Maybe the sky is only falling a little bit

There was quite a bit of breathless reporting last week about the DoS against Spamhaus and how it was large enough to break the Internet. As the postmortem has gone on, a few things are becoming clear.

  1. There was a lot of traffic, enough to swamp some major transit points.
  2. Most people, particularly in the US, saw no problems.
  3. Network engineers had more than a few sleepless nights trying to route around the DoS.
  4. Open DNS resolvers are evil and should be closed.

The open DNS resolvers are, I think, a big issue. These are machines working as intended (i.e., not infected with any software) that can be used to amplify traffic and maliciously attack other machines. It’s not the first time standard configurations of machines facilitated abuse (see smurf attack or open relay as examples). In those cases, though, there was considerable response by the Internet and security community to prevent abuse from those machines. Large providers instituted ingress filtering to stop their networks (and their customer networks) from participating in smurf attacks. Lists of open relays were published and prevented from mailing to large networks.
Overall, while neither the number of smurf amplifiers nor the number of open relays has been brought to zero, their numbers have been reduced sufficiently that they are no longer major attack vectors.
I expect to see the number of open resolvers decrease in the future as well. And if open resolvers aren’t closed, they may be isolated so they can’t hurt the rest of us. This may cause network problems for folks using open resolvers. But I can’t feel too sorry for them, when closing a resolver is simple and the price of leaving it open is so high for the rest of us.
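For anyone auditing their own resolver, here is one way to check whether it answers recursive queries for outsiders. This is an added example, not code from the original post: the function names, the constructed sample replies and the 192.0.2.1 address are assumptions. The `probe` function should be run from a host outside your network, with a name your server is not authoritative for.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build an A-record query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, response):
    """Return 'open', 'closed' or 'invalid' for a reply to build_query()."""
    if len(response) < 12:
        return "invalid"
    txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "invalid"  # wrong transaction ID, or QR bit says "not a response"
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    # Open: the server offered recursion and returned an answer to an outsider.
    if recursion_available and rcode == 0 and ancount > 0:
        return "open"
    return "closed"  # e.g. REFUSED (rcode 5) or RA bit clear

def probe(resolver_ip, name, timeout=3.0):
    """Query your own resolver; run this from a host outside your network."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            return classify_response(query, sock.recvfrom(4096)[0])
        except socket.timeout:
            return "closed"  # no reply at all to the outside client

def sample_reply(query, flags, answer=b""):
    """Constructed reply for offline testing: echoes the question section."""
    counts = struct.pack("!HHHH", 1, 1 if answer else 0, 0, 0)
    return query[:2] + struct.pack("!H", flags) + counts + query[12:] + answer

# Constructed A record: name pointer, TTL 300, address 192.0.2.1 (TEST-NET-1).
SAMPLE_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_response(q, sample_reply(q, 0x8180, SAMPLE_A)))  # open
    print(classify_response(q, sample_reply(q, 0x8105)))            # closed
```

A result of "open" from an outside host means the resolver will recurse for anyone and needs its recursion restricted to your own clients.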

Related Posts

More on the attack against Spamhaus and how you can help

While much of the attack against Spamhaus has been mitigated and their services and websites are currently up, the attack is still ongoing. This is the biggest denial of service attack in history, with as much as 300 gigabits per second hitting Spamhaus servers and their upstream links.
This traffic is so massive that it’s actually affecting the Internet, and web surfers in some parts of the world are seeing network slowdowns because of it.
While I know that some of you may be cheering at the idea that Spamhaus is “paying” for their actions, this does not put you on the side of the good. Spamhaus’ actions are legal. The actions of the attackers are clearly illegal. Not only is the attack itself illegal, but many of the sites hosted by the purported source of the attacks provide criminal services.
By cheering for and supporting the attackers, you are supporting criminals.
Anyone who thinks that an appropriate response to a Spamhaus listing is an attack on the very structure of the Internet is one of the bad guys.
You can help, though. This attack is due to open DNS resolvers which are reflecting and amplifying traffic from the attackers. Talk to your IT group. Make sure your resolvers aren’t open and if they are, get them closed. The Open Resolver Project published its list of open resolvers in an effort to shut them down.
Here are some resources for the technical folks.
Open Resolver Project
Closing your resolver by Team Cymru
BCP 38 from the IETF
Ratelimiting DNS
News Articles (some linked above, some coming out after I posted this)
NY Times
BBC News
Cloudflare update
Spamhaus dDOS grows to Internet Threatening Size
Cyber-attack on Spamhaus slows down the internet
Cyberattack on anti-spam group Spamhaus has ripple effects
Biggest DDoS Attack Ever Hits Internet
Spamhaus accuses Cyberbunker of massive cyberattack


MAAWG presents the first J.D. Falk award

Last week at MAAWG went much like all MAAWG conferences go: too much to do, too many interesting panels to attend, too many people to connect and work with, a plethora of very interesting keynote speakers and a total lack of sleep. Most of what happens at MAAWG is not public, but some of the events are.
One of the things that I can talk about is the J.D. Falk award. This award was established by MAAWG, Return Path and J.D.’s family to recognize people who work, usually behind the scenes and without fanfare, to enhance the Internet and protect end users. I sat on the award committee and we had a number of nominations for very worthy work. But the nomination that stood out was the one for Tom Grasso. Tom was the driving force behind the creation of the DNS Changer Working group. He was responsible for connecting experts from throughout the Internet industry, including ISPs, anti-virus vendors, and the broader security community to prevent the Internet from going dark for hundreds of thousands of infected individuals.
I am very proud of the decision the committee made. The bar has been set high for future recipients. Tom did an amazing job convincing lots of players to work together. His involvement definitely made the internet better for everyone, not just those infected by Rove Digital’s malware. What he did is a model for private / public partnerships in the future.
I don’t think I could say it better than the MAAWG press release, so I’ll just end with that.
