The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz hired by the spammer-tracking outfit to keep its systems online, at 90Gbps. After failing to knock the organisation offline, the attackers targeted CloudFlare's upstream ISPs as well as portions of the networks at internet traffic exchanges in London and Amsterdam.
The volume of this second-wave attack, which began on 22 March, reached 300Gbps, according to an unnamed tier-1 service provider cited by CloudFlare.
By far the largest source of attack traffic against Spamhaus was DNS reflection, which abuses open, public-facing DNS resolvers to flood a chosen target with traffic, as opposed to the usual tactic of relying on a huge botnet of compromised computers.
DNS reflection attacks involve sending a DNS server a query that elicits a large answer (an ANY query for a domain with a big record set, for instance), with the source address of the query forged so that it appears to come from the victim. The server then sends its response, a wad of data many times larger than the query, to the victim instead of the attacker. Because the queries are only a fraction of the size of the responses, the attacker can amplify the attack by a factor of around 100 over the bandwidth he or she actually controls. DNS runs over UDP, so the server has no way to check that the source address is genuine: the fixes are source-address filtering at network edges (BCP 38) and not running recursive resolvers that answer anyone on the internet.
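The following is an added example, not code from this article, CloudFlare or Spamhaus. It shows the mechanism above at the wire level: it builds a DNS ANY query (with an EDNS0 OPT record advertising a 4096-byte UDP payload, which is what allows a reply well over 512 bytes to come back over UDP), parses a reply, and reports the response/query size ratio that the text calls the amplification factor. The reply it scores is constructed inline, so the block runs offline; `example.com`, the 192.0.2.x address and the SPF- and DKIM-sized TXT records are assumptions chosen to resemble a zone with a large record set. The `probe()` function runs the same measurement against a live server and is meant only for resolvers you operate.

```python
"""DNS reflection/amplification measured at the wire level (added example)."""
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 1, 2, 16, 41, 255
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234, edns_size: int = 0) -> bytes:
    """RD=1 query for <name>/<qtype>; a non-zero edns_size appends an EDNS0 OPT record."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if edns_size:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at <off>; handles compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # a 2-byte pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg: bytes) -> dict:
    """Header flags plus (type, rdlength) for every RR: enough to score a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        records.append((rtype, rdlen))
    return {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "answers": an, "records": records, "size": len(msg)}


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <character-string>s of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = (data[i:i + 255] for i in range(0, len(data), 255))
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_response(query: bytes, answers: list) -> bytes:
    """CONSTRUCTED resolver reply: echo the question, set QR/RD/RA, append answers
    whose owner name is the compression pointer 0xC00C (offset 12, the question name)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, QCLASS_IN, 3600, len(rd)) + rd
                    for t, rd in answers)
    return header + question + body


def score(query: bytes, response: bytes) -> dict:
    """Amplification factor plus the two flags that matter: RA set means the server
    recurses for whoever asks (an open resolver); TC set means the answer was cut to
    fit UDP and the attacker gets less than the full record set."""
    r = parse_response(response)
    r["query_size"] = len(query)
    r["factor"] = len(response) / len(query)
    return r


def demo() -> dict:
    """Score a CONSTRUCTED ANY reply for a hypothetical zone with large TXT records."""
    query = build_query("example.com", QTYPE_ANY, edns_size=4096)
    answers = [
        (QTYPE_A, bytes([192, 0, 2, 1])),                      # assumed address (RFC 5737 range)
        (QTYPE_NS, encode_name("ns1.example.com")),
        (QTYPE_TXT, txt_rdata("v=spf1 " + "ip4:192.0.2.0/24 " * 60 + "-all")),
        (QTYPE_TXT, txt_rdata("v=DKIM1; k=rsa; p=" + "A" * 1200)),
    ]
    return score(query, build_response(query, answers))


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Same measurement against a live server (not called here). Use it only on
    resolvers you operate, from outside their network, to see whether they set RA."""
    query = build_query(name, QTYPE_ANY, edns_size=4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return score(query, response)


if __name__ == "__main__":
    r = demo()
    print(f"query {r['query_size']} B -> response {r['size']} B, "
          f"factor {r['factor']:.1f}x, RA={r['ra']}, TC={r['tc']}")
```

With the constructed zone the 40-byte query draws a 2,357-byte reply, a factor of about 59; a zone with more or larger records, or a DNSSEC-signed one, pushes that towards the 100x the text mentions. Nothing in the block forges a source address; the point of `probe()` is the defender's check: if a resolver you run answers an ANY query from an outside address with RA set and no truncation, it is an open resolver and can be used as a reflector.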
CloudFlare reckons there were 30,000 DNS servers involved in the attack against Spamhaus, which might have been launched from only a small botnet or a cluster of virtual servers. The attack against Spamhaus and CloudFlare proved there is a serious design flaw in the underpinnings of the internet, one that security outfits such as Team Cymru have been warning about for years, although the use of DNS servers in DDoS attacks is rare, Rob Horton from NCC Group told El Reg.