[AusNOG] Global internet slows after 'biggest attack in history'

Tom Paseka tom at cloudflare.com
Thu Mar 28 16:51:19 EST 2013


Some hosting providers running some versions of hosting panels had
recursive DNS servers turned on by default. They may have /24's or larger,
just using said hosting panel, all running open recursors.

I've even seen consumer modems running as DNS recursors
(and participating in attacks).

On Wed, Mar 27, 2013 at 10:49 PM, Joshua D'Alton <joshua at railgun.com.au> wrote:

> Never mind, if they are subnets then 108k x 200 = 21 mil, but that does
> still seem high. That would imply the majority of those subnets are running
> open resolvers on the majority of the IPs in those subnets. Seems unlikely,
> but can't argue with the facts if that is the case. But some explanation
> might be useful :)
>
>
> On Thu, Mar 28, 2013 at 4:45 PM, Joshua D'Alton <joshua at railgun.com.au> wrote:
>
>> Hey Tom, are you sure those numbers for open resolvers are correct?
>>
>> Based on the list on
>> http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html I don't count anywhere near a million let alone 21.7? I count 108418 on
>> that list.
>>
>>
>>
>> On Thu, Mar 28, 2013 at 2:13 PM, Tom Paseka <tom at cloudflare.com> wrote:
>>
>>> Sure, 300Gbps isn't that much in the scheme of things. But 300Gbps new
>>> traffic without any notice is a big deal for anyone. Even the Tier-1s.
>>>
>>> Australia's international capacity is much higher than 300Gbps - yes,
>>> but not in lit and unutilised capacity. You're also right in that these
>>> attacks were in 4-5 hours.  In the past, we've seen sustained 75Gbps for 3
>>> weeks.
>>>
>>> Mitigations are not always possible, especially when the attacks are
>>> pointed at critical infrastructure, or infrastructure that can't be changed
>>> easily (as has been the case here).
>>>
>>> So while it's not a physical cut, like the death of a telephone
>>> exchange, it'd cause a lot of headaches for the ISPs getting attacked.
>>>
>>>
>>> On Wed, Mar 27, 2013 at 7:50 PM, Damian Guppy <the.damo at gmail.com> wrote:
>>>
>>>> You need to keep in mind that the worse that Cloudflare makes this
>>>> attack seem, the better it makes them look for being able to mitigate it.
>>>> 300gbps is actually not that much on the scale of global backbone traffic
>>>> (the actual amount of traffic hitting cloudflare only reached 120Gbps
>>>> anyway), Australia has much higher international capacity than that. Also
>>>> DDOS attacks are rarely sustained over more than a few hours, in the case
>>>> of the cloudflare attack it was more like waves of attacks lasting 4-5
>>>> hours each, some big some small.
>>>>
>>>> If someone pointed that kind of botnet attack at Australia the impact
>>>> might be degraded internet speeds on some ISP's for a few hours until
>>>> either the attack started to subside or for the ISP's NOC (and their
>>>> upstream providers - they don't want to carry the traffic any more than the
>>>> ISP does) to implement mitigations. You certainly would not be without
>>>> total internet access for weeks and weeks on end like what happens if a
>>>> critical exchange burns to the ground.
>>>>
>>>> --Damian
>>>>
>>>>
>>>> On Thu, Mar 28, 2013 at 8:52 AM, Tom Paseka <tom at cloudflare.com> wrote:
>>>>
>>>>> Definitely. Some ISPs may have enough capacity to soak up this traffic
>>>>> internationally, but not to carry it to Australia.
>>>>>
>>>>> On Wed, Mar 27, 2013 at 5:18 PM, Joshua D'Alton <joshua at railgun.com.au
>>>>> > wrote:
>>>>>
>>>>>> Nice writeup.
>>>>>>
>>>>>> It seems they are focusing a lot on the open resolver issue, but that
>>>>>> is only half or 1/3rd of the coin. The other problem is people being able
>>>>>> to send all these forged packets in the first place, and beyond that, have
>>>>>> so many tcp connections.
>>>>>>
>>>>>> There are only a few ISPs globally outside of the tier1 and some
>>>>>> tier2 that could handle such an attack, I think telstra (and subsequently
>>>>>> all AU isps) would crumble easily under such an attack, and I might be
>>>>>> wrong, please someone tell me I am, but we could be hit at any moment and
>>>>>> with ramifications far above that of the Warrnambool fire?
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 28, 2013 at 7:44 AM, Peter Adkins <
>>>>>> peter.adkins at kernelpicnic.net> wrote:
>>>>>>
>>>>>>> There's an interesting write up on the matter on the CloudFlare blog
>>>>>>> at the moment -
>>>>>>> http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
>>>>>>>
>>>>>>> (The Massive Attack picture is a nice touch).
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Mar 28, 2013 at 1:29 AM, ComKal Networks <
>>>>>>> admin at comkal.com.au> wrote:
>>>>>>>
>>>>>>>> <http://www.bbc.co.uk/news/technology-21954636>
>>>>>>>>
>>>>>>>> <QUOTE>
>>>>>>>> The internet around the world has been slowed down in what security
>>>>>>>> experts are describing as the biggest cyber-attack of its kind in history.
>>>>>>>> </QUOTE>
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Ian Manners
>>>>>>>> ComKal Networks Australia
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> AusNOG mailing list
>>>>>>>> AusNOG at lists.ausnog.net
>>>>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>>>>
>
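
A defender's check for the open recursors described in the top message, added here as an example and not part of the thread: given replies to a recursive query (RD set) for a name the server is not authoritative for, sent from outside your own network to your own address space, it reads the DNS header to list the hosts that recurse for outsiders. The function names, the 192.0.2.x addresses and the sample replies are constructed for illustration.

```python
import struct

QR, RD, RA, REFUSED = 0x8000, 0x0100, 0x0080, 5  # header flag bits and rcode (RFC 1035)

def make_response(txid, ra, rcode, answers):
    """Constructed sample: reply to an 'example.com A' query that had RD set."""
    flags = QR | RD | (RA if ra else 0) | rcode
    header = struct.pack("!6H", txid, flags, 1, answers, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    # One A record pointing back at the question name via a compression pointer.
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * answers

def classify(packet, txid):
    """Return 'open', 'closed' or 'malformed' for one reply to a recursive query."""
    if len(packet) < 12:
        return "malformed"              # shorter than a DNS header
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if rid != txid or not (flags & QR):
        return "malformed"              # not a reply to our query
    if (flags & 0x000F) == REFUSED or not (flags & RA):
        return "closed"                 # refuses, or offers no recursion
    return "open"                       # recursion available to an outside client

def open_recursors(replies, txid):
    """replies: {ip: raw UDP payload}. Returns the IPs that recurse for outsiders."""
    return sorted(ip for ip, pkt in replies.items() if classify(pkt, txid) == "open")

# Constructed replies, as if collected by auditing your own /24 from outside.
SAMPLE = {
    "192.0.2.10": make_response(0x1234, ra=True, rcode=0, answers=1),        # recursion on by default
    "192.0.2.11": make_response(0x1234, ra=True, rcode=REFUSED, answers=0),  # recursion ACL in place
    "192.0.2.12": make_response(0x1234, ra=False, rcode=0, answers=0),       # authoritative only
    "192.0.2.13": b"\x12\x34\x81",                                           # truncated junk
}

if __name__ == "__main__":
    print(open_recursors(SAMPLE, 0x1234))
```

Hosts reported as open are the ones to fix, by restricting recursion to your own client ranges or turning it off where the box only needs to be authoritative.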