Did the Spamhaus DDoS Really Slow Down Global Internet Access?

CowboyRobot writes "Despite the headlines, the big denial of service attack may not have slowed the Internet after all. The argument against the original claim include the fact that reports of Internet users seeing slowdowns came not from service providers, but the DDoS mitigation service CloudFlare, which signed up Spamhaus as a customer last week. Also, multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users. And while some users may have noticed a slowdown, the undersea cable cuts discovered by Egyptian sailors had more of an impact than the DDoS."

reporting

[gbjbaanb]

as usual, ArsTechnica does a much better job of describing this, slashdot eds, take note please!

The best text-only (no ads!) reply though is from Richard A Steenbergen who responded to the gizmodo article. This guy works at one of the tier 1 providers and described the problem, particularly that the DDoS wasn't a big deal for them but that the attack on the INX exchanges might have been.. but turned out not to be after a little tweaking of their filters.

Nevertheless, the problem that I can see is that the internet is open to these kind of attacks. Now Spamhaus can get CloudFlare to handle these attacks on their behalf (for a lot of free advertising) but MyLittleSite.com cannot, and that leave them open to extortion attacks from the criminals who run these DDoSs. Surely a more appropriate response would not be "yeah, we're great, we can handle a poxy 300Gbps" but "we need to sort out this so the baddies cannot screw people with impunity". I'd prefer a technical resolution (eg ingress/egress filtering, rate limiting, non-recursive responses from outside your domain) to legal ones which is all there is at the moment it seems.

Re:reporting

[Hentes]

A technical solution would require redefining the IP standard.

Re:reporting

[heypete]

Now Spamhaus can get CloudFlare to handle these attacks on their behalf (for a lot of free advertising) but MyLittleSite.com cannot, and that leave them open to extortion attacks from the criminals who run these DDoSs.

Why not? CloudFlare has a free tier specifically designed for smaller sites. It's mostly used by bloggers and stuff to cache static content than for DDOS protection, but it offers the same level of functionality. The paid service they offer has extra features like SSL support and other options, but all levels of the service offer DDOS protection.

Re:reporting

[sl4shd0rk]

resolution (eg ingress/egress filtering, rate limiting, non-recursive responses from outside your domain) to legal ones

Umm.. I'm not sure I follow you. The DDoS was comprised of DNS Reflection. Trying to add filtering at layer 2/3 is absolutely pointless since you're saturated at layer 0. The physical hardware is overwhelmed trying to keep up with the packets coming in.

Re:reporting

[geoskd]

A technical solution would require redefining the IP standard.

Not really, Two things would go a long way towards ending the ddos threat permanently. First, Implementing gateway sanity checks that already exist. If a provider is forwarding packets with spoofed IP address', then un-peer them until they fix their configurations.

Second, is an out of band feature which provides a mechanism where the recipient of a packet can flag that packet as malicious and ask the upstream connection to shut them down at their source. This feature should be recursive, and with the same sanity checks to make sure the requests are legitimate.

As a result of these two, a ddos begins: The recipient computer starts flagging IP address and requesting that their host provider shut off the flows from each IP as they are identified. Host provider filters everything from that IP. for a random interval between 10 minutes and a half hour. The host IP also passes the filter request upstream to the next link in the chain. This process continues until it backtracks all the way to each source machine, which finds itself disconnected for 10 minutes. If the owner is private, then they will call their ISP to find out why their connection sucks, at which point the ISP tells them, your machine is taking part in an illegal ddos. If you don't know how to fix it, take your computer to the local shop to have it cleaned, and have them explain internet security to you while they're at it. If the computer is institutional, then their IT department is going to have one heck of lot of explaining to do, being as they have compromised servers and had to be told by their ISP that they have a problem... Either way, no bot net operator will risk having their botnet dismantled automatically without a very long thought about what they are trying to accomplish. Additionally, no ddos would be effective for more than a few minutes as the requests filtered back upstream and shut it down at its distributed sources.

The biggest complaint I always hear about this plan, is what if someone spoofs shutdown requests to get someone disconnected. That kind of spoofing could only work if one of the intermediate nodes is compromised, or the IP validation is not enabled. either way, it requires that the network be broken in easily fixable ways, which presumably will be fixed as soon as discovered. Think of the whole system as an autoimmune reaction to infection. Terribly effective and largely automatic.

-=Geoskd

Re:reporting

[Zumbs]

What if someone - say one of the millions of compromised computers out there - were to send a shutdown request against a large player - say spamhaus. By your example, spamhaus would be taken offline until someone at spamhaus' IT department called their ISP to get the block cleared. At which point another compromised computer sends a new shutdown request. Sure, you loose a few bots, but at the cost of one bot per 5 minutes downtime for a large vendor, you can get a pretty big bang out of a small bot network.

Re:reporting

[somersault]

Yep, your solution is worse than the DDoS itself, because it only requires a few requests to take a server offline, not a massively sustained attack.

