Post-mortem: How the DDoS attack on AFACT misfired
Attackers given IP address of NetRegistry load balancer.
Web host NetRegistry has revealed how Anonymous’ misdirected Distributed Denial of Service (DDoS) attack against anti-piracy lobby group AFACT caused performance degradation for many other Australian websites.
The attack, reported on iTnews yesterday, directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth at a cluster of servers that hosted the AFACT website.
It followed an orchestrated series of attacks against other anti-piracy groups around the globe.
NetRegistry chief executive Larry Bloch today told iTnews how the hosting company mitigated the damage.
Attackers would be disappointed to know that their missiles did not down the AFACT site.
Bloch revealed that organisers of the attack had not given out the IP address of AFACT’s site but rather of a load balancer that served a block of websites hosted by NetRegistry – causing performance degradation across a number of other customers.
He told iTnews that NetRegistry engineers took the AFACT site offline to protect other customers on the shared cluster of servers.
“We took the site offline because it was the target of the attack,” he said. “That was the quickest and easiest way to deal with it.”
“None of these [other] websites fell over or went offline, there was just a degradation in performance due to processing the infrastructure had to do.”
Bloch said the sheer volume of traffic hitting NetRegistry’s routers made it difficult to sort legitimate traffic from requests served as part of the attack. The company found it difficult to inspect packets before they hit border routers.
Even so, NetRegistry engineers were able to identify IP blocks – chunks of traffic from a specific location – that were primarily responsible.
“We were able to notice that many connections were coming from Chile and Colombia – so we blocked traffic from both entire countries for a few hours,” Bloch said.
“There is no perfect option when defending a network from this kind of attack. Network engineers simply have to make a series of decisions to minimise collateral damage. In this case, less than one percent of traffic comes from Chile and Colombia on any good day, so it is relatively safe to block that traffic for a limited time period.”
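The trade-off Bloch describes, as an added example that is not part of the original article: attack-window connection counts are grouped by source country and a country is blocked only when it carries a large share of the attack but a small share of normal-day legitimate traffic. The sample connections, the baseline shares, the thresholds and the hand-made prefix-to-country table are all constructed assumptions standing in for a real geolocation database.

```python
import ipaddress
from collections import Counter

# Constructed geo table (documentation prefixes, not real geolocation data).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "CL",
    ipaddress.ip_network("203.0.113.0/24"): "CO",
    ipaddress.ip_network("192.0.2.0/24"): "AU",
}

# Constructed attack-window sample: (source IP, open HTTP connections).
ATTACK_SAMPLE = ([("198.51.100.%d" % i, 6) for i in range(70)]
                 + [("203.0.113.%d" % i, 4) for i in range(95)]
                 + [("192.0.2.%d" % i, 1) for i in range(150)]
                 + [("100.64.0.7", 50)])

# Constructed normal-day share of legitimate traffic per country.
BASELINE_SHARE = {"AU": 0.85, "US": 0.08, "NZ": 0.05, "GB": 0.013,
                  "CL": 0.004, "CO": 0.003}

def lookup_country(ip, table=GEO_TABLE):
    """Map a source address to a country code via the prefix table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table.items():
        if addr in net:
            return cc
    return "??"

def country_shares(sample):
    """Fraction of attack-window connections attributed to each country."""
    counts = Counter()
    for ip, n in sample:
        counts[lookup_country(ip)] += n
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()}

def choose_blocks(attack_share, baseline_share, attack_min=0.10, baseline_max=0.01):
    """Countries worth blocking temporarily: heavy attack contributors whose
    normal-day legitimate share is small enough to accept as collateral damage."""
    ranked = sorted(attack_share.items(), key=lambda kv: -kv[1])
    return [cc for cc, share in ranked
            if cc != "??" and share >= attack_min
            and baseline_share.get(cc, 0.0) <= baseline_max]

def collateral_damage(blocked, baseline_share):
    """Share of normal-day legitimate traffic the block would turn away."""
    return sum(baseline_share.get(cc, 0.0) for cc in blocked)

def attack_reduction(blocked, attack_share):
    """Share of attack-window connections the block removes."""
    return sum(attack_share.get(cc, 0.0) for cc in blocked)
```

With this constructed data the rule blocks Chile and Colombia, which removes 80 percent of the attack connections at a cost of 0.7 percent of normal traffic, while Australia is kept despite contributing to the load because its baseline share is far too high to block.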
Beyond these decisions, Bloch said the only defence against DDoS is “bigger iron” that is networked in a cloud-like fashion.
“There is no way a single machine could have coped with a tenth of that attack,” he said. “Every single site on the box would fall over.”
NetRegistry’s shared hosting environment is a series of networked, virtualised clusters of servers. Load can be dynamically allocated among these clusters as traffic comes in, Bloch said.
“The only real way to reliably protect yourself against this level of attack is to have bigger iron than the attackers – with more network bandwidth, more raw processing power,” he told iTnews.
“During a DDoS attack, you are up against multiple distributed computing resources. It is very difficult to manage unless you can match that scale. In our case we had a scalable cluster – a pool of available computing resource with sufficient headroom to cope with the load.
“We get attacks on infrastructure with a great degree of regularity. This is one of three incidents in ten years with an actual impact on performance. It needs to be an attack of massive proportions to degrade performance on our infrastructure.”
While he had no insight into the motives of the attackers, Bloch doubted that the DDoS attack was a diversion from a hacking attempt, as was claimed by security vendor Imperva in relation to the Anonymous attack against UK legal firm ACS:Law.
“I don’t think there is any information on AFACT’s web site the attackers would be interested in,” he said. “It is not a transactional site and doesn’t hold confidential information.”
Copyright © iTnews.com.au. All rights reserved.