Distributed Denial of Service attacks with DNS amplification against Spamhaus
Date : May 02, 2013
Introduction
Spamhaus is an international organization whose goal since 1998 is to track spam and the responsible persons and/or service providers on the Internet. To reach this goal, Spamhaus maintains several blacklists containing IP addresses marked as spammers, on which several Internet service and email providers rely on.
In March, Spamhaus added to their blacklists the addresses of Internet provider CyberBunker, identified as an important source of spam. Following this action, the organization was targeted by a important Distributed Denial of Service attack (DDoS) which lasted several days.
In this article, we take a closer look at the techniques used to carry out this attack and reach such a traffic level. Then, we focus on the actions Spamhaus and their partners performed to mitigate the attack.
The classic DDoS scheme is not enough anymore
The attack suffered by Spamhaus achieved new records of traffic volumes observed by several major network providers of the Internet. According to CloudFlare, which helped Spamhaus in mitigating the attack, few Tier-1 providers (Tier-1 providers interconnect smaller provider networks) saw traffic peaks reaching 300 Gbps, which would be one of the most important attacks ever observed.
To reach such a level in the involved traffic, attackers used a specific technique to amplify the generated network load: DNS reflexion amplification.
In a common distributed denial of service scheme, the attackers first take the control of an important set of computers in order to establish a network: the botnet. To launch the attack, the hackers simultaneously send to the whole set of compromised machines the order to send traffic to the target (such as a TCP connection request), with the objective of overloading their download bandwidth to such a point they cannot reply to all incoming requests. The service interruption is triggered. The generated network load is directly proportionnal to the botnet size. Today, these attacks are no longer sufficient to saturate the targets, and hackers thus use additional techniques to amplify the network traffic.
A reflection attack scheme…
One technique consists in using the botnet to spoof the target’s identity in order to send connection requests to external uncontroled hosts. The responses of the latter generate an unwanted return traffic towards the target. This technique is called “reflection attack”. In the TCP case for instance, the attackers send, via their botnet, a big number of connection request (SYN) packets spoofing the source IP address of the attack target. The contacted servers reply with a acknoledgement packet (ACK) addressed to the attack target.
This return traffic, which constitutes the attack volume, is therefore proportional to the number of controlled machines (the botnet) multiplied by the number of contacted hosts. Nevertheless, two points give nuance to the attack efficiency in the TCP case:
- The necessary attack traffic to send by the botnet servers is the same as the one received by the target.
- Placing a firewall upstream of the target allows to easily drop the ACK packets that are not matching an existing TCP session, and limit the impact of the attack on the target’s resources.
…amplified by using the DNS protocol
The use of the DNS protocol to carry out a DDoS reflection attack allows the attacker to avoid suffering the two drawbacks mentioned just above. This is what has been done during the attack held against Spamhaus.
So, the hackers sent spoofed DNS requests to servers configured to perform open recursive resolution. Servers configured in such a way are in fact able to reply to every request made from the Internet. Just as in the TCP reflection attack, replies were sent by the DNS servers to the target. The requests contained a demand for all the records of a large DNS zone: ripe.net. Thus, from a simple DNS request of just several dozens of bytes, the replies were easily reaching few kilo-bytes, amplifying the traffic by about 100 times.
As DNS mainly rely on the UDP protocol, it is also more difficult for targets of such attacks to block the return traffic at their network border: it is necessary to use specific security appliances able to perform applicative inspection to check if these replies match already sent requests. Even if the flows are finally blocked, packets are consuming the network capacity and still impact the service availability.
In cause: DNS servers configured as open resolvers…
The possibility of DDoS attacks with DNS amplification ask in reality the question of open resolvers servers, which implement recursive resolution without filtering their clients on the Internet. These servers, very numerous on the Internet, are indeed an easy way for attackers to generate heavy loads on the network. About 30,000 of these servers would have been used during the attack against Spamhaus. The ISC, which publishes the well-known BIND DNS server software, recommands since 2005 to avoid setting such a configuration, and since 2007 changed the default setting of its software to match this policy.
…but also because IP spoofing on the Internet is easy
These attacks also pose the more global problem of address spoofing on the Internet. Ideally, the goal is to check that outgoing packets in a provider network do have a source IP address belonging to this network. Today, most of the Internet actors still blindly route packets in function of their destination IP address only.
The Internet Engineering Task Force (IETF) published in RFC 2827, the “Best Current Pratice 28” in which they advise operators to filter packets transiting on their network and drop those whose source IP address is invalid or do not match existing peering agreements with their clients.
The use of the anycast technologies by CDNs to spread out the attack
To struggle against heavy traffic arriving on their servers, Spamhaus used a Content Delivery Network (CDN) provided by CloudFlare. It is based on the use of anycast: this technology allows routing a request to the closest server (in the meaning of routing distance) to the client. To achieve this goal, CloudFlare owns several datacenters in the world from which they announce the same IP addresses. Because the incriminated DNS servers were located all around the world, the DNS replies (attack traffic) thus automatically spread out to the different points of presence of the CloudFlare network and diluated the received traffic by server, allowing Spamhaus to be reachable again.
Conclusion
The attack taken against Spamhaus showed once again the potential of distributed denial of service attacks. The existence of thousands of open recursive DNS resolvers on the Internet, with the absence of control from network providers on the source of transiting traffic on their network, allowed hackers to amplify their attack in such a way that some Internet exchange points were slowed down.
In response to this threat of DDoS with DNS amplification attacks, some solutions exist for companies facing the Internet:
- The use of security appliances offering DDoS protections (high level protocol inspection, traffic peak detection). These solutions allow to alleviate the system resources inside a company’s network, but do not work on the upstream network resources of the operator affected by an attack.
- The use of CDN-type services, and more generally of the anycast technology. The deployment of a strong geo-redudancy strategy on multiple datacenters annoucing the same IP addresses allows, next to the assurance of a service resilience in case of a failure of a datacenter, to effectively increase the attack surface for hackers, increasing the difficulty for them to interrupt the service.
To be really effective in fighting this type of attacks, operators must act on two challenges:
- Controling transiting traffic on their network in order to limit the possibility for attackers to spoof addresses on the Internet.
- Pushing for the reconfiguration of open DNS resolvers on their networks which constitute real attack tools for hackers.