GitHub Survived the Biggest DDoS Attack Ever Recorded (wired.com) 144
A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on five times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."
Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
No botnet? (Score:2)
TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?
Re: (Score:3, Informative)
TFS does give this link: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
So the answer is, vulnerable memcached servers amplify the packets for anyone who can IP spoof. The attacker doesn't need a botnet, because one accidentally exists already.
Re: (Score:2)
How does one generate that much traffic without the need of a botnet?
Maybe it's one of those "unstoppable" weapons that Putin has been bragging about . . . ?
If so, you won't be able to find any information about it . . . unless you hire Russian Hackers to dig it up . . .
Re: (Score:3)
TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?
It depends on what you mean by "botnet". The attacker sent spoofed memcached [wikipedia.org] requests to UDP servers, which were then replicated and forwarded to the victim. In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker. More info here [cloudflare.com].
A bigger question is: Cui bono? Why is someone attacking Github?
Re: (Score:2)
In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker.
Well, if an external actor can force these machines to do their bidding at a time of their choosing - in what sense are they NOT part of a botnet?
Re: (Score:2)
I think the "not a botnet" comes from the fact that there is no malware involved and the servers are not under the control of the attacker.
Well, see, I am basically arguing that the second part of your statement is incorrect. The attacker can get these machines to do exactly what he wants, exactly when he wants it to happen.
Re: (Score:2)
And your argument is flawed. By definition, a botnet requires malware to be running on the systems involved. This is a reflection/amplification attack where a vulnerability in the unsecured target causes it to respond with many times the amount of data sent, and due to the spoofed packet, it responds to the intended target.
Just because a node is tricked into responding, does not mean there's a botnet involved.
Re: No botnet? (Score:2)
The attacker can get these machines to do exactly what he wants, exactly when he wants it to happen.
No, the attacker can get these machines to do one specific thing he wants, exactly when he wants it to happen. If that's your definition of a botnet then every HTTP server is part of a botnet, since I can get any of them to send me a webpage whenever I want one.
Re: (Score:2)
By my thinking, a botnet holding a fig leaf is still a botnet.
Re: (Score:3)
Because too many network admins don't bother to read and implement BCP 38 [ietf.org] on top of too many network admins leaving memcached servers publicly accessible.
Re: (Score:3)
So clearly a penalty should be applied. Whilst they were tricked into the attack, they were committing the attack. So time for the courts to step in, those who committed the actual attack, should be hauled before the courts to prove they did not do the attack willingly and if they can not, pay the criminal penalty for the attack. Ignorance is not excuse, that is their chosen profession, that is their source of income, they have professional liability and should be held to account.
Should not countries suppl
Comment removed (Score:5, Funny)
Re: (Score:2)
The memcached traffic amplification factor is around 15000x, so to get 1.3Tbps of attack traffic requires fewer than 90 hosts with gigabit Internet access.
Re: (Score:1)
" An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. "
why these memcache servers aren't blocking udp from external networks is a question
why the network allows spoofed ip source addresses to be routed to the memcache server is also a question
I think they are saying that the attacker knows there are a lot of open memcache servers around the net. They also know the address of github's network or e
Why? (Score:1)
Re: (Score:1)
These kinds of attacks are often used to mask another attack against the systems. I would want to be extra vigilant on the integrity of accounts and the projects if I were involved with this. Although, the fact that nerd rage is the best and worst kind of rage continues to hold, so it might just be a single retaliatory personality at large.
Re: (Score:3, Interesting)
It happened for the same reason it happened in 2015:
https://www.theverge.com/2015/... [theverge.com]
In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be
Re: (Score:2)
It happened for the same reason it happened in 2015:
https://www.theverge.com/2015/... [theverge.com]
In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be made more aware this is happening...the last time was only three years ago and it was a shocking attempt at China to try and impose censorship of the Internet, as they see fit, inside the firewall AND out. This isn't a conspiracy theory or conjecture, China are very definitely waging an online "war" of sorts and this is more or less a demonstration of their capabilities.
This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses. It's gotten so bad that I just block the whole country. I download the zone file from http://www.ipdeny.com/ [ipdeny.com]
Re: Why? (Score:2)
This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses.
That doesn't mean much. Back in the early 2000's ... someone I know used to have a botnet of tens of thousands of computers, 90% of which were in China. I'm not sure what the situation is these days, but back then Chinese boxes were by far the easiest to "hack", so they were a popular choice. Any scans or attacks being done by this individual would have appeared to be coming from his Chinese botnet, despite the fact that he himself resided in a western nation.
tl;dr the fact that you're seeing attacks fro
Re: (Score:2)
Should be a daily thing.
--
Sometimes I look up, sometimes I look down.
why would someone attack Github? (Score:1)
Re: (Score:2)
A test.
They went after the largest of the large. Github learned they can handle that much traffic. The bot net operators learned their capacity.
What happens when the bot net turns itself towards an entire small country, government site, or any small company that doesn't pay the ransom.
Re: (Score:2)
Well they better hurry because those memcached servers are going to get patched one way or another.
Re: (Score:1)
Attacks don't have to be successful in order to be informative. Now, thanks to the VP of Akamai, it is better known what Prolexic can ostensibly handle. This doesn't mean that GitHub is about to get hit by a 6Tb/s DDoS to check as there's no need, plus if it was successful Akamai would just up the capacity to some greater unknown number.
What it does mean is that a likely amount to DDoS anyone, even when they are protected by Prolexic, can be used as a baseline. As most won't have that high level of protecti
Re: (Score:1)
I've pointed this out elsewhere, but to give you an answer that's probably closer to the truth than people would like to admit, it's almost certainly a repeat of an attack from 2015:
https://www.theverge.com/2015/... [theverge.com]
GitHub has apparently hosted at times (it may still, I don't know) projects and software, plus the source obviously, to circumvent the "Great Firewall" that's used to censor the Internet in China...and they aren't happy about it, as you can probably guess by the whole terabit of bandwidth directe
BotNet? (Score:2)
The memcache servers ARE a ready made botnet.
Imagine if they had made a Beowulf cluster of mem.... oh, wait.....
Sad waste of resources (Score:3)
Such a shame there are nefarious people who do these DDOS. What a huge waste of time and resources by their target entities to defeat the attacks.
Re: (Score:2)
Such a shame there are nefarious people who do these DDOS. What a huge waste of time and resources by their target entities to defeat the attacks.
On the bright side, what survives is strong. Around the turn of the century /. was infamous for having its own DDoS [wikipedia.org] effect, these days it takes huge malicious effort to bring down a site. There's a war on but it's rare that the bad guys win...
Re: (Score:2)
There are always people that have been left out, can't get in, or are disenfranchised in some way or another. Or more simply, these folks can make money, wreak havoc and feel powerful, and have lots of time on their hands. Most importantly, they're k-rad now in their circle. These tools are at their disposal, the internet being open, allows it, until the free market does something, ie: DDos protection.
This is why security isn't and has never been free.
--
'I aint coming down' - Eddie Vedder, cover
I also love this resource (Score:1)
Digital! (Score:4, Funny)
(...) as a digital system assessed the situation (...)
Who knew those analog steam powered ddos protection engines would go out of fashion this fast.
Re: (Score:2)
Those systems are the steam powered version! Newer systems are obviously AI based.
View pictures of such digital systems here:
http://asiaprint.kz/index.php?... [asiaprint.kz]
I check github several times a day (Score:2)
Re: (Score:2)
Slashdot, on the other hand...
Re: (Score:2)
https://twitter.com/githubstat... [twitter.com]
Not the worst scenario (Score:2)
[Akamai] sent the data through its scrubbing centers to weed out and block malicious packets.
There was the challenge to handle the load, but identifying packets to drop was quite easy this time: they all came from same UDP port for memcached.
Re: (Score:2)
Exactly, it shouldn't be too hard to patch this even if this isn't done at the server level.
Given the size of the hole, I like to think that sysadmins and network admins should get sufficient pressure to patch this relatively quickly.
Infrastructure note: UDP doesn't get dropped (Score:2)
Back in the day UDP was considered unreliable because it could be dropped by the network at any time for any reason.
It should be noted that UDP is apparently just as reliable as TCP at the network level, in that equipment in general does -not- drop UDP at all. Behaviorally speaking the network attempts to guarantee delivery of everything, which is interesting and possibly unnecessary.
Re: (Score:2)
The network doesn't normally care if the packet is TCP or UDP, it just tries its best to deliver it. Sometimes it cannot be delivered, usually because of congestion but sometimes because of corruption.
The difference between TCP and UDP is that when your UDP packet does get dropped the network stack on the client/server doesn't care, the application data is simply lost. With TCP the network stack will re-send your data and reduce the transmission rate to try to prevent further packet loss (the assumption be
Re: (Score:2)
Wrong. UDP is considered unreliable because UDP does not guarantee delivery. If you get a UDP packet, the only thing you know
DDOS? (Score:2)
I feel one kind of pain for someone who buys old hardware/software and does their best. I have a whole nuther level of pain for anyone targeted by salivating short-cortexed idiots who for whatever twisted reason decide to target people doing their best (or sitting around in lounge chairs drinking Coronas, long as they aren't hurting anyone).
Costs of subscribing to Akamai Prolexic? (Score:1)
So what kind of costs does Github have from Akamai Prolexic? Do they charge on a per problem basis or an annual subscription?
Here is some info on the firm:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Why does memcached not require authentication? (Score:2)
Forgive me for sounding naive, since I've also been told to deploy memcached in this fashion, knowing that this is insecure, while asking why is memcached deployed without requiring authentication BY DEFAULT?
I feel naive because this is a so-simple-it's-obvious solution.
What am I missing?
Re: (Score:1)
Forgive me for sounding naive, since I've also been told to deploy memcached in this fashion, knowing that this is insecure, while asking why is memcached deployed without requiring authentication BY DEFAULT?
It's the same reason that your home's bedroom door and frame isn't by default built to withstand failing after one good strong kick.
Unlike the exterior doors that are, an internal door does not typically require defenses against attacks that won't be made on them.
Most of us also would not be interested in paying the higher cost of using exterior doors everywhere inside our homes. I know for myself this is true, despite the fact some idiot out there is likely to use an internal door in place of their front d
Re: (Score:2)
It depends on where it's exposed.
If memcached is running somewhere on your backend, that's fine. E.g., a user hits a web page, so your web frontend talks to database and application servers over your intranet to generate a page for that user. Those servers are perfectly fine with unauthenticated memcached on a private LAN. It's not ideal from a security standpoint, but it's enough to prevent this type of attack.
Something is terribly wrong if memcached is responding directly to requests from internet clients
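Added example (not part of any post in this thread): a small audit of memcached start-up options that reports where the exposure discussed above comes from. `-U`, `-p` and `-l` are memcached's own options; the function names, the sample option files and the severity labels are constructed here, and `udp_on_by_default=True` assumes a release before 1.5.6, where UDP follows the TCP port unless `-U 0` is given.

```python
import ipaddress
import shlex

# Options that carry a value, in short and long spelling.
VALUE_OPTS = {"-U": "udp_port", "--udp-port": "udp_port",
              "-p": "tcp_port", "--port": "tcp_port",
              "-l": "listen", "--listen": "listen"}

def parse_options(text):
    """Parse a memcached command line or a Debian-style memcached.conf."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(shlex.split(line, comments=True))   # drops "# ..." comments
    settings = {"udp_port": None, "tcp_port": 11211, "listen": []}
    i = 0
    while i < len(tokens):
        tok, value = tokens[i], None
        if tok.startswith("--") and "=" in tok:            # --udp-port=0
            tok, value = tok.split("=", 1)
        elif len(tok) > 2 and tok[:2] in VALUE_OPTS:       # -U0
            tok, value = tok[:2], tok[2:]
        key = VALUE_OPTS.get(tok)
        if key and value is None and i + 1 < len(tokens):  # -U 0
            i += 1
            value = tokens[i]
        if key == "listen" and value:
            settings["listen"].extend(a for a in value.split(",") if a)
        elif key and value:
            settings[key] = int(value)
        i += 1
    return settings

def classify_address(addr):
    """Label a listen address: loopback, private, all-interfaces, public or unknown."""
    if addr.startswith("["):                  # [v6]:port
        host = addr[1:].split("]", 1)[0]
    elif addr.count(":") == 1:                # v4:port or name:port
        host = addr.split(":", 1)[0]
    else:
        host = addr
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"                      # a hostname: resolve it before trusting it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "private" if ip.is_private else "public"

def audit(settings, udp_on_by_default=True):
    """Return (severity, message) findings for one memcached instance."""
    udp_port = settings["udp_port"]
    if udp_port is None:                      # no -U given: fall back to the default
        udp_port = settings["tcp_port"] if udp_on_by_default else 0
    findings = []
    for addr in settings["listen"] or ["0.0.0.0"]:   # no -l means every interface
        scope = classify_address(addr)
        if scope == "loopback":
            continue
        if udp_port != 0:
            severity = "medium" if scope == "private" else "high"
            findings.append((severity,
                             f"UDP port {udp_port} answers on {addr} ({scope}); set -U 0"))
        elif scope != "private":
            findings.append(("medium",
                             f"TCP port {settings['tcp_port']} bound to {addr} ({scope}); "
                             "use -l with loopback or an internal address"))
    return findings

# Constructed sample option files.
EXPOSED = "# defaults only\n-m 64\n-p 11211\n-u memcache\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"
BACKEND = "--listen=10.0.0.5 --udp-port=0"

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED), ("backend", BACKEND)):
        print(name, audit(parse_options(text)))
```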
Piece-a-cake? (Score:2)
"Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets."
So, they probably just filtered all UDP packets with a source port of 11211. Looks like it was not only the biggest DDOS but also the easiest to defeat...
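Added example (not part of the thread): the source-port signature the comments describe, applied to flow records, showing what it catches and what it leaves alone. The flow record layout, the protected prefix, the thresholds and every address are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumption: the prefix being defended (documentation range, constructed).
PROTECTED = ipaddress.ip_network("192.0.2.0/24")

def is_reflected_memcached(flow):
    """Inbound UDP whose *source* port is memcached's: a reply nobody here asked for."""
    return (flow["proto"] == "udp"
            and flow["sport"] == MEMCACHED_PORT
            and ipaddress.ip_address(flow["dst"]) in PROTECTED)

def triage(flows, min_bytes=10_000_000, min_reflectors=3):
    """Group matching flows per destination; alert on volume from several reflectors."""
    per_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    passed_bytes = 0                      # traffic the signature does not touch
    for flow in flows:
        if is_reflected_memcached(flow):
            entry = per_victim[flow["dst"]]
            entry["bytes"] += flow["bytes"]
            entry["reflectors"].add(flow["src"])
        else:
            passed_bytes += flow["bytes"]
    alerts = {
        dst: {"bytes": e["bytes"], "reflectors": len(e["reflectors"])}
        for dst, e in per_victim.items()
        if e["bytes"] >= min_bytes and len(e["reflectors"]) >= min_reflectors
    }
    return alerts, passed_bytes

def flow(proto, src, sport, dst, dport, nbytes):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "bytes": nbytes}

# Constructed sample: three reflectors answering to one address, plus normal traffic.
SAMPLE_FLOWS = [
    flow("udp", "198.51.100.11", 11211, "192.0.2.10", 40001, 9_000_000),
    flow("udp", "198.51.100.12", 11211, "192.0.2.10", 40002, 8_000_000),
    flow("udp", "203.0.113.5", 11211, "192.0.2.10", 40003, 7_000_000),
    flow("tcp", "203.0.113.77", 51514, "192.0.2.10", 443, 120_000),   # HTTPS request
    flow("tcp", "192.0.2.10", 443, "203.0.113.77", 51514, 900_000),   # HTTPS response
    flow("udp", "203.0.113.53", 53, "192.0.2.20", 33333, 400),        # DNS reply
    flow("udp", "203.0.113.9", 11211, "192.0.2.30", 40004, 1_400),    # one stray reply
]

if __name__ == "__main__":
    alerts, passed = triage(SAMPLE_FLOWS)
    print("alerts:", alerts)
    print("bytes outside the signature:", passed)
```

The single stray reply to 192.0.2.30 matches the signature but stays below both thresholds, so it can be dropped by the filter without raising an alert.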
Re: (Score:1)
Still hilarious that slashdot can't fix the unicode bug. Go ahead and find me another site with that problem. I'll wait.
Re: Too bad slashdot used to cause these (Score:2, Insightful)
What problem?
Unicode support is just a troll. Nobody would use it for anything except trolling.
What's next? You kids want emojis on /.? Should we just go full 4chan and have images?
Re: (Score:1)
Anyone using OSX can't use an apostrophe.
Re: (Score:1)
Sounds like an OSX problem. Why can't they send the appropriate code? It's not like it's some strange and wonderful new character.
Re: (Score:3)
Because macOS / OS X sends a proper apostrophe character, not a prime character. It's an informal standard that's evolved since the 70's that a Prime character is used as an apostrophe, but the prime character (which is a vertical or near vertical tick) is not an apostrophe, nor is it a single quotation mark (aka smart quotes, or unicode characters) - although from a typographical perspective, using a single quotation mark as an apostrophe is a lot closer (or even identical, depending on the font) than usin
Re: (Score:2, Insightful)
Oh, the old we're going to be pedantic wankers because we can.
Who gives a flying rats right ring if it is not "technically the correct character", that's the most pedantic stupid shit I've ever heard.
This would be valid if using "a prime character" was confusing in a typical context.
You know what? It's not. Never have I been reading something and had that: "What the fuck is a prime character doing in that word, I'm confused, I'm not sure I can read and understand this."
Never, happened. True story.
Re: (Score:2)
Dang I wish I could mod you up.
Re: (Score:3)
What's even funnier is how completely false it is. I love a good pedanticism, but this one falls on its face.
The term "prime symbol" or "prime character" only even dates to the 1960s or so. And typewriters already existed, and often had apostrophe and quotation symbols. Any other symbols are typographical or related to accounting. The idea that they would have a special key on a typewriter for writing distances, which is the work ' is doing when it is denoting "prime" (meaning only first, " being being seco
Re: (Score:2)
What's wrong with using a regular unicode apostrophe?
https://www.fileformat.info/in... [fileformat.info]
What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.
Here it is again: '
Re: (Score:3)
What's wrong with using a regular unicode apostrophe?
https://www.fileformat.info/in... [fileformat.info]
What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.
Here it is again: '
That's a prime character you've used (and that I've used in this sentence too)
The apostrophe character is when you have text substitutions turned on, or something like that. It uses the key on the keyboard which has the single and double quotes on it. The curly apostrophe (smart quotes or typographical quotes) is Opt + ] for the opening single quote and Shift + Opt + ] for the closing single quote, or curly apostrophe: ’
“Here’s the curly apostrophe used in a sentence enclosed in typographi
Re: (Score:2)
Well, I’ll be fucked - that seems to work. I haven’t tested typographical quotes on /. for years as “everyone” knows that they don’t work. Quite clearly they do.
Re: (Score:2)
No, that character I used is the unicode apostrophe character.
Unicode prime is 0x2032
I was going to paste in a unicode prime char alongside an apostrophe, but when I preview the post slashdot strips out the prime char.
What you've used in "Here’s" is the unicode right-single-quotation-mark char. https://www.fileformat.info/in... [fileformat.info]
Code x2019
I'm sorry but you're completely wrong.
Re: (Score:2)
Whatever - the fact is that typographical quotes do work on /. so how come some posts are rendered as per the parent post of this long and useless thread - “Now itâ(TM)s just causes”?
Re: (Score:2)
Because they're posted by people like that on purpose? aka: trolling
Re: (Score:3)
That's a prime character you've used
If you're going to be a pedant on the internet, best do your homework [fileformat.info] first.
Re: (Score:2)
The apostrophe has been around a lot longer than computer and typewriter keyboards. The character called an apostrophe by ASCII is named that for (recent) historical reasons and it is not a typographically correct apostrophe. The Unicode consortium recommend using U+2019 - the Right Single Quotation Mark as an apostrophe however U+0027 is the character that exists on most keyboards.
From: http://www.unicode.org/version... [unicode.org]
Apostrophes
U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apostrophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modifier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for automatically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight vertical line and can never represent a curly apostrophe or a right quotation mark.
Re: (Score:2)
The character that ASCII (and therefore Unicode) has called an Apostrophe is rarely, if ever, drawn correctly as an apostrophe in fonts.
When an apostrophe has been typeset correctly, it looks like the top image on the Wikipedia page:
https://en.wikipedia.org/wiki/... [wikipedia.org]
With the invention of the typewriter, a "neutral" quotation mark form ( ' ) was created to economize on the keyboard, by using a single key to represent: the apostrophe, both opening and closing single quotation marks, single primes, and on some typewriters the exclamation point by overprinting with a period. This is known as the typewriter apostrophe or vertical apostrophe. The same convention was adopted for quotation marks.
Both simplifications carried over to computer keyboards and the ASCII character set. However, although these are widely used due to their ubiquity and convenience, they are deprecated in contexts where proper typography is important.
Re: (Score:2)
The vertical tick used as an apostrophe was a temporary measure put in place to simplify keyboards and to simplify the character set when every bit and byte was counted. Even the Unicode consortium recommend that a curly apostrophe be used for printed materials.
http://www.unicode.org/version... [unicode.org]
Encoding Characters with Multiple Semantic Values. Some of the punctuation characters in the ASCII range (U+0020..U+007F) have multiple uses, either through ambiguity in the original standards or through accumulated reinterpretations of a limited code set. For example, 27₁₆ is defined in ANSI X3.4 as apostrophe (closing single quotation mark; acute accent), and 2D₁₆ is defined as hyphen-minus. In general, the Unicode Standard provides the same interpretation for the equivalent code points, without adding to or subtracting from their semantics. The Unicode Standard supplies unambiguous codes elsewhere for the most useful particular interpretations of these ASCII values; the corresponding unambiguous characters are cross-referenced in the character names list for this block.
Apostrophes
U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apostrophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modifier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for automatically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight vertical line and can never represent a curly apostrophe or a right quotation mark.
Punctuation Apostrophe. U+2019 right single quotation mark is preferred where the character is to represent a punctuation mark, as for contractions: “We’ve been here before.” In this latter case, U+2019 is also referred to as a punctuation apostrophe.
As you said, language evolves and we've reached the stage where the systems we use have evolved beyond their original constraints that dictated a single character be used for apostrophe, single right quotation marks,
Re: (Score:2)
If you send an apostrophe for a particular character set you better damn well conform to the right character set. The problem is with assuming that a field is UTF-8 when it clearly is unspecified. Yet I am quite able to make use of these characters in a non-broken browser.
' prime
' apostrophe
" plain quotes
“ ” proper left/right double quotes.
Re: (Score:2)
Nope this is seriously the only site on the entire internet with the problem.
Re: (Score:3)
Please explain why it's not OSX's fault it's not able to speak ASCII?
We're hear to listen.
Re: (Score:2)
There are many websights that don't support ASCII...
Re: Too bad slashdot used to cause these (Score:2, Informative)
You can configure osx and ios to send regular ascii quotes and not "smart quotes".
(Sent from a mac)
Re: Too bad slashdot used to cause these (Score:2)
Whaddya have against âoesmart quotesâ?
They're stupid.
Re: (Score:1)
I'll bet you're a fan of imperial weights and measures too.
Re: (Score:2)
Thanks for the details!
Makes sense.
Re: Too bad slashdot used to cause these (Score:2)
out of principle
It's "on principle."
Re: (Score:2)
It is widely believed that Telugu character is an ageing past his prime actor named Nakarjuna.
Re: (Score:2)
Posted from an iMac running High Sierra.
Re: (Score:2)
The rest of the world will get along just fine without OSX apostrophes.
Re: (Score:2)
So that is where those damn things are coming from!
I will always consider Unicode broken until all the other single and double quote characters are removed from the standard and replaced with the real quotes (0x27 / 0x22)
Re: (Score:1)
The world has survived millions of years without Unicode support. Just why in the hell do you need it here?
Re: (Score:3)
How am I going to post in Klingon w/o Unicode support?
Re: (Score:2)
With a bat'leth.
Re: Too bad slashdot used to cause these (Score:1)
"dumbass websites that don't just use plain ASCII characters."
Every other website except Slashdot.
"dumbass people who don't edit what they post and fix the characters that don't copy/paste properly."
So I copy and paste
âoetrade wars are good, and easy to winâ
or forget that Slashdot can't cope with this Android key £ and of course there's no preview on my phone because Slashdot is 'special'.
dumbass
Re: (Score:1)
"dumbass websites that don't just use plain ASCII characters."
Every other website except Slashdot.
Just because everyone is doing something doesn't mean they are right. They could all be dumbasses. And sometimes that is the simpler explanation.
Re: (Score:2)
>/dev/null
--
"And then there was one" - The Voice
Re: (Score:2)
Because for some completely unknown reason, IP spoofing is still a thing, and most routers still pass packets that claim to come from an IP that couldn't possibly be on the interface it connected from.
I can't even fathom why this is still a thing (or even why it was a thing in the first place) but unfortunately it is, and there doesn't seem to be any way to get these things actually fixed.
This is honestly one of the absolute biggest threats on the internet. Not because it enables this particular attack, but
Re: (Score:2)
The problem isn't that the server sent a response, it's that it sent a response to the wrong person. This was accomplished by spoofing an IP. If the spoofing couldn't happen, then the attacker would only be able to DOS themselves.
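Added example (not part of the thread): the source-address check that the comments above and the earlier BCP 38 reference call for, modelled as a provider edge that refuses packets whose source could not belong to the interface they arrived on. The class, the interface names and the addresses are constructed; the uplink rule assumes single-homed customers, whose prefixes never legitimately arrive from outside.

```python
import ipaddress

class EdgeRouter:
    """Source-address validation at a provider edge, in the spirit of BCP 38."""

    def __init__(self, customer_ports, uplinks):
        # customer_ports: {interface name: [prefixes assigned to that customer]}
        self.customer_ports = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in customer_ports.items()
        }
        self.uplinks = set(uplinks)

    def check(self, ifname, src):
        """Return (forward?, reason) for a packet arriving on ifname with source src."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "malformed source"
        if ifname in self.customer_ports:
            if any(addr in net for net in self.customer_ports[ifname]):
                return True, "source belongs to this customer"
            return False, "source not assigned to this customer port"
        if ifname in self.uplinks:
            # The whole Internet cannot be enumerated, but (assumption: customers are
            # single-homed) our own prefixes never legitimately arrive from outside.
            for nets in self.customer_ports.values():
                if any(addr in net for net in nets):
                    return False, "our own prefix arriving from outside"
            return True, "uplink, source not ours"
        return False, "unknown interface"

# Constructed topology: two customers and one transit link.
ROUTER = EdgeRouter(
    customer_ports={"cust-a": ["198.51.100.0/25"], "cust-b": ["198.51.100.128/25"]},
    uplinks=["transit0"],
)
VICTIM = "203.0.113.10"   # constructed address of the third party being impersonated

# Constructed packets: (arriving interface, claimed source, note).
PACKETS = [
    ("cust-a", "198.51.100.7", "customer A using its own address"),
    ("cust-a", VICTIM, "customer A claiming the victim's address"),
    ("cust-a", "198.51.100.200", "customer A claiming customer B's address"),
    ("transit0", VICTIM, "the victim's own traffic arriving via transit"),
    ("transit0", "198.51.100.7", "customer A's address arriving from outside"),
]

def demo():
    """Verdict per constructed packet: 'forward' or 'drop'."""
    verdicts = []
    for ifname, src, _note in PACKETS:
        ok, _reason = ROUTER.check(ifname, src)
        verdicts.append("forward" if ok else "drop")
    return verdicts

if __name__ == "__main__":
    for (ifname, src, note), verdict in zip(PACKETS, demo()):
        print(f"{verdict:8} {ifname:9} src={src:15} {note}")
```

With the second packet dropped at the first hop, a request carrying the victim's address never reaches a reflector, so any reply goes back to the sender's real address.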