Recent slow down on the European internet explained

News on 28 Mar 2013

The knowledgeable technology publication ZDNet is carrying an interesting story explaining a recent slowdown in European internet performance, citing the biggest Distributed Denial of Service assault yet as the cause.

The article details the events surrounding the 300 Gbps attack, which tested the resilience of the Internet but failed to break it, thanks to mitigation efforts by CloudFlare, which Spamhaus engaged after coming under a massive DDoS attack.

After Spamhaus switched over to CloudFlare’s network on March 19, the attack began with a 10Gbps flood of traffic, ramping up in excess of 100Gbps later that night. It initially took Spamhaus’ website down, with the outage independently observed by the Internet Storm Center at the time.

According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.

The issue with this system is that the source address of such requests can easily be forged, and in the absence of any checking or authentication, the DNS resolver simply replies to whatever source IP address the request claims. While this is a simple way of “bouncing” a request off a different server, it also amplifies the damage an attacker can do, because the response sent by the DNS resolver is often many times larger than the request that triggered it.

CloudFlare says the attackers used multiple DNS resolvers to spread the load across many reflecting servers, prevent any single one from throttling the traffic, and fly under the radar of any security measures. According to the company, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack.
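The reflection pattern described in the two paragraphs above (a target receiving large DNS responses it never asked for, from many distinct resolvers) is something a network defender can look for in flow data. The following is an added example written for this page, not code from ZDNet, CloudFlare or Spamhaus. It assumes a simplified, constructed flow-log format of `src_ip dst_ip src_port dst_port bytes`; the sample addresses are from documentation ranges and the thresholds are illustrative assumptions.

```python
"""Flag likely DNS reflection/amplification targets from flow records.

Added example (not from the article). Input lines are assumed to have the
constructed format:  <src_ip> <dst_ip> <src_port> <dst_port> <bytes>
For each host we total the bytes of DNS responses it received (traffic from
UDP/53) against the bytes of DNS queries it sent (traffic to UDP/53). A host
that receives far more response traffic than it ever requested, from many
distinct resolvers, matches the reflection pattern described above.
"""
from collections import defaultdict

# Constructed sample flows, not real traffic. 203.0.113.10 plays the victim,
# 192.0.2.1-5 play open resolvers reflecting large responses at it, and
# 198.51.100.7 is an ordinary client doing a normal lookup against 192.0.2.53.
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.53 40001 53 64
192.0.2.53 198.51.100.7 53 40001 120
192.0.2.1 203.0.113.10 53 4444 3000
192.0.2.2 203.0.113.10 53 4444 3200
192.0.2.3 203.0.113.10 53 4444 3100
192.0.2.4 203.0.113.10 53 4444 2900
192.0.2.5 203.0.113.10 53 4444 3300
"""


def parse_flows(text):
    """Parse flow-log text into (src, dst, sport, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sport, dport, nbytes = line.split()
        flows.append((src, dst, int(sport), int(dport), int(nbytes)))
    return flows


def dns_amplification_stats(flows):
    """Per host: DNS response bytes received, DNS query bytes sent, and the
    set of distinct servers that sent it responses."""
    stats = defaultdict(lambda: {"resp_bytes": 0, "query_bytes": 0,
                                 "responders": set()})
    for src, dst, sport, dport, nbytes in flows:
        if sport == 53:  # from a DNS server port: a response to dst
            stats[dst]["resp_bytes"] += nbytes
            stats[dst]["responders"].add(src)
        if dport == 53:  # to a DNS server port: a query from src
            stats[src]["query_bytes"] += nbytes
    return stats


def flag_reflection_targets(flows, min_ratio=10.0, min_responders=3,
                            min_bytes=1000):
    """Return hosts whose inbound DNS response bytes exceed their own query
    bytes by at least min_ratio, arriving from at least min_responders
    distinct servers. Thresholds are assumed values for illustration."""
    flagged = {}
    for host, s in dns_amplification_stats(flows).items():
        # A host that sent no queries at all gets a denominator of 1 so that
        # unsolicited responses still produce a large ratio.
        ratio = s["resp_bytes"] / max(s["query_bytes"], 1)
        if (s["resp_bytes"] >= min_bytes and ratio >= min_ratio
                and len(s["responders"]) >= min_responders):
            flagged[host] = {
                "ratio": ratio,
                "responders": len(s["responders"]),
                "resp_bytes": s["resp_bytes"],
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_reflection_targets(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {info['resp_bytes']} response bytes from "
              f"{info['responders']} resolvers, ratio {info['ratio']:.0f}x")
```

In the sample, the ordinary client exchanges 64 bytes out for 120 bytes back with one server and is not flagged, while the victim receives 15,500 bytes of responses it never requested from five different resolvers. The same aggregation works on real NetFlow/sFlow exports once the parser is adapted to their field layout; the query-byte denominator is what separates legitimate heavy DNS users from reflection targets.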

CloudFlare’s strategy for responding to such distributed attacks is similar. DDoS attacks typically succeed because a single target cannot cope with the combined effect of many incoming traffic streams, so CloudFlare’s response is to create more “targets”, each capable of handling a smaller chunk of the traffic. It took the attack traffic and spread it across 23 of its own datacentres, while also dumping any requests it knew to be bogus.

Realising their attack wasn’t working, the attackers changed tactics, circumventing CloudFlare entirely by moving the attack upstream to CloudFlare’s suppliers, which in turn pushed the traffic further up to even larger networks – in simplistic terms, those that service the connections to and from major ISPs that allow countries to talk to each other.

The attack on these networks was in excess of 300Gbps, and further attacks “risk overwhelming the systems that link together the internet itself”.

Read the full story here: http://www.zdnet.com/the-largest-ddos-attack-didnt-break-the-internet-but-it-did-try-7000013225/
