The amplified DDoS attack by Web hosting provider CyberBunker against antispam outfit SpamHaus Project is big news. The New York Times weighed in, as did the BBC. DDoS mitigation provider CloudFlare reported that the attack escalated up to Tier 1 bandwidth providers, and that a 300 Gbps DDoS attack slowed connections for many Internet users. But wait a minute. Did you experience a slowdown? Neither did I. In fact, quite a few experts now report that even this biggest-ever DDoS attack didn’t appreciably affect the Internet overall.
Just a Blip?
Keynote Systems constantly monitors the response time of 40 “important US-based business Web sites,” connecting with them from a number of key locations around the world. The average response time varies, but tends to stay roughly in the same range. And the Keynote Performance Index shows only a mild “blip” during the attack.
Keynote expert Aaron Rudger said, “The numbers don’t lie—and that’s a fact.” Referencing a graph of performance over the past four weeks, he noted that “the European agents report back pretty consistent and normal performance throughout … the DDoS event. However, there is a little blip that shows up.”
“We do see,” said Rudger, “that the European agents were experiencing slower response times—up to 40% slower than average—between 8:30am and 2:30pm (PST) on March 26. It is possible that the Spamhaus attack could be related to this slowdown but we can’t be sure.” Rudger noted that thousands of people streaming the big soccer match that occurred at the same time could account for the slowdown. He rejects the claim that the attack caused days of disruption, saying, “We simply do not see [that] from our data.”
Just Hype?
In an extensive blog post, Gizmodo’s Sam Biddle goes a step further, accusing CloudFlare of overstating the problem for their own benefit. CloudFlare, says Biddle, is “responsible for the sky-falling internet weather report, the party that stands to profit directly from you being worried that the Internet as we know it is under siege.”
Biddle’s article displays graphs from independent sources (similar to Keynote) showing no spikes in traffic or in response time. A report from Amazon on Netflix’s hosting showed zero outages during the week. A spokesperson for NTT, “one of the backbone operators of the Internet,” stated that while a 300 Gbps attack is massive, most regions have capacities in the Tbps range, concluding “I side with you questioning if it shook the global internet.”
Biddle concludes that CloudFlare was “trying to scare the internet’s residents thinking they’re the residents of Dresden in order to drum up business.” “If your product is worth a damn,” said Biddle, “you shouldn’t have to lie to the internet to sell it.” Strong words indeed.
Shedding Light on the Problem
Adam Wosotowsky, Messaging Data Architect at McAfee Labs, feels like cutting CloudFlare some slack. Even if they did overhype the situation, “there is no harm in it.” He points out that drawing attention to the problem can help “less prepared sites out there which are not ready for this type of situation simply because they aren’t poking at hornet’s nests all day.” Getting the word out means those companies “might benefit from knowing that their problem is not unique and that there are actually companies that specialize in helping them avert the attacks.”
As for the reported slowdown, Wosotowsky confirmed that McAfee found some websites “significantly affected.” He noted that due to the size of the attack it could well affect “tangential services that are at some point in their path using the same bandwidth.”
“The fact that a colossal freak-out is not warranted,” said Wosotowsky, “doesn’t reduce the importance of the analysis… From the perspective of rooting out safe-havens for malware authors and botmasters the story is indeed worthy.”
Money and Power
Kaspersky Lab’s Global Research & Analysis Team didn’t express any doubts as to the severity of the attack, noting that “the data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal Web services that have no relation to Spamhaus or Cyberbunker.” They went on to observe that “DDoS attacks of this type are growing in terms of quantity as well as scale.”
Why this increase? The team noted two major (and sometimes overlapping) motivations. “Cybercriminals conduct DDoS attacks to disrupt corporations in an effort to extort money from them,” said the team. They may also “[use] DDoS attacks as a weapon to disrupt organizations or companies in pursuit of their own ideological, political or personal interests.” Either way, massive DDoS attacks like this can disrupt service for more than just the attack’s target.
Pay Attention!
The CyberBunker attack used DNS reflection. The attackers sent tiny DNS queries to open recursive resolvers all over the Internet, with the source address of each packet forged to be Spamhaus’s, so every resolver dutifully sent its much larger answer to the target instead of back to the attacker. In effect, it amplifies the attack a hundredfold: a request of a few dozen bytes draws a response of a few thousand. Yes, there are other ways to implement a DDoS attack, but this is the BFG9000 of the bunch. Taking it away means two things: no more resolvers that answer anyone who asks, and no more networks that let packets with forged source addresses out the door.
The Open DNS Resolver Project lists over 25 million servers that their tests show “pose a significant threat.” IT guys, pay attention! Are your company’s DNS servers on that list? Do a little research: make sure your resolvers only answer recursive queries from your own networks (and that your authoritative servers don’t recurse at all), and ask your network operator to deploy ingress filtering (BCP 38) so spoofed packets can’t leave your network in the first place. We’ll all thank you.
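To make the mechanics concrete, here is an added example (not code from the article or from CloudFlare) that builds the small query an attacker would send, parses a resolver’s reply, measures the amplification ratio, and decides from the reply flags whether a resolver is open. The ANY query is for example.com, and the two replies (a full ANY answer from an open resolver and a REFUSED from a locked-down one) are constructed in the script, so it runs offline; the record contents are placeholders, not real zone data. The `probe()` function at the end performs the same check against a live resolver over UDP and is meant only for servers you administer or are authorised to test.

```python
"""DNS reflection, worked through: the query is tiny, the reply is not.
Added example; the zone data below is constructed, not real."""
from __future__ import annotations

import socket
import struct

QTYPE_ANY, QTYPE_A, QTYPE_NS, QTYPE_TXT, QTYPE_DNSKEY = 255, 1, 2, 16, 48


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """The attacker's packet: 12-byte header with RD=1, one question.  Only the
    IP source address (forged to the victim's) distinguishes it from a normal query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def rr(rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """One resource record whose owner is a pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, answers: list[bytes]) -> bytes:
    """Constructed open-resolver reply: QR=1 RD=1 RA=1 RCODE=0, question echoed."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


def refused_response(query: bytes) -> bytes:
    """What a properly restricted resolver sends an outsider: RA=0, RCODE=5 (REFUSED)."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]


def parse_header(resp: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "answers": an, "authority": ns, "additional": ar}


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends.  Replies above the
    path MTU are fragmented, so the packet count grows as well as the byte count."""
    return len(response) / len(query)


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """A resolver that recurses for an arbitrary client answers with RA=1 and
    NOERROR; a locked-down one answers REFUSED (or not at all)."""
    h = parse_header(response)
    return (h["id"] == struct.unpack("!H", query[:2])[0]
            and h["qr"] == 1 and h["ra"] == 1 and h["rcode"] == 0
            and h["answers"] + h["authority"] > 0)


def sample_exchange() -> tuple[bytes, bytes]:
    """Constructed ANY answer: 4 A, 2 NS, 1 TXT (SPF), 1 DNSKEY-shaped record."""
    query = build_query("example.com")
    spf = b"v=spf1 " + b"ip4:192.0.2.0/24 " * 10 + b"-all"
    answers = [rr(QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 5)]
    answers += [rr(QTYPE_NS, encode_name(n)) for n in ("a.iana-servers.net", "b.iana-servers.net")]
    answers.append(rr(QTYPE_TXT, bytes([len(spf)]) + spf))
    answers.append(rr(QTYPE_DNSKEY, struct.pack("!HBB", 257, 3, 8) + bytes(range(128))))
    return query, build_response(query, answers)


def probe(server_ip: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Live check of a resolver you administer: send the query, judge the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False  # no answer to outsiders: not open
    return is_open_resolver(query, reply)


if __name__ == "__main__":
    q, r = sample_exchange()
    print(f"query {len(q)} bytes, reply {len(r)} bytes, x{amplification(q, r):.1f}")
    print("open resolver:", is_open_resolver(q, r))
    print("locked-down resolver:", is_open_resolver(q, refused_response(q)))
```

Even this modest constructed zone turns a 29-byte query into a reply of nearly 500 bytes; a real DNSSEC-signed zone answered with ANY, as in the Spamhaus attack, runs to several kilobytes, which is where the hundredfold figure comes from. Note that the open-resolver decision rests on the RA bit and RCODE, not on the presence of answers alone, because an authoritative server that does not recurse can still answer for zones it hosts.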