"Global internet slows after 'biggest attack in history'"

Forums › Off topic › "Global internet slows after 'biggest attack in history'"

StevieT

702 posts

Ultimate Geek

#115507 28-Mar-2013 07:29

Not sure if this is the right place to post this article I have just come across: http://www.bbc.co.uk/news/technology-21954636

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#788387 28-Mar-2013 08:51

The BBC is about ten days late with this story. The whole thing started on the 18th March.

Also, it appears that Spamhaus moved to Cloudflare and this absorbed the attack, this on the 22nd.

This article comes almost after the event and I can bet people using other providers barely noticed anything anyway.

Reading the article it sounds to me like some DDoS mitigation technology companies wanted to have their voices heard - and ride the wave of marketing.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#788403 28-Mar-2013 09:21

From Ars Technica...

"When the attack started, on March 18, it measured around 10 Gb/s. On March 19, it hit 90 Gb/s, on March 22 it reached 120 Gb/s. This still wasn't enough to knock CloudFlare or Spamhaus offline. So the attackers escalated.Today, CloudFlare wrote that one of the Internet's big bandwidth providers is seeing 300 gigabits per second of traffic related to this attack, making it one of the largest ever reported."

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

c3rn

291 posts

Ultimate Geek

#788425 28-Mar-2013 09:49

Must be running pretty powerful systems or have a massive botnet to launch such attacks?

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#788428 28-Mar-2013 09:52

The blog post by Cloudflare says it would take only a small amazon cluster to generate the traffic due to the multiplication of request/reply size.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#788434 28-Mar-2013 10:05

c3rn: Must be running pretty powerful systems or have a massive botnet to launch such attacks?

It's a DNS amplification type attack. A good number of machines sending out DNS requests with the return IP pointing to the victims servers. Open DNS servers around the world reply to the response going back to the victimis.

Zeon

3916 posts

Uber Geek

Trusted

#788449 28-Mar-2013 10:23

Another reason to check your DNS servers to make sure they aren't open relays!

Speedtest 2019-10-14

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#788456 28-Mar-2013 10:26

There are enough stupid people that run their own DNS at home (and some businesses) on the DMZ or not bound to LAN only...

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#788520 28-Mar-2013 12:29

More evidence this seems to be a Europe only kind of attack...

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#789123 29-Mar-2013 10:10

Let me put this another way after looking at how things worked...

There's an interesting book called Trust Me, I'm Lying.

The guy works in marketing and explains how companies can "amplify" their marketing efforts by using blogs and mainstream media.

In one example someone posts a blog entry about a product. He sends the tips up to a bigger blog, and then after a few days the story shows up on The New York Time or Washing Post. From there the marketing folks can easily add that information to Wikipedia for example because even though a blog is not a "source" for some articles on Wikipedia, those other newspapers are - and the marketing folks got the "credible source" now to make their story/product page on Wikipedia.

If you look at the Cloudflare blog, they link to The New York Times, which is a story about themselves saving Spamhaus.

They can clearly say in their blog that TNYT is a credible source. They aren't saying the attack was the largest in the world. TNYT is saying it. They aren't saying they saved the Internet, TNYT is saying it. And we all trust mainstream journalism.

But what if someome in the inside sent a tip to TNYT and the journalist wasn't very thorough at investigating?

Have you personally felt affected by this "massive attack" that "almost broke the Internet"? No, me neither.

As found on Gizmodo (which is another non-reliable blog sometimes, but at least here we have credible sources).

This is from NTT:

I'm afraid that we don't have anything we can share that substantiates global effects. I'm sure you read the same 300gbps figure that I did, and while that's a massive amount of bandwidth to a single enterprise or service provider, data on global capacities from sources like TeleGeography show lit capacities in the tbps range in most all regions of the world. I side with you questioning if it shook the global internet.

This is from Renesys:

We believe that the DDOS attack potentially had severe impacts on the websites it was directed at, however, according to our data, the Internet as a whole did not experience a wide spread disruption.

Just to put it in perspective the traffic estimates for the DDOS attack were as high as 300 Gbps at the target. That would easily overwhelm the average hosting center, but not a core component of the Internet. For example, DECIX, the German Internet exchange in Frankfurt, regularly handles 2.5 Tbps at peak on any given day: http://www.de-cix.net/about/statistics/

While it may have severely affected the websites it was targeted at, the global Internet as a whole was not impacted by this localized incident.

So at best a regional problem, at worst a marketing attack on corporates to convince them there's a monster at large and there's a solution at hand.

Or just read The Guardian Spamhaus Internet attack: was it all a PR stunt?.

But, wait... The Guardian is quoting Gizmodo, which now amplifies and perhaps even "legitimises" the blog post.

You see how things go around?

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#789301 29-Mar-2013 16:07

And NetworkWorld says this was hyped:

"The hundreds of websites that Keynote monitors showed no performance changes that were out of the ordinary at all, says Aaron Rudger, senior market manager at Keynote, which went back and closely compared U.S. Web performance to European performance to see if it could find evidence to support all these Internet slowdown assertions heard in both the European and U.S. the media."

jpollock

600 posts

Ultimate Geek

Trusted

#789464 29-Mar-2013 23:50

A response from one of CloudFlare's upstream providers.

http://cluepon.net/ras/gizmodo

First off I can confirm a few basic facts, namely that we really did 
receive a ~300 Gbps attack directed at Cloudflare, and later 
specifically targeted at pieces of our core infrastructure. This is 
definitely on the large end of the scale as far as DoS attacks go, but 
I wouldn't call it "record smashing" or "game changing" in any special 
way. It's just another large attack, maybe 10-15% larger than other 
similar ones we've seen in the past, and I'm certain we will continue 
to see even larger ones in the future as global traffic levels 
increase. What made this particular attack notable is where it was 
targeted, which greatly increased the number of people who noticed it.

It's a really good post, full of information on what happened.

Still, we've got a list of NZ companies which are operating systems in an insecure fashion which is impacting other organisations. How do we effect a change in their behaviour?

---
http://blog.jason.pollock.ca

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#790564 2-Apr-2013 11:46

Try Orcon:

Anybody know why Orcon Genius is wide open and allows DNS resolution? I'm browsing the net using somebody's Orcon IP right now..
— Steve Biddle (@stevebiddle) March 28, 2013

quentinreade

351 posts

Ultimate Geek

Trusted

2degrees

#790594 2-Apr-2013 12:26

Wide-open is a little exaggerated. If you turn the firewall off, on some firmware there is a risk of an exploit – although too few devices to be a serious target for exploitation perhaps. Thanks for spotting it Steve – the guys are fixing it as we speak.

Comms chap

2degrees