNS resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mb/s, which is small enough to fly under the radar of most DNS resolvers,” said CloudFlare.

The firm jumped in front of a bullet that generated 75Gb/s but the attackers tried again and traffic spiked to 300Gb/s, this time directed not at Spamhaus or CloudFlare directly but the latter’s web of what are called Tier 2 service providers.

It is this widening that caused things to kick off, or so we were told. The Tier 2 providers coped by deflecting it back to even bigger firms called Tier 1 backbone providers, by which point it had reached the claimed 300Gb/s level, a gigantic number by conventional standards.

This is how the Internet works; traffic is moved between these huge carriers, no questions asked. If it didn't the Internet would either slow down or become expensive to run, or both.

This design is one of the compromises that renders the Internet vulnerable to parties (spammers, say) who don't play by the rules, but did this surge in traffic cause the Internet to measurably slow down?

In short, not really. And it shouldn't have because this kind of attack can be mitigated relatively quickly.

Internet Traffic Report, which monitors global speeds, couldn’t see any issue and nor could consumer-facing site Thinkbroadband, which issued a baffled press release saying as much.

“There seems to be very little sign of this [slowdown] from an analysis of the speed tests people are running on our site,” the site said. “There appears to be no evidence to say that UK broadband users have been slowed down across the board.”

How about firms such as Arbor Networks, which has its equipment in enough Tier 1 peers to have meaningful insight into how they are seeing traffic rises and falls?

When Techworld contacted the firm, they were sure and hadn’t yet crunched numbers beyond confirming the attack had generated the 300Gb/s levels claimed for it.

“Perhaps they [the attackers] wanted to demonstrate their capability,” offered Arbor’s Darren Anstee, who agreed that once defenders worked out what was happening traffic could have been black-holed.

Other agreed that this kind of attack while large should have been dealt with by service providers.

“I personally am very puzzled by the success of this attack. It seems to me that for an attack of such magnitude the load on the outgoing communication pipes of the open DNS resolvers should have been big enough for them to notice and take action," said Amichai Shulman, CTO of security firm Imperva.

With self-interested security firms jumping on the attack and the BBC giving it an air of credibility, the real-world effects of 300Gb/s seem to have been lost. Nobody actually said the Internet had slowed down, simply it that it might have. Perhaps it wasn’t the Internet that was slow so much as the response to an unexpected event.

The real story of the Internet traffic-storm of March 2013 wasn’t its size or direct effect on users but its cunning and the ease with which the attackers made a nuisance of themselves.

Having failed to dent Spamhaus, the attackers went after the company defending them in quite a knowing way, after which they went after the companies peering to that infrastructure.

As with the Smurfers of old, they knew what they were doing - that is the real real warning.

Enhanced by Zemanta


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *