Wednesday, 27 March 2013

Update on DDoS

This is a follow-up to my previous post, and is itself followed up by "Update 2 on DDoS".

There's a great article on The Register about a recent, giant attack on Spamhaus, based on the Cloudflare blog. At its peak, for one hour, one of their upstream networks was receiving 300Gb/s of traffic - the highest ever reported for a DDoS.

Details below the fold...


That's big, but just how big? 


One way is to consider network adaptors. A desktop computer now probably has a 1Gb/s network port and will struggle to use all its capacity. In the datacentre, your server will have one or more 10Gb/s ports. Big datacentres concentrate traffic from many servers on a large router to send data onto the Internet proper; the biggest port you can buy here is 100Gb/s. The DDoS would have saturated three of these ports.

Another way is to consider a huge Internet Exchange (the places where ISPs connect to each other). The London Internet Exchange (LINX) averages 1Tb/s, so this attack by itself amounted to one third of all UK traffic. The DDoS also attacked Internet Exchanges in 3 other cities.

A third way is to think about using a disk array to produce the same traffic. As a rule of thumb, a disk drive supports about 100MB/s. Over an hour, this is 360GB - about the size of a small disk. And you need 375 of them to produce 300Gb/s.

Disks can't simply be plugged into a network - they need a disk array. Let's assume we use ones like this. Let's also assume that the system can saturate its 10Gb/s network. We would need 30 disk arrays, each with 12 disks. That's two racks, together drawing 10kW. And to hit 4 exchanges, we would need 8 racks of disks.
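The disk-array arithmetic above, carried through as an added example (not code from the original post). It keeps the post's rule-of-thumb figures (100MB/s per disk, 10Gb/s per array, 12 disks per array) and takes care with the bits/bytes distinction that makes 300Gb/s equal 375 disks. The figures of 15 arrays per rack and 5kW per rack are assumptions derived from "30 arrays, two racks, 10kW"; the function generalises to any attack rate and number of exchanges.

```python
import math

GBIT = 1_000_000_000   # bits per gigabit (network rates are quoted in bits/s)
MBYTE = 1_000_000      # bytes per megabyte (disk throughput is quoted in bytes/s)
SECONDS_PER_HOUR = 3600

def disk_hourly_gb(disk_mb_s=100):
    """Bytes one disk can stream in an hour, in GB (100MB/s -> 360GB)."""
    return disk_mb_s * MBYTE * SECONDS_PER_HOUR / 1_000_000_000

def disks_needed(attack_gb_s, disk_mb_s=100):
    """Disks at disk_mb_s MB/s needed to source attack_gb_s Gb/s (300 -> 375)."""
    attack_bytes_s = attack_gb_s * GBIT / 8          # Gb/s -> bytes/s
    return math.ceil(attack_bytes_s / (disk_mb_s * MBYTE))

def array_plan(attack_gb_s, exchanges=1, array_port_gb_s=10,
               disks_per_array=12, arrays_per_rack=15, kw_per_rack=5.0):
    """Capacity plan to reproduce the attack from disk arrays.

    arrays_per_rack and kw_per_rack are assumptions inferred from the post's
    '30 arrays = two racks drawing 10kW'; the rest are the post's own figures.
    """
    arrays = math.ceil(attack_gb_s / array_port_gb_s)  # each array saturates one port
    racks = math.ceil(arrays * exchanges / arrays_per_rack)
    return {
        "disks_by_throughput": disks_needed(attack_gb_s),
        "arrays_per_target": arrays,
        "disks_in_arrays": arrays * disks_per_array,
        "racks": racks,
        "power_kw": racks * kw_per_rack,
    }

if __name__ == "__main__":
    print(disk_hourly_gb())                 # 360.0
    print(array_plan(300))                  # one target, as in the post
    print(array_plan(300, exchanges=4))     # four exchanges -> 8 racks
```

Note that the two disk counts differ (375 by raw throughput, 360 by whole arrays) because the post rounds in two different places; both are within the rule of thumb it states.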

Something of this scale:


What was the attack?


The form of the attack was this: compromised computers in a botnet sent forged DNS zone requests to millions of open DNS resolvers (DNS servers that accept requests from anyone on the net). The source address on each request was forged, so the DNS resolver sent its reply not to the real sender but to Spamhaus or its upstream network providers, swamping their networks.




How could a group generate such traffic?



In a word, amplification.

The botnet commander sent a single command to a botnet of hundreds of thousands or perhaps millions of computers. Each compromised computer in the network sent small requests. However, the response is perhaps 100x larger than the request.
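Amplification as seen from the resolver's side, as an added example that is not part of the original post. The log lines are constructed (format "client_ip qname qtype request_bytes response_bytes", an assumed resolver log layout, not any real product's); the code measures the response-to-request byte ratio per query type, flags "clients" that receive far more bytes than they send (the signature of a spoofed victim address being flooded with answers), and shows why 300Gb/s of responses needs only a small fraction of that in forged requests.

```python
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Columns:
# client_ip qname qtype request_bytes response_bytes
SAMPLE_LOG = """\
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
203.0.113.9 www.example.com A 58 74
203.0.113.9 www.example.com A 58 74
203.0.113.9 example.org MX 60 180
192.0.2.33 example.org ANY 64 3200
"""

def parse_log(text):
    """Parse the constructed log into (client, qname, qtype, req_bytes, resp_bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, req, resp = line.split()
        records.append((client, qname, qtype, int(req), int(resp)))
    return records

def amplification_by_qtype(records):
    """Bytes answered per byte asked, per query type (ANY is the big one)."""
    totals = defaultdict(lambda: [0, 0])
    for _, _, qtype, req, resp in records:
        totals[qtype][0] += req
        totals[qtype][1] += resp
    return {qtype: resp / req for qtype, (req, resp) in totals.items()}

def flag_suspect_clients(records, min_ratio=20.0, min_resp_bytes=10_000):
    """Clients whose aggregate answers dwarf their questions.

    A single large answer is normal (192.0.2.33 below); sustained high-ratio
    volume to one address is what a spoofed victim looks like from the resolver.
    Returns [(client, ratio, response_bytes)] sorted by response bytes, largest first.
    """
    per_client = defaultdict(lambda: [0, 0])
    for client, _, _, req, resp in records:
        per_client[client][0] += req
        per_client[client][1] += resp
    suspects = []
    for client, (req, resp) in per_client.items():
        ratio = resp / req
        if ratio >= min_ratio and resp >= min_resp_bytes:
            suspects.append((client, ratio, resp))
    return sorted(suspects, key=lambda s: s[2], reverse=True)

def forged_request_rate_gb_s(response_gb_s, amplification):
    """Forged request traffic needed to yield response_gb_s at a given amplification.
    With the post's ~100x, 300Gb/s of answers comes from about 3Gb/s of questions."""
    return response_gb_s / amplification

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(amplification_by_qtype(recs))
    print(flag_suspect_clients(recs))
    print(forged_request_rate_gb_s(300, 100))
```

The thresholds are illustrative; on a real resolver the same per-client byte accounting is what response rate limiting keys on, and the ratio per query type is what tells you which record types are worth restricting.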
The average data flowing into and out of servers is shown below - other than Spamhaus, I doubt anyone noticed any individual computer doing anything strange:



What did Spamhaus do?


Spamhaus turned to a Content Delivery Network (Cloudflare) to support them during this attack, and, kudos to Cloudflare, they survived, even though the traffic load slowed the entire Internet down over several days.

The major takeaway from this is, if you are under attack, go to the professionals.

