
9:55:00 AM

Unknown

A cyberattack originally targeting a single company is now being
described by experts as one of the biggest Distributed Denial of Service
(DDoS) attacks in Internet history. The assault, which recently began
impacting elements of the Internet's physical infrastructure, has been
dragging down Internet speeds in Europe — but what makes this type of
attack different from all other attacks?
First, some background: The attacks originally targeted a European
anti-spam company called Spamhaus, which blacklists what it considers
sources of email spam and sells those blacklists to Internet Service
Providers. The attack began early last week as waves of large but
typical DDoS assaults
shortly after Spamhaus blacklisted Cyberbunker, a controversial web
hosting company. Cyberbunker has not directly taken responsibility for
the attacks against Spamhaus.
In a common DDoS attack, hackers use thousands of computers to send
bogus traffic at a particular server in the hopes of overloading it. The
computers involved in DDoS attacks have often been previously infected
with malware that gave a hacker control of the machine without the
legitimate owner's knowledge. Hackers use malware (often sent via email
spam) to amass large networks of infected computers, called "botnets,"
for DDoS operations and other purposes.
Spamhaus contracted with security firm CloudFlare to help mitigate
the attacks soon after they began. CloudFlare has been defending
Spamhaus by spreading the attack traffic across its many data centers,
so that no single site has to absorb all of it; that technique can keep
a website online even when it is hit by the maximum amount of traffic a
typical DDoS can generate.
"Usually these DDoS attacks have kind of a natural cap in their size,
which is around 100 gigabits per second," CloudFlare CEO Matthew Prince
told Mashable, explaining that the cap on a typical DDoS comes from the limits of the routing hardware the traffic has to pass through.
These attacks, however, have evolved into a complex and ferocious
beast, pointing up to 300 gigabits per second at an expanding list of
targets. How?
After the hackers realized they couldn't knock Spamhaus offline while
it was protected by CloudFlare, they chose a different tactic:
targeting CloudFlare's own upstream network providers by abusing a
long-known weakness in how the Domain Name System (DNS), a key piece of
Internet infrastructure, is deployed.
"The interesting thing is they stopped
going after us directly and they started going after all of the steps
upstream from us," said Prince. "Going after our immediate transit providers, then going after their transit providers."
DNS translates what humans type into an address bar
("www.mashable.com") into the IP address of the desired website, which
is what a user's computer needs in order to fetch the content. An
essential element of the system is the recursive resolver, the server
that looks names up on behalf of clients. An estimated 21.7 million of
those resolvers are "open": they answer queries from any address on the
Internet, so attackers can find them and abuse them.
"The attack works by the attacker spoofing the victim's IP address,
sending a request to an open resolver and that resolver reflecting back a
much larger response [to the victim], which then amplifies the attack,"
said Prince. A detailed technical explanation is available on CloudFlare's blog.
Two things make this work. A DNS response is many times larger than the
request that triggers it, so a few dozen bytes of forged query can turn
into kilobytes of reply delivered to the victim, and resolvers sit on
large pipes with plenty of bandwidth to point at a target. Together these
let attackers amplify a standard DDoS from its usual ceiling of about
100 gigabits per second to the neighborhood of 300 gigabits per second.
Prince told Mashable these attacks have been "certainly the largest attacks we've seen."
"And we've seen what we thought were some big attacks," he added.
Kaspersky Labs, a leading security research group, called it "one of the
largest DDoS operations to date."
Internet speeds around the world can be affected by DNS amplification on
this scale because the Internet relies on DNS to work: the reflected
traffic crosses the same links and exchange points everyone else uses,
and the abused resolvers serve legitimate users too, so services that
were never targeted still feel the consequences.
What can be done to prevent these specialized DDoS attacks?
First, said Prince, Internet Service Providers should deploy
source-address validation (ingress filtering, known as BCP 38) so that
packets carrying forged source addresses never leave their networks.
Second, network administrators need to close every open DNS resolver on
their networks by restricting recursion to their own clients.
"Anyone that's running a network needs to go to openresolverproject.org,
type in the IP addresses of their network and see if they're running an
open resolver on their network," said Prince. "Because if they are,
they're being used by criminals in order to launch attacks online. And
it's incumbent on anyone running a network to make sure they are not
wittingly aiding in the destruction of the Internet."
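The mechanism Prince describes above (a small query forged from the victim's address, a much larger answer reflected by an open resolver) and the open-resolver check he recommends, as one added worked example that is not from the article, Mashable or CloudFlare. It builds the query packet an attacker would spoof, constructs a stand-in for the large reply (the name isc.org and the record sizes are assumptions), measures the on-the-wire amplification, and decides from a reply whether a server behaves as an open resolver. probe_resolver is the only function that touches the network, and it should only be pointed at addresses you are responsible for.

```python
"""DNS reflection/amplification end to end. Added example, not code from the
article, Mashable or CloudFlare: builds the tiny query an attacker spoofs,
constructs the large answer an open resolver would reflect, measures the
amplification, and decides from a reply whether a resolver is open. Assumed and
constructed: the target name isc.org and the record sizes in the fake answer.
Only probe_resolver touches the network."""
import socket
import struct

IP_UDP_OVERHEAD = 28  # IPv4 (20) + UDP (8) header bytes on the wire

def encode_name(name):
    """Dotted name -> DNS labels (length byte + label ..., then a 0 byte)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def build_query(name, qtype=255, txn_id=0x1234, edns_udp_size=4096):
    """Wire-format query. qtype 255 is ANY; the EDNS0 OPT record advertises a
    4096-byte UDP buffer so the resolver sends a large answer in one datagram.
    This is the few-dozen-byte packet the attacker forges from the victim's IP."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # root, OPT, udp size, ttl, rdlen
    return header + question + opt

def question_length(msg, offset=12):
    """Length of the question section at offset (labels + type + class)."""
    i = offset
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - offset

def parse_header(msg):
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def build_constructed_response(query, rrs, rcode=0):
    """Constructed stand-in for a resolver's reply (no network): echoes the
    question, sets QR|RD and, for NOERROR, RA, then appends (type, rdata)
    answer RRs that name the question via a compression pointer (0xC00C)."""
    txn_id = struct.unpack("!H", query[:2])[0]
    question = query[12:12 + question_length(query)]
    ra = 0x0080 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txn_id, 0x8100 | ra | rcode, 1, len(rrs), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
                    for rtype, rdata in rrs)
    return header + question + body

def amplification_factor(query, response):
    """Bytes landing on the victim per byte the attacker sends, headers included."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)

def is_open_resolver(response, query):
    """Open means the server answered our recursive query for a name it is not
    authoritative for: matching ID, QR=1, RA=1, NOERROR, at least one answer.
    A restricted server returns REFUSED (rcode 5) with RA=0, or nothing at all."""
    if response is None or len(response) < 12:
        return False
    h = parse_header(response)
    return (h["id"] == struct.unpack("!H", query[:2])[0] and h["qr"]
            and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0)

def probe_resolver(ip, name="isc.org", timeout=2.0):
    """Network check of one address you are responsible for (the manual
    equivalent of the openresolverproject.org lookup): send a plain A query
    and report whether the host answered it recursively."""
    query = build_query(name, qtype=1, edns_udp_size=512)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (ip, 53))
        data, _ = sock.recvfrom(4096)
    except OSError:  # timeout or ICMP unreachable: no recursive answer, not open
        return False
    finally:
        sock.close()
    return is_open_resolver(data, query)

def demo():
    """Constructed ANY answer: one A record, six 255-byte TXT strings and a
    260-byte DNSKEY-sized blob, about what a DNSSEC-signed zone returns."""
    query = build_query("isc.org")
    rrs = [(1, b"\x0a\x00\x00\x01")] + [(16, b"\xff" + b"x" * 255)] * 6 + [(48, b"\x00" * 260)]
    answer = build_constructed_response(query, rrs)
    refused = build_constructed_response(query, [], rcode=5)
    return {"query_bytes": len(query), "answer_bytes": len(answer),
            "factor": amplification_factor(query, answer),
            "open": is_open_resolver(answer, query),
            "refused_is_open": is_open_resolver(refused, query)}

if __name__ == "__main__":
    r = demo()
    print(f"{r['query_bytes']} B query -> {r['answer_bytes']} B reply, x{r['factor']:.1f} on the wire")
    print("open resolver reply:", r["open"], "| REFUSED reply:", r["refused_is_open"])
```

Running the module prints the constructed query and reply sizes and an on-the-wire amplification of roughly 30x, which is the point of the technique: the attacker's own bandwidth only has to carry the forged queries, and every open resolver they reach multiplies it before it lands on the victim. A server that answers the probe with REFUSED, or not at all, is not usable as a reflector.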
If there's a silver lining to these continued attacks, it's that they
have likely motivated the security industry, which has been discussing
the open resolver problem for some time without taking sufficient action
on it. Prince, however, warns that DNS-amplified DDoS attacks won't
be going away any time soon.
"The good news about an attack like this is that it's really woken up
a lot of the networking industry and these things that have been talked
about for quite some time are now being implemented," said Prince.
"There was some progress on shutting down open resolvers before," he
added later. "I think that's going to be a constant process — this is a
problem that we're going to have to live with for the next several
years."