Despite a record-setting DDoS attack against anti-spam group Spamhaus, the Internet remains alive and well. Let's break down the key facts.

Mathew J. Schwartz, Contributor

March 28, 2013

7 Min Read


Did a spam feud between Spamhaus and the Stophaus.com campaign spill over and slow down the Internet worldwide?

That headline-grabbing assertion surfaced Wednesday, following reports that for the past week, a DDoS attack of monster proportions -- three times as large as any previously seen -- had been directed at volunteer anti-spam service Spamhaus.

In the breathless words of multiple news reports, the DDoS campaign, which sported an attack volume that peaked at 300 Gbps, could have interrupted Web browsing for millions of people, slowing Internet exchanges across Europe.


But does the doom-and-gloom Internet slowdown scenario supposedly triggered by the spat between Spamhaus and Stophaus hold up to scrutiny? Here are seven related facts:

1. CloudFlare Cited The 300 Gbps Attack.

Crucially, reports that Internet users might be seeing slowdowns came not from service providers, but DDoS mitigation service CloudFlare, which said that it signed up Spamhaus as a customer last week. According to CloudFlare, over the past week, as ongoing DDoS attacks against Spamhaus' servers that peaked at 100 Gbps failed to crash its service, attackers set their sights on the providers from which CloudFlare purchases bandwidth.

"We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," CloudFlare CEO Matthew Prince said Wednesday in a blog post titled "The DDoS That Almost Broke the Internet."

"Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," he said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

2. Kaspersky Backs Disruption Theory.

The DDoS attack against Spamhaus might have slowed down the Internet for some users, as well as set DDoS attack volume records, agreed Kaspersky Lab.

"Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date," said Kaspersky Lab's global research and analysis team in an email. "The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or CyberBunker," it said, referring to Dutch hosting provider Cyberbunker, which has been a vocal proponent of the DDoS attacks being launched against Spamhaus.

"Therefore, such a DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms," said Kaspersky Lab. "There may be further disruptions on a larger scale as the attack escalates."

3. Service Providers Dispute Disruptions.

Multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users.

At first, some were concerned about the effect that a 300-Gbps DDoS attack might have had. "The DDoS attack was focused at the infrastructure that hosts Spamhaus and their services," James Cowie, CTO of Internet monitoring firm Renesys, said via email. "For a time, that included attacks at the major European Internet exchanges; there was some concern that those exchanges would turn out to be points of failure and that there might be wider impacts on Internet connectivity. Those fears have proven unfounded -- in the grand scheme of things, the traffic rates in this attack were not really significant, compared to the volumes of traffic routinely exchanged at the exchanges, or between large networks."

"While some local service may have been impacted, the Internet as a whole did not experience a widespread disruption," said Cowie. "We perform hundreds of millions of Internet measurements daily to measure the performance of the global Internet. Through our analysis we did not see any major shifts in Internet performance from this incident, or degradation of connectivity."

Likewise, a spokesman for Internet backbone operator NTT told Gizmodo Wednesday that while a 300 Gbps attack is "a massive amount of bandwidth to a single enterprise or service provider," global capacities remained well in the multi-terabyte range despite the supposed slowdowns. "I side with you questioning if it shook the global Internet," he said.

4. Undersea Cable Cuts Trumped Spamhaus Attack.

The real Internet outage story this week had nothing to do with Spamhaus, but rather Egypt's naval forces capturing three divers in the Mediterranean who were trying to sabotage an undersea Internet cable. "The recent series of subsea cable cuts is having a much more significant impact on the structure and performance of the Internet," Cowie said. "A large number of countries are affected by very serious network performance problems today as a result of those cuts -- but nothing to do with the DDoSes that have taken place."

5. Why DDoS Size Doesn't Always Matter.

Still, the DDoS attacks launched against Spamhaus suggest that with a bit of effort, attack volumes -- which on average have remained stagnant in recent years, or even decreased -- can be increased in size. "Arbor has been monitoring DDoS for more than a dozen years and we've seen attack size peaking at around 100 Gbps in recent years," said Dan Holden, director of Arbor Networks' security engineering and response team, in an email.

But DDoS attack size need not matter, because DDoS attackers -- supported by free attack toolkits -- have found effective ways to disrupt websites that don't require launching massive quantities of packets. Instead, they can simply target choke points, for example by launching application-layer attacks.

Such attacks can be just as effective as high-volume attacks. For example, the largest DDoS attack in 2012 peaked at just 60 Gbps, in a year that was filled with DDoS disruptions.

6. At Whatever Volume, DDoS Attacks Are Hard To Stop.

The end result, of course, is still website disruptions. "The attack on Spamhaus, and their upstream security and Internet providers, is yet another example of how DDoS has become the de facto weapon of choice for cyber-activists, cyber-criminals, business competitors and others," said Marty Meyer, president of Corero Network Security, in an email. "Unfortunately, the shared infrastructure that is the Internet can be vulnerable to this type of attack on the DNS system. It illustrates the collateral damage that can be felt by individuals trying to access sites and businesses like Netflix" -- which reportedly saw its service slow down as a result of the Spamhaus DDoS attacks -- "for whom the Web is the cornerstone of their business," he said.

The DDoS attack against Spamhaus also brought predictable dystopian hand-wringing from security vendors envisioning the potential evolution in online threats. "It also raises a worrying red flag that if an organization like CyberBunker could allegedly unleash this much damage, could a cyber-terrorist or state sponsored attacker use similar tactics to disrupt the communication and business channels of its enemies that rely on the Internet?" said Meyer.

7. Easy DDoS Attacks Support Online Grudges.

Case in point: the group calling itself the al-Qassam Cyber Fighters, which has been waging a six-month-long DDoS attack campaign against U.S. banking websites under the banner of "Operation Ababil." Although the group claims to be a cross-border band of Muslim hacktivists incensed over the July 2012 posting to YouTube of a film that mocks the founder of Islam, multiple U.S. government officials have accused it of being an Iranian government front.

Regardless, the group continues to prove itself adept at preventing customers from reaching U.S. banking websites, either by disrupting targeted websites, or leading targeted websites to employ defenses that block some legitimate traffic from reaching their sites. No 300-Gbps attack volume required.


About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
