The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
CloudFlare, a company that deals with large-scale Distributed Denial of Service (DDoS) attacks daily, shares the story of how it mitigated a 75Gbps attack against Spamhaus, an anti-spam organization. The attack was primarily carried out through DNS reflection: the attacker sends requests for a large DNS zone file, with the source IP address spoofed to be the intended victim, to numerous open DNS resolvers. These resolvers then answer the requests, sending the large DNS zone response to the intended victim. The attacker's requests are only a fraction of the size of the responses, so the attack is effectively amplified. To mitigate such an attack, CloudFlare uses Anycast, which announces the same IP address from every one of its worldwide data centers. This dilutes the attack by spreading it across facilities and ensures no single point on the network acts as a bottleneck. Once diluted, the attack becomes relatively easy to stop at each data center. The article also stresses that service providers need to make serious efforts to close open DNS resolvers, which are becoming the scourge of the Internet and enabling ever-larger DDoS attacks.
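The amplification described above is visible from the resolver side as a byte imbalance: a single spoofed source address "asks" for a large record over and over and the resolver sends back far more than it received. The following Python script is an added example, not code from the article or from Cloudflare; it parses a constructed, simplified resolver traffic log (one line per DNS message, with the direction, peer address, size, query type and name, all assumed formats) and flags peers whose response-to-request byte ratio and total outbound volume look like reflection. An operator running an open resolver could use this kind of check to spot that their resolver is being used to reflect traffic at a victim.

```python
"""Flag DNS reflection patterns in a resolver's traffic log (added example)."""
from collections import defaultdict
import re

# Constructed sample log (not from the article). Format assumed for this example:
#   <dir> <peer_ip> <bytes> <qtype> <qname>
# dir is "Q" (query received from peer) or "R" (response sent to peer).
# 198.51.100.7 plays the spoofed victim: small ANY queries, large responses.
SAMPLE_LOG = """\
Q 198.51.100.7 64 ANY example.test
R 198.51.100.7 3200 ANY example.test
Q 198.51.100.7 64 ANY example.test
R 198.51.100.7 3200 ANY example.test
Q 203.0.113.9 58 A www.example.test
R 203.0.113.9 90 A www.example.test
"""

LINE_RE = re.compile(r"^(Q|R)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (direction, peer, size, qtype, qname) tuples.

    Lines that do not match the expected format are skipped so a partially
    corrupted log does not abort the whole analysis.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction, peer, size, qtype, qname = m.groups()
        records.append((direction, peer, int(size), qtype, qname))
    return records


def amplification_by_peer(records):
    """Return {peer: (bytes_in, bytes_out, ratio)} aggregated per peer address.

    bytes_in counts query bytes received from the peer; bytes_out counts
    response bytes sent to it. ratio is the amplification factor the peer
    experiences; a peer that only receives responses gets an infinite ratio.
    """
    totals = defaultdict(lambda: [0, 0])
    for direction, peer, size, _qtype, _qname in records:
        if direction == "Q":
            totals[peer][0] += size
        else:
            totals[peer][1] += size
    result = {}
    for peer, (bytes_in, bytes_out) in totals.items():
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        result[peer] = (bytes_in, bytes_out, ratio)
    return result


def flag_reflection(records, ratio_threshold=10.0, min_bytes_out=1000):
    """Return peers that look like reflection victims.

    Both thresholds are assumed values for this example: a high ratio alone
    would also flag a single legitimate large answer, so a minimum outbound
    volume is required as well.
    """
    stats = amplification_by_peer(records)
    return sorted(
        peer
        for peer, (_bytes_in, bytes_out, ratio) in stats.items()
        if ratio >= ratio_threshold and bytes_out >= min_bytes_out
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for peer, (bytes_in, bytes_out, ratio) in amplification_by_peer(recs).items():
        print(f"{peer}: in={bytes_in} out={bytes_out} ratio={ratio:.1f}")
    print("suspected reflection targets:", flag_reflection(recs))
```

In the constructed sample the spoofed address receives 6400 bytes for 128 bytes of queries (a 50x factor) and is flagged, while the ordinary A-record client is not. In practice the query source in such a log is the victim, not the attacker, so the useful response is rate-limiting or dropping answers to that address and closing open recursion, not blocking the "sender".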
Company: Cloudflare
Date published: March 20, 2013
Author(s): Matthew Prince
Word count: 1907
Hacker News points: None found.
Language: English