DNS Amplification DDoS Attack Explained: How Spamhaus Was Targeted

Spamhaus, a renowned anti-spamming service provider, recently experienced a massive Distributed Denial of Service (DDoS) attack. This attack employed various techniques, with DNS amplification being particularly destructive.

What is a DNS Amplification Attack?

In a DNS amplification attack, attackers exploit third-party DNS servers to flood a target server with overwhelming traffic. Here's how it works:

  1. Identifying Vulnerable DNS Servers: Attackers find publicly available DNS servers that respond to any DNS query.
  2. Spoofed DNS Queries: Numerous DNS queries are sent to these servers, but with a crucial detail: the source IP address in each query is forged to be the target's IP address (in this case, Spamhaus's web server).
  3. Amplified Response: The attackers craft these queries to elicit large responses from the DNS servers. This amplifies the amount of traffic directed towards the target.
  4. Target Overwhelmed: Spamhaus's web server, bombarded with amplified traffic from multiple DNS servers, becomes overwhelmed and unable to handle legitimate requests.

Analyzing the Packets

Let's examine the IP header fields of the packets received by Spamhaus's web server during this attack:

  • Source Address: Different. Each packet will have a different spoofed source address, all pointing to Spamhaus's web server.
  • Destination Address: Same. All packets will have Spamhaus's web server as the intended destination.
  • Source Port: Different. Each DNS query from the attacker will originate from a different source port.
  • Destination Port: Same. All packets will target port 53, the standard port for DNS queries (both TCP and UDP).

Impact and Mitigation

DNS amplification attacks can cripple online services by flooding them with massive traffic. Mitigating these attacks requires a multi-faceted approach, including securing DNS servers, implementing traffic filtering at the network level, and collaborating with internet service providers (ISPs) to block malicious traffic.
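
As an added illustration of the "securing DNS servers" point (not part of the original article), the following Python sketch shows how a resolver operator could spot their server being used as a reflector: it groups query-log records by claimed source address and time window, then flags sources that send many small queries which draw large responses. The log format, sample records, and thresholds are assumptions made for this example; note that a flagged address is the forged source, so it is most likely the victim rather than the attacker.

```python
from collections import defaultdict

# Constructed resolver log records: (unix_time, claimed_source_ip, query_bytes, response_bytes).
# Addresses come from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = (
    [(1000 + i // 4, "198.51.100.7", 64, 3200) for i in range(40)]  # many small queries, large answers
    + [(1000 + i, "192.0.2.10", 60, 92) for i in range(5)]          # ordinary client
    + [(1003, "192.0.2.12", 64, 3000)]                              # one large answer, low volume
)


def window_stats(records, window_seconds=10):
    """Aggregate query count and byte totals per (claimed source, time window)."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for ts, client, query_len, response_len in records:
        bucket = stats[(client, ts // window_seconds)]
        bucket["queries"] += 1
        bucket["bytes_in"] += query_len
        bucket["bytes_out"] += response_len
    return stats


def amplification_ratio(bucket):
    """Response bytes sent per query byte received (0.0 if nothing was received)."""
    return bucket["bytes_out"] / bucket["bytes_in"] if bucket["bytes_in"] else 0.0


def suspected_reflection_targets(records, window_seconds=10,
                                 min_queries=20, min_ratio=10.0):
    """Return claimed sources that exceed both thresholds in any window.

    Thresholds are illustrative assumptions; tune them against normal traffic.
    Requiring volume AND ratio avoids flagging a single legitimate large answer.
    """
    flagged = set()
    for (client, _window), bucket in window_stats(records, window_seconds).items():
        if bucket["queries"] >= min_queries and amplification_ratio(bucket) >= min_ratio:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in suspected_reflection_targets(SAMPLE_LOG):
        print(f"possible reflection toward {ip}: consider rate limiting responses to it")
```

Addresses flagged this way are candidates for response rate limiting on the resolver, and a sign that recursion should be restricted to the operator's own clients.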

Original URL: https://www.cveoy.top/t/topic/fY31. Copyright belongs to the author. Do not repost or scrape.