BIGGEST DDoS in history FAILS to slash interweb arteries

The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn't actually break the internet's backbone, contrary to many early reports. The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz …


This topic is closed for new posts.
  1. Arctic fox

    Well it may not be as bad as first feared but the "pipe" between where I live............

    ............and the US is currently as slow as treacle. Quite what is really going on currently is not entirely clear.

    1. Destroy All Monsters Silver badge

      Re: Well it may not be as bad as first feared but the "pipe" between where I live............

      Arabs cutting lines with hacksaws, I suppose?

  2. fronty

    I'm sure we'll see more of this

    I run DNS training courses and have been warning about this type of attack for years. I am surprised it has taken so long for a big attack such as this to come to the fore. Unfortunately, due to all the publicity, I can't help thinking we will see many of these types of attacks from now on. DNSSEC makes it so much easier to achieve due to the quantity of data now present in signed zones; example here...


    Calleva Networks

    1. Destroy All Monsters Silver badge

      Re: I'm sure we'll see more of this

      So, why not just disallow zone transfers at the drop of a UDP packet?

      I don't see the utility in such an operation, really. It sounds very much like an anti-utility operation, because the zone should only be served from the authoritative server in the first place, so no-one has business requesting it.

      1. fronty

        Re: I'm sure we'll see more of this

        It's got nothing to do with zone transfers, disabling zone transfers doesn't affect the ability of someone to query a DNS server and spoof the source IP address.

        1. Destroy All Monsters Silver badge

          Re: I'm sure we'll see more of this

          Well it does, fronty fonzy. If the response is of the same size as the request, guess what - no one cares about the spoofing.

    2. Alan Brown Silver badge

      Re: I'm sure we'll see more of this

      All the spoofing in the world won't help attackers much if you simply use the allow-query{} directive in your bind9 config file

      in options.conf - allow-query { localnets; }; (add networks which should be making recursive requests to this entry)

      For each zone you serve (ie, are authoritative for), add "allow-query{any;};" in the zonefile.

      Problem solved - The great unwashed can't use your DNS server as a resolver, EXCEPT for domains you want to make available.

      Other DNS servers exist and they all have variants of allow-query. You should also lock down allow-transfer, but that's already been done as part of general security lockdowns, hasn't it?
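As an added example (not Alan Brown's own config, and not from any project) this is how the locked-down form he describes looks in a BIND named.conf, shown beside the open-resolver form it replaces; the two options blocks are alternatives, not one file. The 192.0.2.0/24 network, the secondary address and the file paths are placeholders.

```conf
// WEAK: an open resolver. Anyone on the internet can send a small query with
// a forged source address and have this server answer, with a large (and
// with DNSSEC, much larger) response, to whoever the forged address names.
options {
    directory "/var/cache/bind";      // placeholder path
    recursion yes;
    allow-query { any; };             // recursion offered to the whole internet
};

// CORRECTED: recursion only for our own networks, authoritative answers for
// everyone. "ournets" is a placeholder ACL; localhost and localnets are
// BIND's built-in ACLs.
acl "ournets" { 192.0.2.0/24; localhost; localnets; };

options {
    directory "/var/cache/bind";      // placeholder path
    recursion yes;
    allow-recursion { ournets; };     // who may ask us to resolve arbitrary names
    allow-query { ournets; };         // default for zones that do not override it
    allow-query-cache { ournets; };   // cached answers are not handed to strangers
    // Response Rate Limiting (BIND 9.10 and later) caps identical answers per
    // second to one client, which blunts reflection off the open zones below.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// Each zone we are authoritative for opens itself back up, but only for
// queries about that zone; transfers stay restricted to our own secondary.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";  // placeholder path
    allow-query { any; };
    allow-transfer { 192.0.2.53; };   // placeholder secondary address
};
```

After editing, `named-checkconf` validates the syntax, and `rndc reload` applies it.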

  3. Duffaboy

    The Icon says it all


  4. This post has been deleted by its author

  5. Stuart Moore

    The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

    That sounds like they're saying they've never been sent any spam, not that they've never sent any...

    If sending spam isn't against their TOS then I'm not sure I believe them!

    1. JassMan

      @Stuart Moore

      If they mean what they say, they must be unique on the internet. ... Or their definition of spam is the original and they are saying no one has ever sent them a tin of processed meat - which could well be true.

      1. Allan George Dyer

        Re: @Stuart Moore

        So who's up for sending them one tin of meat each?

    2. Rampant Spaniel

      The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

      At least we know Comical Ali found employment!

    3. Ole Juul

      never have been

      I'm guessing this is just someone who got their words garbled. Take out the word "been" and you'll get what was likely the intended meaning:

      The only thing we would like to say is that we (including our clients) did not, and never have, sent any spam.

  6. Anonymous Coward

    How ironic

    That Spamhaus got Cloudflare to help them with the DDoS mitigation. Only last year Spamhaus were saying that Cloudflare were harbouring spammers, which ended up in July with Spamhaus putting Cloudflare's entire IP range in their block lists, as 'escalation'.

  7. MarkSitkowski

    Here's How It Should Have Been Done

    Ummm.... Who set up their firewall? A failed graduate student?

    DNS (as well as UTP) comes in via UDP on port 80. Apache listens to TCP, so none of this traffic appears in its logs. UDP port 80 is also used by hackers to control their bots, so anyone serious about security defends UDP port 80, by filtering its traffic.

    We're obviously more serious about security than the guys at CloudFlare, so I'll share some of our firewall rules with them:

    block in on e1000g0 proto udp all

    pass in on e1000g0 proto udp from OUR.DNS.SERVER1/32

    pass in on e1000g0 proto udp from OUR.DNS.SERVER2/32

    pass in on e1000g0 proto udp from OUR.DNS.SERVER3/32


    1. Anonymous Coward

      Re: Here's How It Should Have Been Done

      DNS is UDP port 53. I'm not sure that trying to act as if you're some sort of networking genius, while not taking a few milliseconds to google "DNS port", gives me any faith in your firewall advice.

    2. Tim Brown 1

      Re: Here's How It Should Have Been Done

      I suspect the Spamhaus and Cloudflare engineers actually have a better grasp of the problem than you.

      Just because you firewall the traffic from your servers doesn't actually remove it from the wire... it's still clogging up the pipe, so with the assistance of your ISP you block it off as far up the pipe as you can but at some point if there's enough of it, it's still saturating links.

      1. Yes Me Silver badge

        Re: Here's How It Should Have Been Done

        Unless I'm more confused than normal, the only way an IP packet with a spoofed source address can arrive is if the spoofer's ISP has not implemented RFC 2827 (ingress filtering), which has been best current practice since May 2000, updated by RFC 3704 in 2004. There is simply no excuse for the apparently large number of ISPs that don't do this; they are completely responsible for allowing this kind of DDOS.

        1. This post has been deleted by its author

        2. bottled leetsauce

          Re: Here's How It Should Have Been Done

          I can't upvote this enough!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

          ISPs and people related to ISPs PLEASE SPREAD THE GODDAMN WORD ALREADY!!!!!!!!!!


          Little children should not be allowed to command 300 gigabits per second!!!

          Please Please PLEASE implement what this good man above me is referring to already!!!!!

    3. Rob Crawford

      Re: Here's How It Should Have Been Done

      Sir (I'm making assumptions)

      I would suggest that you find a failed graduate student and get him (or her) to read over your submissions before you hit the submit button; your postings may then attract less negativity.

      I associate Apache with web servers rather than DNS servers, so why are you talking about UDP & port 80?

      If you are talking about bots being controlled via port 80 you are commenting on the wrong article; this is pointing out that bots are not necessary for a DDOS.

      Back to other points

      Would an absurd amount of traffic hitting your firewall (rejected or otherwise) not cause problems?

      HINT: Yes it will !

      Funnily enough we see a lot of traffic on UTP and on many other ports and not just on port 80, that's because it's a fucking network cable.

    4. knightred

      Re: Here's How It Should Have Been Done

      That's great on your own machines. However, upstream providers still send the data through to it; being paid on the 95th they will happily fill your pipe since trash traffic is still paid traffic. It's why Cloud Flare had to turn off their exchanges. My basic understanding, from living with a netadmin, is you have to black hole the receiving IPs. That has to propagate upstream so eventually all traffic to that IP is simply discarded.

      But then it's funny because spamhaus is in it for the money and they will be seriously out a bit now. bw ain't free even in an attack, but maybe they can renegotiate for a bulk rate on the month. I expect they will be back to extorting small and independent ISPs with their delisting fee. Also, I wonder why nobody has put a price tag on the attack?

  8. Cipher


    Do not ever publish your company's name. Ever. If this is the extent of your knowledge, you will attract many "Unique Visitors" you haven't seen before. The script kiddies must be licking their chops at the chance to have a go at you...

    1. Rob Crawford

      Sssh, he is pretending that he has a job that involves networks (it's not real)

  9. Anonymous Coward

    I see bars in their future

    Prison bars for the perps.

  10. Anonymous Coward

    so it was merely a coincidence...

    it was merely a coincidence that Netflix dropped to low bandwidth delivery and became unresponsive to streaming requests for the wife and me at the time of the barrage?

  11. fronty

    I wrote about this on El Reg over 4 years ago!

    1. Michael Wojcik Silver badge

      Re: I wrote about this on El Reg over 4 years ago!

      Randy Vaughn and Gadi Evron beat you to it by more than two years, and that was on BUGTRAQ, which anyone at all concerned with IT security should be following.

      DNS Amplification attacks were already being seen in the wild then. Really, how anyone (such as F5's Joakim Sundberg, quoted in the article) in IT security can claim this is in any way "new" is beyond me. V&E published their study seven years ago, and they refer to sources that "anticipated" the attack from as far back as 1999 - CIAC's J-063 bulletin - so this attack vector has been documented, publicly, by whitehats, for over 13 years. (It's true that in 1999 the maximum amplification factor was smaller, but it was still significant, and lack of ingress filtering and other countermeasures at most sites meant this wasn't much of a mitigating factor.)

  12. Alan Brown Silver badge

    apart from the DDoS

    It looks like Cyberbunker/c3rob were playing other games:

    Why AS 34109 isn't widely shitholed is a matter of conjecture.
