Slashdot Mirror

← Back to Stories (view on slashdot.org)

Did the Spamhaus DDoS Really Slow Down Global Internet Access?

Posted by samzenpus on from the what's-to-blame dept.

CowboyRobot writes "Despite the headlines, the big denial of service attack may not have slowed the Internet after all. The argument against the original claim include the fact that reports of Internet users seeing slowdowns came not from service providers, but the DDoS mitigation service CloudFlare, which signed up Spamhaus as a customer last week. Also, multiple service providers and Internet watchers have now publicly stated that while the DDoS attacks against Spamhaus could theoretically have led to slowdowns, they've seen no evidence that this occurred for general Internet users. And while some users may have noticed a slowdown, the undersea cable cuts discovered by Egyptian sailors had more of an impact than the DDoS."

2 of 70 comments (clear)

  1. reporting by gbjbaanb · · Score: 5, Interesting

    as usual, ArsTechnica does a much better job of describing this, slashdot eds, take note please!

    The best text-only (no ads!) reply though is from Richard A Steenbergen who responded to the gizmodo article. This guy works at one of the tier 1 providers and described the problem, particularly that the DDoS wasn't a big deal for them but that the attack on the INX exchanges might have been.. but turned out not to be after a little tweaking of their filters.

    Nevertheless, the problem that I can see is that the internet is open to these kind of attacks. Now Spamhaus can get CloudFlare to handle these attacks on their behalf (for a lot of free advertising) but MyLittleSite.com cannot, and that leave them open to extortion attacks from the criminals who run these DDoSs. Surely a more appropriate response would not be "yeah, we're great, we can handle a poxy 300Gbps" but "we need to sort out this so the baddies cannot screw people with impunity". I'd prefer a technical resolution (eg ingress/egress filtering, rate limiting, non-recursive responses from outside your domain) to legal ones which is all there is at the moment it seems.

  2. people slag DNSBLs... but need to learn by Onymous+Coward · · Score: 5, Interesting

    People like to hear that DNSBLs are a problem. And then they like to repeat the accusations. Not sure how folks have gotten attached to the idea, but I'm certain it's not from detailed investigation.

    For one thing, don't conflate the mechanism with the implementations. Anyone can publish a DNSBL. You could. And you could make your list all false positives. It would be a bad idea for people to subscribe to your list. Caveat emptor, right?

    And that's why you get false positives. You've chosen badly. And you're not using the lists for scoring — sounds like you're using them as final arbiters.

    The "trick" to getting DNSBLs to work is to choose wisely. You have to do some research into how the lists are made, and since it's you who will be blocking emails based on the information provided by the lists, it's your responsibility to understand the nature of that information. What are the listing/delisting policies? If you don't know, you're not being a smart consumer. "... everytime some angry recipient with a vengeace decided to file a spam-report ..." Hopefully you know better than to think that every DNSBL is made this way.

    And the "smart" spam filters, so you know, are resource intensive. Instead, it's possible to eliminate lots of spam using extremely low resource checks. Validating the SMTP "HELO" (requiring they give FQDN, non-bare address literals, not your domain or IP, and a couple other checks as per RFC) will nix half of spam off the bat. And you can eliminate another third of spam (two-thirds the spam passing HELO checks) by using (well-chosen) DNSBLs. DNS lookups are cheap (and you can download zone files of you're worried about outages). That's 83% of spam cheaply nixed, all before you even get to "MAIL FROM:". If your "smart" checks are building Markov chains and feeding a naive Bayes classifier, that's gonna take time and effort in processing power, in disk resource, in procedures and staff attention/knowledge for maintenance.

    DNSBLs are clearly a way to fight spam. But you have to know what they are and how to use them.

    Shopping for DNSBLs takes effort, it's true. If you want to do a good job. Once upon a time, Al Iverson's http://www.dnsbl.info/ was up-to-date and gave wonderful statistics on success rates of the various lists (using his (rather knowledgeable) measures). Doing the research now without such a resource is much more challenging.

    I use Spamhaus's XBL and SpamCop's SCBL. That's it. Combined, those give me the aforementioned inexpensive 33% spam reduction. (If I used them before the HELO checks the reduction would probably be near 75%, my guess.) I vetted the lists for efficacy (true positives v. false positives), policy (how they're made, listing and delisting), and longevity/reputability. I've been using these guys for 5 years without a hiccup.