The Spamhaus attack's real lessons
"A shadowy Cold War bunker is believed to be the nerve-centre for what is the biggest cyber-attack in the history of the internet," began The Sun's breathless story on the Spamhaus attack. "Powerful assaults from hackers slowed the internet around the world for days — and could have even taken down the government's internet infrastructure."
Bulldust.
It was just a large distributed denial of service (DDoS) attack — certainly one of the biggest publicly discussed, yes, but not unexpectedly so. But it was blown out of all proportion thanks to journalistic ignorance, laziness and herd mentality, fuelled by some of the most outrageous security-vendor scaremongering ever seen.
But hidden in the hyperbole is an important reminder for every business: anyone can be targeted by DDoS, and you need to mitigate the risk appropriately.
A DDoS attack is nothing more than an orchestrated traffic jam. The attacker barrages the target's internet presence with so much malicious traffic that it's overwhelmed. Thousands to millions of hijacked computers are used, and that so-called botnet is the "distributed" part. It's like getting ten thousand of your closest friends to phone the company's call centre and not hang up, and the end result is the same. Legitimate traffic can't get through, service is denied, and the business is brought to a standstill. The distribution is also what makes the attack hard to filter: no single source sends enough to stand out, so blocking or rate-limiting individual addresses achieves little. In the Spamhaus case the biggest surges didn't even come straight from the bots. They sent small DNS queries, with Spamhaus's addresses forged as the source, to thousands of open DNS resolvers, which obligingly replied with far larger answers aimed at the target.
DDoS will certainly affect the target, and perhaps cause collateral problems for businesses hosted on the same infrastructure. But it certainly won't "slow the internet", any more than a traffic jam in South Melbourne will affect courier drivers in Sunshine.
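To make the "distributed" point concrete, here is an added example (not from the original article or from any vendor mentioned in it) that reads web-server log lines in Common Log Format and decides whether a burst is normal, a single abusive client, or a distributed flood. The thresholds, addresses and log lines are all constructed for illustration; the lesson is in the third branch, where every source stays under the per-client limit and the only thing left to do is absorb or scrub the traffic upstream.

```python
"""Classify a request burst as normal, single-source abuse or a distributed flood.

Added example; the log lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx Common Log Format; only the fields the detector needs are named.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return (source_ip, timestamp) for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def make_log(sources, requests_per_source, start, duration_s):
    """Construct CLF lines (hypothetical data, not a real capture).

    Each source sends requests_per_source requests; the whole burst is spread
    evenly across duration_s seconds starting at `start`.
    """
    lines = []
    total = len(sources) * requests_per_source
    for i, ip in enumerate(sources):
        for j in range(requests_per_source):
            offset = (i * requests_per_source + j) * duration_s / max(total, 1)
            ts = (start + timedelta(seconds=offset)).strftime(TS_FMT)
            lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')
    return lines


def summarise(lines):
    """Aggregate request rate and per-source counts over the span of the log."""
    hits = Counter()
    first = last = None
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ip, ts = parsed
        hits[ip] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    total = sum(hits.values())
    span = max((last - first).total_seconds(), 1.0) if total else 1.0
    top_ip, top_count = hits.most_common(1)[0] if hits else (None, 0)
    return {"total": total, "rps": total / span, "sources": len(hits),
            "top_ip": top_ip, "top_rps": top_count / span}


def classify(summary, flood_rps, per_ip_rps):
    """flood_rps: the sustained rate the service cannot absorb (assumed).
    per_ip_rps: the ceiling a per-client rate limiter at the edge would enforce (assumed).
    """
    if summary["rps"] < flood_rps:
        return "normal"
    if summary["top_rps"] > per_ip_rps:
        return "single-source"  # one client stands out; a per-IP limit stops it
    return "distributed"        # nobody exceeds the per-IP limit; needs upstream capacity


def run_scenarios(flood_rps=50.0, per_ip_rps=5.0):
    """Three constructed 60-second bursts; returns {scenario: verdict}."""
    start = datetime(2013, 3, 20, 12, 0, 0, tzinfo=timezone.utc)

    def ips(n):  # hypothetical private addresses, one per source
        return [f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}" for i in range(n)]

    scenarios = {
        "normal": make_log(ips(20), 5, start, 60),        # 100 requests in a minute
        "single-source": make_log(ips(1), 6000, start, 60),  # one client, 6000 requests
        "distributed": make_log(ips(3000), 2, start, 60),    # 3000 clients, 2 requests each
    }
    return {name: classify(summarise(lines), flood_rps, per_ip_rps)
            for name, lines in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} -> {verdict}")
```

The "single-source" and "distributed" bursts carry exactly the same volume, around 100 requests a second, but only the first can be stopped at the server by limiting one client. That asymmetry is why a botnet is the attacker's weapon of choice and why the defence has to sit upstream of the target.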
The target in the current case was Spamhaus, a European organisation that compiles blacklists of internet addresses and domains known to be sources of spam. These blacklists are used by email administrators and vendors of anti-spam filters, but they're just one of many techniques at their disposal.
Spamhaus has been involved in a long-running battle with CyberBunker, a Dutch data centre that'll host anything "except child pornography and anything related to terrorism". To call them soft on spammers, including those believed to be associated with Eastern European and Russian crime syndicates, would be an understatement.
A few weeks ago Spamhaus escalated the conflict, blacklisting all of CyberBunker's internet addresses. Soon after, the DDoS against Spamhaus started. You do the maths.
The attack was certainly big. According to CloudFlare, the company Spamhaus brought in to deal with it, the volume of malicious traffic started at 10 gigabits per second but soon rose to 100Gbps, the same level as attacks against US banks last September. Some surges even reached close to 300Gbps.
Those numbers sound big, but they're nothing compared with the total traffic handled by major providers.
"The biggest attack that we've seen is around 150Gbps, and we expect much larger attacks in the future," said Alex Caro, Akamai Technologies' chief technology officer and vice-president of services for Asia Pacific and Japan, last October. "Today, we're probably serving eight, maybe ten terabits per second of traffic at peak, so a 150Gbps denial of service attack is actually fairly small when all is said and done."
Akamai, a content delivery network whose customers include many news organisations, was more concerned about the far bigger traffic spikes during major events like natural disasters, election nights and sports finals. Even though attacks have been steadily increasing in size, it's something that can be planned for.
"Whilst 300Gbps is certainly a huge attack, it is in line with my expectations on where I see DDoS attacks are going," Akamai's director of enterprise security John Ellis told Technology Spectator in a written statement on Thursday. "Virtual hosting, increased bandwidth, and the explosive growth of connected devices makes for a 'perfect storm' for those looking to weaponise DDoS for such cyber offensives."
All this had been written up mid-week in a sober and nuanced article at Threatpost, the respected security news site run by Russian vendor Kaspersky Lab, which also detailed some significant technical aspects of interest only to geeks. It might have ended there, had it not been for CloudFlare's over-the-top PR efforts.
"The DDoS that Almost Broke the Internet" was the headline on a blog post by CloudFlare CEO Matthew Prince, who boldly told the New York Times that "These [attacks] are essentially like nuclear bombs... It's so easy to cause so much damage." Right. The Guardian tells how shoddy journalism reigned from there on, and Gizmodo debunked the technical idiocy.
But despite CloudFlare's ham-fisted PR efforts and the ease with which experienced hosting providers can handle DDoS, businesses do need to make sure they're covered. DDoS is cheap and easy to do, and botnets can be rented on the criminal underground for just tens of dollars a day.
Unethical businesses have been using DDoS to disrupt competitors since at least 2004, when Jasmine Singh Cheema aka Zero Cool used a botnet to target competitors of his mate's sneaker store. He was 17 years old.
Extortion is another possibility, with even small businesses becoming targets. In the week before Christmas 2011, Manly-based Wealth Focus was hit. Its hosting provider didn't know how to defend against DDoS, so the company was dumped as a threat to other customers.
The lesson there is to evaluate the potential damage to your business of being taken offline. If you need to work through a DDoS rather than ride it out, and attacks can be sustained for weeks or months, make sure your hosting provider can handle it. Ask before you need the answer: how much attack traffic can they absorb, and when it exceeds that, will they keep you up or simply null-route your addresses to protect everyone else?