<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:18.0pt;
font-family:"Times New Roman","serif";
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Times New Roman","serif";
mso-fareast-language:EN-AU;
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">The number was from here I believe
<a href="http://openresolverproject.org/">http://openresolverproject.org/</a> <o:p>
</o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black">“We have collected a list of 27 million resolvers that respond to queries in some fashion. 25 million of these pose a significant threat (as of 24-MAR-2013).”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Thank you,<br>
<b> <br>
</b>Michael A Schipp<b><br>
</b></span><span style="color:black">Regional SE Manager ANZ<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:black">A10 Networks</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"><br>
Direct: 0402 907 928<br>
Email: </span><a href="mailto:mschipp@a10networks.com">mschipp@a10networks.com</a><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">WEB: </span><a href="http://www.a10networks.com/"><span lang="EN-US">www.a10networks.com</span></a><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Twitter: @maschipp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Skype: michael_schipp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></a></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Joshua D'Alton<br>
<b>Sent:</b> Thursday, 28 March 2013 4:46 PM<br>
<b>To:</b> Tom Paseka<br>
<b>Cc:</b> AusNOG<br>
<b>Subject:</b> Re: [AusNOG] Global internet slows after 'biggest attack in history'<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hey Tom, are you sure those numbers for open resolvers is correct?<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Based on the list on <a href="http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html">http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html</a> I don't count anywhere near a million
let alone 21.7? I count 108418 on that list.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Mar 28, 2013 at 2:13 PM, Tom Paseka <<a href="mailto:tom@cloudflare.com" target="_blank">tom@cloudflare.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Sure, 300Gbps isn't that much in the scheme of things. But 300Gbps new traffic without any notice is a big deal for anyone. Even the Tier-1s.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Australia's international capacity is much higher than 300Gbps - yes, but not in lit and untilised capacity. You're also right in that these attacks were in 4-5 hours. In the past, we've seen sustained 75Gbps for 3 weeks. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Mitigations are not always possible, especially when the attacks are pointed at critical infrastructure, or infrastructure that can't be changed easily (as has been the case here). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So while its not a physical cut, like the death of a telephone exchange, it'd cause a lot of headaches for the ISPs getting attacked. <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Mar 27, 2013 at 7:50 PM, Damian Guppy <<a href="mailto:the.damo@gmail.com" target="_blank">the.damo@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">You need to keep in mind that the worse that Cloudflare makes this attack seem, the better it makes them look for being able to mitigate it. 300gbps is actually not that much on the scale of global backbone traffic (the actualy amount of
traffic hitting cloudflare only reached 120Gbps anyway), Australia has much higher international capacity than that. Also DDOS attacks are rearly sustained over more than a few hours, in the case of the cloudflare attack it was more like waves of attacks lasting
4-5 hours each, some big some small. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If some one pointed that kind of botnet attack at Australia the impact might be degraded internet speeds on some ISP's for a few hours until either the attack started to subside or for the ISP's NOC (and their upstream providers - they
dont want to carry the traffic any more than the ISP does) to implement mitigations. You certainly would not be without total internet access for weeks and weeks on end like what happens if a critical exchange burns to the ground.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">--Damian<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Mar 28, 2013 at 8:52 AM, Tom Paseka <<a href="mailto:tom@cloudflare.com" target="_blank">tom@cloudflare.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Definitely. Some ISPs may have enough capacity to soak up this traffic internationally, but not to carry it to Australia. <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Mar 27, 2013 at 5:18 PM, Joshua D'Alton <<a href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Nice writeup.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It seems they are focusing alot on the open resolver issue, but that is only half or 1/3rd of the coin. The other problem is people being able to send all these forged packets in the first place, and beyond that, have so many tcp connections.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There are only a few ISPs globally outside of the tier1 and some tier2 that could handle such an attack, I think telstra (and subsequently all AU isps) would crumble easily under such an attack, and I might be wrong, please someone tell
me I am, but we could be hit at any moment and with ramifications far above that of the Warnambool fire?<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Mar 28, 2013 at 7:44 AM, Peter Adkins <<a href="mailto:peter.adkins@kernelpicnic.net" target="_blank">peter.adkins@kernelpicnic.net</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">There's an interesting write up on the matter on the CloudFlare blog at the moment -
<a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet" target="_blank">
http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet</a><br>
<br>
(The Massive Attack picture is a nice touch).<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On Thu, Mar 28, 2013 at 1:29 AM, ComKal Networks <<a href="mailto:admin@comkal.com.au" target="_blank">admin@comkal.com.au</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal"><<a href="http://www.bbc.co.uk/news/technology-21954636" target="_blank">http://www.bbc.co.uk/news/technology-21954636</a>><br>
<br>
<QUOTE><br>
The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.<br>
</QUOTE><br>
<br>
<br>
Cheers<br>
Ian Manners<br>
ComKal Networks Australia<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>