4. Attack Story
• On March 18, 2013, Spamhaus came under attack.
• The attack was volumetric: it saturated their Internet links and knocked the site off the Internet.
• On March 19, 2013, Spamhaus contacted CloudFlare to protect them against the attack.
• CloudFlare recorded an initial attack volume of 10 Gbps.
• Later the attack was recorded at up to 100 Gbps.
• On March 22nd, the attack peaked at around 120 Gbps.
• The surge reached around 300 Gbps over the course of the attack.
5. Attack Types and Tools
• Large Layer 3 attacks originating from many different sources
• Commonly known as DDoS attacks
• Anonymous' LOIC is the most commonly used tool for DDoS
• Botnets are also a well-known source of DDoS traffic
• Misconfigured or open DNS resolvers are another source of attack traffic
• TCP ACK reflection attacks
6. How they Generate Volumetric traffic
• Tools are a good source, but they can't generate huge traffic volumes without a widely spread network of infected PCs or bots
• DNS reflection attacks are the best source of such traffic
• DNS-based attacks use small queries/requests and relatively large responses
• If the attacker sent these queries directly, they would receive the heavy response traffic themselves
• DNS reflection instead sends requests with a spoofed source IP: the address of the intended victim
• DNS resolvers then send their responses to the intended victim
• The attacker's request is a fraction of the size of the response, so the attacker can amplify the attack many times over
7. How does DNS Reflection Attack work
• The attacker requests a DNS zone file from open DNS resolvers
• The attacker spoofs Spamhaus's IP as the source in their DNS queries
• Open DNS resolvers respond to the Spamhaus IP, treating it as the source of the query
• DNS queries are approximately 36 B long
• DNS responses are approximately 3 KB in size, amplifying the attack by roughly 100x
• Approximately 30,000 unique DNS resolvers were involved in the attack
• Each open DNS resolver responded with 2.5 Mbps, aggregating to 750 Mbps of traffic
• The attackers also targeted peering ISPs and Internet exchanges to multiply the attack's impact
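The two slides above describe the mechanism (spoofed small query in, large response out, many resolvers aggregating) and the numbers CloudFlare reported. What a defender at the victim's edge actually sees is DNS responses arriving from thousands of resolvers the victim never queried. The following is an added example, not from the original slides: it runs that check over a handful of constructed flow records and rolls the hits up into the figures an operator cares about (distinct reflectors, observed amplification relative to a 36-byte query, inbound rate). The victim and resolver addresses are placeholders from the RFC 5737 documentation ranges, and the record layout is this example's own.

```python
"""Flag DNS reflection traffic at the victim's edge from flow records.

Added example, not from the original slides. The flow records below are
constructed; VICTIM and the resolver addresses are placeholders from the
RFC 5737 documentation ranges, not real hosts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


VICTIM = "203.0.113.10"   # placeholder for the protected address
QUERY_BYTES = 36          # typical query size quoted in the slides

# Constructed sample: one legitimate query/response pair, followed by
# responses from three "open resolvers" that the victim never queried.
FLOWS = [
    Flow(0.0, VICTIM, 40123, "198.51.100.53", 53, "udp", QUERY_BYTES),
    Flow(0.1, "198.51.100.53", 53, VICTIM, 40123, "udp", 120),
    Flow(1.0, "192.0.2.11", 53, VICTIM, 53, "udp", 3000),
    Flow(1.0, "192.0.2.12", 53, VICTIM, 53, "udp", 3000),
    Flow(1.1, "192.0.2.13", 53, VICTIM, 53, "udp", 3000),
    Flow(1.2, "192.0.2.11", 53, VICTIM, 53, "udp", 3000),
]


def unsolicited_dns_responses(flows, victim, window=2.0):
    """Return inbound UDP/53 flows to `victim` for which no outbound query
    to the same peer and victim port was seen within `window` seconds.
    A reflected response is, by construction, an answer to a query the
    victim never sent, so the absence of a matching query is the signal."""
    queries = defaultdict(list)   # (peer, victim_port) -> [query timestamps]
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.src == victim and f.dport == 53:
            queries[(f.dst, f.sport)].append(f.ts)
        elif f.dst == victim and f.sport == 53:
            recent = [t for t in queries[(f.src, f.dport)]
                      if f.ts - window <= t <= f.ts]
            if not recent:
                hits.append(f)
    return hits


def summarize(flows, victim, duration_s, window=2.0):
    """Roll the flagged flows up into operator-facing numbers: distinct
    reflectors, observed amplification relative to QUERY_BYTES, and the
    inbound rate in Mbps over `duration_s` seconds of capture."""
    hits = unsolicited_dns_responses(flows, victim, window)
    total = sum(f.nbytes for f in hits)
    return {
        "reflectors": len({f.src for f in hits}),
        "responses": len(hits),
        "bytes": total,
        "amplification": (total / (QUERY_BYTES * len(hits))) if hits else 0.0,
        "mbps": total * 8 / duration_s / 1e6,
    }


if __name__ == "__main__":
    print(summarize(FLOWS, VICTIM, duration_s=2.0))
```

The legitimate exchange is not flagged because the victim's own query to 198.51.100.53 precedes the reply on the same port; the four responses from 192.0.2.x are flagged because nothing was ever sent to them. Real flow data is noisier (retransmissions, resolvers answering from a different address than the one queried), so in practice the window and the port match are tuned rather than fixed.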
8. What are Open DNS Resolvers
• DNS servers are either ISP-specific or open
• A user with an ISP1 IP address can only use ISP1's DNS server to resolve names on the Internet
• ISP2's DNS server would not respond to queries from ISP1 hosts, and vice versa
• However, users can also use open DNS resolvers such as 4.2.2.2 or 8.8.8.8, and many more, to eliminate the dependency on the ISP's DNS
9. How CloudFlare Mitigated the Attack
• CloudFlare uses Anycast across its 23 global datacenters
• Anycast advertises the same IP address from all 23 datacenters
• This ensures that requests reach the nearest datacenter
• Thus volumetric traffic is not directed at a single location but is spread across multiple datacenters, reducing the volume each one sees
• This ensures that no single network or datacenter becomes a bottleneck
• This keeps the attack traffic at each site relatively small and easily handled
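The slide's argument is that advertising one prefix from every site partitions the attack by topology instead of concentrating it. The following is an added example, not CloudFlare's code: it compares per-site load under a single advertised location with the anycast case, using a constructed reflector population, a constructed region-to-nearest-site mapping, and a constructed per-site capacity. It also shows the caveat the slide leaves implicit: anycast spreads traffic by where the sources are, not evenly, so the check that matters is the largest single-site share against that site's capacity.

```python
"""Per-site attack load: one advertised location vs anycast.

Added example, not CloudFlare's code. The reflector population, the
region-to-site mapping and the site capacity are all constructed.
"""
from collections import Counter

SITE_CAPACITY_GBPS = 10.0   # constructed per-site capacity

# Constructed reflector population: (region, number of resolvers, Mbps each).
REFLECTORS = [
    ("eu-west", 2000, 2.5),
    ("eu-central", 1600, 2.5),
    ("us-east", 1200, 2.5),
    ("us-west", 800, 2.5),
    ("apac", 400, 2.5),
]

# Constructed approximation of BGP's nearest-site choice: each region's
# sources reach the closest anycast site. "ams" is a site that no region
# in this population happens to be nearest to.
NEAREST = {"eu-west": "lhr", "eu-central": "fra", "us-east": "iad",
           "us-west": "sjc", "apac": "nrt"}
SITES = ["ams", "fra", "lhr", "sjc", "iad", "nrt"]


def total_gbps(reflectors):
    """Aggregate attack volume in Gbps across all reflectors."""
    return sum(n * mbps for _, n, mbps in reflectors) / 1000


def unicast_load(reflectors, site):
    """With one advertised location, every reflector's traffic lands there."""
    return {site: total_gbps(reflectors)}


def anycast_load(reflectors, nearest, sites):
    """With the prefix advertised from every site, each source is routed to
    its nearest site, so load is partitioned by topology, not evenly."""
    load = Counter({s: 0.0 for s in sites})
    for region, n, mbps in reflectors:
        load[nearest[region]] += n * mbps / 1000
    return dict(load)


def saturated(load, capacity):
    """Sites whose share exceeds their capacity, in sorted order."""
    return sorted(site for site, gbps in load.items() if gbps > capacity)


if __name__ == "__main__":
    print("total attack:", total_gbps(REFLECTORS), "Gbps")
    print("unicast:", unicast_load(REFLECTORS, "ams"),
          "saturated:", saturated(unicast_load(REFLECTORS, "ams"), SITE_CAPACITY_GBPS))
    spread = anycast_load(REFLECTORS, NEAREST, SITES)
    print("anycast:", spread, "saturated:", saturated(spread, SITE_CAPACITY_GBPS))
```

With these constructed numbers the whole 15 Gbps lands on one site under unicast and exceeds its 10 Gbps capacity, while under anycast the busiest site sees 5 Gbps and one site sees nothing at all. The uneven split is the realistic part: sizing has to be done against the largest share a single site can attract, not against total volume divided by the number of sites.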