Did the Spamhaus DDoS Really Slow Down Global Internet Access?

CowboyRobot writes "Despite the headlines, the big denial of service attack may not have slowed the Internet after all. The argument against the original claim include the fact that reports of Internet users seeing slowdowns came not from service providers, but the DDoS mitigation service CloudFlare, which signed up Spamhaus as a customer last week. Also, multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users. And while some users may have noticed a slowdown, the undersea cable cuts discovered by Egyptian sailors had more of an impact than the DDoS."

reporting

[gbjbaanb]

as usual, ArsTechnica does a much better job of describing this, slashdot eds, take note please!

The best text-only (no ads!) reply though is from Richard A Steenbergen who responded to the gizmodo article. This guy works at one of the tier 1 providers and described the problem, particularly that the DDoS wasn't a big deal for them but that the attack on the INX exchanges might have been.. but turned out not to be after a little tweaking of their filters.

Nevertheless, the problem that I can see is that the internet is open to these kind of attacks. Now Spamhaus can get CloudFlare to handle these attacks on their behalf (for a lot of free advertising) but MyLittleSite.com cannot, and that leave them open to extortion attacks from the criminals who run these DDoSs. Surely a more appropriate response would not be "yeah, we're great, we can handle a poxy 300Gbps" but "we need to sort out this so the baddies cannot screw people with impunity". I'd prefer a technical resolution (eg ingress/egress filtering, rate limiting, non-recursive responses from outside your domain) to legal ones which is all there is at the moment it seems.

Re:reporting

[geoskd]

A technical solution would require redefining the IP standard.

Not really, Two things would go a long way towards ending the ddos threat permanently. First, Implementing gateway sanity checks that already exist. If a provider is forwarding packets with spoofed IP address', then un-peer them until they fix their configurations.

Second, is an out of band feature which provides a mechanism where the recipient of a packet can flag that packet as malicious and ask the upstream connection to shut them down at their source. This feature should be recursive, and with the same sanity checks to make sure the requests are legitimate.

As a result of these two, a ddos begins: The recipient computer starts flagging IP address and requesting that their host provider shut off the flows from each IP as they are identified. Host provider filters everything from that IP. for a random interval between 10 minutes and a half hour. The host IP also passes the filter request upstream to the next link in the chain. This process continues until it backtracks all the way to each source machine, which finds itself disconnected for 10 minutes. If the owner is private, then they will call their ISP to find out why their connection sucks, at which point the ISP tells them, your machine is taking part in an illegal ddos. If you don't know how to fix it, take your computer to the local shop to have it cleaned, and have them explain internet security to you while they're at it. If the computer is institutional, then their IT department is going to have one heck of lot of explaining to do, being as they have compromised servers and had to be told by their ISP that they have a problem... Either way, no bot net operator will risk having their botnet dismantled automatically without a very long thought about what they are trying to accomplish. Additionally, no ddos would be effective for more than a few minutes as the requests filtered back upstream and shut it down at its distributed sources.

The biggest complaint I always hear about this plan, is what if someone spoofs shutdown requests to get someone disconnected. That kind of spoofing could only work if one of the intermediate nodes is compromised, or the IP validation is not enabled. either way, it requires that the network be broken in easily fixable ways, which presumably will be fixed as soon as discovered. Think of the whole system as an autoimmune reaction to infection. Terribly effective and largely automatic.

-=Geoskd

SPAMHaus Promo Stunt

It's definitely a way for SPAMHaus to make the headlines. Whether it is proper conduct, especially for a trust-based organisation like SPAMHaus, is the real question.

DNSBL is not the way to fight spam. I've worked for several large ESP's, and we've had more issues with false positives and various DNSBL's blocking regular, solicited email everytime some angry recipient with a vengeace decided to file a spam-report, instead of just opting-out from the mailing they opted-in for themselves.

This has led to us using less and less DNSBL-related spam-filtering. Most of our spam-filters are now 'smart', using the recipient's own preferences to decide whether a mail should be blocked or not. I'm sure DNSBL's like spamhaus are feeling the heat, and stunts like these may give them the exposure they need to get some fresh customers.

But it's definitely sounds a bit 'shadey' to launch a misinformation-campaign for this, especially for an antispam-firm.

people slag DNSBLs... but need to learn

[Onymous+Coward]

People like to hear that DNSBLs are a problem. And then they like to repeat the accusations. Not sure how folks have gotten attached to the idea, but I'm certain it's not from detailed investigation.

For one thing, don't conflate the mechanism with the implementations. Anyone can publish a DNSBL. You could. And you could make your list all false positives. It would be a bad idea for people to subscribe to your list. Caveat emptor, right?

And that's why you get false positives. You've chosen badly. And you're not using the lists for scoring — sounds like you're using them as final arbiters.

The "trick" to getting DNSBLs to work is to choose wisely. You have to do some research into how the lists are made, and since it's you who will be blocking emails based on the information provided by the lists, it's your responsibility to understand the nature of that information. What are the listing/delisting policies? If you don't know, you're not being a smart consumer. "... everytime some angry recipient with a vengeace decided to file a spam-report ..." Hopefully you know better than to think that every DNSBL is made this way.

And the "smart" spam filters, so you know, are resource intensive. Instead, it's possible to eliminate lots of spam using extremely low resource checks. Validating the SMTP "HELO" (requiring they give FQDN, non-bare address literals, not your domain or IP, and a couple other checks as per RFC) will nix half of spam off the bat. And you can eliminate another third of spam (two-thirds the spam passing HELO checks) by using (well-chosen) DNSBLs. DNS lookups are cheap (and you can download zone files of you're worried about outages). That's 83% of spam cheaply nixed, all before you even get to "MAIL FROM:". If your "smart" checks are building Markov chains and feeding a naive Bayes classifier, that's gonna take time and effort in processing power, in disk resource, in procedures and staff attention/knowledge for maintenance.

DNSBLs are clearly a way to fight spam. But you have to know what they are and how to use them.

Shopping for DNSBLs takes effort, it's true. If you want to do a good job. Once upon a time, Al Iverson's http://www.dnsbl.info/ was up-to-date and gave wonderful statistics on success rates of the various lists (using his (rather knowledgeable) measures). Doing the research now without such a resource is much more challenging.

I use Spamhaus's XBL and SpamCop's SCBL. That's it. Combined, those give me the aforementioned inexpensive 33% spam reduction. (If I used them before the HELO checks the reduction would probably be near 75%, my guess.) I vetted the lists for efficacy (true positives v. false positives), policy (how they're made, listing and delisting), and longevity/reputability. I've been using these guys for 5 years without a hiccup.