What you need to know about the world’s biggest DDoS attack

The last week has seen probably the largest distributed denial-of-service (DDoS) attack ever. It’s being reported in fairly dramatic terms, with the New York Times and BBC talking about the internet getting jammed or slowed down.

So what’s actually going on? Here’s a rundown of some key points:

A what attack?

DDoS attacks, as the “distributed” part suggests, involve large numbers of computers bombarding a target system with traffic, with the idea being to stop that system from functioning. A bunch of South Korean banks and broadcasters got temporarily crippled by such an attack a week ago, for example.

Who got hit this time?

The intended target appears to be Spamhaus, a European organization that maintains a blacklist of ISPs that supposedly host “spam gangs” and refuse to stop serving them as customers. Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18.

The reason was the attack’s sheer volume. At the time, it looked to be around 75Gbps of traffic — which is a lot — hammering Spamhaus’s servers. Cloudflare, the security firm that Spamhaus called for help, subsequently published a good explainer of what happened:

“The largest source of attack traffic against Spamhaus came from DNS reflection… [This method has] become the source of the largest Layer 3 DDoS attacks we see (sometimes well exceeding 100Gbps). Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them…

“The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”
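To make the reflection mechanism concrete from the defender's side, here is a small victim-side detector, added as an example and not taken from the article or from Cloudflare: it walks a handful of constructed UDP flow records (fields modelled loosely on NetFlow; addresses, ports, byte counts and the threshold of three distinct reflectors are all assumptions made for the illustration) and flags local hosts that receive DNS answers from source port 53 which no outbound query of theirs can explain. It also computes the response-to-request size ratio the quote calls amplification.

```python
# Added example, not from the article or Cloudflare: a victim-side detector for
# DNS reflection traffic, run over constructed flow records.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (fields modelled on NetFlow; constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


# Constructed sample: 203.0.113.0/24 is "our" network (the potential victim side).
SAMPLE_FLOWS = [
    # A legitimate lookup: our resolver asks 198.51.100.1 and gets one answer back.
    Flow("203.0.113.10", 40001, "198.51.100.1", 53, 64),
    Flow("198.51.100.1", 53, "203.0.113.10", 40001, 512),
    # Reflected traffic: large answers from several open resolvers arrive at
    # 203.0.113.50, which never sent them a query (its address was spoofed).
    Flow("192.0.2.11", 53, "203.0.113.50", 5000, 3200),
    Flow("192.0.2.12", 53, "203.0.113.50", 5000, 3100),
    Flow("192.0.2.13", 53, "203.0.113.50", 5000, 3300),
    Flow("192.0.2.14", 53, "203.0.113.50", 5000, 3000),
]


def find_reflection_victims(flows, local_net, min_reflectors=3):
    """Return {victim_ip: (distinct_reflectors, unsolicited_bytes)} for local hosts
    receiving DNS answers (src port 53) that no outbound query of theirs explains."""
    local = ip_network(local_net)
    # Outbound queries actually observed: (local host, local port, resolver asked).
    asked = set()
    for f in flows:
        if ip_address(f.src_ip) in local and f.dst_port == 53:
            asked.add((f.src_ip, f.src_port, f.dst_ip))
    reflectors = defaultdict(set)
    unsolicited_bytes = defaultdict(int)
    for f in flows:
        if f.src_port != 53 or ip_address(f.dst_ip) not in local:
            continue
        if (f.dst_ip, f.dst_port, f.src_ip) in asked:
            continue  # a reply to a real query; nothing to flag
        reflectors[f.dst_ip].add(f.src_ip)
        unsolicited_bytes[f.dst_ip] += f.bytes
    return {
        victim: (len(srcs), unsolicited_bytes[victim])
        for victim, srcs in reflectors.items()
        if len(srcs) >= min_reflectors
    }


def amplification_factor(query_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker sends: response size over
    query size, the ratio the Cloudflare explainer describes."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    victims = find_reflection_victims(SAMPLE_FLOWS, "203.0.113.0/24")
    for victim, (n, total) in victims.items():
        print(f"{victim}: {total} unsolicited DNS bytes from {n} resolvers")
    # Constructed sizes: a 64-byte query drawing a 3200-byte answer.
    print(f"amplification: {amplification_factor(64, 3200):.0f}x")
```

On the constructed sample the detector reports 203.0.113.50 receiving 12,600 bytes of unsolicited DNS answers from four resolvers, while the real lookup by 203.0.113.10 is left alone. At the victim this kind of check only tells you an attack is under way; the fix the quote points at sits with the resolver operators, who need to stop answering recursive queries from arbitrary source addresses.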

Whodunnit?

Spamhaus has no shortage of enemies, given its line of business. Spammers are a nasty lot, although there are in fact some serious arguments to be had around the weight carried by blacklists of this kind, and who controls them.

However, all eyes seem to be on CyberBunker, a Dutch host that prides itself on hosting anything except terrorist material and child pornography (Wikileaks was a client). Spamhaus lists CyberBunker (or CB3ROB, as it is also known) as the world’s number-one offender when it comes to hosting spam gangs, and around 18 months ago it blacklisted the host’s ISP, A2B Internet. A2B responded by reporting Spamhaus to the Dutch police as DoS offenders – if you want to delve deeper into that nasty dispute, here are accounts of what happened from CyberBunker, A2B and Spamhaus.

After this latest attack hit, the NYT got hold of one Sven Olaf Kamphuis, who claimed to represent the attackers. Kamphuis claimed CyberBunker was retaliating against Spamhaus in concert with Eastern European and Russian gangs, saying: “Nobody ever deputized Spamhaus to determine what goes and does not go on the internet… They worked themselves into that position by pretending to fight spam.”

Spamhaus itself is reticent about naming CyberBunker as the culprit. I’ve approached CyberBunker for comment, and will add it in if and when I get it.

What about this “slowing down the internet” stuff?

Remember that 75Gbps number? Well, that was then and this is now. The BBC quoted Spamhaus CEO Steve Linford on Wednesday as saying the attack had peaked at 300Gbps. That would make it the biggest DDoS in history – or at least the biggest publicly disclosed DDoS.

Professor Alan Woodward of the University of Surrey, one of the UK’s premier computer security experts, told me that the attack “seems to be orders of magnitude larger than anything seen before”:

“In some places it’s been mounted, it has had some collateral damage, for example Netflix, although these are transient effects… The thing that got people talking is that it’s a DNS amplification attack. The point is, if you’re targeting something and [the target has] a 10Gbps switch, you only have to throw 11Gbps at it and you’ve pole-axed the system. If it is at 300Gbps, then potentially some of the main infrastructure is being affected, though I’m not sure how much it’s really affecting it.”

Woodward used the analogy of a highway. Such an attack could briefly take out the highway ramps, he said, but the “main backbone of it is unlikely to be affected for any length of time”.

The thing is, in terms of figuring out whether this attack really has slowed down chunks of the internet, there are other factors to consider. For example, in the last week we’ve also seen yet another submarine cable cut off Egypt, slowing down internet access in that region. Together, these factors could have a cumulative impact.

“I don’t think there’s any immediate effect on the internet, but it is a wake-up call,” Woodward said. “If it was done really seriously in a wider attack, then it could affect [many users]. Trying to take down the whole internet is impractical, but you could start to decapitate sections of it.”

GigaOM