Global internet slowdown triggered by largest reported DDoS attack

27 Mar 2013

What started as a dispute between spam blockers and a hosting service has resulted in the largest ever distributed denial-of-service (DDos) attack reported, which could have serious repercussions for internet traffic worldwide.

The attacks began on 19 March following the blacklisting of Dutch web hosting firm Cyberbunker by volunteer-based spam fighters Spamhaus.

Based in London and Geneva, Spamhaus is said to be responsible for filtering about 80pc of the world’s daily spam emails. It does so by keeping a database of servers known to be originators of spam, and servers maintained by Cyberbunker were recently added to its blocklists.

Spamhaus uses the Domain Name System (DNS) to distribute its blocklists. This system, which translates the words you type into an address bar (such as into the correct numerical IP address understood by internet protocols, is key to the everyday functionality of the internet.

A number of organisations – Google included – volunteer themselves to mirror Spamhaus’s infrastructure in order to strengthen it against cyber attacks, which are all too common when you’re dealing with disgruntled spammers.

Which is exactly why Spamhaus believes that the recently blacklisted Cyberbunker is responsible for the DDoS attacks it has suffered this week. These attacks flood servers with false traffic, effectively clogging up access so legitimate users fail to reach a website. The attackers are using the DNS to amplify their attack, too, so much so that it has reached proportions heretofore unknown in an attack of this type.

Mildly successful mitigation

Spamhaus recruited the help of web performance and security experts CloudFlare when its website cracked under the strain of the DDoS attacks on Monday. An attack sending 50Gb/s is enough to take down a major bank, while CloudFlare reported on Tuesday that attacks on Spamhaus were reaching 75Gb/s. It has since been reported that this has grown even further to a monstrous 300Gb/s.

This huge figure has invoked the anxieties of internet security experts, who believe that attacks of this size could cripple the core infrastructure of the internet. The New York Times reports that Netflix users are experiencing slow streams and there is genuine concern that the slowdown could begin to effect banking and email services worldwide.

The cause of the large-scale attack is DNS amplification. To flood the Spamhaus website with traffic, attackers are sending queries that give the appearance of coming from Spamhaus to the DNS, which are then amplified, resulting in a deluge of data from all over the world being sent back to Spamhaus.

CloudFare mitigated the attacks using a routing technique called Anycast that allowed them to analyse the requests pouring into Spamhaus and forward on only the legitimate queries. But the attacks have continued and the problem is that DNS servers can’t be shut down without causing major disruptions to the internet, which makes cutting off the attacks extremely difficult.

According to BBC News, the cybersecurity arms of five national police forces are investigating the matter, and it seems the only way to stop these attacks is to arrest the people behind them. However, if Cyberbunker is responsible, it will not be easy to apprehend the culprits seeing as the business is literally housed in a former NATO bunker and claims to have avoided the Dutch authorities before thanks to its unique office space.

ISPs leaving floodgates open

The reason DNS amplification works is because ISPs allow open DNS servers to run on networks instead of limiting them just to paying customers. This is a flaw that has been exploited for years by attackers and can multiply DDoS traffic by 100 times.

If ISPs restricted data leaving their networks to only the IP addresses that belong to their customers, these attacks would not be possible. “Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them,” said CloudFlare CEO Matthew Prince. “If you’re running a network, take a second to make sure you’ve closed any open resolvers before DDoS explodes into an even worse problem than it already is.”

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.