Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Anotomy of The Largest DDOS Attack That Almost Took Down The Internet




Recently, the largest DDOS attack in the history of the internet has been noticed, According to the reports from various websites; the attack was of more than 300GB/second. It all started when Spamhaus(NON PROFIT ORGAZNIATION) that manages the spam filters for various websites blacklisted a Dutch based webhosting company CyberbunkerCyberbunker allows a user to host everything else than Child pornography and stuff related to terrorism. This allows an attacker to host any malicious software such as botnet. A botnet can be used for variety of purposes ranging from stealing credit card information, infecting PC's to even denial of service attacks.
In a interview with bbc, Spamhaus blamed the Cyberbunker for the ongoing attacks, they said that Cyberbunkers have joined hands with attackers to perform DDOS attacks in order to compromise the availability.


The attack was a Denial of service attacks, which is often used by attackers to compromise the availability of the website by flooding the website with huge number of packets (In most cases), The DDOS attack was aimed at the DNS servers of Spamhaus, A DNS server is responsible for the translation of an IP address to domain name, In simple words, When we are accessing any website on the internet, on the back end we are actually accessing the IP address, DNS simplifies the process.

The experts call the attack as the biggest DDOS attack in the history of the internet, Normally, when we talk about a massive DDOS attack against huge infrastructures, It ranges from
30 to 50 GB per second of traffic, however this attack was more than 300gbps per traffic. The company moved to Cloudfare (A web performance and security company) in order to protect their services from been taken down, Initially they were receiving 10GBPS of traffic, but it got even the worse the attack and the highest peak noted was around 300GBPS. However, instead of going after Spamhaus the attackers targeted Cloudfare itself, the attackers failed to knock Cloudfare servers, even after a 100GIGS of traffic, after that they targeted the bandwidth providers of Cloudfare known as "Tier2", who itself buy bandwidth from Tier1 provider. The major traffic load was carried out by Tier1, which reported more than 300GBPS of traffic, making it the largest DDOS attack ever.

Now, one might think that, how is it slowing down the internet?, it's because, this is how the internet works as internet is simply a collection of networks, Let's say, when we are connecting to google.com from Pakistan, our browser sends a http requests, the browser sends/receives a packets which are hopped across lots of routers/networks in between until they reach the Google servers. As mentioned previously Tier2 buys bandwidth from Tier1, Tier1 connects to other Tier1 providers to ensure that all the networks are connected with each other.Tier1 providers are the core of the internet, the Tier1 provider ended up suffering all the traffic. It is reported by Cloudfare that Tier1 providers for Europe were affected, as a reason of which, internet slowdown was noticed for people surfing the internet in those areas. However, In Pakistan, the severity was very low, therefore major slow down was not noticed.

Lots of Pakistani websites are hosted abroad, the following is the list of them:

www.pakistan.gov.pk (Main Pakistan Government Portal)
www.infopak.gov.pk (Ministry of Information and Broadcasting)
www.interior.gov.pk (Ministry of Interior)
www.e-government.gov.pk (E Government Directorate)
www.pta.gov.pk (Pakistan Telecom Authority)
www.pc.gov.pk (Planning Commission)
www.sindh.gov.pk (Government of Sindh)

As as result of the outage they are suffering the outage and lots of Pakistani users are not able to access the websites, If we host these servers in Pakistan, Initially the attack would be mitigated, however it would raise a lot of security concerns, Since Pakistani servers would be more easy for attackers to compromise and knock them off, due to poor security and patch management. Also, I don't see any of the protection against DOS attacks; perhaps if they could acquire Cloudfare protection services, the DOS attacks would be mitigated easily.
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.