JMH3143 (Microsoft MVP, Microsoft Support Visiting Expert) · Discussion Starter · #1
How whitehats stopped the DDoS attack that knocked Spamhaus offline | Ars Technica

As an international organization that disrupts spam operators, the Spamhaus Project has made its share of enemies. Many of those enemies possess the Internet equivalent of millions of water cannons that can be turned on in an instant to flood targets with more traffic than they can possibly stand.
On Tuesday, Spamhaus came under a torrential deluge—75 gigabits of junk data every second—making it impossible for anyone to access the group's website (the real-time blacklists that ISPs use to filter billions of spam messages were never affected). Spamhaus quickly turned to CloudFlare, a company that secures websites and helps mitigate the effects of distributed denial-of-service attacks.
This is a story about how the attackers were able to flood a single site with so much traffic, and the way CloudFlare blocked it using a routing methodology known as Anycast.
While attacks of 100Gbps aren't unheard of, the 75Gbps assault was still massive and generally well beyond what most botnets are capable of generating. To magnify their limited amount of bandwidth, the attackers resorted to what's known as DNS (domain name system) amplification—a technique that allows attackers to multiply their junk traffic by as much as 100-fold. As Ars explained in October, DNS amplification attacks work because companies such as AT&T, GoDaddy, SoftLayer, and Pakistan Telecom allow open DNS servers to run on the networks they operate instead of limiting them to just paying customers. DDoS attackers have abused these open DNS resolvers for years in a way that severely aggravates the effects of their crippling assaults.
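The amplification described in the article has a simple signature from the victim network's side: hosts receiving far more bytes in DNS responses than they ever sent in DNS queries. The following is an added example (not code from the article, Spamhaus, or CloudFlare) that scores that ratio over constructed flow records; the tuple layout, the sample addresses and the threshold are assumptions for illustration.

```python
"""Flag hosts whose inbound DNS-response bytes dwarf their outbound DNS-query
bytes, the traffic pattern of a DNS amplification attack seen at the edge.
Added example with a constructed flow format; not from the original page."""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# UDP source port 53 marks a DNS response; destination port 53 marks a query.
FLOWS = [
    ("192.0.2.10", 34567, "203.0.113.5", 53, 64),     # normal query
    ("203.0.113.5", 53, "192.0.2.10", 34567, 180),    # normal answer
    ("192.0.2.20", 41000, "203.0.113.5", 53, 60),     # one genuine query
    ("198.51.100.1", 53, "192.0.2.20", 4444, 3200),   # reflected from open resolver
    ("198.51.100.2", 53, "192.0.2.20", 4444, 3100),   # (spoofed source, no query)
    ("198.51.100.3", 53, "192.0.2.20", 4444, 3300),
    ("198.51.100.4", 53, "192.0.2.30", 5555, 2900),   # victim that never queried
]

# Response/query byte ratio above which a host is reported (assumed value;
# the article cites amplification of up to 100x).
RATIO_THRESHOLD = 10.0


def summarize(flows):
    """Per host: bytes of DNS responses received and DNS queries sent."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == 53:          # response arriving at dst
            recv[dst] += nbytes
        elif dport == 53:        # query leaving src
            sent[src] += nbytes
    return sent, recv


def amplification_ratio(sent, recv, host):
    """Ratio of response bytes to query bytes; infinite if host never queried."""
    q, r = sent.get(host, 0), recv.get(host, 0)
    if q == 0:
        return float("inf") if r > 0 else 0.0
    return r / q


def suspects(flows, threshold=RATIO_THRESHOLD):
    """Hosts receiving DNS responses at or above the amplification threshold."""
    sent, recv = summarize(flows)
    return sorted(h for h in recv if amplification_ratio(sent, recv, h) >= threshold)


if __name__ == "__main__":
    sent, recv = summarize(FLOWS)
    for host in suspects(FLOWS):
        print(host, amplification_ratio(sent, recv, host))
```

A host that appears here with a near-infinite ratio is almost certainly the spoofed victim of reflected traffic, which is why resolver operators limiting recursion to their own customers, as the article urges, removes the amplifier rather than the symptom.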