Analysis of Spamhaus vs Cyberbunker

1. Spamhaus vs Cyberbunker
World’s Largest DDoS Attack
B V S Narayana
CISSP, CISA
@bvsnarayana03
layer4to7.wordpress.com

2. Who is Spamhaus
www.spamhaus.org

3. Who is Cyberbunker
Extract from Wikipedia

4. Attack Story
• On March 18,2013, Spamhaus came under attack.
• Attack was volumetric which saturated tehir internet and knocked the site off
internet.
• On March 19,2013, Spamhaus contacted Cloudflare to protect them against
attack.
• CloudFlare recorded an initial attack volume of 10Gbps.
• Later the attacks were recorded up to 100Gbps.
• On march 22nd, the attack peaked to around 120Gbps
• The surge went up to around 300Gbps during the attack tenure

5. Attack Types and Tools
• Large Layer 3 attacks originated from different sources
• Basically known as DDoS attacks
• Anonymous LOIC is most commonly used tool for DDoS
• Botnet networks are also a well known source of generating DDoS
• Misconfigured or Open DNS Resolvers are another source of attack
• TCP ACK Reflection attack

6. How they Generate Volumetric traffic
• Tools are a good source but cant generate huge traffic without a widely
spanned network of infected PCs or bots
• DNS Reflection attacks are the best source of such attacks
• DNS based attacks are small in queries/requests and relatively large in
responses
• If attacker does these attacks, they may end up themselves with heavy
response traffic
• DNS Reflection sends request with a spoofed IP who is intended to be a
victim
• DNS Resolvers respond to requests towards the intended victim
• Attacker’s request is fraction of size of the response, thus attacker can
amplify the attack to many times

7. How does DNS Reflection Attack work
• Attack requests DNS Zone file to Open DNS Resolvers
• Attacker spoof’s Sphamhaus IP as a source in their DNS queries
• Open DNS Resolvers respond back to Spamhaus IP considering them as
source
• DNS queries are approximately 36B long
• DNS response is approx 3KB in size thus amplifying the attack by 100x
• Approx 30,000 unique DNS resolvers were involved in the attack
• Each Open DNS Resolver responds with 2.5Mbps, the results thus
aggregating to 750Mbps of traffic
• Also target Peering ISP’s and internet Exchanges to manifold the attack

8. What are Open DNS Resolvers
• DNS Servers are either ISP specific or they are open
• User with a ISP1 IP address can only use ISP1 DNS server to reach out to
internet
• ISP2 DNS Server would not respond to queries from ISP1 hosts and vice-
versa
• However, users can also use Open DNS resolver such 4.2.2.2 or 8.8.8.8 and
many more to eliminate dependency on ISP DNS

9. How CloudFlare Mitigated the Attack
• Cloudflare uses Anycast between their 23 global Datacenters
• Anycast advertises same IP address across all 23 datacenters
• This ensures that requests reaches the nearest datacenter
• Thus volumetric traffic is not directed to a single location but is spread
across multiple datacenters thus reducing their size
• This ensures that no single network/datacenter becomes a bottleneck
• This ensures attacks are relatively small and easily handled

10. References
http://en.wikipedia.org/wiki/Cyberbunker
http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-
becomes-internet-snarling-attack.html?_r=0
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack
http://blog.cloudflare.com/good-news-open-dns-resolvers-are-getting-clos
http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
http://openresolverproject.org/
http://bgp.he.net/AS13335#_peers
http://www.spamhaus.org/
http://www.cloudflare.com/
http://en.wikipedia.org/wiki/Tier_1_network