I wanted to send out a little blurb about the latest attack on Spamhaus this week and to enlighten you on just how something like this is done. Don’t we all love to learn new things!
As a lot of you have been hearing, Spamhaus was attacked this week by the group Anonymous with what is commonly known as a DNS Reflection attack. What is a DNS reflection attack you ask? Let’s me explain. DNS reflection AKA DNS Amplification is a process where an attacker makes requests to open DNS servers on the internet (18.104.22.168) using spoofed IP address as the address the request comes from. This in turn generates a set of packets back to the spoofed address (the victim) with the results of the DNS query. On the top this would look to be fairly harmless, the only thing really being done here is a fake requests that spawn a reply from the public DNS server back to the victim.
The attack come in the form of the “Amplification effect” that these queries have on your network. The “amplification” in DNS amplification attacks is generated by the size of those responses. While a DNS lookup request itself is fairly small, the resulting response of a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the victim. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60 so you can quickly see that with a few systems under ones control you could drop a DDOS on any network that would cripple their router and take down their network access.
So now you know, enjoy the knowledge.