The subject of the last week, still echoing around, could not be anything other than the internet war between the spam fighters at Spamhaus and the spam criminals hosted mainly at CyberBunker: huge loads of data created and sent with one single objective, to disrupt a company’s service.
CloudFlare really made every effort to explain how it is able to defend clients using cloud, multi-routing and anycast concepts, and how our connected lives were in danger during all those days.
The Attack – according to CloudFlare
One thing is certain: they really did manage to protect Spamhaus.
But, on the other hand, the “biggest attack in all internet history” only truly affected their client, not the Internet, not the Matrix, nor the City of Machines or all of existence, as their blog announces.
Gizmodo published one of the first “hold your horses” statements with the other side of the story, on Thursday.
We also had Bill Brenner saying pretty much the same thing, one day later.
Having been able to browse the internet over South and North American networks during all those days without feeling a single problem, I couldn’t agree more with them.
The Attack – according to the rest of internet
In the end, what I really enjoyed was the amount of thoughts, tips, documents, and incident response discussions that took place on forums.
I’ve been trying to gather all the valuable material derived from these debates to post here for future reference.
My intention is to concentrate the good information and guides I saw around, new or old, that are relevant to this kind of attack, from monitoring to response, prevention, preparation and so on.
Details about DDoS attacks, if you have never read anything about them.
The definition of IXP, where the secondary waves took place.
CloudFlare explains DNS Amplification attacks.
Real-time info about problems:
- Akamai real-time monitoring center – http://www.akamai.com/html/technology/dataviz1.html
- Internet Health Reports – http://www.internethealthreport.com/Main.aspx?Period=RH24
Protection tools and configurations:
- BCP38 against some DDoS attacks using spoofing techniques
- IETF’s Preventing Use of Recursive Nameservers in Reflector Attacks
- Protecting DNS Servers from dangerous BINDs
- Cloudshield quick tips to limit DNS exposure
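The reflection pattern the resources above deal with (an open recursive resolver answering spoofed, EDNS-enabled ANY queries on a victim’s behalf) leaves a clear trace in the resolver’s own query log. The script below is an added example for this post, not code from CloudFlare, the IETF, Cloudshield or any other linked source; it assumes BIND 9 querylog output and runs over a few constructed sample lines, flagging the (client, name) pairs that repeat the classic amplification profile.

```python
import re
from collections import Counter

# Constructed sample in BIND 9 querylog format (not taken from the original post).
# 192.0.2.10 plays the spoofed victim address; 198.51.100.7 is ordinary lookup traffic.
SAMPLE_LOG = """\
28-Mar-2013 10:00:00.101 queries: info: client 192.0.2.10#53 (isc.org): query: isc.org IN ANY +E (203.0.113.5)
28-Mar-2013 10:00:00.102 queries: info: client 192.0.2.10#53 (isc.org): query: isc.org IN ANY +E (203.0.113.5)
28-Mar-2013 10:00:00.103 queries: info: client 192.0.2.10#53 (isc.org): query: isc.org IN ANY +E (203.0.113.5)
28-Mar-2013 10:00:00.104 queries: info: client 192.0.2.10#53 (isc.org): query: isc.org IN ANY +E (203.0.113.5)
28-Mar-2013 10:00:00.105 queries: info: client 192.0.2.10#53 (isc.org): query: isc.org IN ANY +E (203.0.113.5)
28-Mar-2013 10:00:00.250 queries: info: client 198.51.100.7#41233 (www.example.com): query: www.example.com IN A +E (203.0.113.5)
28-Mar-2013 10:00:00.300 queries: info: client 198.51.100.7#41234 (mail.example.com): query: mail.example.com IN MX +E (203.0.113.5)
"""

# Accepts both the older "client IP#port: query:" form and the newer
# "client IP#port (name): query:" form of the BIND querylog line.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_querylog(text):
    """Parse querylog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        # BIND flags: leading "+" = recursion desired, "E" = EDNS present.
        rec["recursion_desired"] = rec["flags"].startswith("+")
        rec["edns"] = "E" in rec["flags"]
        records.append(rec)
    return records


def reflection_candidates(records, min_count=5):
    """Return {(client_ip, qname): count} for clients that sent at least
    min_count recursive, EDNS-enabled ANY queries for the same name.
    Caveat: on a reflector the 'client' address is the spoofed victim, so
    this tells you who is being hit, not who is attacking. Blocking that
    address punishes the victim; the fix is to restrict recursion to known
    clients and have upstream networks apply BCP38 so spoofed packets never
    reach the resolver."""
    counts = Counter(
        (r["ip"], r["name"])
        for r in records
        if r["qtype"] == "ANY" and r["edns"] and r["recursion_desired"]
    )
    return {key: n for key, n in counts.items() if n >= min_count}


def report(text, min_count=5):
    """Human-readable summary lines for a querylog excerpt."""
    recs = parse_querylog(text)
    lines = [f"{len(recs)} queries parsed"]
    for (ip, name), n in sorted(reflection_candidates(recs, min_count).items()):
        lines.append(
            f"{n} recursive ANY+EDNS queries for {name} from {ip} "
            f"(likely reflection target, not the attacker)"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `tail -f` output of a real querylog and the same two functions apply; the threshold and the ANY/EDNS filter are the only tuning knobs, and the candidate list is the starting point for the “who do I notify” step rather than a blocklist.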
Incident Response preparation guides:
- Societe Generale’s CSIRT Cheat Sheet
- D/DoS Incident Response Plan/Runbook (docx format)
- Radware ‘survival handbook’ – OK, you can’t use it to survive, but it has good historical information and a sample diary of an IT admin during his first experience with a similar problem. Too bad his experience ends so suddenly.
This is a work in progress! If you have good reading on this subject to suggest, send me a comment!