[AusNOG] Global internet slows after 'biggest attack in history'

Michael Andreas Schipp MSchipp at a10networks.com
Thu Mar 28 16:49:57 EST 2013


The number was from here I believe http://openresolverproject.org/
"We have collected a list of 27 million resolvers that respond to queries in some fashion. 25 million of these pose a significant threat (as of 24-MAR-2013)."
Thank you,

Michael A Schipp
Regional SE Manager ANZ
A10 Networks

Direct: 0402 907 928
Email: mschipp at a10networks.com<mailto:mschipp at a10networks.com>
WEB:     www.a10networks.com<http://www.a10networks.com/>
Twitter: @maschipp
Skype:   michael_schipp


From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Joshua D'Alton
Sent: Thursday, 28 March 2013 4:46 PM
To: Tom Paseka
Cc: AusNOG
Subject: Re: [AusNOG] Global internet slows after 'biggest attack in history'

Hey Tom, are you sure those numbers for open resolvers is correct?

Based on the list on http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html  I don't count anywhere near a million let alone 21.7? I count 108418 on that list.


On Thu, Mar 28, 2013 at 2:13 PM, Tom Paseka <tom at cloudflare.com<mailto:tom at cloudflare.com>> wrote:
Sure, 300Gbps isn't that much in the scheme of things. But 300Gbps new traffic without any notice is a big deal for anyone. Even the Tier-1s.

Australia's international capacity is much higher than 300Gbps - yes, but not in lit and untilised capacity. You're also right in that these attacks were in 4-5 hours.  In the past, we've seen sustained 75Gbps for 3 weeks.

Mitigations are not always possible, especially when the attacks are pointed at critical infrastructure, or infrastructure that can't be changed easily (as has been the case here).

So while its not a physical cut, like the death of a telephone exchange, it'd cause a lot of headaches for the ISPs getting attacked.


On Wed, Mar 27, 2013 at 7:50 PM, Damian Guppy <the.damo at gmail.com<mailto:the.damo at gmail.com>> wrote:
You need to keep in mind that the worse that Cloudflare makes this attack seem, the better it makes them look for being able to mitigate it. 300gbps is actually not that much on the scale of global backbone traffic (the actualy amount of traffic hitting cloudflare only reached 120Gbps anyway), Australia has much higher international capacity than that. Also DDOS attacks are rearly sustained over more than a few hours, in the case of the cloudflare attack it was more like waves of attacks lasting 4-5 hours each, some big some small.

If some one pointed that kind of botnet attack at Australia the impact might be degraded internet speeds on some ISP's for a few hours until either the attack started to subside or for the ISP's NOC (and their upstream providers - they dont want to carry the traffic any more than the ISP does) to implement mitigations. You certainly would not be without total internet access for weeks and weeks on end like what happens if a critical exchange burns to the ground.

--Damian

On Thu, Mar 28, 2013 at 8:52 AM, Tom Paseka <tom at cloudflare.com<mailto:tom at cloudflare.com>> wrote:
Definitely. Some ISPs may have enough capacity to soak up this traffic internationally, but not to carry it to Australia.

On Wed, Mar 27, 2013 at 5:18 PM, Joshua D'Alton <joshua at railgun.com.au<mailto:joshua at railgun.com.au>> wrote:
Nice writeup.

It seems they are focusing alot on the open resolver issue, but that is only half or 1/3rd of the coin. The other problem is people being able to send all these forged packets in the first place, and beyond that, have so many tcp connections.

There are only a few ISPs globally outside of the tier1 and some tier2 that could handle such an attack, I think telstra (and subsequently all AU isps) would crumble easily under such an attack, and I might be wrong, please someone tell me I am, but we could be hit at any moment and with ramifications far above that of the Warnambool fire?

On Thu, Mar 28, 2013 at 7:44 AM, Peter Adkins <peter.adkins at kernelpicnic.net<mailto:peter.adkins at kernelpicnic.net>> wrote:
There's an interesting write up on the matter on the CloudFlare blog at the moment - http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

(The Massive Attack picture is a nice touch).


On Thu, Mar 28, 2013 at 1:29 AM, ComKal Networks <admin at comkal.com.au<mailto:admin at comkal.com.au>> wrote:
<http://www.bbc.co.uk/news/technology-21954636>

<QUOTE>
The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.
</QUOTE>


Cheers
Ian Manners
ComKal Networks Australia

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20130328/824b234c/attachment.html>


More information about the AusNOG mailing list