Wednesday, 31 July 2013

CloudFlare at Black Hat: Don't Be an Unwilling DDoS Participant

CloudFlare
This past spring, spam-watchdog Spamhaus got hit with a distributed denial of sevice (DDoS) attack that took their servers offline and caused temporary regional Internet disrupstions. CloudFlare, a Web performance and security company, helped Spamhaus recover. At the Black Hat conference in Las Vegas, Matthew Prince, the co-founder and CEO of CloudFlare, reported on just what was learned.
"The neat thing about Spamhaus is that they're a really open organization," said Prince. "Most of our customers don't like us talking about attacks, but the Spamhaus guys said hey, tell the story."
Prince reviewed the stages of the attack, which went through a few days of low-level DDoS that didn't cause problems, but eventually ramped up to a hitherto-unprecedented 309 Gbps (gigabits per second). While media reported that the attack came from a bunker in the Netherlands, Prince pointed out this wasn't the actual mastermind. "Hey, he talked to the New York Times!" quipped Prince. It turns out the brains behind the attack belonged to a 15-year-old London boy, now in custody.
What resourced did this kid need? "You don't need a botnet," said Prince, "and you don't need a lot of people, like Anonymous." He went on to say that the attack didn't need a lot of technical expertise. "It's like a caveman beating up your network." He went on to display a very simple line of network instructions that would demonstrate the kind of attack used.
Black Hat 2013 Bug
All you need for this kind of attack is a list of open DNS resolvers and access to some servers that allow source IP spoofing. "Those are the ingredients," said Prince. "If you have those two things, even a tiny number, you can launch large attacks. And nothing has changed since the Spamhaus attack."
Prince exhorted attendees to clean up their own networks, making sure they're not part of the problem. "Check your own IP space at OpenResolver.com," said Prince, "and fix any misconfigured devices. You may be surprised to find that you do have a problem." "A simple flag in your edge routers will prevent IP spoofing," he continued. "There's no excuse for not doing this." He finished with a number of more technical recommendations for network hygiene.
Alas, the Internet as a whole is not taking this advice. Since the Spamhaus attack the number of known open DNS resolvers has grown from 21 million to 28 million. Prince pointed out a very simple change that could have made multiplied the traffic in the Spamhaus attack by ten, or even 100. Let's hope the good guys can stay ahead of the game.

No comments:

Post a Comment