Internet Reality 2013: 300Gbps DDoS Attack based on DNS

Posted on April 15, 2013 by


The DDoS attack on Spamhaus last month got a lot of attention, not least because of a) the record-breaking traffic volume involved (300 Gbps) and b) the method used to generate the traffic: DNS reflection.

The attacks were able to flood the victim servers with 300 Gbps of traffic – DNS traffic (!).
The idea behind the DNS reflection method (as the name suggests) is as simple as it is effective: the attacker sends a DNS look-up query to a publicly accessible (open) Internet DNS server using a forged source address (the victim's), making the query appear as if it came from the victim's IP address. The DNS server does its job and sends its response to the given source address, that is, to the victim.

So far, so good, so simple. If you happen to have access to a botnet, this traffic can be multiplied on a scale of tens or hundreds of thousands – involving a huge number of DNS servers sending DNS look-up response packets to the victim – in the case of Spamhaus resulting in 300 Gbps traffic volume.

To make this an even more effective DDoS, the DNS look-up queries are crafted in a manner that results in particularly large responses from the DNS server.
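Seen from the victim's side, reflected traffic consists of DNS responses that match no query the victim ever sent. The following is an added example, not code from the original post: a small detector that pairs outgoing queries with incoming responses by resolver address and transaction ID and totals the bytes of unmatched responses. The function names, the `(direction, peer_ip, payload)` input format and the sample traffic are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def parse_header(payload):
    """Return (txid, is_response) from the 12-byte DNS header, or None if truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit: 1 = response

def find_unsolicited(packets):
    """packets: iterable of (direction, peer_ip, udp_payload), direction 'out' or 'in'.
    Returns (unsolicited_bytes_per_peer, solicited_count)."""
    pending = set()          # (resolver_ip, txid) for queries we actually sent
    unsolicited = Counter()  # resolver_ip -> bytes of responses we never asked for
    solicited = 0
    for direction, peer, payload in packets:
        hdr = parse_header(payload)
        if hdr is None:
            continue         # too short to be a DNS message
        txid, is_response = hdr
        if direction == "out" and not is_response:
            pending.add((peer, txid))
        elif direction == "in" and is_response:
            if (peer, txid) in pending:
                pending.discard((peer, txid))
                solicited += 1
            else:
                unsolicited[peer] += len(payload)
    return unsolicited, solicited

def sample_msg(txid, is_response, size):
    """Constructed test payload: real DNS header layout, zero-filled body."""
    flags = 0x8180 if is_response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\x00")

# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLE = [
    ("out", "192.0.2.53", sample_msg(0x1A2B, False, 40)),
    ("in", "192.0.2.53", sample_msg(0x1A2B, True, 120)),      # answer to our own query
    ("in", "198.51.100.7", sample_msg(0x7777, True, 3000)),   # never asked
    ("in", "198.51.100.7", sample_msg(0x7778, True, 3000)),
    ("in", "203.0.113.9", sample_msg(0x0001, True, 2800)),
    ("in", "203.0.113.9", b"\x00\x01"),                       # truncated, ignored
]

if __name__ == "__main__":
    flagged, ok = find_unsolicited(SAMPLE)
    print("solicited responses:", ok)
    for ip, nbytes in flagged.most_common():
        print(f"unsolicited DNS responses from {ip}: {nbytes} bytes")
```

A host that receives a sustained stream of large responses it never requested, from many resolvers at once, is the pattern this flags.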

However, size alone does not matter

In the case of Spamhaus, it was volume and the specific type of traffic eating server resources to the point of denial of service.

Hence, when planning DDoS safeguards and proactive countermeasures (including DDoS mitigation services offered by third parties), one is well advised to plan for more than just volume-based attacks. As a matter of fact, application flood DoS attacks do not require much traffic to be as effective as (if not more effective than) network flood attacks. I recommend this reading to start diving deeper into that subject:
