Attacks/Breaches
3/28/2013
12:13 PM
Connect Directly
RSS
E-Mail
50%
50%

DDoS Attack Doesn't Spell Internet Doom: 7 Facts

Despite a record-setting DDoS attack against anti-spam group Spamhaus, the Internet remains alive and well. Let's break down the key facts.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Did a spam feud between Spamhaus and the Stophaus.com campaign spill over and slow down the Internet worldwide?

That headline-grabbing assertion surfaced Wednesday, following reports that for the past week, a DDoS attack of monster proportions -- three times as large as any previously seen -- had been directed at volunteer anti-spam service Spamhaus.

In the breathless words of multiple news reports, the DDoS campaign, which sported an attack volume that peaked at 300 Gbps, could have interrupted Web browsing for millions of people, slowing Internet exchanges across Europe.

[ Are some hackers exercising a constitutional right? Read Anonymous Says DDoS Attacks Like Free Speech. ]

But does the doom-and-gloom Internet slowdown scenario supposedly triggered by the spat between Spamhaus and Stophaus hold up to scrutiny? Here are seven related facts:

1. CloudFlare Cited The 300 Gbps Attack.

Crucially, reports that Internet users might be seeing slowdowns came not from service providers, but DDoS mitigation service CloudFlare, which said that it signed up Spamhaus as a customer last week. According to CloudFlare, over the past week, as ongoing DDoS attacks against Spamhaus' servers that peaked at 100 Gbps failed to crash its service, attackers set their sights on the providers from which CloudFlare purchases bandwidth.

"We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," CloudFlare CEO Matthew Prince Wednesday said in a blog post titled "The DDoS That Almost Broke the Internet."

"Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," he said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

2. Kaspersky Backs Disruption Theory.

The DDoS attack against Spamhaus might have slowed down the Internet for some users, as well as set DDoS attack volume records, agreed Kaspersky Lab.

"Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date," said Kaspersky Lab's global research and analysis team in an email. "The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or CyberBunker," it said, referring to Dutch hosting provider Cyberbunker, which has been a vocal proponent of the DDoS attacks being launched against Spamhaus.

"Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms," said Kaspersky Lab. "There may be further disruptions on a larger scale as the attack escalates."

3. Service Providers Dispute Disruptions.

Multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users.

At first, some were concerned about the effect that a 300-Gbps DDoS attack might have had. "The DDoS attack was focused at the infrastructure that hosts Spamhaus and their services," James Cowie, CTO of Internet monitoring firm Renesys, said via email. "For a time, that included attacks at the major European Internet exchanges; there was some concern that those exchanges would turn out to be points of failure and that there might be wider impacts on Internet connectivity. Those fears have proven unfounded -- in the grand scheme of things, the traffic rates in this attack were not really significant, compared to the volumes of traffic routinely exchanged at the exchanges, or between large networks." "While some local service may have may impacted, the Internet as a whole did not experience a widespread disruption," said Cowie. "We perform hundreds of millions of Internet measurements daily to measure the performance of the global Internet. Through our analysis we did not see any major shifts in Internet performance from this incident, or degradation of connectivity."

Likewise, a spokesman for Internet backbone operator NTT told Gizmodo Wednesday that while a 300 Gbps attack is "a massive amount of bandwidth to a single enterprise or service provider," global capacities remained well in the multi-terabyte range despite the supposed slowdowns. "I side with you questioning if it shook the global Internet," he said.

4. Undersea Cable Cuts Trumped Spamhaus Attack.

The real Internet outage story this week had nothing to do with Spamhaus, but rather Egypt's naval forces capturing three divers in the Mediterranean who were trying to sabotage an undersea Internet cable. "The recent series of subsea cable cuts is having a much more significant impact on the structure and performance of the Internet," Cowie said. "A large number of countries are affected by very serious network performance problems today as a result of those cuts -- but nothing to do with the DDoSes that have taken place."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
3/29/2013 | 2:21:45 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
I appreciate what Spamhaus attempts to do and its objectives, but I have also seen the effects of its methods on email exchanges for those businesses blocked by inclusion of entire address ranges. They've blocked entire subnets capturing both legitimate business with the suspect spam originators. So, I can grasp how a slowdown for those services (http or smtp) that utilize spamhaus as a filter would be seen. I find it a little more difficult to believe that the traffic would cause a general slowdown due to saturation with the possible exception of low capacity nodes where a high percentage of the DDoS traffic may be originated or routed toward Spamhaus. Perhaps watching the routing through a utility like Tor I have developed an exaggerated idea of the number of possible routes available through the internet. Then again, maybe CloudFlare just saw a possibility for a little public recognition?
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
3/28/2013 | 9:31:21 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
A cyber-security story got hyped? By a security vendor? I'm shocked! Shocked, I tell you!

Drew Conry-Murray
Editor, Network Computing
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.