PC Magazine security shares an in-depth analysis of the Spamhaus DDoS attack:
QUOTE: Distributed Denial of Service is the topic of the day, due to a recent massive DDoS attack by Dutch Web host CyberBunker against spam-fighting agency SpamHaus. Just how significant was the collateral damage to the rest of the Internet? CloudFlare, a Web security company directly involved in defending SpamHaus against the attack, likened it to a nuclear bomb, but Keynote Systems, a company that tracks website availability and response time, said it was no more than a blip.
How the attack worked — A Denial of Service attack simply overloads the victim’s servers by flooding them with data, more data than the servers can handle. This can disrupt the victim’s business, or knock its website offline. Launching such an attack from a single Web location is ineffective, as the victim can quickly block that traffic. Attackers often launch a Distributed Denial of Service attack via thousands of hapless computers controlled by a botnet.
What Can Be Done — Wouldn’t it be nice if someone would invent technology to foil such attacks? In truth, they already have, thirteen years ago. In May of 2000, the Internet Engineering Task Force released the Best Current Practices paper known as BCP38. BCP38 defines the problem and describes “a simple, effective, and straightforward method… to prohibit DoS attacks which use forged IP addresses.”
Lock It Down — “Your authoritative server should be available to anyone on the Internet, however, it should only respond to queries about your company’s domain.” In addition to the outward-facing authoritative DNS server, companies need an inward-facing recursive DNS server. “A recursive DNS server is intended to supply domain lookups to all your employees,” explained Nachreiner. “It should be able to reply to queries about all sites on the Internet, but it should only reply to people in your organization.”