Largest DDoS In History Reaches 300 Billion Bits Per Second

An anonymous reader writes "The NYT is reporting that the Largest DDoS in history reached 300 Gbps. The dispute started when the spam-fighting group Spamhaus added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time. Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so. The attacks were first mentioned publicly last week by Cloudflare, an Internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target."

Watch your clauses, people!

[Looker_Device]

The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam.

I think what they meant to say here was: "The dispute started when the spam-fighting group Spamhaus, which maintains a blacklist used by e-mail providers to weed out spam, added the Dutch company Cyberbunker to its blacklist."

Re:Watch your clauses, people!

[Anonymous Coward]

I came here to say this, and was all prepared to lambaste the summary, when I took the time to discover that the sentence is straight from TFA!

Great jorb, New York Times. And they wonder why newspapers are dying.

Old is new again

[Papa Legba]

I find it very interesting that they are using a variation on the Old Smurf attacks for this. Sending a message to other places that work as an amplifier. You would think that after 10 years we would have learned that blind, unchecked, forwarding is not a good thing.

Re:Bunker

[Psyborgue]

It is a bunker. And it's not so simple, as this swat team [cyberbunker.com] discovered.

Alleged attempts to enter the bunker by force.

[Gorath99]

From the summary:

Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so.

From TFA:

Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team. “Dutch authorities and the police have made several attempts to enter the bunker by force,” the site said. “None of these attempts were successful.”

In other words: Cyberbunker is not currently under assault by police, and we have only their word that they ever have been. I suspect that at one time they were successful in having visiting cops think nobody was home by being real quiet and quickly turning off all the lights.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Watch your clauses, people!

[PartyBoy!911]

Me neither, Netflix isn't even available for Dutch people.

Re:Bunker

[JaredOfEuropa]

That is not a SWAT team, those guys would be better armed and a little more bullet proof. This is just Dutch police in riot gear, of which these woven bamboo shields are a standard component. According to an ME (riot police) buddy, the bamboo shields are pretty good, lighter than the more common plastic shields, and more flexible, meaning they are better at deflecting thrown objects. The only disadvantage is that they do not stand up well to stab weapons, which has not really been an issue until a group of squatters defended themselves with iron pipes with large spikes capable of puncturing these shields.

better articld

[WGFCrafty]

http://bbc.co.uk/news/technology-21954636 [bbc.co.uk]

No b/s subscription paywall nonsense

Re:And the perpetrator(s) are...

[WGFCrafty]

More likely some mafiosi that controls malware and spambots, and their "clients" don't like a bunch of amateurs blocking their messages.

DING DING DING

From the BBC article [bbc.co.uk]:

Spamhaus has alleged that Cyberbunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, is behind the attack.

Re:Alleged attempts to enter the bunker by force.

[1u3hr]

You realize Cyberbunker is situated in a bunker designed to survive a nuclear war.

You don't have to kill them. Just unplugging their Internet connection would be enough, Then padlock the door and wait till they knock on it and ask to be let out. How long could that be? A week at the outside?

I don't believe the bullshit about then fending off SWAT teams anyway. That's what they say on their own website. No government really cares about spam enough to send in a SWAT team. It's all "protected commercial speech", and plenty of assholes in government are happy to let them do it. If they gave a shit, they know who is DDOSing and exactly where they are. They could arrest them. Freeze their bank accounts. Turn off their electricity, water. But they do nothing.

Re:It is bullshit

[Anonymous Coward]

What this is really a case off is an asswipe getting away in civilized society with being an asswipe because the rest of us aren't asswipes.

Yeah, but enough about Spamhaus. Seriously, this crap couldn't have happened to a better group of passive-aggressive assholes. I'm glad that they're finally getting a taste of their own medicine, even if it is coming from an equally disreputable group.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Bunker

[LordLimecat]

What materials exactly are they that are going to resist 4500 C cutting tools? You realize that a lot of bunkers are largely concrete, and that a thermal lance will go right through that, right? And that no bunker would completely withstand a nuclear blast-- it would take some damage, there is just sufficient material and the blast is sufficiently spread out that the bunker stands.

Once you start focusing with a lance on a bunker door, or break out a bunker-buster bomb designed to penetrate before exploding (rather than the mid-air explosion of a nuclear bomb), the bunker will fall.

Spamhaus reports, _users_ block

[Onymous Coward]

The different lists published by Spamhaus distinguish whether the IPs are directly responsible or are organizationally related. There is no abuse of power here — customers subscribe to the lists that they want, and use those lists to block as they see fit. Spamhaus isn't forcing anyone to use the lists, nor is it misrepresenting what's in the lists.

Re:Watch your clauses, people!

[HappyPsycho]

Yes, its called Reverse path forwarding http://en.wikipedia.org/wiki/Reverse_path_forwarding [wikipedia.org] for this specific case you would want the unicast version (uRPF).

The concept boils down to a simple question,

"I just got a packet from A.B.C.D on interface ethX, if I had to send a packet to A.B.C.D would I use ethX?"

If the answer is yes, then the packet goes along its merry way. If the answer is no, then the packet is most likely spoofed and is dropped.

The performance impact is negligible as such lookups for the destination are already fully optimized by ASICs (hence a cisco 7600 with a measly 300Mhz processor can still route gigabit at wire speed), multi-path is a non-issue (assuming a non-brain dead implementation) as if multiple paths exist the answer to the question would still be yes as long as it came from one of the valid paths.

There might be valid reasons for asymmetric traffic which may prevent this from being universally deployed (say some satellite providers which only send download via satellite and upload is over something else) but for the vast majority of ISPs its safe to deploy.

At the ASN level each ISP is assigned a block of ips, if you are not a transit its a simple matter of just filtering to ensure nothing leaving your network is saying otherwise. Once you hit transit links both this scheme and RPF lose their power as depending on the failure almost any transit link can be a valid path. For such a scheme to work it has to be implemented as close to the end point as possible (which is the general structure of the Internet, intelligence sits near the edge where traffic volumes are reasonable, core is dedicated to just high speed movement of traffic).