Massive DDoS attack against anti-spam provider impacts millions of internet users

Filed Under: Botnet, Denial of Service, Featured, Law & order, Spam

shutterstock_Disconnect170Noticed any anomalies online in the last week or so? Do you live in Europe or North America? Chances are if you said yes to both you are being impacted by the largest distributed denial of service (DDoS) ever recorded.

What is happening? A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, an non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.

Cyberbunker takes its name from the former NATO bunker that the company operates out of. Not surprisingly they appear to be offline at the moment, whether that is due to a DDoS attack or other circumstances is difficult to discern.

Cyberbunker caters to customers who are unwanted by or afraid to use traditional web hosts because of the activities they are involved in.

Their target markets include copyright abusers, spammers, malware malcontents and just about any other type of activity... Except child porn and terrorism (thank God for that).

shutterstock_Spamlist170Because of the nature of Cyberbunker's traffic Spamhaus decided to add Cyberbunker's IP addresses to their blacklist of dodgy, spammy hosts. Cyberbunker proceeded to attempt to take Spamhaus offline in retribution.

How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

What is so special about this attack? It is a large scale DNS reflection attack that takes advantage of misconfigured DNS servers to amplify the power of a much smaller botnet.

Cloudflare, an anti-DDoS provider, was hired by Spamhaus to protect their systems (which remain online). They have reported that in a much smaller attack in late 2012 more than 68,000 DNS servers were utilized in a single attack.

How big is this problem? The Open Resolver Project reports more than 21.7 million insecure/misconfigured DNS servers on the IPv4 internet today.

shutterstock_pipes170Why does this make my internet slow? Despite the laughter echoing throughout the internet when a US Senator called the internet a system of tubes, it is in fact that way to a degree.

Many of the primary internet backbones ("tier 1 service providers") are being overwhelmed by the volume of traffic from this attack. This can make access to some sites slow or even temporarily impossible during peak attack volumes. These sites and providers could be considered collateral damage.

How does a DNS reflection attack work? DNS requests are typically sent over UDP, a connectionless protocol. This allows an attacker to forge the from address on the packets to appear to come from the victim of the attack rather than the actual originating computer.

As mentioned above, over 21.7 million DNS servers are misconfigured to allow anyone to query them for name services without any filtering or rate-throttling.

The attackers begin by identifying these vulnerable assets and use a sizable botnet to begin forging queries to the DNS servers. That is the reflection part, next comes the amplification component.

shutterstock_bullhorn170If a DNS request or response is under 512 bytes it uses UDP, so the attackers make sure the requests are very small. If a DNS response exceeds 512 bytes, DNS will switch to using TCP and the accompanying three-way handshake that is both time consuming and bandwidth amplifying.

Not only does DNS begin using TCP the replies are designed to be a couple of KBytes. So for only 300 bytes of botnet traffic you get over 3,000 bytes of attack traffic.

Unfortunately this problem has been made even worse by a security technology, DNSSEC. The signing of DNS is an important step toward preventing abuse, but it also makes DNS replies even larger, sometimes upwards of 5,000 bytes or more total.

You can see how a few hundred megabits of botnet bandwidth can quickly turn into gigabits of attack traffic from servers, which often have more processing and bandwidth available to them.

What can you do? If you are a regular user of the internet, not much. Don't panic, your data is safe you are simply being denied service or experiencing delays.

shutterstock_recursion170If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network.

If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes.

Disconnect, spam list, pipes, megaphone and recursion images courtesy of Shutterstock.

, , , , , ,

You might like

18 Responses to Massive DDoS attack against anti-spam provider impacts millions of internet users

  1. woodelf · 384 days ago

    OK, thanks Chester for the clear explanation.
    Now, how can I verify my Windows 2008 domain server (with Sophos EndPoint Security) is configured correctly?
    "critical that you configure your recursive name servers to only reply to your own network"

    • Chester Wisniewski · 383 days ago

      From an external IP to your organization (like a home DSL) query your externally facing DNS server for a domain you do not own.

      For example:

      dig google.com @x.x.x.x (your server's IP)

      or

      nslookup google.com x.x.x.x (your server's IP)

      Either way should fail. Your server should only resolve names externally for the domains you are authoritative for.

      nslookup mycompany.example.com x.x.x.x

      If you replace mycompany.example.com with your domain name and DNS server's external IP from your home connection you should get back a valid reply.

