HuffPost UK Tech
Michael Rundle

Sceptics Dispute Claims Of Massive DDoS Attack Slowing Down The Internet


Scepticism has been thrown on reports that a massive online attack caused speeds on the internet to slow around the world on Wednesday.

Publications including the BBC and the New York Times reported that a 'war' between a hosting firm and a non-profit spam-fighting organisation had clogged up the internet for millions of users.

The New York Times said this attack was "jamming crucial infrastructure around the world" and quoted an expert who likened its effect to a "nuclear" attack.

But whether or not the attack had caused problems for "millions" of web users was unclear on Thursday, as services which were reported to have suffered outages said they had not experienced any problems.

The fight - which is real - is between Spamhaus, a London and Geneva-based group set up to fight spam, and the Dutch web host Cyberbunker.

Spamhaus recently added Cyberbunker to its blacklist, causing email sent from Cyberbunker's servers to be rejected by the email providers that use Spamhaus's voluntary blocklist to filter spam. Cyberbunker denies it has ever sent spam, but is known for its relaxed attitude to the material it hosts on its servers. The two have a long history of conflict, which The Next Web have neatly summarised here.

The response from hackers was reportedly to launch a huge distributed denial-of-service (DDoS) attack against Spamhaus. The attackers used a reflection technique built on the domain name system: they sent millions of DNS queries to DNS servers with a forged ("spoofed") source address, so that each query appeared to come from Spamhaus. Each server then sent its reply, which is many times larger than the query that triggered it, to Spamhaus rather than back to the attacker. The result was a huge spike in traffic which may have affected thousands or millions of other net users whose data shared the same links.
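As an added illustration of the reflection mechanism described above (example code written for this page, not from the article or from any of the parties it names): the block builds a 29-byte DNS ANY query for example.com and a constructed response, computes the amplification factor a reflector hands the attacker, and then runs a simple detector over constructed flow records that flags a host receiving large UDP/53 responses from many servers it never queried. The record set, the addresses (all from the TEST-NET documentation ranges), the flow records and the thresholds are made up for the example; real zones, resolvers and traffic will differ.

```python
"""DNS reflection/amplification: build a query and a (constructed) large
response to measure amplification, then flag reflection traffic in flows.
Everything here is constructed for illustration; nothing touches the network."""
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rdatas, ttl: int = 300) -> bytes:
    """Constructed answer: echo the question, add one RR per (type, rdata),
    owner name compressed to a pointer at offset 12 (0xC00C) like a real server."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
        for rtype, rd in rdatas
    )
    return header + query[12:] + answers


def parse_header(msg: bytes) -> dict:
    fields = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    return dict(zip(fields, struct.unpack("!HHHHHH", msg[:12])))


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)


def txt_rdata(text: str) -> bytes:
    """TXT rdata is a length-prefixed character string (text must be <= 255 bytes)."""
    return bytes([len(text)]) + text.encode("ascii")


# Constructed sample zone data (TEST-NET addresses); not real example.com records.
SAMPLE_RDATAS = [(1, bytes([192, 0, 2, n])) for n in range(1, 5)] + [
    (16, txt_rdata("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.example.net -all")),
    (16, txt_rdata("k=rsa; p=" + "A" * 200)),
    (16, txt_rdata("google-site-verification=" + "b" * 43)),
]
QUERY = build_query("example.com", 255)  # QTYPE 255 = ANY, the classic amplifier
RESPONSE = build_response(QUERY, SAMPLE_RDATAS)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes, packets), UDP.
SAMPLE_FLOWS = [
    # eight servers answering a host that never asked them: reflection traffic
    *[(f"198.51.100.{n}", 53, "203.0.113.10", 80, 600 * 500, 500) for n in range(1, 9)],
    # an ordinary client/resolver exchange: the query is seen before the small reply
    ("203.0.113.20", 40000, "192.0.2.53", 53, 60, 1),
    ("192.0.2.53", 53, "203.0.113.20", 40000, 120, 1),
]


def find_reflection_victims(flows, min_reflectors: int = 5, min_avg_bytes: int = 400) -> dict:
    """Flag destinations receiving large UDP/53 responses from many distinct
    sources they sent no query to. Thresholds are illustrative assumptions."""
    queried = defaultdict(set)   # client -> servers it really sent queries to
    inbound = defaultdict(list)  # destination -> (source, bytes, packets)
    for src, sport, dst, dport, nbytes, pkts in flows:
        if dport == 53:
            queried[src].add(dst)
        if sport == 53:
            inbound[dst].append((src, nbytes, pkts))
    victims = {}
    for dst, entries in inbound.items():
        unsolicited = [e for e in entries if e[0] not in queried[dst]]
        if len(unsolicited) < min_reflectors:
            continue
        total_bytes = sum(e[1] for e in unsolicited)
        total_pkts = sum(e[2] for e in unsolicited)
        if total_bytes / total_pkts >= min_avg_bytes:
            victims[dst] = {"reflectors": len(unsolicited), "bytes": total_bytes}
    return victims


if __name__ == "__main__":
    print(f"query {len(QUERY)} bytes, response {len(RESPONSE)} bytes, "
          f"amplification x{amplification_factor(QUERY, RESPONSE):.1f}")
    print(find_reflection_victims(SAMPLE_FLOWS))
```

The "never queried" test works because the spoofed queries leave the attacker's machines, not the victim's network: the victim only ever sees the replies, which is exactly the asymmetry the article describes. The same detector run on a DNS server's own outbound flows answers Shulman's question below about whether an operator could have noticed the load; the practical check for an operator is whether the server answers recursive queries, and ANY queries in particular, from arbitrary internet addresses at all.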

The BBC reported that the attacks were "peaking at 300Gbps", about which Spamhaus said "if you aimed this at Downing Street they would be down instantly".

The BBC also quoted independent experts at the University of Surrey and Arbor Networks, who confirmed that it was the biggest DDoS attack they had ever seen - the previous highest being closer to 100Gbps.

Vitaly Kamluk, chief malware expert at Kaspersky Lab, told Bloomberg that "this is indeed the largest known DDoS operation... Such a DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources as typical symptoms."

Meanwhile the UK Internet Service Providers' Association told the Guardian that UK users may have seen their connections slow if hackers were able to use their router or connection to spoof DNS requests.

But other experts were more circumspect. David Gorodyansky, founder and CEO of AnchorFree, told HuffPost in an email that he wasn't sure if the attack was the biggest - "or that some similar attack won't happen next week".

"This is just part of an alarming trend that’s affecting our lives online: the hackers are exploiting the many positive aspects of cloud computing - sharing data across the internet instead of locally on your hard drive - and have started to target companies that house massive amounts of personal information," he said.

He also warned that "consumers should be on an extra lookout and make sure all their security tools are up to date".

Sean Sullivan, Security Advisor at F-Secure, told HuffPost that while "it is easily the case that UK bots can be used for such a DDoS... the bit about the 'Internet' slowing down - yeah, that's a bit much."

Amichai Shulman, CTO of Imperva, told HuffPost "there are still many unanswered questions regarding this attack."

He said:

For example, what is the real magnitude of the attack? CloudFlare admits to having seen ~100Gbps and speculates it was more than that. Why was the attacker launching the attack from the US while the target is in Europe? How come the owners of the DNS servers that took part in the attack did not notice an overload on their outgoing pipes? How long were the attackers really able to sustain the attack? Why did no one take down the C&C servers through which the attack was coordinated?

But without giving specifics he added that some users "must have" experienced problems - if their traffic was trying to use the same network paths as the attack traffic.

"Other Internet users trying to go through the same pipes must have experienced degradation in their web activity," he said.

Meanwhile, despite reports that services like Netflix were experiencing issues in the wake of the attack, which has actually been in progress for about two weeks, there was little obvious evidence for that. In fact global internet speeds seemed consistent, and both Netflix and Hulu denied any issues with their services.

The website Internet Traffic Report, which monitors online traffic around the globe, was showing no obvious dips over the past seven days that would have a serious impact on global speeds.

Gizmodo reporter Sam Biddle said there was "zero evidence of this Dutch conflict spilling over into our online backyards".

He pointed out that many of those quoted on the scope of the attack - and on Spamhaus's ability to deal with it - were themselves involved in protecting against this specific DDoS onslaught, or against similar attacks in general.

They include CloudFlare, which was employed by Spamhaus to help deal with the threat - and which posted a blog post within hours of the story about how well it had done.

Matthew Prince, CEO of CloudFlare, disputed Biddle's claims, and added on Twitter that Gawker's own server issues in the past might reflect badly on Biddle's reporting.

Matthew Prince, on Twitter: "then evaluate whether Gawker Media, whose sites went offline for a week post Sandy, should be your source of network knowledge."

Ultimately it seems that the only thing we can be sure of is that, on one corner of the internet, an unusually large DDoS attack has caused issues for Spamhaus, and possibly other users.

But while we'd love to use the headline 'internetopacalypse', or similar, we can't really justify that yet.