Henry Dalziel | Hacker Hotshots | October 23, 2013
We had an excellent Hacker Hotshot web show with Matthew Prince, co-founder of CloudFlare. The title of the presentation was “Lessons from Surviving a 300Gbps Denial of Service Attack” (40 minute video).
There is likely no one more knowledgeable on the subject of Denial of Service and we were very honoured to have Matthew on the show.
Concise Courses: I read on a black hat forum that hackers are selling DoS attacks for $10! Is that an indication of the future, i.e. hackers for hire?
There has been a rise of what are known as ‘booter’ or ‘stresser’ sites, and these are relatively simple sites where you can enter payment information and then buy Denial of Service attacks by the minute or by the hour. The troubling thing here is that, as we have beaten spammers by beating their ability to send email spam, all these botnets that in the past were monetized by sending spam out are left over. Unfortunately, now that that is not as successful a business model, these botnets are now acting like the ‘torpedo in The Hunt for Red October’: they are searching and looking for some new target. One of the new ways for bad guys to monetize these botnets is by launching Denial of Service attacks for hire, and there is definitely a rise in that.
…now that [spamming] is not as successful a business model, these botnets are now acting like the ‘torpedo in The Hunt for Red October’.
In this particular case [for reference, watch the presentation], the young kid who was based in London and was launching the attack was actually being paid by the people that had this beef with Spamhaus, and there have been subsequent reports that he had been generating hundreds of thousands of dollars launching these types of attacks for a lot of people around the world.
I think it definitely is a sign of things to come, and unfortunately it means that any disgruntled customer that you have, any competitor that has a beef with you, or anyone that wants to extort you has a new weapon, and it is something that we see on a daily basis.
Concise Courses: Is the Low Orbit Ion Cannon still a threat?
A threat to whom, I guess, is the question. At the end of the day, a Denial of Service attack is when an attacker is trying to generate more traffic than you have resources to handle. Being on the ‘Today Show’ is a ‘threat’ from a Denial of Service attack because there is a whole bunch of traffic that comes to your site. We used to talk about the ‘slashdot effect’ or the ‘digg effect’, or today it’s the ‘reddit effect’, where if you are up on that you get so much traffic.
Something like that, the types of tools that have been popularized by Anonymous, again, they can be as much of an attack threat as there are people able to use them at any given time. If you have a million people that you have upset and they are using a tool like that in order to launch an attack, they are going to be able to generate a significant amount of traffic. Most of these attacks [are] Layer 7 attacks that generate a large amount of traffic from a bunch of individuals contributing to some sort of cause; they frankly pale in comparison to some of the very large amplification-style attacks. That doesn’t mean that they are not a threat to most organizations. Most organizations, if they see 10 Gigabyte of DDoS traffic, it would knock them offline. For us it is a ‘day in the life’; it takes about 100 Gigabyte per second before it starts to set off alarms on our systems.
Concise Courses: You spoke about DNS – are there any negatives with our organization having our traffic routed through OpenDNS?
OpenDNS is a great organization, David Ulevitch has been a friend for ten years, and they do a lot to ensure that their network isn’t being abused, so when I talk about an Open DNS Resolver, that is a ‘thing’, not the company.
OpenDNS is a great organization; they have a lot of additional features and protection that can sit on top of it, and they are quite the opposite of something which is abused by attackers: they are something which does a lot to ensure that bad attacks are not being launched from a particular organization’s site.
We use OpenDNS in some parts of our organization. There are other DNS Resolvers that again have very proper rate limits in place, like Google and Level 3, that run fairly large Open DNS Resolvers. But if you are a company and you are running a DNS Resolver, there is no reason that you should be running it in an open state, or setting it up to be promiscuous to anyone that sends a request. Google, and those types of organizations, know how to put proper rate limits in place. If you for some reason in your organization have to run a DNS Resolver, then make sure that it is locked down so that it only responds to requests coming from IP addresses inside your own network, and that way it won’t be abused by attacks.
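The lockdown Matthew describes, shown as an added example for a BIND 9 `named.conf` (this is not configuration from the show, Concise Courses or CloudFlare). The weak fragment is the open-resolver state; the second fragment restricts recursion and cache answers to the organization's own address ranges and adds response rate limiting. The `internal` ACL and its network ranges are placeholders to be replaced with your real internal address space; use one `options` block or the other, never both in the same file.

```conf
// Added example, not from the original page. Placeholder ranges throughout.

// WEAK: an open resolver. Any host on the Internet can send it recursive
// queries, so it can be made to answer (and amplify) traffic toward a
// spoofed source address.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// LOCKED DOWN: recursion and cache access only for your own networks.
// Sources outside the ACL receive a small REFUSED reply instead of a
// large answer.
acl "internal" {
    127.0.0.0/8;
    ::1/128;
    10.0.0.0/8;        // placeholder: your internal IPv4 ranges
    192.168.0.0/16;    // placeholder
};

options {
    recursion yes;
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Response Rate Limiting (BIND 9.9.4 and later): caps identical
    // responses per client netblock, so even permitted queries cannot
    // elicit an unbounded stream of answers.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

After editing, `named-checkconf` validates the syntax before a reload. To confirm the resolver is no longer open, issue a recursive query for an external name from an address outside the `internal` ACL (for example, from a host on a different network you control): the expected status is REFUSED, while the same query from an internal address should still be answered.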
Has your site been the victim of a DoS/DDoS-style attack? We’d love to hear your mitigation and how you try to prevent such attacks and stay online.