The Spamhaus DDoS that peaked around the twenty-seventh of March is the largest distributed denial-of-service attack the public internet has yet seen, and the technique it uses is going to dominate DDoS work for the next several years. Three hundred gigabits per second of DNS-reflection traffic, coordinated through the open-recursive-resolver infrastructure of the global DNS, with the spoofed source IP being Spamhaus and the destination being whatever DNS server the attacker chose to abuse. CloudFlare provided the mitigation services and have written a detailed account on their blog of what the attack actually looked like. The technical scope is unprecedented. The structural implication for DDoS defence is that the operational answer that worked against Estonia in 2007 and Anonymous's Operation Payback in 2010 is no longer adequate.
The DNS reflection technique itself is not novel. The cryptographic-protocol community have been discussing it as a theoretical risk since at least 2002, and there have been small demonstrations through the late 2000s. What is new is the scale at which it has been deployed against Spamhaus. The attack mechanism is roughly this: the attacker sends a small DNS query to an open recursive resolver, with the source IP spoofed to be the target (Spamhaus). The recursive resolver, which does not verify where the request came from, sends a much larger DNS response (sixty-four bytes of query becoming one to two kilobytes of response, an amplification factor of approximately fifty). The target receives the response. Multiply by the global open-recursive-resolver count (roughly twenty-five million on present Open Resolver Project data) and the volumetric arithmetic for a 300 Gbps attack is straightforward: a few hundred megabits per second of attacker-side traffic, amplified through DNS, becomes hundreds of gigabits per second of target-side traffic. The attacker only needs a modestly sized botnet to generate the source traffic; the open-resolver infrastructure does the amplification work.
The attribution is straightforward in this case. Sven Olaf Kamphuis and the Cyberbunker / Stophaus operators have been publicly involved with the campaign, with Kamphuis effectively confirming his involvement in his Stophaus statements. Cyberbunker is the Dutch hosting provider that Spamhaus has been blacklisting for hosting various "no-content-restrictions" customer sites; the campaign is, on Kamphuis's framing, retaliation for the blacklisting. The Dutch and Spanish authorities are involved; arrest seems likely within weeks. BBC reporting on the wider story is the right summary of the public-press picture.
The structural lesson is at the open-recursive-resolver layer. There are, on the Open Resolver Project's data, approximately twenty-five million open recursive resolvers reachable on the public internet. Most of them are not infrastructure that anyone is paying attention to — they are home routers running default DNS configurations, university networks with permissive ACLs, small ISPs with legacy configurations. None of these need to be open recursive resolvers. The defensive answer is to close them, which requires the operators of those resolvers to be motivated to do so. The current incident is going to motivate substantial closure work; whether the closure is sustained or whether the resolvers will drift back open as configuration changes happen is the operational question.
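To make the two technical points above concrete (why a small query turns into a large response, and what "closed" looks like on the wire when an operator restricts recursion), here is an added example that is not from the original post or from any of the parties it describes. It builds a recursive ANY query and two constructed replies in RFC 1035 wire format with nothing but the standard library, parses the header flags, and classifies the reply as an open or closed resolver. The record contents, sizes, transaction ID and function names are this example's own assumptions; no packets are sent.

```python
"""Parse DNS message headers, measure amplification on constructed
messages, and classify a resolver's reply as open or closed.

Everything here is constructed inline for illustration; no network I/O.
"""
import struct

# Header layout (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_TXT, QTYPE_ANY, QCLASS_IN = 16, 255, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """A recursive (RD=1) query, the shape an outside client would send."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the flags a defender cares about."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available: server will recurse
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_response(query: bytes, txt_records: list, open_resolver: bool) -> bytes:
    """Constructed reply. An open resolver answers with RA=1 and answer records;
    a resolver with recursion restricted replies REFUSED with no answers."""
    txid, qflags, *_ = HEADER.unpack_from(query)
    question = query[HEADER.size:]
    if not open_resolver:
        flags = 0x8000 | (qflags & 0x0100) | RCODE_REFUSED   # QR=1, RA=0, RCODE=5
        return HEADER.pack(txid, flags, 1, 0, 0, 0) + question
    flags = 0x8000 | 0x0100 | 0x0080                          # QR=1, RD=1, RA=1
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode()              # one TXT character-string
        # 0xC00C = compression pointer to the question name at offset 12,
        # then TYPE, CLASS, TTL, RDLENGTH
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return HEADER.pack(txid, flags, 1, len(txt_records), 0, 0) + question + answers


def classify_resolver(query: bytes, reply: bytes) -> str:
    """'open' if the server recursed for an outside client, 'closed' if it
    refused or withholds recursion, 'unknown' if the reply does not match."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "unknown"
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "closed"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open"
    return "unknown"


def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes the spoofed target receives per byte the sender emitted (UDP payload only)."""
    return len(reply) / len(query)


def attacker_rate_mbps(target_gbps: float, factor: float) -> float:
    """Sender-side Mbit/s needed to produce target_gbps at a given amplification factor."""
    return target_gbps * 1000 / factor


if __name__ == "__main__":
    q = build_query("example.com")
    big = build_response(q, ["x" * 60] * 20, open_resolver=True)
    refused = build_response(q, [], open_resolver=False)
    print(len(q), len(big), round(amplification_factor(q, big), 1))
    print(classify_resolver(q, big), classify_resolver(q, refused))
```

The twenty constructed 60-byte TXT records push a 29-byte query to a 1489-byte reply, a ratio in the same region as the post's "approximately fifty"; the REFUSED reply is exactly as long as the question, which is why closing recursion removes the amplification rather than merely reducing it. A resolver operator can run the same header check against their own server's reply to a query from an address outside their served ranges: RA set with answers means it is still open.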
For the engagements I run, the post-Spamhaus conversation is a different one from the post-2010 DDoS-for-hire conversation. The 2010 conversation was about volumetric DDoS at, say, ten gigabits per second, which most enterprise internet connections cannot absorb but which commercial services like CloudFlare or Akamai can mitigate. The 2013 conversation is about volumetric DDoS at 300 gigabits per second, which approaches the carrier-level capacity at which even the major mitigation providers have to coordinate across multiple peering points to absorb it. Essentially no target can defend against an attack of this scale on its own; the operational answer is a mitigation provider plus carrier coordination, and the cost of that arrangement is meaningfully higher than most clients have budgeted for.
For the Hedgehog SOC, the detection-content addition this week is the patterns associated with being on either side of the DNS-reflection chain — clients who run resolvers we monitor will get detection content for "your resolver is being used in a reflection attack", and clients with public-facing infrastructure will get detection content for "you are the target of a reflection attack". The detection patterns are reasonably clean once the operational signature is established. The pattern is now in the engagement-team material.
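The two detection patterns above, written out as an added example (this is not the Hedgehog SOC's content or any real product rule set): one detector runs over a monitored resolver's query log and flags outside "clients" that are being sent a stream of large responses, which is what being the amplifier looks like; the other runs over a border packet log and flags hosts receiving DNS responses that match no outbound query from many distinct resolvers, which is what being the target looks like. The log formats, addresses, served-network list and thresholds are this example's own assumptions, and the log lines are constructed.

```python
"""Detection logic for both sides of a DNS-reflection chain, run over
constructed log lines. Field layouts and thresholds are assumptions.

Resolver-side lines (query log of a resolver we monitor):
    ts client qtype qname resp_bytes
Edge-side lines (UDP/53 packet log at a client's border):
    ts src dst qr txid size          (qr: Q = query, R = response)
"""
from collections import defaultdict
import ipaddress

# Constructed sample: 203.0.113.9 appears as the spoofed "client" of our resolver
RESOLVER_LOG = """\
2013-03-27T10:00:01 10.0.0.7 A www.example.com 61
2013-03-27T10:00:01 203.0.113.9 ANY example.org 1489
2013-03-27T10:00:01 203.0.113.9 ANY example.org 1489
2013-03-27T10:00:02 203.0.113.9 ANY example.org 1489
2013-03-27T10:00:02 203.0.113.9 ANY example.org 1489
2013-03-27T10:00:02 10.0.0.8 AAAA mail.example.com 89
2013-03-27T10:00:03 203.0.113.9 ANY example.org 1489
"""

# Constructed sample: 203.0.113.9 asked one resolver a question and then receives
# responses from four resolvers it never queried
EDGE_LOG = """\
2013-03-27T10:00:01 203.0.113.9 198.51.100.1 Q 4660 29
2013-03-27T10:00:01 198.51.100.1 203.0.113.9 R 4660 61
2013-03-27T10:00:02 198.51.100.2 203.0.113.9 R 1 1489
2013-03-27T10:00:02 198.51.100.3 203.0.113.9 R 2 1489
2013-03-27T10:00:02 198.51.100.4 203.0.113.9 R 3 1489
2013-03-27T10:00:03 198.51.100.5 203.0.113.9 R 4 1489
"""

# Address ranges this resolver is supposed to serve (assumed)
SERVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def resolver_side_alerts(log: str, min_queries: int = 5, min_avg_bytes: int = 1000) -> dict:
    """Flag outside clients that receive many large responses: our resolver is
    acting as the amplifier and the 'client' address is probably the spoofed victim."""
    per_client = defaultdict(lambda: {"n": 0, "any": 0, "bytes": 0})
    for line in log.splitlines():
        _ts, client, qtype, _qname, size = line.split()
        if any(ipaddress.ip_address(client) in net for net in SERVED_NETS):
            continue                      # legitimate client range, not reflection
        c = per_client[client]
        c["n"] += 1
        c["any"] += qtype == "ANY"        # ANY/TXT dominate because they amplify most
        c["bytes"] += int(size)
    return {
        client: {
            "queries": c["n"],
            "any_fraction": c["any"] / c["n"],
            "bytes_sent": c["bytes"],
        }
        for client, c in per_client.items()
        if c["n"] >= min_queries and c["bytes"] / c["n"] >= min_avg_bytes
    }


def target_side_alerts(log: str, min_sources: int = 3) -> dict:
    """Flag local hosts receiving DNS responses that match no outbound query.
    Unsolicited responses from many resolvers means we are the reflection target."""
    outstanding = set()                   # (our host, resolver, txid) we actually asked
    unsolicited = defaultdict(set)        # target host -> resolvers replying unasked
    bytes_in = defaultdict(int)
    for line in log.splitlines():
        _ts, src, dst, qr, txid, size = line.split()
        if qr == "Q":
            outstanding.add((src, dst, txid))
        elif (dst, src, txid) in outstanding:
            outstanding.discard((dst, src, txid))   # reply to a real query
        else:
            unsolicited[dst].add(src)
            bytes_in[dst] += int(size)
    return {
        dst: {"resolvers": len(srcs), "bytes": bytes_in[dst]}
        for dst, srcs in unsolicited.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    print(resolver_side_alerts(RESOLVER_LOG))
    print(target_side_alerts(EDGE_LOG))
```

On the resolver side the discriminator is the served-range check: a recursive resolver that only serves its own prefixes should never be sending responses to outside addresses at all, so any outside address crossing the volume threshold is worth an alert. On the target side the matching of responses to outstanding queries is what separates reflection traffic from a busy but legitimate host; in a real deployment the outstanding set needs a time-based expiry, which the constructed sample does not require.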
The wider piece I have been thinking about is what the political-cyber category looks like when the threshold for substantial DDoS is this low. Cyberbunker is a small organisation — single-figure staff, mid-six-figure revenue — and yet it has been able to direct an attack of unprecedented scale against a major internet-infrastructure operator. The "asymmetric warfare" framing that has been used about cyber capability for years has been mostly rhetoric; this is the first demonstration of it being operationally true at the volumetric-DDoS level. If a small operator can do 300 gigabits per second, then most of the previous defensive economics — "we are too small to be worth attacking at scale" — no longer hold for any of the engagement clients I work with. The threat model widens.
The next post is likely the continued APT1 reactions, the Mandiant follow-on work that several practitioners have been working on, or whatever else breaks first.