[AusNOG] Global internet slows after 'biggest attack in history'

Joshua D'Alton joshua at railgun.com.au
Thu Mar 28 16:45:35 EST 2013


Hey Tom, are you sure those numbers for open resolvers is correct?

Based on the list on
http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html
I don't count anywhere near a million let alone 21.7? I count 108418
on
that list.



On Thu, Mar 28, 2013 at 2:13 PM, Tom Paseka <tom at cloudflare.com> wrote:

> Sure, 300Gbps isn't that much in the scheme of things. But 300Gbps new
> traffic without any notice is a big deal for anyone. Even the Tier-1s.
>
> Australia's international capacity is much higher than 300Gbps - yes, but
> not in lit and untilised capacity. You're also right in that these attacks
> were in 4-5 hours.  In the past, we've seen sustained 75Gbps for 3 weeks.
>
> Mitigations are not always possible, especially when the attacks are
> pointed at critical infrastructure, or infrastructure that can't be changed
> easily (as has been the case here).
>
> So while its not a physical cut, like the death of a telephone exchange,
> it'd cause a lot of headaches for the ISPs getting attacked.
>
>
> On Wed, Mar 27, 2013 at 7:50 PM, Damian Guppy <the.damo at gmail.com> wrote:
>
>> You need to keep in mind that the worse that Cloudflare makes this attack
>> seem, the better it makes them look for being able to mitigate it. 300gbps
>> is actually not that much on the scale of global backbone traffic (the
>> actualy amount of traffic hitting cloudflare only reached 120Gbps anyway),
>> Australia has much higher international capacity than that. Also DDOS
>> attacks are rearly sustained over more than a few hours, in the case of the
>> cloudflare attack it was more like waves of attacks lasting 4-5 hours each,
>> some big some small.
>>
>> If some one pointed that kind of botnet attack at Australia the impact
>> might be degraded internet speeds on some ISP's for a few hours until
>> either the attack started to subside or for the ISP's NOC (and their
>> upstream providers - they dont want to carry the traffic any more than the
>> ISP does) to implement mitigations. You certainly would not be without
>> total internet access for weeks and weeks on end like what happens if a
>> critical exchange burns to the ground.
>>
>> --Damian
>>
>>
>> On Thu, Mar 28, 2013 at 8:52 AM, Tom Paseka <tom at cloudflare.com> wrote:
>>
>>> Definitely. Some ISPs may have enough capacity to soak up this traffic
>>> internationally, but not to carry it to Australia.
>>>
>>> On Wed, Mar 27, 2013 at 5:18 PM, Joshua D'Alton <joshua at railgun.com.au>wrote:
>>>
>>>> Nice writeup.
>>>>
>>>> It seems they are focusing alot on the open resolver issue, but that is
>>>> only half or 1/3rd of the coin. The other problem is people being able to
>>>> send all these forged packets in the first place, and beyond that, have so
>>>> many tcp connections.
>>>>
>>>> There are only a few ISPs globally outside of the tier1 and some tier2
>>>> that could handle such an attack, I think telstra (and subsequently all AU
>>>> isps) would crumble easily under such an attack, and I might be wrong,
>>>> please someone tell me I am, but we could be hit at any moment and with
>>>> ramifications far above that of the Warnambool fire?
>>>>
>>>>
>>>> On Thu, Mar 28, 2013 at 7:44 AM, Peter Adkins <
>>>> peter.adkins at kernelpicnic.net> wrote:
>>>>
>>>>> There's an interesting write up on the matter on the CloudFlare blog
>>>>> at the moment -
>>>>> http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
>>>>>
>>>>> (The Massive Attack picture is a nice touch).
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 28, 2013 at 1:29 AM, ComKal Networks <admin at comkal.com.au>wrote:
>>>>>
>>>>>> <http://www.bbc.co.uk/news/technology-21954636>
>>>>>>
>>>>>> <QUOTE>
>>>>>> The internet around the world has been slowed down in what security
>>>>>> experts are describing as the biggest cyber-attack of its kind in history.
>>>>>> </QUOTE>
>>>>>>
>>>>>>
>>>>>> Cheers
>>>>>> Ian Manners
>>>>>> ComKal Networks Australia
>>>>>>
>>>>>> _______________________________________________
>>>>>> AusNOG mailing list
>>>>>> AusNOG at lists.ausnog.net
>>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> AusNOG mailing list
>>>>> AusNOG at lists.ausnog.net
>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20130328/87bddc25/attachment.html>


More information about the AusNOG mailing list