Spamhaus DDoS mechanism: How did they spoof thousands of IP addresses?

Regarding the explanation in this recent ComputerWorld.com article: "Spamhaus attacks expose huge open DNS server dangers"


In that article, Matthew Prince, CEO of CloudFlare, was describing the attack as: "to generate DDoS traffic, the attackers behind the Spamhaus attack sent queries (with a spoofed source address) to tens of thousands of open DNS resolvers"

My question only needs to be answered generically (i.e., I'm not planning on spoofing my IP address, but I don't understand HOW it can be spoofed).

Q: How did they spoof tens of thousands of IP addresses on the net?

Reply to
Francis C.


The Linux/Unix "sockets" and MSWindows "winsock" network APIs permit suitably privileged programs to open/create a "raw" network connection. In this sort of connection, the application program is responsible for constructing the entire network message, including the various protocol headers.

Such a program would build a DNS query prefixed with a (program-constructed) UDP header, prefixed with a (program-constructed) IP header. In these program-constructed protocol headers, the program would populate the "source" IP address with whatever value it feels appropriate, and the "target" IP address with the real target address (presumably, the address of a DNS server).

It would then send this completed datagram (IP + UDP + DNS query) out on to the wire, and go on to construct another, with a suitably faked-up IP source address. And so on.

The DNS server would try to reply to the query, but its reply would "go astray", directed not at the originator, but at the faked-up "source" address taken from the manufactured datagram. Since the reply would not be expected by the receiver (the faked-up source address), it would be discarded, and the receiver wouldn't notice anything amiss (other than an elevated datagram reject count in its network statistics).

Reply to
Lew Pitcher
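The "reply goes astray" step above is what the spoofed host actually sees: DNS responses for queries it never sent. As an added illustration (not code from any poster in this thread), this Python detector correlates inbound port-53 responses against outbound queries by (resolver, transaction id) and flags the unmatched ones, which is how a target can tell its address is being used as a forged source. The packet builders, addresses and sample records are constructed for the example.

```python
import struct
from collections import defaultdict

def encode_name(name):
    # "example.com" -> b"\x07example\x03com\x00"
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(txid, name):
    # 12-byte header (flags: RD only, qdcount=1) plus one A/IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, addrs):
    # QR=1 RD RA; the question echoed back, then one 16-byte A record per address
    # (owner name is a compression pointer 0xC00C to offset 12, TTL 300, rdlength 4)
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes(a)) for a in addrs)
    return hdr + question + rrs

def dns_header(payload):
    # transaction id and the QR bit (0 = query, 1 = response)
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)

def find_unsolicited(records):
    """records: (direction, peer_ip, udp_payload) seen on port 53 at one host.
    A response whose (peer, txid) never matched a query we sent is a reply that
    'went astray': someone used our address as a forged source. Returns the
    flagged responses and the unsolicited bytes attributed to each resolver."""
    outstanding, flagged, per_peer = set(), [], defaultdict(int)
    for direction, peer, payload in records:
        txid, is_response = dns_header(payload)
        if direction == "out" and not is_response:
            outstanding.add((peer, txid))
        elif direction == "in" and is_response:
            if (peer, txid) in outstanding:
                outstanding.discard((peer, txid))  # our own query being answered
            else:
                flagged.append((peer, txid, len(payload)))
                per_peer[peer] += len(payload)
    return flagged, dict(per_peer)

# Constructed sample: one legitimate query/response with 192.0.2.53, then two
# responses from 198.51.100.7 that this host never asked for (20 A records each).
SAMPLE = [
    ("out", "192.0.2.53", build_query(0x1234, "example.com")),
    ("in", "192.0.2.53", build_response(0x1234, "example.com", [(93, 184, 216, 34)])),
    ("in", "198.51.100.7", build_response(0xBEEF, "example.com", [(10, 0, 0, i) for i in range(20)])),
    ("in", "198.51.100.7", build_response(0xBEF0, "example.com", [(10, 0, 0, i) for i in range(20)])),
]

if __name__ == "__main__":
    for peer, txid, size in find_unsolicited(SAMPLE)[0]:
        print(f"unsolicited DNS response from {peer} txid={txid:#06x} size={size} bytes")
```

Comparing the 29-byte query with the 349-byte responses in the sample also shows the amplification the later posts discuss: the resolver emits far more bytes toward the forged address than the attacker sent to it.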

UDP packets are connectionless, so they stand on their own. Craft a packet that looks exactly like a UDP packet but set the source address to that of one of Spamhaus's DNS servers. Packet arrives at intended destination. Server looks at reply address embedded in the packet and returns a single UDP packet to that address. (A UDP packet can, IIRC, be up to 8KB, so it might take several ethernet frames to carry.)

Chris

Reply to
Chris Davies

On Thursday 28 March 2013 11:02, in alt.os.linux, snipped-for-privacy@roaima.co.uk wrote: [snip]

Bigger: 64Kb-1 (65565) bytes long, with a user data payload maximum of 65507 bytes (65565 - 20-byte IP header - 8-byte UDP header). The IP length field is 16 bits long, and treated as an unsigned integer; the UDP length field is also 16 bits long, and also treated as an unsigned integer.

Very likely the UDP datagram will go through some sort of fragmentation, especially at the ethernet level.

Reply to
Lew Pitcher

Or any open DNS server. It doesn't have to be the DNS server that Spamhaus uses.

Most of the articles talk about "DNS amplification", meaning for every byte (query) submitted to a DNS server there is more than one byte coming out. I haven't looked at the size of a typical DNS response, though.

Reply to
Char Jackson

Correcting my post, I should have said that the forged DNS request can go to any open DNS server, and the source IP spoofed to be a Spamhaus IP. Thus, the DNS response will go to Spamhaus, in spite of the fact that the request didn't come from there.

Reply to
Char Jackson

It's not just typical sizes that matter though, it's the edge cases. The attacker can find queries that return very large sets of results, right up to the DNS UDP limit, and perform those queries.

Even if they don't find the right query themselves, they can register a domain and create one (although this might leave fingerprints, an organization of this scale probably won't mind "borrowing" a credit card).

Each DNS server that participates in the amplification will need to perform the DNS query once, but after that, it will helpfully serve the query from its cache for the lifetime of the TTL (and the attacker controls the TTL), so if they go the route of hosting their own DNS servers, the load on the underlying DNS service won't be trivial, but it won't be out of the realm of possibility either.

Reply to
DevilsPGD

Thanks. For some reason I had 8K in my head, and couldn't be bothered to verify it.

Chris

Reply to
Chris Davies

True. This is what I thought I had conveyed in my original posting. Chris

Reply to
Chris Davies

No, it was all mangled, but no problem.

Reply to
Char Jackson
