DDoS storm breaks records at 300 Gbps

The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name System (DNS), apparently aimed at the anti-spam vigilantes Spamhaus in retaliation for their blacklisting of the Dutch free-speech hosting provider Cyberbunker. At 300 Gbps, the DDoS is the worst in public Internet history.

“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.”

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group.

In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS.
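The reflection pattern the post alludes to (spelled out in the comment thread below: a spoofed query of roughly 60 bytes sent to an open resolver draws a response of roughly 4000 bytes aimed at the victim) is visible from the resolver operator's side, because the "client" address in the resolver's own logs is the spoofed victim. The following is an added example and not code from the post or the NYT article; the one-line log format, the sample lines and the `reflection_suspects` thresholds are constructed assumptions, not the format of any real resolver.

```python
"""Flag open-resolver reflection abuse in a resolver's query/response log.

Constructed, simplified log format (one record per line):
    <timestamp> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
Real resolvers (BIND, Unbound) log differently; adapt parse() accordingly.
"""
from collections import defaultdict

# Constructed sample log: a few normal lookups plus a burst of small ANY
# queries apparently from one address, each answered with ~4 KB.  On an
# open resolver that address is the spoofed victim, not the real sender.
SAMPLE_LOG = """\
1364340001 192.0.2.10 www.example.com A 60 120
1364340001 198.51.100.7 mail.example.org MX 62 180
1364340002 203.0.113.5 isc.org ANY 60 4000
1364340002 203.0.113.5 isc.org ANY 60 4000
1364340002 203.0.113.5 isc.org ANY 60 4000
1364340003 203.0.113.5 isc.org ANY 60 4000
1364340003 192.0.2.10 example.net AAAA 61 130
"""


def parse(log_text):
    """Yield (client, qname, qtype, query_bytes, response_bytes) per line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname, qtype, qb, rb = parts
        yield client, qname, qtype, int(qb), int(rb)


def reflection_suspects(log_text, min_amp=10.0, min_queries=3):
    """Return {client: (query_count, mean_amplification)} for addresses that
    received at least min_queries answers whose total size is at least
    min_amp times the total query size.  Repetitive, heavily amplified
    traffic toward a single address is the signature of reflection: the
    resolver is being used as the amplifier (B) and the client is the target (C).
    """
    q_bytes, r_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for client, _qname, _qtype, qb, rb in parse(log_text):
        q_bytes[client] += qb
        r_bytes[client] += rb
        count[client] += 1
    suspects = {}
    for client, n in count.items():
        amp = r_bytes[client] / q_bytes[client]
        if n >= min_queries and amp >= min_amp:
            suspects[client] = (n, round(amp, 1))
    return suspects
```

The script only surfaces that a server is answering recursive queries for arbitrary addresses at high amplification; the fix is on the resolver (restrict recursion to your own networks and rate-limit responses), since the flagged address is the victim, not the attacker.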

As bad as this is, it could be a lot worse. An anonymous paper called Internet Census 2012: Port scanning /0 using insecure embedded devices reports on a researcher's project to scan every IPv4 address for publicly reachable machines that accept a telnet connection and yield a root login with a default password. The researcher reports that 1.2 million such devices are online (and compromised many of them in order to run the census). These are things like printers and routers with badly secured firmware, visible on the public Internet. They often run an old version of GNU/Linux and can be hijacked into a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attack software, and the devices themselves go completely unregarded.

Firm Is Accused of Sending Spam, and Fight Jams Internet [NYT/John Markoff & Nicole Perlroth]

(via Hacker News)


  1. “The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service.”

    Um, which one?

    1. I’m guessing, but it would probably be the root servers which are responsible for delegating TLDs

Edit: So I read the NYT article and this is not the case. It’s an amplification attack. The attackers have a list of public DNS servers that are configured to allow open recursion. Anyone can query one of these servers and get a DNS response for any domain. Generally this is a bad idea (but there are some well known ones, like Google’s). An attacker’s botnet (A) crafts a spoofed DNS query to DNS servers (B), pretending to be their target (C). That packet is only 60 bytes, but the response generated by B is 4000 bytes, amplified 70:1. For each megabit of spoofed queries A creates, B sends 70 megabits of traffic to C. Botnets themselves can generate large DDoS attacks; amplify that 70 times, though, and that’s what you see here, one of the largest publicly disclosed DDoS attacks yet.

        1. There’s a 13 servers responsible for all of IPV4 DNS, all queries chain down to them. Calling them “servers” is really a misnomer, because each is way more than a single box.

          1. So I’m guessing these are what the end-user DNS system uses as the source of the information?

            I was just a bit confused at DNS being referenced in the singular!

2. I think they’re actually exploiting the DNS system to carry out the attack; the attack appears to be aimed squarely at SpamHaus.

      The ridiculously high level of traffic is affecting DNS systems along the network, though they aren’t specifically targeted.

  2. Umm, if it’s really 300 billion bits per second, shouldn’t that be Gb/s, not mbps in the title?

    1. I was going to say – 300 mbps is nothing much in the way of a DDOS.  I mean, you could probably saturate a smaller company’s network connection with less, but Spamhaus might not even notice a DDOS was underway until you reached a couple hundred mbps.

      But 300 Gb/s – that’s something…

2. Gb/s would definitely make a lot more sense in terms of record breaking, too. At 300Mb/s, I was wondering whether they were just playing up the “publicly announced” portion of it, since it’s rare that targets give their attackers recognition.

        1. Hello, can no one capitalize correctly?

          300 gb/s (from the article) is meaningless, and 300 mbps is even worse, since it has a meaning, but that meaning is one billion times less than the one the author meant to use.

I guess a millibit could also be said to be meaningless, since you can’t have less than a bit, but that’s wrong — as a rate it makes perfect sense (1 millibit/s == 1 bit per billion seconds).

          In any case, that would probably win the record for the smallest ever DDOS attack ever observed.

          1. The internet exists for people like me to correct others on technicalities. ;p

            I just quite liked the idea of attacking someone with one bit of data every billion seconds — every 31 years, that is.

2. True! I got confused between my original (correct) statement that there is a billion-times difference between milli- and mega-, and then billion was stuck in my head.

            Muphry’s law, as usual.

  3. So regular users hook their printers up to the Internet? Seems expensive to buy a second connection just for your printer.

    1. Regular users share their existing connection between devices. You usually have to go to the extreme left of the bell curve to find users who adopt a one connection per device philosophy.

    2. The university I adjuncted at had a color laser printer (when such things were a big deal) hooked up directly to the net for some reason.  I would frequently accidentally print things to it from home.  I can only imagine how much goatse was in the output tray on the regular.

      1. Please tell me more about the printer with the jam inside. Is there a command to find out what flavor the jam is? Does this particular printer have a toast tray?

        1. Does jelly count? http://www.dezeen.com/2013/03/27/food-is-the-next-frontier-of-3d-printing-janne-kytannen/

    3. Dude, I know for a fact (because I talked with the network engineer that finally fixed it) that there was a part of a university network here in the USA 10 years ago that had devices with public addresses.  The reason?  So they could be supported remotely.
      I won’t say more, but these were devices sitting in buildings that should have been behind a firewall on a local LAN.

  4. “These things are essentially like nuclear bombs,” said the man who charges money to protect you against these things.

    Actually I think Cloudflare are pretty cool, but it’s an entertaining piece of hyperbole in any case.

  5. A Modest Proposal: 

How long do you think it would take to get Kickstarter funding for a ‘summary executive action team’ to go sort out the problem with the nice folks at Cyberbunker who have decided to screw the Internet into the ground because an anti-spam outfit blacklisted them for filling everyone’s mailboxes with spam, scams, and malware?

    Just kidding, of course. I think funding a black ops team might be outside the Kickstarter Terms of Service.

    Still, I’m sure there are millions of folks out there who’d be more than happy to kick in…

    And, getting real for a second, we are NOT far away from a time when such drastic actions are taken on behalf of various national security interests. Heck, I’m pretty sure we’re already there.

    Roll that around in your heads as you’re ‘hunkered down’ in your little hole, Cyberbunker.
