'Largest online attack' against Spamhaus may have used existing vectors with high magnification

News by Dan Raywood

The biggest attack in history was caused by magnification and reflective amplification, likely by using a botnet.

The biggest attack in history was caused by magnification and reflective amplification, likely by using a botnet.

Speaking to SC Magazine, Darren Anstee, solutions architect team manager for Arbor Networks, said that while attacks up to 100 or 200Gbps have previously been seen, the attack on Spamhaus of 300Gbps is "significantly larger" than anything previously seen.


Anstee said the attackers used "DNS reflective amplification" where the attacker leverages the infrastructure of the internet to magnify the size of the attack. He said: “When you visit a website you send a domain name server (DNS) query to the DNS server and this responds with the answer that resolves the domain name to the IP address, and the responses can be large.


“Here, the attacker is creating small DNS query packets and open DNS resolvers are responding with large responses.  The attackers have spoofed the source IP address used in the initial queries to be the intended target of the attack, and thus the DNS resolvers respond to the victim (Spamhaus) with the much larger response packets – magnifying the attack capability of the attacker.”


Anstee said that when you make a DNS query, the response back from the website you visit can be many times larger than the original query – especially if an ANY query type is used.


As an example, he said if a visitor goes to SC Magazine, the user's host machine needs the IP address for network communications. The domain name for SC Magazine is resolved to the relevant IP address using DNS.

“As DNS is a UDP protocol, the receiving DNS resolver simply trusts that the originator of the query has used their own valid IP address as the source of the request, and responds accordingly. DNS reflective amplification attacks, as these are known, leverage the fact that some operators do not filter traffic from their users – to ensure they are using the correct IP ranges – and the fact there are many open DNS resolvers out there which will respond to a query from anyone."


Asked if the 300Gbps was completely unexpected or unprecedented, Anstee said that this was achieved by a large multiplication factor and while Arbor Networks did not have any data on this attack at the time of speaking, he did say that the attackers may have used more resources than before.

He said: “One key issue with attacks of this magnitude is that their size can cause congestion along their path through the Internet, causing problems for multiple services not in any way related to the original target of the attack.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews