'Largest online attack' against Spamhaus may have used existing vectors with high magnification

The biggest attack in history was caused by magnification and reflective amplification, likely by using a botnet.

Speaking to SC Magazine, Darren Anstee, solutions architect team manager for Arbor Networks, said that while attacks up to 100 or 200Gbps have previously been seen, the attack on Spamhaus of 300Gbps is "significantly larger" than anything previously seen.

Anstee said the attackers used "DNS reflective amplification" where the attacker leverages the infrastructure of the internet to magnify the size of the attack. He said: “When you visit a website you send a domain name server (DNS) query to the DNS server and this responds with the answer that resolves the domain name to the IP address, and the requests can be large.

“Here, the attacker is creating small packets and the websites are responding with large requests as the attackers have spoofed false addresses of the IP address of the victim so that a lot of queries pretend to be from the victim (Spamhaus) and this creates a large amount of traffic.”

Anstee said that when you make a DNS query, the response back from the website you visit can be three times larger than what is originally sent.

As an example, he said if a visitor goes to SC Magazine, the browser needs the IP address to make a DNS query. “The recipient IP address is reliant on the honesty of the sending IP address, so if the sender comes from a different IP address or uses another, the data is sent back - so if there are a lot of these it leverages the two biggest holes in internet security: ISPs that do not implement spoofed address filtering; and no egress filtering at the network edge,” he said.

“Here, this may be a botnet which is being used and all hosts are sending to the victim's DNS as the source address is the target, so when the DNS server responds they send to Spamhaus as a magnification of the response.”
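The mechanism Anstee describes leaves two measurable traces that a network operator can check for: a packet leaving the network edge with a source address the network does not own (the egress-filtering gap), and a host that receives far more DNS response bytes than it ever sent in DNS queries (the reflection target). The following is an added example, not code from the article or from Arbor Networks; the flow records, prefixes and thresholds are constructed sample data in a NetFlow-like shape.

```python
"""Added example (not from the article): spotting DNS reflection in flow records."""
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
# 10.0.0.53 is a resolver on our network; 198.51.100.10 plays the victim.
FLOWS = [
    # Legitimate client 10.0.0.5 queries the resolver and gets a normal answer.
    ("10.0.0.5", 40001, "10.0.0.53", 53, 60),
    ("10.0.0.53", 53, "10.0.0.5", 40001, 180),
    # Small queries arrive at the resolver with a forged source of 198.51.100.10.
    ("198.51.100.10", 53000, "10.0.0.53", 53, 64),
    ("198.51.100.10", 53000, "10.0.0.53", 53, 64),
    ("198.51.100.10", 53000, "10.0.0.53", 53, 64),
    # The resolver answers the forged address; each answer dwarfs the query.
    ("10.0.0.53", 53, "198.51.100.10", 53000, 3000),
    ("10.0.0.53", 53, "198.51.100.10", 53000, 3000),
    ("10.0.0.53", 53, "198.51.100.10", 53000, 3000),
]

# Hypothetical address space owned by the network applying egress filtering.
OUR_PREFIXES = [ipaddress.ip_network("10.0.0.0/24")]


def is_spoofed_egress(src_ip, prefixes=OUR_PREFIXES):
    """True if a packet leaving our edge carries a source address we do not own.

    Dropping such packets at the edge (BCP38-style filtering) is the control
    that stops a network from being used to launch spoofed queries.
    """
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


def dns_response_ratios(flows):
    """Per host: DNS response bytes it received divided by DNS query bytes it sent.

    Seen from the resolver's network the forged queries look like the victim's
    own, so the ratio equals the amplification factor. Seen from the victim's
    own edge the queries never existed, sent stays 0 and the ratio is infinite.
    """
    sent = defaultdict(int)      # bytes of queries each host sent to port 53
    received = defaultdict(int)  # bytes of responses each host got from port 53
    for src, _sport, dst, dport, size in flows:
        if dport == 53:
            sent[src] += size
    for src, sport, dst, _dport, size in flows:
        if sport == 53:
            received[dst] += size
    return {h: received[h] / sent[h] if sent[h] else float("inf") for h in received}


def reflection_targets(flows, max_ratio=10.0):
    """Hosts whose inbound DNS response volume cannot be explained by their own queries."""
    return sorted(h for h, r in dns_response_ratios(flows).items() if r > max_ratio)
```

A normal client sits near the three-to-one ratio quoted in the article; the forged-source host in the sample comes out near 47, and a host that sent no queries at all scores infinite, so both vantage points flag the same victim.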

Asked if the 300Gbps was completely unexpected or unprecedented, Anstee said that this was achieved by a large multiplication factor and while Arbor Networks did not have any data on this attack at the time of speaking, he did say that the attackers may have used more resources than before.

He said: “It could be where the traffic is big and here is focused on Spamhaus, but if it goes to places with large capacity, then it causes congestion.”