

Spamhaus DDOS Suspect Arrested - dylangs1030
http://www.informationweek.com/security/attacks/spamhaus-ddos-suspect-arrested/240153788

======
codexon
That's nice but what do start-ups and other less famous organizations do?

Any competitor can buy a 30+ gbps attack for a few dollars.

[http://hackforums.net/forumdisplay.php?fid=232](http://hackforums.net/forumdisplay.php?fid=232)

And it costs $2000/month just for 20 gbps of protection.

[https://www.staminus.net/ddos-protection](https://www.staminus.net/ddos-protection)
[https://ordering.blacklotus.net/cart.php?pid=10](https://ordering.blacklotus.net/cart.php?pid=10)

DDoS attacks are going to get larger and more frequent.

~~~
jamesaguilar
I wager it's pretty rare for the following conditions to exist simultaneously:

    - Small enough that $2k a month is a serious spend.
    - Big enough to draw the attention of someone who cares to DDoS you.
    - Important enough to one's customers that a few hours of downtime
      is a serious issue.

If you somehow cause all three to exist at once, either you're going out of
your way to piss off the wrong people, or you're not charging enough.

(Also, there's always the option to roll your own DDoS protection. It's
complicated, but not super complicated, at least for a 90% solution. If I'm
not mistaken, it basically involves detecting anomalous traffic and telling
upstream routers that you don't exist for the source IP generating that
traffic. Someone who knows more about it might be able to fill in some
details.)

~~~
codexon
$2k is just the beginning. If you looked at the forum I just posted, attacks
can go up to 60 gbps and still only cost a couple of dollars.

This can easily cost as much as a full time employee, and many large sites can
be run by 1-2 people. Having to spend 33% more just to stay online is not
negligible.

You can't just roll your own DDoS protection. If you do this you are looking
at rolling your own data centers. Once an attack gets bigger than the port at
one of your standard hosts, your host is going to null route you and even kick
you off if it happens too often.

You are going to be hard pressed to find a host that is willing to broadcast
your /24, let alone getting a /24 with this IP shortage if you were going to
do your own cloudflare.

 _"If I'm not mistaken, it basically involves detecting anomalous traffic and
telling upstream routers that you don't exist for the source IP generating
that traffic."_

This is called null routing. It involves telling your upstream that the IP
can't be routed to. This blocks ALL traffic to that IP so your port doesn't
get maxed. Large transit providers are going to charge you an arm and a leg to
give you an API to insert ACLs because routers have a limited number of rules.

~~~
jlgaddis
> Large transit providers are going to charge you an arm and a leg to give you
> an API to insert ACLs because routers have a limited number of rules.

It's been my experience that pretty much every transit provider supports this
(and at no extra cost). All of my transit providers do.

I offer RTBH'ing (by tagging /32s with a specific community) to my customers
because I can propagate those to my upstreams in order to stop them from
sending the traffic to me. Those providers would rather drop 10 Gbps of DDoS
traffic at the edge than worry about an extra entry in the routing table.

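The null-routing and RTBH mechanism described in the two comments above, as an added example that is not code from anyone in this thread: flow records are aggregated per destination address over a short window, and when one /32 in our own space is receiving traffic above a threshold, the script emits the BGP announcement that tags that /32 with the well-known BLACKHOLE community 65535:666 from RFC 7999. The flow records, the threshold, the prefix 203.0.113.0/24, the next-hop 192.0.2.1 and the ExaBGP-style "announce route ... community [...]" command text are all assumptions for illustration; a real deployment uses whatever community the upstream documents. Note what gets announced: the victim's address, not the attacker's sources, which is why the null route stops all traffic to that host.

```python
"""RTBH trigger: detect a flooded /32 and emit the blackhole announcement (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

BLACKHOLE_COMMUNITY = "65535:666"              # RFC 7999 well-known BLACKHOLE community
NEXT_HOP = "192.0.2.1"                         # assumed discard next-hop on our edge router
OUR_PREFIX = ip_network("203.0.113.0/24")      # assumed: the only space we may blackhole
WINDOW_SECONDS = 10
THRESHOLD_BPS = 1_000_000_000                  # assumed trigger: 1 Gbit/s sustained to one /32

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, bytes).
# 203.0.113.10 is being flooded from several sources; 203.0.113.20 sees normal traffic.
SAMPLE_FLOWS = [
    (0, "198.51.100.7",  "203.0.113.10", 2_000_000_000),
    (2, "198.51.100.8",  "203.0.113.10", 2_500_000_000),
    (5, "198.51.100.9",  "203.0.113.10", 3_000_000_000),
    (1, "198.51.100.20", "203.0.113.20", 5_000_000),
    (4, "198.51.100.21", "203.0.113.20", 8_000_000),
    (30, "198.51.100.7", "203.0.113.10", 2_000_000_000),   # outside the first window
]


def bytes_per_destination(flows, window_start, window_seconds=WINDOW_SECONDS):
    """Sum bytes per destination for flows inside [window_start, window_start + window)."""
    totals = defaultdict(int)
    for ts, _src, dst, nbytes in flows:
        if window_start <= ts < window_start + window_seconds:
            totals[dst] += nbytes
    return dict(totals)


def pick_victims(totals, threshold_bps=THRESHOLD_BPS, window_seconds=WINDOW_SECONDS):
    """Destinations whose average inbound rate over the window exceeded the threshold."""
    threshold_bytes = threshold_bps * window_seconds / 8
    return sorted(dst for dst, nbytes in totals.items() if nbytes > threshold_bytes)


def rtbh_announce(victim_ip):
    """Build the update that blackholes the victim's /32 (ExaBGP-style text, assumed syntax).

    Refuses addresses outside our own prefix: announcing someone else's /32 would
    hijack their traffic, so this is the one check an RTBH trigger must never skip.
    """
    addr = ip_address(victim_ip)
    if addr not in OUR_PREFIX:
        raise ValueError(f"{victim_ip} is not inside {OUR_PREFIX}; refusing to blackhole")
    return f"announce route {addr}/32 next-hop {NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]"


def rtbh_withdraw(victim_ip):
    """Counterpart sent once the flood subsides, so the host becomes reachable again."""
    addr = ip_address(victim_ip)
    return f"withdraw route {addr}/32 next-hop {NEXT_HOP}"


def trigger(flows, window_start=0):
    """Run detection over one window and return the announcements to send upstream."""
    victims = pick_victims(bytes_per_destination(flows, window_start))
    return [rtbh_announce(v) for v in victims]


if __name__ == "__main__":
    for cmd in trigger(SAMPLE_FLOWS):
        print(cmd)
```

On the sample data only 203.0.113.10 crosses the threshold (7.5 GB in 10 s, about 6 Gbit/s), so a single announcement is produced; the window starting at t=10 is quiet and produces none.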
~~~
codexon
He is talking about ACLs, not RTBH.

------
txutxu
Blink:

"Spanish police said that upon his arrest, the suspect identified himself as a
diplomat, saying he was the Minister of Telecommunications and Foreign Affairs
for the Republic of Cyberbunker."

I think from monday, at work, I will identify myself as a diplomat, the
"Minister of Telecommunications and Foreign Affairs of the Republic of the
Local Domain". Sounds nice.

------
gojomo
[April 29, 2013]

Previous submissions about this around that time:

[https://news.ycombinator.com/item?id=5614179](https://news.ycombinator.com/item?id=5614179)

[https://news.ycombinator.com/item?id=5613891](https://news.ycombinator.com/item?id=5613891)

------
SchizoDuckie
Why is there an article from 4 months ago on the frontpage?

------
Core-TX
Spamhaus does not only build the Autobahn, but also enforces American
definitions and trade policy whenever disputes arise.

------
dylangs1030
In case you're unaware of what Spamhaus is, its severity as a DDOS, and the
ongoing investigation into its operations, read here:

[http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/](http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/)

~~~
sillysaurus2
I think it's a marvelous feat of engineering that people were able to prevent
Spamhaus from being knocked offline by that massive DDoS.

[http://arstechnica.com/security/2013/03/how-whitehats-stopped-the-ddos-attack-that-knocked-spamhaus-offline/](http://arstechnica.com/security/2013/03/how-whitehats-stopped-the-ddos-attack-that-knocked-spamhaus-offline/)

~~~
codexon
Anycast isn't difficult to implement and is widely used to create CDNs. It is
simply costly. You need to buy a large block of IPs and have multiple data
centers.

After you have that, it is trivial to block all DNS packets, especially due to
the fact that Cloudflare doesn't need to receive DNS packets on their public
endpoints because they only serve HTTP traffic.

~~~
sillysaurus2
Hmm, is it very hard to DDoS DNS servers? I'm a bit confused about the DNS
part of what you said.

~~~
codexon
Not to be rude but if you don't understand what I just said, you might want to
re-read the article you just cited.

~~~
sillysaurus2
You are being rude, but I care about learning more than rudeness, so if you'll
kindly help me out:

 _But DNS servers can also be queried for the IP addresses of huge swaths of
the Internet, putting the person listed as making the request on the receiving
end of a massive response. In a blog post published Wednesday, CloudFlare CEO
Matthew Prince said each DNS request sent by the Spamhaus attackers was likely
only 36 bytes long, while each response was about 3,000 bytes. By spoofing the
requests to make them appear as if they originated with Spamhaus, the
attackers can turn the firepower of all those networks against their opponent,
all but guaranteeing it won't be available to process legitimate traffic._

I'm still not really getting it. Which IP addresses are they referring to when
they say "huge swaths of the internet"?

 _To get Spamhaus back online, CloudFlare relied on Anycast, a routing
technique that distributes the same IP address across 23 data centers across
the world. Internet traffic almost always chooses the shortest physical path.
Anycast allows the geographically dispersed junk traffic to be absorbed by
dozens of individual centers, where each packet is then inspected. When it
bears signatures found in the attack traffic—for example, if it's a
3,000-byte response from an open DNS resolver—it is discarded in the
CloudFlare data center. Only legitimate Web requests are allowed to be
forwarded to the Spamhaus data center._

How do they differentiate between a legit query and a DDoS query?

~~~
MaulingMonkey
 _I'm still not really getting it. Which IP addresses are they referring to
when they say "huge swaths of the internet"?_

Most IP addresses... most notably including the victim's IP address. Scenario:
Attacker sends 36 byte DNS query with a falsified sender address (that of his
victim) to, say, Google's DNS servers. If the origin isn't verified through
something like IPsec, Google won't be able to tell that the sender was forged.
Google then sends 3000 bytes to the victim, thinking they're simply replying
to a request, whereas they're really (unknowingly) facilitating a DNS
amplification attack (so called because the attacker turns e.g. 2Gb/s of
botnet traffic to DNS servers into 200Gb/s of DNS responses to the victim.)

Your random residential ISP may limit their DNS service to customers only --
unless the victim also happens to be a customer of said ISP (the very rare
case), the victim's IP address will be refused service, and not sent a
response. While this blocks "legitimate" requests (without forged senders) as
well unless you're actually on that ISP's network, in practice this is rarely a
problem -- DHCP is probably advertising the DNS servers which will respond to
you on whatever network you're on. Aside from preventing other ISPs from
having their customers freeload off your ISP's DNS server, this also prevents
the attack (at least with regards to DNS servers.)

 _How do they differentiate between a legit query and a DDoS query?_

CloudFlare, being on the sending side of the equation, can track what DNS
requests are going outbound even without IPsec, and drop inbound responses
which can't be matched up against one of those requests. That sounds expensive
however. I imagine they do something much cheaper, like simply drop all
inbound DNS traffic except the approved list of DNS servers that are probably
advertised over DHCP anyways. Again, this can block technically "legitimate"
requests where someone really did want to intentionally use some other DNS
server, but again, rarely a problem.

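The two filtering policies sketched in the comment above (drop everything except the resolvers DHCP hands out, or match inbound responses against the queries the protected host actually sent), as an added example that is not code from anyone in this thread. It runs both policies over constructed packets: a legitimate query and its answer, a reflected 3,000-byte response from an open resolver, a reflected response that bounced off the allowed resolver, and a replayed copy of the legitimate answer. The addresses 203.0.113.5 and 192.0.2.53, the packet fields and the sizes are assumptions for illustration.

```python
"""Allow-list vs. stateful filtering of inbound DNS responses (added example)."""
from collections import deque
from dataclasses import dataclass

PROTECTED_HOST = "203.0.113.5"        # assumed protected address (documentation range)
ALLOWED_RESOLVERS = {"192.0.2.53"}    # assumed: the resolver our DHCP advertises


@dataclass(frozen=True)
class DnsPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int
    qname: str
    is_response: bool
    size: int                          # UDP payload bytes


def amplification_factor(query_bytes, response_bytes):
    """Bytes the reflector emits toward the victim per byte the attacker sends."""
    return response_bytes / query_bytes


def query_key(pkt):
    # outbound query, seen as (resolver, our ephemeral port, transaction ID, name)
    return (pkt.dst_ip, pkt.src_port, pkt.txid, pkt.qname.lower())


def response_key(pkt):
    # inbound response: the same tuple read from the other direction
    return (pkt.src_ip, pkt.dst_port, pkt.txid, pkt.qname.lower())


def allowlist_admit(pkt):
    """Cheap policy: accept any response that comes from a resolver we hand out."""
    return pkt.is_response and pkt.dst_ip == PROTECTED_HOST and pkt.src_ip in ALLOWED_RESOLVERS


class StatefulDnsFilter:
    """Admit a response only if the protected host sent the matching query, and only once."""

    def __init__(self, max_pending=10_000):
        self.pending = set()
        self.order = deque()            # insertion order, so the table stays bounded
        self.max_pending = max_pending

    def observe_outbound(self, pkt):
        if pkt.is_response or pkt.src_ip != PROTECTED_HOST or pkt.dst_port != 53:
            return
        key = query_key(pkt)
        if key not in self.pending:
            self.pending.add(key)
            self.order.append(key)
        while len(self.order) > self.max_pending:   # evict oldest under a query flood
            self.pending.discard(self.order.popleft())

    def admit_inbound(self, pkt):
        if not pkt.is_response or pkt.dst_ip != PROTECTED_HOST or pkt.src_port != 53:
            return False
        key = response_key(pkt)
        if key in self.pending:
            self.pending.discard(key)   # one answer per query: a replayed copy is dropped
            return True
        return False


def run(packets):
    """Feed packets in order; return the response sizes admitted under each policy."""
    flt = StatefulDnsFilter()
    stateful, allowlist = [], []
    for pkt in packets:
        if not pkt.is_response:
            flt.observe_outbound(pkt)
            continue
        if flt.admit_inbound(pkt):
            stateful.append(pkt.size)
        if allowlist_admit(pkt):
            allowlist.append(pkt.size)
    return stateful, allowlist


H = PROTECTED_HOST
SAMPLE_TRAFFIC = [   # constructed packets
    DnsPacket(H, 40001, "192.0.2.53", 53, 0x1A2B, "example.com", False, 36),     # our query
    DnsPacket("192.0.2.53", 53, H, 40001, 0x1A2B, "example.com", True, 120),     # its answer
    DnsPacket("198.51.100.77", 53, H, 55555, 0x0001, "example.net", True, 3000), # reflected, open resolver
    DnsPacket("192.0.2.53", 53, H, 55556, 0x0002, "example.net", True, 3000),    # reflected via allowed resolver
    DnsPacket("192.0.2.53", 53, H, 40001, 0x1A2B, "example.com", True, 120),     # replayed answer
]

if __name__ == "__main__":
    print(run(SAMPLE_TRAFFIC))
```

The allow-list passes 3,120 bytes of unsolicited responses because the attacker can spoof our address toward the allowed resolver just as easily as toward an open one; the stateful filter admits only the 120-byte answer to the query we actually sent. The 36-to-3,000-byte ratio quoted from the article is an amplification factor of roughly 83.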
~~~
sillysaurus2
Oh, hey, it's MaulingMonkey! How are ya? #gamedev 4 lyfe, yo. How is that old
channel nowadays anyway?

Thanks for the thorough and very clear explanation.

~~~
MaulingMonkey
Same old same old.

------
D9u
If being attacked with a DDoS why not set the source of the attacks as the
address to resolve your IP address to?

~~~
kyrra
It depends on the type of DOS attack being used by the attackers. If they are
using a SYN attack you can change the source ip as you don't care to hear
back. But a SYN attack can be mitigated a bit easier once you know about it.

If you are doing a more application specific attack, you need to establish a
connection (assuming it is TCP), so you can't hide your IP in that case.

~~~
D9u
It's not "hiding" your IP address, it's changing your affected nameservers to
that of the attacker.