Can you explain to me how to progmatically tell the difference between your "spoof" shutdown request and a real one? If you can't do that, then you could effectively DDoS an entire ISP when all of their customers have their connections shut down, and they can't get through to support lines because everyone else is phoning up to get their line re-enabled, etc..

Re:reporting

[gbjbaanb]

I wasn't thinking of blog sites and so, but commercial entities that are more likely to be sent an email telling them that unless they pay $10k on a special day (eg a card retailer on Valentine's day) they'll be knocked off the internet for a week.
CloudFlare will handle these extortion attempts, but as the site taking orders will require SSL, its probably cheaper just to pay the criminals. and that's a bad state of affairs.

SPAMHaus Promo Stunt

It's definitely a way for SPAMHaus to make the headlines. Whether it is proper conduct, especially for a trust-based organisation like SPAMHaus, is the real question.

DNSBL is not the way to fight spam. I've worked for several large ESP's, and we've had more issues with false positives and various DNSBL's blocking regular, solicited email everytime some angry recipient with a vengeace decided to file a spam-report, instead of just opting-out from the mailing they opted-in for themselves.

This has led to us using less and less DNSBL-related spam-filtering. Most of our spam-filters are now 'smart', using the recipient's own preferences to decide whether a mail should be blocked or not. I'm sure DNSBL's like spamhaus are feeling the heat, and stunts like these may give them the exposure they need to get some fresh customers.

But it's definitely sounds a bit 'shadey' to launch a misinformation-campaign for this, especially for an antispam-firm.

Re:SPAMHaus Promo Stunt

[khallow]

But it's definitely sounds a bit 'shadey' to launch a misinformation-campaign for this, especially for an antispam-firm.

What part of "launch a misinformation-campaign" doesn't sound "shadey"? Well, aside from the accusation coming from from an anonymous poster who doesn't bother to provide a shred of supporting evidence for the claim. That part doesn't sound the least bit shady.

It was slow for Spamhaus

[donak]

If you tried to access the Spamhaus website, the DDoS was very effectively blocking that corner of the internet!

we saw email slow down

[mixed_signal]

We and two partner firms saw a big increase in email latency for the afternoon, up to a few hours delay in some cases. General connectivity (vpn, vnc etc.) was not affected, though.

Slow Internet connection speeds

[grantspassalan]

The Internet connection speed for many is so slow already, that they would not even notice if the Internet speed as a whole dropped by 90%. In the evening, watching Netflix or any other video is a pain. That is why we still get DVDs in the mail.

people slag DNSBLs... but need to learn

[Onymous+Coward]

People like to hear that DNSBLs are a problem. And then they like to repeat the accusations. Not sure how folks have gotten attached to the idea, but I'm certain it's not from detailed investigation.

For one thing, don't conflate the mechanism with the implementations. Anyone can publish a DNSBL. You could. And you could make your list all false positives. It would be a bad idea for people to subscribe to your list. Caveat emptor, right?

And that's why you get false positives. You've chosen badly. And you're not using the lists for scoring — sounds like you're using them as final arbiters.

The "trick" to getting DNSBLs to work is to choose wisely. You have to do some research into how the lists are made, and since it's you who will be blocking emails based on the information provided by the lists, it's your responsibility to understand the nature of that information. What are the listing/delisting policies? If you don't know, you're not being a smart consumer. "... everytime some angry recipient with a vengeace decided to file a spam-report ..." Hopefully you know better than to think that every DNSBL is made this way.

And the "smart" spam filters, so you know, are resource intensive. Instead, it's possible to eliminate lots of spam using extremely low resource checks. Validating the SMTP "HELO" (requiring they give FQDN, non-bare address literals, not your domain or IP, and a couple other checks as per RFC) will nix half of spam off the bat. And you can eliminate another third of spam (two-thirds the spam passing HELO checks) by using (well-chosen) DNSBLs. DNS lookups are cheap (and you can download zone files of you're worried about outages). That's 83% of spam cheaply nixed, all before you even get to "MAIL FROM:". If your "smart" checks are building Markov chains and feeding a naive Bayes classifier, that's gonna take time and effort in processing power, in disk resource, in procedures and staff attention/knowledge for maintenance.

DNSBLs are clearly a way to fight spam. But you have to know what they are and how to use them.

Shopping for DNSBLs takes effort, it's true. If you want to do a good job. Once upon a time, Al Iverson's http://www.dnsbl.info/ was up-to-date and gave wonderful statistics on success rates of the various lists (using his (rather knowledgeable) measures). Doing the research now without such a resource is much more challenging.

I use Spamhaus's XBL and SpamCop's SCBL. That's it. Combined, those give me the aforementioned inexpensive 33% spam reduction. (If I used them before the HELO checks the reduction would probably be near 75%, my guess.) I vetted the lists for efficacy (true positives v. false positives), policy (how they're made, listing and delisting), and longevity/reputability. I've been using these guys for 5 years without a hiccup.