A distributed denial of service (DDoS) attack was recently launched against an anti-spam company. Such attacks have become fairly common, but this one came with a twist: it escalated, and while the escalation may not have been planned, the figures that came out of the attack were surprising.
Spamhaus, an Internet Security Company
Spamhaus is an organization that maintains and distributes blocklists of known spam sources (IP addresses and domains) which mail operators use to reject spam. With offices in London and Geneva, Spamhaus says its lists are used to block around 80% of all spam worldwide. Knowing that this made it a likely target, it put security measures in place, one of which was meant to limit the damage from a DDoS attack: Spamhaus uses the services of Cloudflare to stay in operation even while a DDoS attack is under way.
A DDoS attack is a denial of service because the target is kept so busy handling junk traffic that it cannot reply to legitimate requests from across the Internet, and it is distributed because the traffic arrives from many machines at once. The attackers use a botnet: a large set of compromised computers running malware that waits for commands and, on demand, sends packets or requests to a chosen address. The owners of these computers rarely notice, because the machines behave normally until they are activated, and even during an attack each bot uses only a small amount of bandwidth and CPU, sending its share of the traffic as a background process. With thousands of bots sending at once, the aggregate flood fills the target's network link or occupies the server with bogus requests instead of serving real ones. Web page delivery slows to a crawl, and if the attack succeeds the server is inundated and no requests are served at all.
With the help of Cloudflare, the attack traffic was spread across Cloudflare's data centers and absorbed, as it had been in earlier attacks. This time, however, the attackers moved upstream: when the direct attack on Spamhaus was absorbed, they went after the networks Cloudflare buys transit from and the Internet exchanges it connects through. On top of that, a large attack of this kind would normally have peaked at around 100 gigabits per second. This one reached about 300 gigabits per second.
Inundated DNS Servers
Along the way, other servers were also affected, specifically, the DNS servers. Domain Name Servers or DNS servers convert the URL of every Internet browser request into the numeric IP address that network equipment like routers and switches would understand. The bots had gone so far upstream that they had affected DNS servers as well. With DNS servers being too busy, the rest of the world felt the Internet slow down as well.
The simplified picture above explains why some users saw the Internet slow down last week during the attack. This was not the first time Spamhaus was attacked, but it was the largest. The usual response to a DDoS is to absorb or drop the attack traffic and then put filters in place that distinguish legitimate requests from the flood. One of the best-known DDoS campaigns hit Estonia in April 2007, taking government, bank and newspaper sites offline across the country.
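To make the "filter that distinguishes legitimate requests from the flood" concrete, here is a small per-source rate filter run over constructed traffic. This is an added example, not code from Spamhaus or Cloudflare; the log format (timestamp, source address, request), the one-second window and the twenty-requests-per-window threshold are all assumptions chosen for illustration.

```python
"""Per-source request-rate filter over a constructed traffic log.

Added example; not Spamhaus's or Cloudflare's own code. The log format,
window length and threshold are assumptions.
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample traffic (not a real capture): a few ordinary
    clients plus a burst from many 'bot' sources. Each line is
    '<seconds> <source_ip> <request>'."""
    events = []
    # Three legitimate clients, five requests each, half a second apart.
    for n in range(1, 4):
        for k in range(5):
            events.append((0.5 * k, f"10.0.0.{n}", "GET /index.html"))
    # Twenty bot sources, fifty requests each inside half a second.
    for n in range(1, 21):
        for k in range(50):
            events.append((0.01 * k, f"192.0.2.{n}", "GET /"))
    events.sort()  # interleave by timestamp, as a real log would be
    return "\n".join(f"{ts:.2f} {src} {req}" for ts, src, req in events)


def parse_line(line):
    """Split one log line into (timestamp, source, request)."""
    ts, src, req = line.split(maxsplit=2)
    return float(ts), src, req


class RateFilter:
    """Sliding-window limiter: a source that sends more than
    max_requests within window_seconds is blocked from then on."""

    def __init__(self, window_seconds=1.0, max_requests=20):
        self.window = window_seconds
        self.max_requests = max_requests
        self.history = defaultdict(deque)  # source -> recent timestamps
        self.blocked = set()

    def allow(self, ts, src):
        if src in self.blocked:
            return False
        recent = self.history[src]
        recent.append(ts)
        # Drop timestamps that have fallen out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_requests:
            self.blocked.add(src)
            return False
        return True


def run_filter(log_text, window_seconds=1.0, max_requests=20):
    """Return (allowed_count, blocked_count, sorted blocked sources)."""
    flt = RateFilter(window_seconds, max_requests)
    allowed = blocked = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _req = parse_line(line)
        if flt.allow(ts, src):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked, sorted(flt.blocked)


if __name__ == "__main__":
    allowed, blocked, sources = run_filter(build_sample_log())
    print(f"allowed={allowed} blocked={blocked} blocked_sources={len(sources)}")
```

On the constructed log the three legitimate clients are never blocked, while every bot source is cut off after its twentieth request. The caveat a practitioner will spot immediately is also the reason the attack described above was hard to stop: a per-source limit only catches sources that are individually noisy. A flood spread thinly across enough machines, or reflected off thousands of otherwise legitimate DNS resolvers, stays under any per-source threshold, and the defence then has to be capacity and upstream filtering rather than a rule like this one.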