On March 27, 2013 Business Insider reported that the biggest cyber attack in history, a distributed denial of service attack (DDoS), was taking place. The result reported was that Internet speeds around the world slowed noticeably. The first wave of these attacks began back on March 18th. Identified as Open System Interconnection (OSI) Layer 3 attacks, they were focused on the Domain Name Service (DNS) servers operated by the non-profit anti-spam organization Spamhaus. Spamhaus provides DNS services the loss of which destabilized major portions of the Internet. The level of the attack recorded was at a sustained level of 300 gigabits per second! Were it not for the distributed structure of Spamhaus operations it likely would have been completely taken off line. The attack was alleged to have been concocted after Spamhaus blocked a dutch web host company named Cyberbunker in an effort to weed out spammers. Spamhaus subsequently accused Cyberbunker of working with Russian and Eastern European criminal organizations to facilitate the attack.
The largest source of the attack traffic against Spamhaus came from DNS reflection. The basic idea of a DNS reflection attack is to send a source IP spoofed request for a large DNS zone file transfers to a large number of open DNS resolvers. The resolvers respond by transferring the large DNS zone files to the intended victim, in this case to Spamhaus. The attackers requests themselves are only a small fraction of the size of the responses, which enables the attackers to amplify the attack many times beyond the bandwidth of the attacker. Requests were approximately 36 bytes long while the response was approximately 3,000 bytes translating to an amplification factor of 100x. In addition to the DNS reflection, the attackers also threw in an TCP ACK reflection attack where the attacker sends a number of SYN packets to servers with spoofed source IP addresses that point back to the intended victim. The ACKs are symmetrical to the bandwidth owned by the attacker, however, so there is no amplification factor benefit.
There is very little any operational administrator can do when your routers are being asked to process more data than will fit into the pipe. Back in May of 2000 Internet Request For Comments (RFC) 2827, Best Current Practice was published with the title: “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.” The RFC describes a network ingress filtering method that can prohibit an DDoS attack from being launched from within the network of an Internet connectivity provider. The purpose of the filters is to preclude an attacker from launching spoofed IP address attacks. Where an Internet connectivity provider is aggregating routing announcements for multiple downline networks then strict traffic shaping would be used to prohibit traffic which appears to have been originated from outside the aggregated announcements. Thus, an attacker would have to launch attacks using their true source IP address, which would rapidly serve to identify the assailants.
This is not to say that ingress filtering is a panacea agains IP spoofed DDoS attacks. Indeed, it does not preclude an attacker who is using a forged source address of another legitimate host within the permitted prefix filter range. However, this requires additional homework on the part of the attacker and the length of time it requires before the attacker is discovered is significantly reduced. Also, the administrator under attack could take concrete steps to stop the attack in progress without affecting other visitors.