  2. JimboC_Security · 383 days ago

    Thanks for the information on this attack and the advice DNS server admins can use to prevent their servers contributing to this attack.

    I will pass on this advice whenever I can.

    Presumably SpamHaus will continue to blacklist Cyberbunker especially since it retaliated with this kind of attack?

  3. Afeef.veetil · 383 days ago

    There are debate going on , that this entire news is a scam and there is no actual log on this. We would like to see some analysis from Sophos.

    • Chester Wisniewski · 383 days ago

      There were certainly disruptions as I experienced them myself. Mostly in Europe, although servers being used by the reflection attack could be located almost anywhere and have impact on the normal users of those systems.

    • Chester Wisniewski · 378 days ago

      It is not a scam. Consider who you are hearing things from and decide for yourself.

  4. Carlos · 383 days ago

    I agree that the "series of tubes" analogy was a good one. It annoys me when people mock it, because it was an effective way to explain the point he was making.

  5. We try.. we try.

    We're hardly the biggest team in the world, y'know, and have "other" jobs besides posting up here. Generally I like to think that Naked Security does a good job, but I acknowledge we were a little late on this one.

    I've been laid up for a few days with illness (that's my excuse) and Chet (who wrote this article) was tied up speaking to the world's press so much that he couldn't get fingers to keyboard. :)

    Hopefully you'll forgive us on this occasion. FWIW, the long Easter break is approaching and Naked Security will probably be quieter for the next few days. Don't leave a message grumbling about that, just because we're chasing the Easter Bunny and scoffing hot cross buns, ok? :)

  6. I had been under the impression that Sophos had been under a DDOS attack since the beginning of this week. These pages are taking over two minutes to load, while last week they loaded in seconds. ???

    • Sophos or Naked Security's website? (They're different sites, using different infrastructure)

      Speaking for Naked Security - we've seen no problems accessing the site from here Neil. I think we'd have heard other reports if the issue you are experiencing was widespread.

  7. Chester Wisniewski · 383 days ago

    Not at all. Consider your sources.

  8. Chester Wisniewski · 383 days ago

    Not only was Graham away and I was a bit overwhelmed, but letting the dust settle sometimes is important. There are two approaches I take with breaking stories:

    1. Be first and stay on it like a pig in mud.

    2. Gather all of the facts and put together a more comprehensive post that can help everyone get their heads around a very technically specific problem (like this one).

    We don't have a big staff, so we can't always be first, but we can work hard to try and be the best.

  9. mtflis · 383 days ago

    "You might've read some headlines today—in very reputable publications—saying that there's an online attack underway. The biggest in history. Enough to slow down the internet. This would be exciting and scary, except it's just not true." ~ Sam Biddle [GIZMODO] http://is.gd/fjrqRp

    Care to respond?

    • Chester Wisniewski · 378 days ago

      Consider the source. While most internet users were not impacted (at least those outside of the UK and Europe), that doesn't make facts into fiction. I personally had issues communicating with our UK office a week and a half ago and while I cannot prove it was because of this attack, all signs point to that being the case.

      We usually don't comment on stories that appear to be a PR grab by other companies, but too many people were involved in this for it to be a scam.

  10. Nigel · 383 days ago

    “Their target markets include copyright abusers, spammers, malware malcontents and just about any other type of activity... Except child porn and terrorism (thank God for that).”

    Indeed, one can be thankful for small favors---in this case the favor being that Cyberpunker is only a bunch of thieves & bullies rather than murderers and perverts. Even so, I’d say their DDoS attack could, under slightly different circumstances, easily nudge them into the “terrorist” category…if they’re not already arguably there.

  11. snert · 383 days ago

    Is Cyberbunker stuffing cat hair balls in the internet tubes? That's soooo rude.

  12. RichO · 382 days ago

    Does this mean we'll start seeing the end of public DNS servers such as 4.2.2.1 and 4.2.2.2? Since they respond from anywhere. Are they considered "mis-configured"? Apparently, they (Level 3) were affected by this attack; I'm assuming that's because they were used as a relay.

    • Chester Wisniewski · 378 days ago

      There are many things that can be done aside from only responding to queries from within your address space such as rate-limiting. It remains unclear what the Googles, OpenDNSs and root name server operators will do to avoid abuse.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.