Sunday 28 April 2013

Update 2 on DDoS

The Register reports that a man has been arrested in connection with the DDoS attack on Spamhaus, the one that peaked at about 300 Gbit/s at one major Internet exchange.

Leaving the arrest itself aside, more details of the DDoS have emerged. The attack is estimated to have used about 30,000 open DNS resolvers to generate the traffic, so the statistics from the earlier update can be revised:

Although there may be some 21m open resolvers on the Internet, the attack used perhaps 30,000 of them. To sustain 300 Gbit/s, each of those resolvers was on average receiving about 100 kbit/s of spoofed queries and emitting about 10 Mbit/s of amplified responses, an amplification factor of roughly 100. That is a lot more noticeable than the 15 kbit/s per resolver you get from spreading the same traffic across all 21m, but it is still not necessarily a big deal in a major data centre.

It did, however, trigger an alarm for Trevor Pott, who writes the Sysadmin blog on The Register. In his article he reports:
The alarm went off late Tuesday night reporting DNS traffic of 10Mbit.
My mistake stems from the simple assumption that BIND disables recursion by default. The change was made with BIND 9.4 way back in 2007. For reasons incomprehensible to me, CentOS 5.9 ... is running BIND 9.3.6, which means that by default recursion requests are honoured.
The fix required is simple ... I needed to ... instruct BIND to only honour recursion requests from servers inside my datacenter.
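As an added illustration (this is not Pott's configuration and not taken from The Register), here is what that fix looks like in named.conf terms. The first stanza is what a BIND 9.3 installation effectively runs when the defaults are left alone: recursion is on and, with no allow-recursion clause, 9.3 permits it from any source address, so a spoofed query from anywhere makes the server return a large answer to the victim. The second stanza restricts recursion to an ACL for the data centre's own address ranges. The ACL name and the prefixes 10.0.0.0/8 and 192.0.2.0/24 are assumed placeholders, not addresses from the page.

```conf
// BEFORE (assumed illustration of the BIND 9.3 default, not a config from the page).
// recursion is on and no allow-recursion clause is present, so in 9.3 any
// source address can make this server recurse on its behalf.
options {
    directory "/var/named";
    recursion yes;
    // allow-recursion { any; };   // the implicit BIND 9.3 default
};

// AFTER: honour recursive queries only from the data centre's own ranges.
// The ACL name and prefixes below are assumed placeholders; use your own.
acl "datacentre" {
    127.0.0.1;
    ::1;
    10.0.0.0/8;        // assumed internal range
    192.0.2.0/24;      // assumed public range of the data centre
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "datacentre"; };
    // On BIND 9.4 and later, also fence the cache so outsiders cannot
    // read answers the server has already cached (the option does not
    // exist in 9.3 and would be rejected there):
    // allow-query-cache { "datacentre"; };
};
```

The two options stanzas are alternatives, not one file; named.conf allows only one. After the change, a recursive query sent from an address outside the ACL should come back with the `ra` flag clear and without a recursive answer, which is the quick check to run from a host outside your own ranges before assuming the server is closed. Restricting recursion does not by itself block every amplification path (an authoritative zone with large records can still be abused), but it removes the open-resolver behaviour that this attack depended on.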
But what of the future? Unfortunately, this kind of attack is likely to be repeated. The Open DNS Resolver Project scans for open resolvers and has been reporting steady growth in their number: at the time of the attack it estimated about 21m, and this week's survey has found another 4m. Cloudflare's future looks bright.