12:13 PM

DDoS Attack Doesn't Spell Internet Doom: 7 Facts

Despite a record-setting DDoS attack against anti-spam group Spamhaus, the Internet remains alive and well. Let's break down the key facts.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Did a spam feud between Spamhaus and the campaign spill over and slow down the Internet worldwide?

That headline-grabbing assertion surfaced Wednesday, following reports that for the past week, a DDoS attack of monster proportions -- three times as large as any previously seen -- had been directed at volunteer anti-spam service Spamhaus.

In the breathless words of multiple news reports, the DDoS campaign, which sported an attack volume that peaked at 300 Gbps, could have interrupted Web browsing for millions of people, slowing Internet exchanges across Europe.

[ Are some hackers exercising a constitutional right? Read Anonymous Says DDoS Attacks Like Free Speech. ]

But does the doom-and-gloom Internet slowdown scenario supposedly triggered by the spat between Spamhaus and Stophaus hold up to scrutiny? Here are seven related facts:

1. CloudFlare Cited The 300 Gbps Attack.

Crucially, reports that Internet users might be seeing slowdowns came not from service providers, but DDoS mitigation service CloudFlare, which said that it signed up Spamhaus as a customer last week. According to CloudFlare, over the past week, as ongoing DDoS attacks against Spamhaus' servers that peaked at 100 Gbps failed to crash its service, attackers set their sights on the providers from which CloudFlare purchases bandwidth.

"We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," CloudFlare CEO Matthew Prince Wednesday said in a blog post titled "The DDoS That Almost Broke the Internet."

"Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," he said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

2. Kaspersky Backs Disruption Theory.

The DDoS attack against Spamhaus might have slowed down the Internet for some users, as well as set DDoS attack volume records, agreed Kaspersky Lab.

"Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date," said Kaspersky Lab's global research and analysis team in an email. "The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or CyberBunker," it said, referring to Dutch hosting provider Cyberbunker, which has been a vocal proponent of the DDoS attacks being launched against Spamhaus.

"Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms," said Kaspersky Lab. "There may be further disruptions on a larger scale as the attack escalates."

3. Service Providers Dispute Disruptions.

Multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users.

At first, some were concerned about the effect that a 300-Gbps DDoS attack might have had. "The DDoS attack was focused at the infrastructure that hosts Spamhaus and their services," James Cowie, CTO of Internet monitoring firm Renesys, said via email. "For a time, that included attacks at the major European Internet exchanges; there was some concern that those exchanges would turn out to be points of failure and that there might be wider impacts on Internet connectivity. Those fears have proven unfounded -- in the grand scheme of things, the traffic rates in this attack were not really significant, compared to the volumes of traffic routinely exchanged at the exchanges, or between large networks." "While some local service may have may impacted, the Internet as a whole did not experience a widespread disruption," said Cowie. "We perform hundreds of millions of Internet measurements daily to measure the performance of the global Internet. Through our analysis we did not see any major shifts in Internet performance from this incident, or degradation of connectivity."

Likewise, a spokesman for Internet backbone operator NTT told Gizmodo Wednesday that while a 300 Gbps attack is "a massive amount of bandwidth to a single enterprise or service provider," global capacities remained well in the multi-terabyte range despite the supposed slowdowns. "I side with you questioning if it shook the global Internet," he said.

4. Undersea Cable Cuts Trumped Spamhaus Attack.

The real Internet outage story this week had nothing to do with Spamhaus, but rather Egypt's naval forces capturing three divers in the Mediterranean who were trying to sabotage an undersea Internet cable. "The recent series of subsea cable cuts is having a much more significant impact on the structure and performance of the Internet," Cowie said. "A large number of countries are affected by very serious network performance problems today as a result of those cuts -- but nothing to do with the DDoSes that have taken place."

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/29/2013 | 2:21:45 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
I appreciate what Spamhaus attempts to do and its objectives, but I have also seen the effects of its methods on email exchanges for those businesses blocked by inclusion of entire address ranges. They've blocked entire subnets capturing both legitimate business with the suspect spam originators. So, I can grasp how a slowdown for those services (http or smtp) that utilize spamhaus as a filter would be seen. I find it a little more difficult to believe that the traffic would cause a general slowdown due to saturation with the possible exception of low capacity nodes where a high percentage of the DDoS traffic may be originated or routed toward Spamhaus. Perhaps watching the routing through a utility like Tor I have developed an exaggerated idea of the number of possible routes available through the internet. Then again, maybe CloudFlare just saw a possibility for a little public recognition?
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
3/28/2013 | 9:31:21 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
A cyber-security story got hyped? By a security vendor? I'm shocked! Shocked, I tell you!

Drew Conry-Murray
Editor, Network Computing
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.