The Internet is currently being slowed down by a massive DDoS attack against one anti-spam organisation. At least that is the story being reported everywhere, from the New York Times to The Guardian. Or is it?
Spamhaus is a non-profit organisation dedicated to fighting unsolicited communications by maintaining a number of real-time spam-blocking databases. These record who is sending spam and from which computers, and the lists are provided to Internet service providers and mail operators so that they can block unwanted content before it reaches end-users. Recently, Spamhaus blacklisted several servers belonging to Dutch hosting provider Cyberbunker. This company is well-known as a haven for shady activities; its own website states that it will host anything “except child porn and anything related to terrorism”. When Spamhaus listed Cyberbunker as a spam source, the Dutch company is reported to have retaliated by deploying a massive distributed denial of service attack against Spamhaus. The legalities of this action are fascinating, and will be the subject of a future article. However, several media outlets are claiming that this DDoS attack is undermining the Web’s basic backbone infrastructure, slowing down the Internet as a whole.
This is an interesting claim, but is it true? How does one determine whether the Internet is slow? Social media has responded to the news in its usual snarky fashion, pointing out that their ISP is already slow, so they wouldn’t notice the difference. According to an article in Gizmodo, there appears to be little evidence that the Internet is slowing down. So when presented with conflicting reports, I did what any reputable Internet architecture geek would do: I went out to try to find out where the truth lies.
The first report about the DDoS attacks originated from a blog post by CDN and DDoS-mitigation provider CloudFlare, who provided information about the actual attack against Spamhaus, how massive it was, and what they had done to stop it. Pretty basic anti-DDoS stuff. The difference seems to have been the size of the attack, which everyone agrees is the largest of its kind in the Internet’s brief history.
However, at some point the story of a large-scale Internet conflict mutated into the largest threat we had ever seen. The source of this is the New York Times article cited above, which uses as its evidence mostly quotes from experts, of whom CloudFlare is the main proponent of the thesis that the attack is so massive that it is slowing down the Web. As Gizmodo points out, CloudFlare’s word on this should not be taken entirely at face value, as they have a clear commercial interest in scaring people about DDoS attacks; they sell anti-DDoS protection, after all. It is like “Pfizer telling you how horrible various diseases are, and how well their pills work against them”, as Sam Biddle comments.
After the reports were out, CloudFlare produced another blog post, this time including the claim that the DDoS incident had almost broken the Internet. Just like their previous report, this one seems very plausible, and it is clear that many journalists thought so too, to the point of repeating most of its salient points. The post explains the nature of the attack, and why it is actually affecting everyone. To make a long story short, whenever data travels from a server to your computer, it has to pass through several intervening service providers. Some of these are CDNs like CloudFlare, which make the Internet faster by serving content from locations close to the user; traffic then passes through Internet exchange points (IXPs), where networks hand traffic to each other, and across a handful of core bandwidth providers. Cyberbunker attacked Spamhaus (and, by proxy, CloudFlare) directly, and when that failed to take it down, it started attacking the intervening services instead, particularly the Internet exchange points on which CloudFlare relies. These backbone services are used by large parts of the Internet, so any attack on them is an attack on the whole. This is grossly over-simplified, but it will suffice for explanatory purposes.
The plausibility of the scenario is fascinating, but is it true? The first place to look for Internet health data is the Internet Traffic Report. This covers several indicators of how well the Internet is working: packet loss (an indicator that something major is broken), average response times, and a general traffic index that compares current ping times with those of the previous week. Looking at the data for the last week, there seems to be little evidence that the Internet has slowed down considerably. On the contrary, the average response time dropped below 98ms on March 21, and stayed under 100ms in the last 24 hours (the global average is around 107ms). There is, however, a large peak in response time early on March 22, but nothing that indicates a catastrophic Internet slow-down as described by the media reports and by CloudFlare.
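Since the answer to “how does one determine whether the Internet is slow?” rests on exactly three numbers, response time, packet loss and a week-over-week index, here is an added example (my own, not code from the post or from the Internet Traffic Report) that computes them from ping output and applies the kind of threshold a reader could use to decide whether a change is worth calling a slow-down. The ping log lines are constructed for the example, and the 0-100 index formula is an assumed illustration, not the Internet Traffic Report’s actual formula.

```python
"""Latency / packet-loss scorer in the spirit of the Internet Traffic Report.

Added example, not from the original post. The ping lines below are
constructed, and the index formula is an assumption for illustration only.
"""
import math
import re
import statistics
from dataclasses import dataclass

# Two line shapes from a BSD/macOS-style ping(8):
#   64 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=97.4 ms
#   Request timeout for icmp_seq 3
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")

# Constructed sample data: last week's baseline, a quiet current run, and a
# run during a "spike" with one lost probe.
BASELINE_LOG = [
    "64 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=106.1 ms",
    "64 bytes from 203.0.113.10: icmp_seq=2 ttl=55 time=107.3 ms",
    "64 bytes from 203.0.113.10: icmp_seq=3 ttl=55 time=108.0 ms",
    "64 bytes from 203.0.113.10: icmp_seq=4 ttl=55 time=106.9 ms",
    "64 bytes from 203.0.113.10: icmp_seq=5 ttl=55 time=107.7 ms",
]
QUIET_LOG = [
    "64 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=98.0 ms",
    "64 bytes from 203.0.113.10: icmp_seq=2 ttl=55 time=97.5 ms",
    "64 bytes from 203.0.113.10: icmp_seq=3 ttl=55 time=98.4 ms",
    "64 bytes from 203.0.113.10: icmp_seq=4 ttl=55 time=97.9 ms",
    "64 bytes from 203.0.113.10: icmp_seq=5 ttl=55 time=98.2 ms",
]
SPIKE_LOG = [
    "64 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=150.0 ms",
    "64 bytes from 203.0.113.10: icmp_seq=2 ttl=55 time=155.0 ms",
    "Request timeout for icmp_seq 3",
    "64 bytes from 203.0.113.10: icmp_seq=4 ttl=55 time=160.0 ms",
    "64 bytes from 203.0.113.10: icmp_seq=5 ttl=55 time=145.0 ms",
]


@dataclass
class PingSummary:
    sent: int
    received: int
    mean_rtt_ms: float  # mean over replies only; NaN when nothing came back

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0


def summarise_ping(lines) -> PingSummary:
    """Count every sequence number seen (reply or timeout) as a sent probe."""
    rtts, seqs = [], set()
    for line in lines:
        if (m := REPLY_RE.search(line)):
            seqs.add(int(m.group(1)))
            rtts.append(float(m.group(2)))
        elif (m := TIMEOUT_RE.search(line)):
            seqs.add(int(m.group(1)))
    mean = statistics.fmean(rtts) if rtts else float("nan")
    return PingSummary(sent=len(seqs), received=len(rtts), mean_rtt_ms=mean)


def rtt_change_pct(current: PingSummary, baseline: PingSummary) -> float:
    """Percentage change in mean RTT against the baseline (NaN if unknown)."""
    if math.isnan(current.mean_rtt_ms) or math.isnan(baseline.mean_rtt_ms):
        return float("nan")
    return 100.0 * (current.mean_rtt_ms - baseline.mean_rtt_ms) / baseline.mean_rtt_ms


def traffic_index(current: PingSummary, baseline: PingSummary) -> int:
    """Assumed 0-100 index: 100 means no slower than baseline; each 1% of
    added latency and each percentage point of packet loss cost one point."""
    change = rtt_change_pct(current, baseline)
    penalty = 0.0 if math.isnan(change) else max(0.0, change)
    return int(round(min(100.0, max(0.0, 100.0 - penalty - current.loss_pct))))


def assess(current_lines, baseline_lines,
           rtt_threshold_pct: float = 15.0, loss_threshold_pct: float = 5.0) -> dict:
    """Decide whether a run counts as a slow-down. Thresholds are assumptions;
    a NaN RTT change never trips the latency test, only the loss test can."""
    cur, base = summarise_ping(current_lines), summarise_ping(baseline_lines)
    change = rtt_change_pct(cur, base)
    latency_bad = (not math.isnan(change)) and change > rtt_threshold_pct
    return {
        "loss_pct": cur.loss_pct,
        "rtt_change_pct": change,
        "index": traffic_index(cur, base),
        "slowdown": latency_bad or cur.loss_pct > loss_threshold_pct,
    }


if __name__ == "__main__":
    for name, log in (("quiet", QUIET_LOG), ("spike", SPIKE_LOG)):
        print(name, assess(log, BASELINE_LOG))
```

The point of splitting the verdict into latency and loss is that the two fail differently: congestion at an exchange point raises RTT across the board, whereas a saturated link drops probes outright, and a single week-over-week index hides which one you are looking at.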
Akamai, one of the largest Internet content delivery networks, runs a real-time Internet traffic monitor. While it does not offer a historical view, since yesterday Internet traffic appears heavier than average, with the UK reporting loads up to 6% above normal. What is more interesting is that the number of attacks is 65% above average, which is consistent with what has been reported so far.
There is a great trove of network information from other sources. The CAIDA project (Cooperative Association for Internet Data Analysis) hosts several real-time Internet traffic reports. I found the UCSD Network Telescope particularly useful because it offers daily snapshots alongside comparisons with data from one week, four weeks and two years back. Looking at the data for denial of service attacks, there appear to be higher averages than the norm, with a large spike two weeks ago in particular. One caveat: the telescope infers attacks from backscatter arriving at unused address space, so it mainly sees attacks that spoof random source addresses, and a reflection attack aimed at a single victim need not register there at all. Either way, the elevated attack figures do not translate into increased average traffic in the other sources.
To summarise, there is no doubt that a large-scale DDoS operation is taking place at the moment, and it seems to have peaked two weeks ago. But there is little evidence that I could find that this has translated into any sort of noticeable Internet slow-down. I cannot conclude that it is not happening, but at least with the tools normally available to researchers, the effect cannot be measured. I will be very interested to see any hard data that confirms the reports emanating from CloudFlare. After all, the narrative seems to corroborate many of my recent suspicions about the less resilient nature of the Internet. If it is true that Internet exchange points are vulnerable to disruption, we are in serious trouble indeed.