Post-mortem: How the DDoS attack on AFACT misfired


Attackers given IP address of NetRegistry load balancer.

Web host NetRegistry has revealed how Anonymous' misdirected Distributed Denial of Service (DDoS) attack against anti-piracy lobby group AFACT caused performance degradation for many other Australian websites.

The attack, reported on iTnews yesterday, directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth at a cluster of servers that hosted the AFACT website.

It followed an orchestrated series of attacks against other anti-piracy groups around the globe.

NetRegistry chief executive Larry Bloch today told iTnews how the hosting company mitigated the damage.

Attackers would be disappointed to know that their missiles did not down the AFACT site.

Bloch revealed that organisers of the attack had not given out the IP address of AFACT's site but rather of a load balancer that served a block of websites hosted by NetRegistry - causing performance degradation across a number of other customers.

He told iTnews that NetRegistry engineers took the AFACT site offline to protect other customers on the shared cluster of servers.

"We took the site offline because it was the target of the attack," he said.  "That was the quickest and easiest way to deal with it."

"None of these [other] websites fell over or went offline, there was just a degradation in performance due to the processing the infrastructure had to do."

Bloch said the sheer volume of traffic hitting NetRegistry's routers made it difficult to sort legitimate traffic from requests served as part of the attack. The company found it difficult to inspect packets before they hit border routers.

Even so, NetRegistry engineers were able to identify the IP blocks - address ranges associated with a specific geographic location - that were primarily responsible for the traffic.

"We were able to notice that many connections were coming from Chile and Colombia - so we blocked traffic from both entire countries for a few hours," Bloch said.

"There is no perfect option when defending a network from this kind of attack. Network engineers simply have to make a series of decisions to minimise collateral damage. In this case, less than one percent of traffic comes from Chile and Colombia on any good day, so it is relatively safe to block that traffic for a limited time period."
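The trade-off Bloch describes can be made explicit. The script below is an added example, not NetRegistry's code: it aggregates connections per source country from a constructed connection log, compares each country's share during the attack with its share on a normal day, and recommends a temporary country block only where the traffic is anomalously high and the normal-day share is small enough that the collateral damage is acceptable. The CIDR-to-country table, the baseline shares and the log lines are all constructed for illustration; a real deployment would take them from a GeoIP database and from traffic history.

```python
"""Pick source countries to block during a volumetric attack, with a cap on
how much normal-day traffic the block is allowed to cost.

Added example, not NetRegistry's code. Every data value here is constructed.
"""
import ipaddress
from collections import Counter

# Constructed CIDR -> country mapping (documentation ranges, not real geography).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "CL"),
    (ipaddress.ip_network("192.0.2.0/24"), "CO"),
    (ipaddress.ip_network("100.64.0.0/16"), "US"),
]

# Constructed baseline: fraction of connections each country sends on a normal day.
BASELINE_SHARE = {"AU": 0.80, "US": 0.19, "CL": 0.005, "CO": 0.005}

# Constructed connection log, one line per accepted connection:
# "<timestamp> <source_ip> <request_path>"
SAMPLE_LOG = """\
2010-09-28T14:00:00 198.51.100.7 /
2010-09-28T14:00:00 198.51.100.8 /
2010-09-28T14:00:00 198.51.100.9 /
2010-09-28T14:00:00 198.51.100.10 /
2010-09-28T14:00:00 198.51.100.11 /
2010-09-28T14:00:00 198.51.100.12 /
2010-09-28T14:00:00 198.51.100.13 /
2010-09-28T14:00:00 198.51.100.14 /
2010-09-28T14:00:00 192.0.2.20 /
2010-09-28T14:00:00 192.0.2.21 /
2010-09-28T14:00:00 192.0.2.22 /
2010-09-28T14:00:00 192.0.2.23 /
2010-09-28T14:00:00 192.0.2.24 /
2010-09-28T14:00:00 192.0.2.25 /
2010-09-28T14:00:01 203.0.113.5 /news
2010-09-28T14:00:01 203.0.113.6 /about
2010-09-28T14:00:01 203.0.113.7 /
2010-09-28T14:00:01 100.64.3.4 /
"""


def country_of(ip_text):
    """Map a source address to a country code by longest-prefix match; '??' if unknown."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def parse_log(text):
    """Extract the source IP from each log line, skipping malformed lines."""
    ips = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        ips.append(parts[1])
    return ips


def connections_by_country(ips):
    """Count connections per country code."""
    return Counter(country_of(ip) for ip in ips)


def choose_blocks(counts, baseline, amplification=10.0, max_baseline_share=0.01):
    """Return [(country, observed_share, ratio)] for countries worth blocking.

    A country qualifies when its observed share is at least `amplification`
    times its normal-day share AND its normal-day share is at most
    `max_baseline_share`, so the block costs little legitimate traffic.
    Unattributed traffic ('??') is never blocked by geography.
    """
    total = sum(counts.values())
    picks = []
    for cc, n in counts.items():
        if cc == "??" or total == 0:
            continue
        observed = n / total
        base = baseline.get(cc, 0.0)
        if base > max_baseline_share:
            continue  # too much legitimate traffic would be lost
        ratio = observed / base if base > 0 else float("inf")
        if ratio >= amplification:
            picks.append((cc, observed, ratio))
    picks.sort(key=lambda t: t[2], reverse=True)
    return picks


def expected_collateral(picks, baseline):
    """Fraction of a normal day's traffic the chosen blocks would drop."""
    return sum(baseline.get(cc, 0.0) for cc, _, _ in picks)


if __name__ == "__main__":
    counts = connections_by_country(parse_log(SAMPLE_LOG))
    picks = choose_blocks(counts, BASELINE_SHARE)
    for cc, share, ratio in picks:
        print(f"block {cc}: {share:.1%} of current traffic, {ratio:.0f}x normal")
    print(f"expected collateral: {expected_collateral(picks, BASELINE_SHARE):.2%}")
```

On the constructed log, Chile and Colombia carry nearly 80 percent of the connections against a combined normal-day share of one percent, so both are recommended for a temporary block while Australia and the US, whose share has collapsed rather than grown, are left alone. The `max_baseline_share` cap is what stops the rule from ever proposing to block a country that carries a meaningful amount of legitimate traffic, which is the constraint Bloch's "less than one percent" remark is really about.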

Big Iron

Beyond these decisions, Bloch said the only defence against DDoS is "bigger iron" that is networked in a cloud-like fashion.

"There is no way a single machine could have coped with a tenth of that attack," he said. "Every single site on the box would fall over."

NetRegistry's shared hosting environment is a series of networked, virtualised clusters of servers. Load can be dynamically allocated among these clusters as traffic comes in, Bloch said.

"The only real way to reliably protect yourself against this level of attack is to have bigger iron than the attackers - with more network bandwidth, more raw processing power," he told iTnews.

"During a DDoS attack, you are up against multiple distributed computing resources. It is very difficult to manage unless you can match that scale. In our case we had a scalable cluster - a pool of available computing resource with sufficient headroom to cope with the load.

"We get attacks on infrastructure with a great degree of regularity. This is one of three incidents in ten years with an actual impact on performance. It needs to be an attack of massive proportions to degrade performance on our infrastructure."

While he had no insight into the motives of the attackers, Bloch doubted that the DDoS attack was a diversion from a hacking attempt, as was claimed by security vendor Imperva in relation to the Anonymous attack against UK legal firm ACS:Law.

"I don't think there is any information on AFACT's web site the attackers would be interested in," he said. "It is not a transactional site and doesn't hold confidential information."

Copyright © iTnews.com.au . All rights reserved.


By BrettWinterford
Comments: 11
wolfpac
Sep 29, 2010 5:03 PM
I think that when companies like AFACT start telling ISPs WHAT to do, and other companies like AFACT around the world are at fault for this attack, because when something comes out free and the company that is with AFACT STEALS the free thing and makes it a legal copyright, then they have to expect to have hackers and other people attacking them for THIS reason. If something was made free IT stays free no matter what. People that steal the free stuff and make it copyright is NOT right, and people like me give the BIG thumbs up to the ANTI-AFACT people for keeping things free by attacking groups that STEAL free stuff and make it copyright.

GOOD on ya anti-afact groups:D
wolfpac
Sep 29, 2010 5:09 PM
What DDoS don't understand is there WAS no misfire, from the way of things, lol. It shut down the web site for a few hours, yes?

any cyber attack is meant to BRING down website for a short or long time.

Don't you Dumas in the IT groups know that yet? Hell man, I lived in Canada and even I know that..

any cyber attack is MEANT to bring down web sites no matter what length
Bazwalt
Sep 29, 2010 5:22 PM
I guess what wolfpac is trying to say is that, regardless of HOW the site went down...the end result was the same. Even if they didn't directly take the site down...it still resulted in the engineers being left with no choice but to shut down the site and block IP blocks.

Therefore Anonymous won. Pure and Simple.
ilikelamb
Sep 29, 2010 6:06 PM
'While he had no insight into the motives of the attackers'.....lol..... what kind of shop is he running over there...do his staff not talk to him....or are they that uninformed that all they care about are $$$$ and not clients....lol
' Bloch doubted that the DDoS attack was a diversion from a hacking attempt, as was claimed by security vendor Imperva in relation to the Anonymous attack against UK legal firm ACS:Law.'
The lies and spin that people spew......the reasons for these attacks and the targets have been reported all over the net with lead-in time for all concerned to take measures...oh well..... best to play $afe
deteego
Sep 29, 2010 6:21 PM
Wow, they thought someone was trying to hack them. Can't get more oblivious than that.
Ace
Sep 30, 2010 11:00 AM
I think what wolfpac is trying to say is, 'we don't care who gets hurt, as long as we get what we want'. My 2 year old is the same.
deteego
Sep 30, 2010 11:12 AM
Ace wrote:
I think what wolfpac is trying to say is, 'we don't care who gets hurt, as long as we get what we want'. My 2 year old is the same.


Actually he was saying that the point of DDoS attacks like these is to bring down websites for an amount of time to disrupt (their) business and create media attention
wired420
Sep 30, 2010 11:12 AM
Ok. What's the purpose of a load balancer? To send traffic to different servers. If the load balancer isn't there, no traffic gets sent anywhere, resulting in no one getting to the server.

Even responding to an article like this blowing them off is just asking for it to happen again, and if your so-called "IT" guys don't know that without the load balancer the general public can't access the site, you probably need to get some new "IT" guys. No wonder Australia's internet is so crappy.
b7d
Sep 30, 2010 11:16 AM
This article reeks of ignorance. Way to make a fool out of yourself, Brett Winterford.
Ace
Sep 30, 2010 11:34 AM
@wired, I think it might be you who needs to go back to IT school. Directing traffic via another load balancer is pretty simple, and it leaves the attackers pounding away at a router that is out of commission anyway. I.e. the sites behind the affected load balancer can come back online very quickly if so desired.

The problem is not the load balancer, it is the quantity of traffic on the network, which can only be diverted upstream. The script kiddies operating this attack simply don't care who they affect with this behaviour. The fact is, while they say they were targeting AFACT, they were in fact targeting the ISP, which hosts all kinds of completely innocent businesses operating on the internet. The approach was similar to dropping an atomic bomb on Baghdad just to kill Saddam Hussein. Even GWB wasn't stupid enough to do that.

Hopefully they find a few of these kiddies and take away their pocket money & iPods for a few weeks. That'll teach 'em.
BrettWinterford
Sep 30, 2010 4:54 PM
@wired420, @b7d - If you don't care who you take out on the way to your target, then sure, the operation could be considered a success.

But if you think an attack that degrades the performance of thousands of unrelated businesses is going to win friends and influence people and enlighten them about your argument, that's a better definition of ignorance.