Nexusguard Advises Security Officers Not to be Big-Number-Myopic When it Comes to DDoS Mitigation Strategy

Share Article

Nexusguard takes a closer look at the Spamhaus incident and finds that the bandwidth flooding was the least of their problems.

News Image
Nexusguard researcher Frank Tse emphasizes that while big numbers like "300 Gbps" seem scary, they only represent the highest level of flood traffic recorded, and that they are not maintained throughout the entire attack.

In March, non-profit anti-spam organization Spamhaus was the victim of a DDoS attack, which grew to have more than 300 Gbps flood traffic sent to their servers. The attack was widely reported in international media as the largest attack in the history of the Internet. However, the real focus should not be the scale of the attack, but rather the techniques used and vulnerabilities exploited.

Industry-leading anti-DDoS service provider Nexusguard analyzed the incident and concluded that the real culprit is not merely the massive amount of flood traffic, but rather an exploitation of weaknesses in Internet protocols. Organizations should understand that defending against such attacks requires more than simply buying bandwidth.

According to the following characteristics, Nexusguard's research classifies the attack as a DNS reflection attack:

1. Vulnerabilities in Internet protocols: Since the Internet was built around convenience and efficiency, security features are not inherently built into protocols like lCMP, UDP, SNMP, NTP and DNS. They do not verify traffic source, which make them vulnerable to spoofing.

2. DNS amplification attacks: The new DNS protocol allows server responses to be larger than 512 bytes. DNS servers can respond to multiple requests until the packet is full, making it much more efficient than its predecessor. However, this also means that attackers can generate large amounts of responses with a small number of requests.

The attack on Spamhaus cleverly exploits these two vulnerabilities to create the largest Internet traffic flood ever.

Nexusguard researcher Frank Tse emphasizes that while big numbers like "300 Gbps" seem scary, they only represent the highest level of flood traffic recorded, and that they are not maintained throughout the entire attack. Reflection attacks are a relatively basic form of traffic flooding and do not use more sophisticated techniques—not only are they easy to spot, their effects go away quickly once the attacks are responded to effectively.

Nexusguard proposes the following recommendations in response to the Spamhaus attack:

1. Patch vulnerabilities in Internet protocols as soon as possible.

2. Choose an ISP that provides anti-spoofing services to mitigate attacks at the source.

3. Have spare bandwidth available for emergencies. Organizations can consider subscribing to IAAS or MSSP services, which allow occasional bursts and are much more inexpensive than buying additional bandwidth.

4. Choose an Internet security service provider that has a comprehensive understanding of DDoS attacks.

Tse believes that the potency of DDoS flooding attacks will decrease as Internet protocols incorporate source validation mechanisms, and that these vulnerabilities will eventually be addressed as Internet security gains awareness.

However, Tse also says that more sophisticated attacks have now shifted to application layer attacks, which require much less bandwidth and are harder to detect. Organizations should focus on the actual techniques used in attacks rather than on big scary numbers. Furthermore, organizations should secure their networks by working with anti-DDoS service providers that can analyze attacks and keep up with new techniques.

About Nexusguard
Nexusguard was established in 2008 to provide industry-leading end-to-end, cloud-based Internet security solutions. By protecting clients against the ever-increasing and evolving multitude of Internet threats, Nexusguard's cloud-based security solutions empower clients around the globe with uninterrupted services.
Backed with years of experience mitigating thousands of attacks per month, Nexusguard is the leading anti-DDoS provider in the APAC region. With its own scrubbing centers, a highly experience team of security experts and localized support, Nexusguard responds to DDoS attacks quickly and effectively. For more information, please visit

Press Contact :
Stanley Liu - Senior Marketing Executive, Hong Kong

Ivy Wu - Marketing & PR Executive, Taiwan

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Ivy Wu
Follow us on
Visit website