
Zimbabweans Hit By Cyber Attacks During Election

judgecorp writes "During last week's Zimbabwean election, some huge denial of service attacks took down sites including several reporting on human rights issues and potential irregularities in the election. Those affected suspect government involvement. ... GreenNet is only just recovering today, with some customer websites still down, having reported the strike on Thursday morning, the day after Zimbabweans headed to the polls. It appeared to be a powerful attack – TechWeek understands it was at the 100Gbps level – aimed at GreenNet’s co-location data centre provider Level 3, which subsequently did not let GreenNet move workloads within that facility. ... The DDoS that hit GreenNet was not a crude attack using a botnet to fire traffic straight at a target port, but a DNS reflection attack using UDP packets, which can generate considerable power. DNS reflection sees the attacker spoof their IP address to pretend to be the target, send lines of attack code to a DNS server, which then sends back large amounts of traffic to the victim."
  • by Camael ( 1048726 ) on Wednesday August 07, 2013 @06:00AM (#44495399)

    I shared the same belief as you, until I did some random digging... and wow.

    Apparently the Zim government has LOTS of experience with cyber warfare [concerneda...holars.org] .

    By the time Russia ‘e-nvaded’ Georgia and paralyzed its security with cyber-weaponry in August-September 2008, Zimbabwe was in its fifth year of cyber-guerrilla warfare. Using interception gadgets, the Zanu (PF) government of Robert Mugabe jammed radio signal and web traffic that sympathized with the opposition. Online newspapers and internet radios had been using the internet to attack the Mugabe dictatorship for the past four years. Government and anti-Mugabe hackers had been trading long-range artillery fire for three decades.

    That article, mind you, was written in 2008. Imagine how much more they would have picked up in the last 4 years.

  • by Drakonblayde ( 871676 ) on Wednesday August 07, 2013 @07:38AM (#44495737)

    It's not as simple as that. Blacklisting badly behaving mail servers is one thing. That's pretty much an application level fix. You just don't accept the mail from the mailserver.

    DNS reflection is more insidious. If I spoof an IP address and send a query to a DNS server that's authoritative for the domain, it's going to send a response back to the IP address in the source of the packet. Now I do that with a shitload of domains and a shitload of DNS servers, and they all start sending responses to the spoofed IP. A good DNS reflection attack will hit so many sources that it's impractical to filter them all, you'll spend a crapload of time just trying to keep the access-lists updated, and it's exponentially worse the bigger your border is. The only thing you can do is null-route the spoofed IP at your border to prevent the responses from getting into your network and bringing down your entire infrastructure... assuming you have border routers that won't die under the flood in the first place. The second you do that, the attacker has won.

    If they're sending queries to authoritative name servers, what are you going to do? Blacklist them? The authoritatives are doing what they're supposed to.

    The only real way to stop DNS reflection is to convince every operator to do proper border filtering. If the source address in the packet didn't come from their allocation, they should drop it. Convincing network operators to do so is incredibly difficult.

    The one I was on the end of, they did it smart. They started at 5am on Christmas day, which is pretty much about the best time to ensure that any response is sluggish at best. It went on for two weeks and didn't cease until 4 different providers had operators willing to pool their Netflow data in order to track back where the shit was actually coming from, and we found the CnC nodes buried in TWC's network. TWC was kind enough to terminate those nodes with extreme prejudice.

    Didn't help though, we still lost the customer.
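As an added illustration (this is not code from the thread, from GreenNet, or from any of the providers named), the Python below models the three things the story summary and the comment above describe: a DNS query with the victim's address forged into the IP source field, the reflector answering that forged address with a much larger response, and the two defences the comment points at, BCP 38 ingress filtering at the spoofer's upstream and tracing the spoofed queries back to their ingress interface from pooled flow records. Every address, prefix, packet size, router name and flow record is constructed for the example; the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are used so nothing here points at a real host.

```python
import ipaddress
from collections import Counter

# --- Constructed scenario (all values assumed, documentation address ranges) ---
VICTIM = "203.0.113.10"                 # the site being knocked offline
REFLECTORS = ["198.51.100.53", "198.51.100.54", "192.0.2.53"]  # DNS servers abused as reflectors
QUERY_BYTES = 64                        # a small UDP query
RESPONSE_BYTES = 3000                   # a large answer (e.g. ANY with DNSSEC records)
# Prefix legitimately allocated behind the spoofer's access interface at its ISP.
ATTACKER_ISP_CUSTOMERS = [ipaddress.ip_network("10.0.0.0/24")]


def make_query(spoofed_src, reflector, sport=31337):
    """A reflection query: the attacker writes the victim's address into the IP
    source field so the reply is addressed to the victim, not the attacker."""
    return {"src": spoofed_src, "dst": reflector, "proto": "udp",
            "sport": sport, "dport": 53, "bytes": QUERY_BYTES}


def reflect(query):
    """What the DNS server does: it answers whatever source address the query
    carried.  It cannot tell the address was forged, so the response goes to
    the victim and is many times larger than the query."""
    return {"src": query["dst"], "dst": query["src"], "proto": "udp",
            "sport": 53, "dport": query["sport"], "bytes": RESPONSE_BYTES}


def bcp38_passes(packet, customer_prefixes):
    """BCP 38 ingress check at the spoofer's upstream: a packet may leave only if
    its source address lies inside a prefix allocated behind that interface."""
    src = ipaddress.ip_address(packet["src"])
    return any(src in net for net in customer_prefixes)


def run_attack(queries_per_reflector, customer_prefixes, filtering):
    """Push spoofed queries through the attacker's provider edge.  Returns the
    bytes that reach the victim and the amplification factor (bytes delivered
    to the victim / bytes the attacker sent)."""
    sent = delivered = 0
    for reflector in REFLECTORS:
        for _ in range(queries_per_reflector):
            q = make_query(VICTIM, reflector)
            sent += q["bytes"]
            if filtering and not bcp38_passes(q, customer_prefixes):
                continue  # dropped at the border: the forged packet never reaches a reflector
            delivered += reflect(q)["bytes"]
    return delivered, (delivered / sent if sent else 0.0)


# --- Traceback from pooled flow records (constructed) -------------------------
# Each record says where the packet entered (router, interface) plus the fields
# that matter for this hunt.  The prefixes legitimately reachable through each
# ingress interface are assumed as well.
INGRESS_PREFIXES = {
    ("isp-a-edge1", "ge-0/0/1"): [ipaddress.ip_network("10.0.0.0/24")],
    ("isp-b-core2", "xe-1/1/0"): [ipaddress.ip_network("203.0.113.0/24")],
}
SAMPLE_FLOWS = [
    {"router": "isp-a-edge1", "iface": "ge-0/0/1", "src": VICTIM, "dst": "198.51.100.53",
     "proto": "udp", "dport": 53, "packets": 48000},
    {"router": "isp-a-edge1", "iface": "ge-0/0/1", "src": VICTIM, "dst": "192.0.2.53",
     "proto": "udp", "dport": 53, "packets": 51000},
    {"router": "isp-a-edge1", "iface": "ge-0/0/1", "src": "10.0.0.7", "dst": "192.0.2.1",
     "proto": "udp", "dport": 53, "packets": 9},          # a real customer's own lookups
    {"router": "isp-b-core2", "iface": "xe-1/1/0", "src": VICTIM, "dst": "198.51.100.54",
     "proto": "udp", "dport": 53, "packets": 120},        # the victim's genuine queries
]


def traceback_spoofed_queries(flows, victim, ingress_prefixes):
    """Find where DNS queries *claiming* to come from the victim enter the
    network on an interface that does not carry the victim's prefix.  Those
    interfaces are where the spoofing hosts sit; that is what pooling NetFlow
    across providers buys you."""
    victim_ip = ipaddress.ip_address(victim)
    suspects = Counter()
    for f in flows:
        if f["src"] != victim or f["proto"] != "udp" or f["dport"] != 53:
            continue
        key = (f["router"], f["iface"])
        legit = any(victim_ip in net for net in ingress_prefixes.get(key, []))
        if not legit:
            suspects[key] += f["packets"]
    return suspects


if __name__ == "__main__":
    for filtering in (False, True):
        delivered, amp = run_attack(10, ATTACKER_ISP_CUSTOMERS, filtering)
        print(f"BCP 38 filtering {'on ' if filtering else 'off'}: "
              f"{delivered} bytes hit the victim, amplification x{amp:.1f}")
    for (router, iface), pkts in traceback_spoofed_queries(
            SAMPLE_FLOWS, VICTIM, INGRESS_PREFIXES).most_common():
        print(f"spoofed queries entering at {router} {iface}: {pkts} packets")
```

Two things to notice when running it. The victim can do nothing about the reflectors, exactly as the comment says: `reflect()` is correct DNS behaviour and the responses come from legitimate servers, so the only lever that removes the traffic at its source is `bcp38_passes()` at the spoofer's ISP, and that ISP is never the victim. And the traceback only works on records captured upstream of the reflectors; at the victim's border every flow has a genuine reflector as its source, which is why the operators in the thread had to pool data from several providers.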
