How the Biggest DDoS Attack in History Could Have Been Easily Avoided, or Not
By David Gibson
This particular attack has not only affected Spamhaus, it has also affected Internet speed and availability for millions of users and sites in the UK and in Europe. According to an article by John Markoff and Nicole Perlroth in the New York Times, “a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets.”
While the piece does a good job explaining the high level concepts of the attack, here is a little more detail on how the attack works, and how these attacks can be stopped:
Imagine some “attacker” can “spoof” your phone number so that your number shows up on other people’s phones when they call. Now imagine the attacker calls a bunch of people and hangs up before they answer— you’ll probably get a bunch of calls back from those people, because it looks like you called and hung up when you didn’t. Now imagine thousands of attackers doing this—you’d certainly have to change your phone number. With enough calls, the entire phone system would be impaired.
That’s similar to what’s happening in this DDoS attack. Attackers are spoofing Spamhaus’s IP addresses (IP addresses are like a phone number on the Internet), sending traffic (let’s call this “stimulus”) to servers that they know will respond to this traffic, and these servers dutifully send their responses back to Spamhaus’ servers. Armed with the power of thousands of computers in a botnet, the attackers are sending a lot of stimulus. To make matters worse, the responses are much larger, in terms of size, than the stimulus. This means that for every packet of stimuli, there are many more response packets. (In our example above, imagine that all those hang up calls were to phone numbers that would automatically leave 3 minute messages on your voicemail or keep calling back over and over).
So what servers are drowning Spamhaus (and the rest of us) in response packets? These servers are called domain name servers, or DNS, and perform a critical function—they match a human friendly name (e.g. google.com) with a machine friendly number (i.e. an IP address). Computers need to know each other’s IP addresses in order to communicate (or the IP address of the firewall that is protecting the computers).
DNS in friendly terms? When you try to browse to google.com, your computer queries a DNS to learn its IP address. If your computer can’t connect to a DNS, or the DNS can’t resolve google.com to an IP address, you’re out of luck. You can see this in action by going to a command prompt or shell on your computer, and typing:
If successful, you’ll see one or more IP addresses for Google.
Without DNS, instead of typing www.google.com in our web browser, we’d be typing, “188.8.131.52” or something similar. I can’t even remember my own phone number anymore—imagine if we had to remember these?
Why is DNS so vulnerable? The primary protocol that DNS servers happen to use is called UDP (User Datagram Protocol). This is important because UDP is “connectionless,” meaning there is no “handshake” when the initial connection is set up. “Handshakes,” like those used in TCP communications, offer a reasonable amount of host authentication—in other words, with TCP connections, you can be reasonably certain that both computers are who they say they are. With UDP, you cannot be sure, especially with short bursts of communications like DNS queries.
So, using a botnet, the attackers are sending millions of DNS queries that appear to be from the victim’s computer (“spoofing” the victim’s IP addresses), and the much larger responses from the DNS servers actually go to the victim’s computers. It’s kind of the ultimate “crank call.”
How can these attacks be stopped? Follow the guidance in BCP38, which explains how Internet providers can filter out spoofed traffic. The idea is simple— every router (the devices that connect the Internet) understands which addresses should be coming from which direction (interface, in router terms). If a packet arrives that says it’s coming from an IP address that shouldn’t be arriving from that interface, the packet should be dropped.
Why is this hard? It’s not. So why haven’t Internet providers taken these simple steps?
Actually, most of them have—according to research by the MIT ANA Spoofer Project, cited in an article on Senki written in June of 2012, 80% of Internet providers had already implemented the recommendations in BCP38, and were already blocking spoofed traffic. It’s the remaining 20% that remain responsible for allowing “spoofed” traffic.
We’re seeing more and more that when fundamental blocking and tackling is missing, our interdependence shows—when a few parties don’t take basic security measures, other parties suffer. Just like on the road, where a few (or many) distracted or careless drivers can cause harm to countless others, a group of sloppily configured routers can allow attackers to disrupt critical infrastructure that we’ve come to depend on. 80% just isn’t good enough.
We can’t turn off DNS. Though it’s theoretically possible to make everyone use TCP instead of UDP for DNS queries (which would make these queries much more difficult to spoof), so many people would be adversely affected during the transition that this might make things worse than just living with the DDoS attacks.
Our best choice is to create a culture of security and responsible computing, where it becomes unacceptable to be in the remaining 20%. Imagine if 20% of the drivers on the road didn’t obey traffic signals—it would no longer be safe to drive. It should be equally unacceptable that so many computers are now in botnet armies that can do such tremendous damage—80% isn’t really good enough there, either. If 20% of the computers in the world are allowed to become part of a botnet, we’re going to have much bigger problems. The culture of security and responsible computing needs to extend to Internet providers, and Internet users.
David Gibson has been in the IT industry for over fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Vice President of Strategy at Varonis Systems, the leading provider of comprehensive data governance software. David holds many certifications, including CISSP. As a former a technical consultant, he has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems.