12:13 PM

DDoS Attack Doesn't Spell Internet Doom: 7 Facts

Despite a record-setting DDoS attack against anti-spam group Spamhaus, the Internet remains alive and well. Let's break down the key facts.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Did a spam feud between Spamhaus and the campaign spill over and slow down the Internet worldwide?

That headline-grabbing assertion surfaced Wednesday, following reports that for the past week, a DDoS attack of monster proportions -- three times as large as any previously seen -- had been directed at volunteer anti-spam service Spamhaus.

In the breathless words of multiple news reports, the DDoS campaign, which sported an attack volume that peaked at 300 Gbps, could have interrupted Web browsing for millions of people, slowing Internet exchanges across Europe.

[ Are some hackers exercising a constitutional right? Read Anonymous Says DDoS Attacks Like Free Speech. ]

But does the doom-and-gloom Internet slowdown scenario supposedly triggered by the spat between Spamhaus and Stophaus hold up to scrutiny? Here are seven related facts:

1. CloudFlare Cited The 300 Gbps Attack.

Crucially, reports that Internet users might be seeing slowdowns came not from service providers, but DDoS mitigation service CloudFlare, which said that it signed up Spamhaus as a customer last week. According to CloudFlare, over the past week, as ongoing DDoS attacks against Spamhaus' servers that peaked at 100 Gbps failed to crash its service, attackers set their sights on the providers from which CloudFlare purchases bandwidth.

"We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," CloudFlare CEO Matthew Prince Wednesday said in a blog post titled "The DDoS That Almost Broke the Internet."

"Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," he said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

2. Kaspersky Backs Disruption Theory.

The DDoS attack against Spamhaus might have slowed down the Internet for some users, as well as set DDoS attack volume records, agreed Kaspersky Lab.

"Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date," said Kaspersky Lab's global research and analysis team in an email. "The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or CyberBunker," it said, referring to Dutch hosting provider Cyberbunker, which has been a vocal proponent of the DDoS attacks being launched against Spamhaus.

"Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms," said Kaspersky Lab. "There may be further disruptions on a larger scale as the attack escalates."

3. Service Providers Dispute Disruptions.

Multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users.

At first, some were concerned about the effect that a 300-Gbps DDoS attack might have had. "The DDoS attack was focused at the infrastructure that hosts Spamhaus and their services," James Cowie, CTO of Internet monitoring firm Renesys, said via email. "For a time, that included attacks at the major European Internet exchanges; there was some concern that those exchanges would turn out to be points of failure and that there might be wider impacts on Internet connectivity. Those fears have proven unfounded -- in the grand scheme of things, the traffic rates in this attack were not really significant, compared to the volumes of traffic routinely exchanged at the exchanges, or between large networks." "While some local service may have may impacted, the Internet as a whole did not experience a widespread disruption," said Cowie. "We perform hundreds of millions of Internet measurements daily to measure the performance of the global Internet. Through our analysis we did not see any major shifts in Internet performance from this incident, or degradation of connectivity."

Likewise, a spokesman for Internet backbone operator NTT told Gizmodo Wednesday that while a 300 Gbps attack is "a massive amount of bandwidth to a single enterprise or service provider," global capacities remained well in the multi-terabyte range despite the supposed slowdowns. "I side with you questioning if it shook the global Internet," he said.

4. Undersea Cable Cuts Trumped Spamhaus Attack.

The real Internet outage story this week had nothing to do with Spamhaus, but rather Egypt's naval forces capturing three divers in the Mediterranean who were trying to sabotage an undersea Internet cable. "The recent series of subsea cable cuts is having a much more significant impact on the structure and performance of the Internet," Cowie said. "A large number of countries are affected by very serious network performance problems today as a result of those cuts -- but nothing to do with the DDoSes that have taken place."

1 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
3/28/2013 | 9:31:21 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
A cyber-security story got hyped? By a security vendor? I'm shocked! Shocked, I tell you!

Drew Conry-Murray
Editor, Network Computing
User Rank: Apprentice
3/29/2013 | 2:21:45 PM
re: DDoS Attack Doesn't Spell Internet Doom: 7 Facts
I appreciate what Spamhaus attempts to do and its objectives, but I have also seen the effects of its methods on email exchanges for those businesses blocked by inclusion of entire address ranges. They've blocked entire subnets capturing both legitimate business with the suspect spam originators. So, I can grasp how a slowdown for those services (http or smtp) that utilize spamhaus as a filter would be seen. I find it a little more difficult to believe that the traffic would cause a general slowdown due to saturation with the possible exception of low capacity nodes where a high percentage of the DDoS traffic may be originated or routed toward Spamhaus. Perhaps watching the routing through a utility like Tor I have developed an exaggerated idea of the number of possible routes available through the internet. Then again, maybe CloudFlare just saw a possibility for a little public recognition?
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.