Some hosting providers, running some versions of hosting panels had recursive DNS servers turned on by default. They may have /24's or larger, just using said hosting panel, all running open recursors.<div><br></div><div>
I've even seen consumer modems running as DNS recursors (and participating in attacks).<br><div><br><div class="gmail_quote">On Wed, Mar 27, 2013 at 10:49 PM, Joshua D'Alton <span dir="ltr"><<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Never mind, if they are subnets then 108k x 200 = 21 mil, but that does still seem high. That would imply the majority of those subnets are running open resolvers on the majority of the IPs in those subnets. Seems unlikely, but can't argue with the facts if that is the case. But some explanation might be useful :)<div class="HOEnZb">
<div class="h5"><br>
<br><div class="gmail_quote">On Thu, Mar 28, 2013 at 4:45 PM, Joshua D'Alton <span dir="ltr"><<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hey Tom, are you sure those numbers for open resolvers is correct?<div><br></div><div>Based on the list on <a href="http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html" target="_blank">http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html</a> I don't count anywhere near a million let alone 21.7? I count 108418 on that list.</div>
<div><div>
<div><br></div><div><br><br><div class="gmail_quote">On Thu, Mar 28, 2013 at 2:13 PM, Tom Paseka <span dir="ltr"><<a href="mailto:tom@cloudflare.com" target="_blank">tom@cloudflare.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sure, 300Gbps isn't that much in the scheme of things. But 300Gbps new traffic without any notice is a big deal for anyone. Even the Tier-1s.<div><br></div><div>Australia's international capacity is much higher than 300Gbps - yes, but not in lit and untilised capacity. You're also right in that these attacks were in 4-5 hours. In the past, we've seen sustained 75Gbps for 3 weeks. </div>
<div><br></div><div>Mitigations are not always possible, especially when the attacks are pointed at critical infrastructure, or infrastructure that can't be changed easily (as has been the case here). </div><div><br>
</div>
<div>So while its not a physical cut, like the death of a telephone exchange, it'd cause a lot of headaches for the ISPs getting attacked. <div><div><br><div><br><div class="gmail_quote">On Wed, Mar 27, 2013 at 7:50 PM, Damian Guppy <span dir="ltr"><<a href="mailto:the.damo@gmail.com" target="_blank">the.damo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You need to keep in mind that the worse that Cloudflare makes this attack seem, the better it makes them look for being able to mitigate it. 300gbps is actually not that much on the scale of global backbone traffic (the actualy amount of traffic hitting cloudflare only reached 120Gbps anyway), Australia has much higher international capacity than that. Also DDOS attacks are rearly sustained over more than a few hours, in the case of the cloudflare attack it was more like waves of attacks lasting 4-5 hours each, some big some small. <div>
<br></div><div>If some one pointed that kind of botnet attack at Australia the impact might be degraded internet speeds on some ISP's for a few hours until either the attack started to subside or for the ISP's NOC (and their upstream providers - they dont want to carry the traffic any more than the ISP does) to implement mitigations. You certainly would not be without total internet access for weeks and weeks on end like what happens if a critical exchange burns to the ground.</div>
<span><font color="#888888">
<div><br></div><div>--Damian</div></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 28, 2013 at 8:52 AM, Tom Paseka <span dir="ltr"><<a href="mailto:tom@cloudflare.com" target="_blank">tom@cloudflare.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Definitely. Some ISPs may have enough capacity to soak up this traffic internationally, but not to carry it to Australia. <div>
<div><div><br><div class="gmail_quote">On Wed, Mar 27, 2013 at 5:18 PM, Joshua D'Alton <span dir="ltr"><<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Nice writeup.<div><br></div><div>It seems they are focusing alot on the open resolver issue, but that is only half or 1/3rd of the coin. The other problem is people being able to send all these forged packets in the first place, and beyond that, have so many tcp connections.</div>
<div><br></div><div>There are only a few ISPs globally outside of the tier1 and some tier2 that could handle such an attack, I think telstra (and subsequently all AU isps) would crumble easily under such an attack, and I might be wrong, please someone tell me I am, but we could be hit at any moment and with ramifications far above that of the Warnambool fire?<div>
<div><br>
<br><div class="gmail_quote">On Thu, Mar 28, 2013 at 7:44 AM, Peter Adkins <span dir="ltr"><<a href="mailto:peter.adkins@kernelpicnic.net" target="_blank">peter.adkins@kernelpicnic.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There's an interesting write up on the matter on the CloudFlare blog at the moment - <a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet" target="_blank">http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet</a><br>
<br>(The Massive Attack picture is a nice touch).<div><div><br><br><br><div class="gmail_quote">On Thu, Mar 28, 2013 at 1:29 AM, ComKal Networks <span dir="ltr"><<a href="mailto:admin@comkal.com.au" target="_blank">admin@comkal.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><<a href="http://www.bbc.co.uk/news/technology-21954636" target="_blank">http://www.bbc.co.uk/news/technology-21954636</a>><br>
<br>
<QUOTE><br>
The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.<br>
</QUOTE><br>
<br>
<br>
Cheers<br>
Ian Manners<br>
ComKal Networks Australia<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div><br>
</div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br></div></div>