Attacks/Breaches
3/28/2013
12:13 PM
50%
50%

DDoS Attack Doesn't Spell Internet Doom: 7 Facts

Despite a record-setting DDoS attack against anti-spam group Spamhaus, the Internet remains alive and well. Let's break down the key facts.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Did a spam feud between Spamhaus and the Stophaus.com campaign spill over and slow down the Internet worldwide?

That headline-grabbing assertion surfaced Wednesday, following reports that for the past week, a DDoS attack of monster proportions -- three times as large as any previously seen -- had been directed at volunteer anti-spam service Spamhaus.

In the breathless words of multiple news reports, the DDoS campaign, which sported an attack volume that peaked at 300 Gbps, could have interrupted Web browsing for millions of people, slowing Internet exchanges across Europe.

[ Are some hackers exercising a constitutional right? Read Anonymous Says DDoS Attacks Like Free Speech. ]

But does the doom-and-gloom Internet slowdown scenario supposedly triggered by the spat between Spamhaus and Stophaus hold up to scrutiny? Here are seven related facts:

1. CloudFlare Cited The 300 Gbps Attack.

Crucially, reports that Internet users might be seeing slowdowns came not from service providers, but DDoS mitigation service CloudFlare, which said that it signed up Spamhaus as a customer last week. According to CloudFlare, over the past week, as ongoing DDoS attacks against Spamhaus' servers that peaked at 100 Gbps failed to crash its service, attackers set their sights on the providers from which CloudFlare purchases bandwidth.

"We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," CloudFlare CEO Matthew Prince Wednesday said in a blog post titled "The DDoS That Almost Broke the Internet."

"Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," he said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

2. Kaspersky Backs Disruption Theory.

The DDoS attack against Spamhaus might have slowed down the Internet for some users, as well as set DDoS attack volume records, agreed Kaspersky Lab.

"Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date," said Kaspersky Lab's global research and analysis team in an email. "The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or CyberBunker," it said, referring to Dutch hosting provider Cyberbunker, which has been a vocal proponent of the DDoS attacks being launched against Spamhaus.

"Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms," said Kaspersky Lab. "There may be further disruptions on a larger scale as the attack escalates."

3. Service Providers Dispute Disruptions.

Multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users.

At first, some were concerned about the effect that a 300-Gbps DDoS attack might have had. "The DDoS attack was focused at the infrastructure that hosts Spamhaus and their services," James Cowie, CTO of Internet monitoring firm Renesys, said via email. "For a time, that included attacks at the major European Internet exchanges; there was some concern that those exchanges would turn out to be points of failure and that there might be wider impacts on Internet connectivity. Those fears have proven unfounded -- in the grand scheme of things, the traffic rates in this attack were not really significant, compared to the volumes of traffic routinely exchanged at the exchanges, or between large networks." "While some local service may have may impacted, the Internet as a whole did not experience a widespread disruption," said Cowie. "We perform hundreds of millions of Internet measurements daily to measure the performance of the global Internet. Through our analysis we did not see any major shifts in Internet performance from this incident, or degradation of connectivity."

Likewise, a spokesman for Internet backbone operator NTT told Gizmodo Wednesday that while a 300 Gbps attack is "a massive amount of bandwidth to a single enterprise or service provider," global capacities remained well in the multi-terabyte range despite the supposed slowdowns. "I side with you questioning if it shook the global Internet," he said.

4. Undersea Cable Cuts Trumped Spamhaus Attack.

The real Internet outage story this week had nothing to do with Spamhaus, but rather Egypt's naval forces capturing three divers in the Mediterranean who were trying to sabotage an undersea Internet cable. "The recent series of subsea cable cuts is having a much more significant impact on the structure and performance of the Internet," Cowie said. "A large number of countries are affected by very serious network performance problems today as a result of those cuts -- but nothing to do with the DDoSes that have taken place."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
3/29/2013 | 2:21:45 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
I appreciate what Spamhaus attempts to do and its objectives, but I have also seen the effects of its methods on email exchanges for those businesses blocked by inclusion of entire address ranges. They've blocked entire subnets capturing both legitimate business with the suspect spam originators. So, I can grasp how a slowdown for those services (http or smtp) that utilize spamhaus as a filter would be seen. I find it a little more difficult to believe that the traffic would cause a general slowdown due to saturation with the possible exception of low capacity nodes where a high percentage of the DDoS traffic may be originated or routed toward Spamhaus. Perhaps watching the routing through a utility like Tor I have developed an exaggerated idea of the number of possible routes available through the internet. Then again, maybe CloudFlare just saw a possibility for a little public recognition?
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
3/28/2013 | 9:31:21 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
A cyber-security story got hyped? By a security vendor? I'm shocked! Shocked, I tell you!

Drew Conry-Murray
Editor, Network Computing
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.