How the DDoS Attack on Spamhaus Could Have Been Prevented

DDoSing a Web server has become the de facto way to exact revenge on someone, or some company. Hardly a week, or sometimes even a day, goes by without news of some ongoing DDoS attack. We've seen them launched by everyone from Internet goofs to professional criminals. DDoSing is easy, and it's effective. That's why it's so heavily used.

Usually, though, DDoS effects are not quite like what we saw with Spamhaus earlier this week. As mentioned in that post, a record-setting 300Gbit/s was shot at Spamhaus and its host, CloudFlare, crippling a portion of the Internet for much of the UK and other regions in Europe. The first thing that might come to mind when a DDoS attack strikes is, "What could have been done to prevent it?"

The folks over at CNET have asked the same question, and have produced a simple answer: "Adopt BCP38". What is BCP38, you ask? It's "Best Current Practice #38", a proposed network filtering feature that, at the highest level, prevents IP address spoofing - the leading reason that DDoSers can do what they do. It might surprise you to know that this proposal was published in May of... 2000. Yes, a full 13 years ago, and we're still dealing with DDoSing today.

Essentially, BCP38 would allow servers, routers and other Internet connectivity devices to refuse connections from a spoofed IP address - that is, a fake IP address. Spoofing is easy to do, and because open recursive resolvers on domain name servers send their replies to whatever source address a query claims to come from, DDoSers can amplify traffic from one connection to produce 30x the workload. Easy on their end, very rough on the receiver's end.

The problem is, the fix would require networking equipment of all flavors to implement uRPF (Unicast Reverse Path Forwarding) or access control lists - the latter of which seem impossible given their sheer potential size.
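To make the uRPF check concrete, here is a simplified model of the decision an edge router makes per packet. This is an added example, not code from the article or from any router vendor; the forwarding table, interface names (`cust0`, `cust1`, `upstream`) and packets are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed FIB for a hypothetical ISP edge router: prefix -> next-hop interface.
FIB = {
    "198.51.100.0/24": "cust0",    # block assigned to customer A
    "203.0.113.0/24": "cust1",     # block assigned to customer B
    "0.0.0.0/0": "upstream",       # default route to the transit provider
}

def lookup(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_accept(fib, src, in_iface, mode="strict"):
    """Simplified uRPF decision for one packet.
    strict: the route back to src must leave via the interface the packet arrived on.
    loose:  any route to src is enough (a default route satisfies it)."""
    back = lookup(fib, src)
    if back is None:
        return False
    return True if mode == "loose" else back == in_iface

# Constructed packets: (source address, arrival interface, description).
PACKETS = [
    ("198.51.100.7", "cust0", "customer A using its own address"),
    ("192.0.2.53", "cust0", "customer A port, source forged as a remote victim"),
    ("203.0.113.9", "cust0", "customer A port, source forged as customer B"),
    ("192.0.2.53", "upstream", "genuine traffic arriving from transit"),
]

def verdicts(fib, packets, mode="strict"):
    """Return [(src, in_iface, accepted)] for each packet."""
    return [(s, i, urpf_accept(fib, s, i, mode)) for s, i, _ in packets]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for (src, iface, desc), (_, _, ok) in zip(PACKETS, verdicts(FIB, PACKETS, mode)):
            print(f"{'PASS' if ok else 'DROP'}  {src:<14} on {iface:<8} {desc}")
```

In strict mode both forged packets are dropped at the customer port, while in loose mode the default route lets them through. Strict mode assumes the return path uses the arrival interface, so it also drops legitimate traffic on asymmetrically routed links.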

There are of course many other possible solutions for defeating DDoS attacks, but none of them will come without some major caveats. Sooner or later, though, a solution will need to be implemented, because as it stands, DDoS attacks are way too easy to pull off, and their effect is crippling.