How the massive cyberattack may have been overblown

Some media outlets labeled Wednesday's internet slowdown the 'biggest cyberattack in history,' but in reality the disruption went largely unnoticed by users. Still, incidents like these highlight the internet's fragility and may prompt necessary fixes.

A man passes Communications House, a building listed as containing an office of the Spamhaus Project Ltd, in London March 27, 2013.

REUTERS/Luke MacGregor

March 27, 2013

Is it "the biggest cyberattack in history"? Or just routine flak that network-security providers face all the time?

News websites across the Western world proclaimed Internet Armageddon today (March 27), largely due to a New York Times story detailing a "squabble" between the spam-fighting vigilantes at Spamhaus and the dodgy Dutch Web-hosting company Cyberbunker.

"Fight Jams Internet," the Times headline said. "Global Internet slows," the BBC proclaimed in the wake of the Times' story. Both websites alleged that Netflix streaming was slowing down as a result.

The reality is less exciting, though still serious. The Internet disruptions, which were centered in Western Europe, appear to be largely over, and were largely unnoticed even when occurring.

But, if anything, the incident may prompt a fix for a basic security flaw in the Domain Name System that serves as one of the underpinnings of the Internet.

"Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations at San Francisco-based network-security provider nCircle.

Too much information

Cyberbunker appears to be behind a massive distributed denial-of-service (DDoS) attack that first tried to first take down Spamhaus, then Spamhaus' network-reliability provider CloudFlare, and finally this past Saturday (March 23) hit CloudFlare's own bandwidth providers in Europe.

Boston-based Akamai Networks told the Times, and Spamhaus told the BBC, that the last round of attacks peaked at 300 gigabits per second, possibly the largest amount of bandwidth ever recorded during a DDoS attack.

Can Syria heal? For many, Step 1 is learning the difficult truth.

According to a CloudFlare blog posting, the attack was launched on March 18 and immediately involved a tactic called DNS amplification, in which unprotected Domain Name System (DNS) servers are used to flood targeted servers with huge amounts of useless information, tying up bandwidth and processing time.

The attacks increased in volume during the week, finally peaking on Saturday when, according to CloudFlare, half of the infrastructure on the London Internet Exchange, an Internet node connecting several large-scale networks, was tied up by the attack. (CloudFlare is based in Palo Alto, Calif., but runs a global network.)

DNS servers are essentially the phone books of the Internet. Every Internet-connected device, from your computer to your smartphone, uses them to match a website address that humans use, such as "www.technewsdaily.com," with an Internet Protocol address that computers and routers use, such as "207.86.128.60."

DNS servers are essential, yet many remain "open," which means they will accept lookup requests from anyone, not just their specified clients.

Attackers make lookup requests using the IP addresses of their targets, then request tons of information, which ends up flooding the targeted servers with huge amounts of DNS information.

[5 (Probably) American Cyberweapons]

Did two wrongs make a bigger wrong?

Spamhaus, a group of related companies based in London and Geneva, was started in 1998 to track and combat email spam and spammers. It maintains a blacklist of Web-hosting companies known to host spammers, and a whitelist of known "clean" Web hosts.

Both lists are used by Internet service providers around the world, and Spamhaus is partly responsible for the huge drop in email spam in recent years.

Some Web-hosting companies have complained they've been unfairly placed on the Spamhaus blacklist. Spammers have launched DDoS attacks against Spamhaus' website and servers. (There's even a "Stophaus" website based in Russia and dedicated to combating what it calls Spamhaus' "underhanded extortion tactics.")

It appears Cyberbunker has both complained and attacked.

Cyberbunker bases its operations in a decommissioned NATO bunker, built to withstand a nuclear war, in the southern Netherlands. The company was founded in 1998 by a group of hackers who proclaimed the "Republic of Cyberbunker," a sovereign state "surrounded by the Netherlands on all borders."

The company pledges not to ask questions about what its clients are up to.

"In most cases we have no idea as to who or where our customers actually are," the Cyberbunker site proclaims. "Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine."

Such a policy has attracted some unsavory clients, including the file-sharing site The Pirate Bay, and, according to Spamhaus, the cybercrime gang known as the Russian Business Network. Cyberbunker also claims to have been raided by a Dutch police SWAT team, which apparently found nothing incriminating on the premises.

It was Cyberbunker's alleged hosting of spammers that caused Spamhaus to place both Cyberbunker and its ISP on the Spamhaus blacklist in the fall of 2011.

As a result, Cyberbunker's ISP dropped it as a client, but both the ISP and Cyberbunker posted long manifestos about why Spamhaus was evil.

The issue seems to have lain dormant until March 18, when a false Anonymous campaign called "Operation Stophaus" was proclaimed on the online bulletin board Pastebin.

It listed a litany of complaints against the "tax-circumventing self-declared Internet terrorists" of Spamhaus, then added a variant of the Anonymous "We Are Legion" tagline.

That posting may have been cover for the DDoS attacks that began the same day. In a statement to the New York Times, Sven Olaf Kamphuis, who claimed to speak for Cyberbunker, and whose Google+ page gives his residence as "Republic Cyberbunker," affirmed that the Dutch hosting company was behind the attacks.

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Kamphuis told the newspaper. "They worked themselves into that position by pretending to fight spam."

It's hard to see how such an attack can be legally justified. The Netherlands has famously lax laws governing the Internet and other digital communications, but odds are Cyberbunker will be facing another SWAT raid very soon.

Fixing a hole

For his blog posting, CloudFlare's Matthew Prince used the headline "The DDoS That Almost Broke the Internet." That's not entirely accurate, since the problems were rather localized.

However, the attack may prompt an overhaul of the DNS system. Prince and others have been vocal about the need to lock down most or all DNS servers so they no longer respond to lookup requests from anyone.

That move would go against the model of openness and accessibility that's guided the Internet for 40 years. The idea has always been that any Internet-connected device can reach any other using any path, and open DNS servers are essential to that model.

But the problem of DNS-amplified attacks has been growing exponentially in just the past few months.

The ongoing attacks against U.S. bank websites which began last September use the tactic, and have reached 100 Gbps at times.

If this week's unrelated attacks truly did hit 300 Gbps, the end to the open-DNS server model may be inevitable.

Follow Paul Wagenseil @snd_wagenseil. Follow us @TechNewsDailyFacebook or Google+.