Spamhaus DDoS attack just another day for ISPs

Large-scale denial-of-service attack was only noteworthy because attackers hit Internet exchange points, says GTT's CTO

The large-scale DDoS attack recently targeting Spamhaus wasn't as unprecedentedly devastating or potentially Internet-crippling as certain media outlets or organizations (ahem, CloudFlare) may have liked us to believe. That's according to such experts on the matter as Richard Steenbergen, CTO at GTT, one of CloudFlare's very own network providers.

In an open letter to Gizmodo, Steenbergen provided some insider perspective as to what really went down: Any degradation of Internet performance was a "completely unrelated and unintended side effect" of the DDoS attacks, resulting from an inherent shortcoming in Internet architecture.

It started with attackers launching a large-scale, 300Gbps DDoS attack on Spamhaus, a provider of data for Internet traffic filters. The organization turned to CloudFlare, a global content-delivery network aimed at improving website performance, for support. CloudFlare and its own providers evidently followed appropriate protocol to thwart the attack, which per Steenbergen was neither "record smashing" nor "game changing" in any special way.

"In our case, we worked with CloudFlare to quickly identify the attack profile, rolled out global filters on our network to limit the attack traffic without adversely impacting legitimate users, and worked with our other partner networks (like NTT) to do the same," he wrote.

Had the DDoS attack ended then and there, "nobody in the 'mainstream media' would have noticed, and it would have been just another fun day for a few geeks on the Internet," Steenbergen wrote.

But rather than giving up on wreaking havoc, attackers shifted their focus to any interconnection points they could find, ultimately targeting some of the world's largest IXPs (Internet exchange points), including LINX (in London), AMS-IX (in Amsterdam), and DE-CIX (in Frankfurt). An IXP is "essentially just a large switched LAN, which acts as a common meeting point for different networks to connect and exchange traffic with each other," according to Steenbergen.

In targeting the IXPs, the attackers perhaps unwittingly managed to exploit an inherent shortcoming in IXP architecture: "One downside to the way this architecture works is that there is a single big IP block used at each of these IXPs, where every network who interconnects is given one IP address, and this IP block can be globally routable," he explained.

Thus, when the attackers started bombarding the IXPs with bogus traffic, they managed to slow down a good chunk of traffic flowing along the Internet tubes. Ultimately, "IXP operators were able to work with everyone to make certain the IXP IP blocks weren't being globally re-advertised," Steenbergen explained.

The vast majority of global Internet traffic does not travel over IXPs, he noted, though the portion that does "collectively still adds up to be a pretty big chunk of traffic."

Still, the impact of the attack on those IXPs wasn't overly significant. Keynote, which measures mobile communications and Internet performance, reported seeing "pretty consistent and normal performance" throughout the duration of the DDoS attack. "In other words, the Internet appears to be relatively 'unclogged' throughout most of the DDoS event," said Aaron Rudger, Web performance marketing owner at Keynote, in a written statement. "The claims have been of 'days of disruption' -- which we simply do not see from our data."

Rudger did observe response times in Europe between 8:30 a.m. and 2:30 p.m. Pacific Time on March 26 that were 40 percent slower than average. "It is possible that the Spamhaus attack could be related to this slowdown but we can't be sure," he wrote. "There was a big soccer game also being played during that timeframe. If thousands of people were streaming it, that could constrict bandwidth."

This story, "Spamhaus DDoS attack just another day for ISPs," was originally published at InfoWorld.com.
