DDoS storm breaks records at 300 Gbps


30 Responses to “DDoS storm breaks records at 300 Gbps”

  1. “The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service.”

    Um, which one?

    • uplandupland says:

      I’m guessing, but it would probably be the root servers which are responsible for delegating TLDs

      Edit: So I read the NYT article and this is not the case. It’s an amplification attack. The attackers have a list of public DNS servers that are configured to allow open recursion. Anyone can query one of these servers and get a DNS response for any domain. Generally this is a bad idea (but there are some well known ones, like Google’s 8.8.8.8). An attacker’s botnet (A) crafts a spoofed DNS query to DNS servers (B), pretending to be their target (C). That packet is only 60 bytes, but the response generated by B is 4000 bytes, amplified 70:1. For each megabit of spoofed queries A creates, B sends 70 megabits of traffic to C. Botnets themselves can generate large DDoS attacks, amplify that 70 times though, and that’s what you see here, one of the largest publicly disclosed DDoS attacks yet.
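How the pattern described in the comment above looks from the side of an open resolver (B), as an added example that is not part of the original comment: per-source byte accounting flags an address that receives far more than it appears to send. The log record format, the documentation-range addresses and the thresholds are assumptions; the 60-byte and 4000-byte sizes follow the comment.

```python
from collections import defaultdict

# Constructed resolver log records (not from the page):
# (claimed source IP, query type, query bytes, response bytes).
# 203.0.113.7 plays the victim "C" whose address is spoofed; sizes follow
# the comment's figures (about 60 bytes in, about 4000 bytes out).
SAMPLE_LOG = (
    [("203.0.113.7", "ANY", 60, 4000)] * 500
    + [("198.51.100.20", "A", 58, 120)] * 500
    + [("198.51.100.21", "AAAA", 62, 150)] * 40
    + [("198.51.100.22", "TXT", 64, 3800)] * 3
)


def reflection_suspects(records, min_ratio=20.0, min_bytes_out=1_000_000):
    """Return {source_ip: (ratio, bytes_out)} for sources whose traffic
    looks like reflection: the resolver sends far more than it receives,
    and does so in volume. Both thresholds are illustrative assumptions."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, _qtype, q_len, r_len in records:
        bytes_in[src] += q_len
        bytes_out[src] += r_len

    suspects = {}
    for src, out in bytes_out.items():
        ratio = out / bytes_in[src]
        # A high ratio alone is not enough: a handful of large TXT answers
        # is normal. Require sustained volume as well.
        if ratio >= min_ratio and out >= min_bytes_out:
            suspects[src] = (round(ratio, 1), out)
    return suspects


if __name__ == "__main__":
    for ip, (ratio, out) in reflection_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {ratio}:1 amplification, {out} bytes sent")
```

The flagged address is the likely target of the spoofed queries, not their sender, so it is the one to rate-limit responses toward rather than to blame.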

    • puppybeard says:

      I think they’re actually exploiting the DNS system to carry out the attack, the attack appears to be aimed squarely at SpamHaus.

      The ridiculously high level of traffic is affecting DNS systems along the network, though they aren’t specifically targeted.

  2. Roy Blake says:

    Umm, if it’s really 300 billion bits per second, shouldn’t that be Gb/s, not mbps in the title?

    • dragonfrog says:

      I was going to say – 300 mbps is nothing much in the way of a DDOS.  I mean, you could probably saturate a smaller company’s network connection with less, but Spamhaus might not even notice a DDOS was underway until you reached a couple hundred mbps.

      But 300 Gb/s – that’s something…

    • Nonentity says:

      Gb/s would definitely make a lot more sense in terms of record breaking, too.  At 300Mb/s, I was wondering whether they were just playing up the “publicly announced” portion of it, since it’s rare that targets give their attackers recognition.

      • nebby says:

        Indeed the Mb/s was a typo:

        “(Steve Linford, CEO of Spamhaus) added: “These attacks are peaking at 300 gb/s (gigabits per second).”

        http://www.bbc.co.uk/news/technology-21954636

        • SamSam says:

          Hello, can no one capitalize correctly?

          300 gb/s (from the article) is meaningless, and 300 mbps is even worse, since it has a meaning, but that meaning is one billion times less than the one the author meant to use.

          I guess a millibit could also be said to be meaningless, since you can’t have less than a bit, but that’s wrong — as a rate it makes perfect sense (1 millibit/s == 1 bit per billion seconds).

          In any case, that would probably win the record for the smallest ever DDOS attack ever observed.

          • nebby says:

            Yes, you’re technically correct, but are you seriously going to nitpick on the capitalization? It’s highly unlikely that anyone will mistake mbps as millibits per second.

            In other news, Cloudflare has a nice blog entry describing the attack:
            http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

          • SamSam says:

            The internet exists for people like me to correct others on technicalities. ;p

            I just quite liked the idea of attacking someone with one bit of data every billion seconds — every 31 years, that is.

          • AnthonyC says:

            Also, milli = thousandth, not billionth.

          • SamSam says:

            True! I got confused between my original (correct) statement that there is a billion-times difference between milli- and mega-, and then billion was stuck in my head.

            Muphry’s law, as usual.

  3. Am I correct in thinking that this data set – from the Guardian (UK) today – is the result of a similar root password check malarkey? http://www.guardian.co.uk/news/datablog/interactive/2013/mar/27/day-life-internet-mapped-hack

  4. Michael Curran says:

    So regular users hook their printers up to the Internet? Seems expensive to buy a second connection just for your printer.

    • Stooge says:

      Regular users share their existing connection between devices. You usually have to go to the extreme left of the bell curve to find users who adopt a one connection per device philosophy.

    • jackbird says:

      The university I adjuncted at had a color laser printer (when such things were a big deal) hooked up directly to the net for some reason.  I would frequently accidentally print things to it from home.  I can only imagine how much goatse was in the output tray on the regular.

    • Matt Jones says:

      There are a load of printers wide open to the net. No firewall at all! Some of the printers even have a nice interface to show other printers nearby.

      eg: http://i.imgur.com/smBxFDF.png

      Then there are the various RIPs for high end units that often run some old and unpatched version of windows.

      More about an attack on printers here: http://youtu.be/njVv7J2azY8

    • sdmikev says:

      Dude, I know for a fact (because I talked with the network engineer that finally fixed it) that there was a part of a university network here in the USA 10 years ago that had devices with public addresses.  The reason?  So they could be supported remotely.
      I won’t say more, but these were devices sitting in buildings that should have been behind a firewall on a local LAN.

  5. Mordicai says:

    In case you needed your weekly reminder that we are living in the cyberpunk future.

  6. puppybeard says:

    “These things are essentially like nuclear bombs,” said the man who charges money to protect you against these things.

    Actually I think Cloudflare are pretty cool, but it’s an entertaining piece of hyperbole in any case.

  7. KS2 Problema says:

    A Modest Proposal: 

    How long do you think it would take to get Kickstarter funding for a ‘summary executive action team’ to go sort out the problem with the nice folks at Cyberbunker who have decided to screw the Internet into the ground  because an anti-spam outfit blacklisted them for filling everyone’s mailboxes with spam, scams, and malware?

    Just kidding, of course. I think funding a black ops team might be outside the Kickstarter Terms of Service.

    Still, I’m sure there are millions of folks out there who’d be more than happy to kick in…

    And, getting real for a second, we are NOT far away from a time when such drastic actions are taken on behalf of various national security interests. Heck, I’m pretty sure we’re already there.

    Roll that around in your heads as you’re ‘hunkered down’ in your little hole, Cyberbunker.
