2013-03-30

Sergey Brin writes an article on journalism in the Guardian

The übergeek co-founder of Google uses Comment is Free to call out the frequent misuse of hyperbole, bathos and litotes in modern journalism:

While the infrastructure of the internet might not be easy for reporters to understand, simply juxtaposing quotes from opposing sides isn't all there is to journalism. Yes, this was a big attack in terms of traffic directed against one website (approx 300Gbps), but the internet seemed to cope just fine.
Oh, I am sorry; that was actually professor of journalism Heather Brooke writing about distributed denial of service attacks. Easy mistake to make.

Was this actually a problem?

To be fair, Brooke relied substantially on Sam Biddle at Gizmodo for the scepticism. So let's tackle Biddle's questions, shall we?

Why wasn't my internet slow?
If you weren't looking at a CloudFlare-hosted site, you wouldn't have noticed. This attack was very focused in its target. Where it caused congestion was at one exchange, and even then the interruption was very limited.
Why didn't anyone notice this over the course of the past week, when it began?
What makes you think no-one noticed, Sam? Whom, exactly, were you asking? A sudden spike in DNS traffic like this (UDP packets from port 53, arriving at addresses that never sent a query) is very noticeable to anyone who watches their network. It's also not easy to filter until you've identified the IP(s) under attack, because the packets come from a large number of otherwise legitimate resolvers rather than from one obvious source.
Why isn't anyone without a financial stake in the attack saying the attack was this much of a disaster?
See above; whom are you asking? And your idea of "disaster" is immediate, whereas people acquainted with the daily DDoS attacks of the Net have a very different perspective: what this attack demonstrates is the capacity a well-resourced attacker would have to take down far more than one site.
Why haven't there been any reports of Netflix outages, as the New York Times and BBC reported?
Probably because the level of any Netflix traffic degradation fell into the usual noise of ISP / Netflix unreliability. If the attacker had been targeting Netflix, it may have been a very different story.
Why do firms that do nothing but monitor the health of the web, like Internet Traffic Report, show zero evidence of this Dutch conflict spilling over into our online backyards?
The botnet controlled by whoever mounted this attack was relatively small. The frightening aspect of the attack was the effective amplification of the relatively small botnet outbound traffic capacity. A more substantial attack with a botnet an order of magnitude greater in membership is quite capable of causing an order of magnitude more of a problem. As more and more of India, Brazil and China come online, sourcing botnet members is only going to get easier.
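To make the "why didn't anyone notice" answer concrete, here is an added example (mine, not code from the original post or from CloudFlare) showing how a reflection flood stands out in ordinary flow records: the victim suddenly receives large UDP datagrams *from* port 53, answers from open resolvers it never queried. The flow lines are constructed for the example, and the column layout (timestamp, protocol, source, source port, destination, destination port, packets, bytes) is an assumption rather than any particular exporter's format.

```python
# Added example: spotting a DNS reflection flood in flow records.
# The flow lines and their column layout are constructed for this example.
from collections import defaultdict

BUCKET_SECONDS = 60
MIN_BYTES = 1_000_000     # ignore hosts whose DNS-answer volume is tiny anyway
MIN_RATIO = 10.0          # a bucket must exceed 10x the largest earlier bucket
LARGE_ANSWER = 512        # avg bytes/packet; amplified answers are big, normal ones ~100 B

FLOWS = """\
# ts         proto src            sport dst          dport pkts bytes
1364601540   udp   198.51.100.10  53    192.0.2.80   7000  3    360
1364601600   udp   198.51.100.10  53    192.0.2.80   7001  2    240
1364601600   tcp   203.0.113.5    44120 192.0.2.80   80    9    1500
1364601600   udp   198.51.100.11  53    192.0.2.80   7002  1    120
1364601660   udp   198.51.100.12  12345 192.0.2.81   53    40   3000
1364601660   udp   198.51.100.20  53    192.0.2.80   9999  2000 6000000
1364601660   udp   198.51.100.21  53    192.0.2.80   9999  1800 5400000
1364601660   udp   198.51.100.22  53    192.0.2.80   9999  2200 6600000
1364601660   tcp   203.0.113.5    44130 192.0.2.80   80    7    1200
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow export into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "pkts": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def bucket_of(ts):
    return ts - ts % BUCKET_SECONDS


def dns_answers_per_bucket(flows):
    """dst -> bucket -> [bytes, packets] of UDP traffic *from* port 53,
    i.e. DNS answers arriving at that destination. Queries *to* port 53
    (such as DNSBL lookups hitting a nameserver) are deliberately not counted."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != 53:
            continue
        cell = table[f["dst"]][bucket_of(f["ts"])]
        cell[0] += f["bytes"]
        cell[1] += f["pkts"]
    return table


def find_amplification_spikes(flows):
    """Flag (dst, bucket) pairs where inbound DNS-answer volume jumps far above
    every earlier bucket and the answers are large enough to be amplified."""
    alerts = []
    for dst, buckets in dns_answers_per_bucket(flows).items():
        seen_max = 0
        for bucket in sorted(buckets):
            nbytes, pkts = buckets[bucket]
            avg = nbytes / pkts if pkts else 0
            if (nbytes >= MIN_BYTES and nbytes > MIN_RATIO * seen_max
                    and avg >= LARGE_ANSWER):
                reflectors = sorted({f["src"] for f in flows
                                     if f["dst"] == dst and f["proto"] == "udp"
                                     and f["sport"] == 53
                                     and bucket_of(f["ts"]) == bucket})
                alerts.append({"dst": dst, "bucket": bucket, "bytes": nbytes,
                               "avg_answer_bytes": round(avg),
                               "reflectors": reflectors})
            seen_max = max(seen_max, nbytes)
    return alerts


if __name__ == "__main__":
    for a in find_amplification_spikes(parse_flows(FLOWS)):
        print(a)
```

The reflector list is what an operator would hand to the DNS-answer filter at the edge; the host at 192.0.2.81 receiving queries on port 53 never appears, because inbound queries are exactly the traffic a DNSBL nameserver exists to receive.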

The technical nitty-gritty

The Spamhaus/CloudFlare DDoS was not notable for the effect of its attack - CloudFlare successfully blocked the attack, mostly because it was relatively easy to identify the malicious traffic. If you're wondering "how so?" here's the detail.

If you imagine the Internet as a virtual version of the Post Office, every data packet on the Internet can be thought of as an envelope with a destination address and (usually) a return address. Envelopes are coloured according to what kind of information they carry. Regular web traffic (HTTP) could be white, email (SMTP) could be yellow, DNS queries could be red. The way that Internet traffic works is that at every sorting office (point in the network) there are rules ("routing tables") that determine how to move any envelope closer to its destination address. Normally these rules don't take account of the envelope's colour, but when sorting offices get very busy they have the ability to control what colour of envelopes they accept; they can for instance hold up delivery of non-time-critical yellow envelopes in order to process time-critical white envelopes promptly.

Some bad guys (spammers) have the ability to generate vast quantities of yellow envelopes, threatening to drown the sorting offices in mail, but the sorting offices are given a list of return addresses by firms like Spamhaus which are known to be spam sources; they can choose to throw all mail from those addresses into the trash. Unfortunately, the spammers are wise to this and forge their return addresses to appear to be legitimate, regular folks. They don't care if their messages are returned to the wrong people.

Regular people under the threat of spam can change address to a magic PO Box number, provided by companies like CloudFlare. These PO Boxes are special because the same address exists in many places across the world (an "anycast" address); in the USA, in Europe, in Japan etc. Mail to PO Box 1 sent from the USA or Canada will go to a CloudFlare office in the USA as it's closest; mail to the same address sent from Germany will go to a CloudFlare office in France, and so on. That way, even if lots of spammers send mail to the PO Box 1 address, the mail will be less likely to be concentrated in one place.

CloudFlare's PO Box establishments have dedicated security systems that can be told to throw away certain kinds of envelope as they arrive. In this case, because they know that a DNS-based attack on Spamhaus is happening, any red (DNS) envelope addressed to PO Box 555 (Spamhaus) which comes from certain sources (the open DNS resolvers) can safely be thrown away before it reaches the company mailboy. Note that this is only possible because those envelopes are answers to questions Spamhaus never asked: the attacker forged Spamhaus's return address on queries sent to the open resolvers, so every reply those resolvers send to PO Box 555 is unsolicited. CloudFlare can't throw away all red envelopes, because one of the ways Spamhaus works relies on its clients sending red envelopes to Spamhaus asking for information about a domain or address ("DNSBL" - DNS Block list); those are questions arriving at Spamhaus's own nameservers, not unsolicited answers, and they have to get through.
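The distinction in the previous paragraph (unsolicited DNS answers out, DNSBL queries in) is mechanical enough to write down. The following is an added example of mine, not CloudFlare's actual rule set and not code from the original post: it parses just enough of the DNS header to read the QR (query/response) bit, drops answers from port 53 aimed at the protected addresses unless the protected host itself sent the matching query, and lets queries to port 53 through. The addresses, ports and packets are constructed; 192.0.2.81 plays the DNSBL nameserver, and the padded "ANY" answer only mimics the size of an amplified reply.

```python
# Added example: an edge filter for a host under DNS reflection.
# Addresses, ports and packets are constructed for illustration.
import struct

PROTECTED = {"192.0.2.80", "192.0.2.81"}   # assumed victim addresses; .81 is the DNSBL nameserver
QTYPE_A, QTYPE_ANY = 1, 255


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def dns_query(txid, name, qtype):
    # flags 0x0100: QR=0 (query), RD=1; one question, no answers
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def dns_answer(txid, name, qtype, rdata):
    # flags 0x8180: QR=1 (response), RD=1, RA=1. rdata is opaque padding here:
    # only its size matters to the filter, so the answer RR is not fully encoded.
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1) + rdata)


def qr_bit(payload):
    """True for a response, False for a query, None if too short to be DNS."""
    if len(payload) < 12:
        return None
    return bool(struct.unpack("!H", payload[2:4])[0] & 0x8000)


def txid(payload):
    return struct.unpack("!H", payload[:2])[0]


def amplification_factor(query, answer):
    """Bytes the reflector emits per byte the attacker sends."""
    return len(answer) / len(query)


class EdgeFilter:
    """Drops unsolicited DNS answers aimed at the protected hosts."""

    def __init__(self, protected):
        self.protected = protected
        self.pending = set()          # (txid, our_ip, our_port, resolver_ip)

    def note_outbound_query(self, src_ip, src_port, dst_ip, payload):
        """Record a lookup the protected host itself sent, so its answer may return."""
        self.pending.add((txid(payload), src_ip, src_port, dst_ip))

    def decide(self, src_ip, src_port, dst_ip, dst_port, payload):
        if dst_ip not in self.protected:
            return "allow"                        # not ours to police
        if dst_port == 53:
            # Traffic to our nameservers must be a well-formed query (DNSBL lookups).
            return "allow" if qr_bit(payload) is False else "drop"
        if src_port == 53:
            # A DNS answer: pass it only if we saw the matching outbound query.
            key = (txid(payload), dst_ip, dst_port, src_ip)
            if qr_bit(payload) and key in self.pending:
                self.pending.discard(key)
                return "allow"
            return "drop"                         # unsolicited answer: reflection
        return "allow"                            # HTTP and everything else


if __name__ == "__main__":
    f = EdgeFilter(PROTECTED)
    lookup = dns_query(0x0001, "2.0.0.127.zen.spamhaus.org", QTYPE_A)
    print("DNSBL query  ->", f.decide("203.0.113.9", 40000, "192.0.2.81", 53, lookup))
    reflected = dns_answer(0x1234, "example.com", QTYPE_ANY, b"\x00" * 2900)
    print("reflection   ->", f.decide("198.51.100.20", 53, "192.0.2.80", 9999, reflected))
    print("amplification x%.0f" % amplification_factor(
        dns_query(0x1234, "example.com", QTYPE_ANY), reflected))
```

The pending-query table is the part the analogy glosses over: the protected host does send DNS queries of its own, and their answers also arrive from port 53, so a stateless "drop everything from port 53" rule would break them. Matching on transaction ID, destination port and resolver address is the minimum needed to let those through while still discarding everything the host never asked for.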

The threat

If I wanted to cause widespread disruption with an attack like this, my botnets would be targeting tens if not hundreds of IPs; say, the public IPs of UK online banking sites. Even if the open DNS resolvers had rate limiting implemented, they would have significant problems distinguishing legitimate queries from botnet queries, since the forged source addresses would be spread across many IPs rather than a single one, and no one address need ever hit the limit. I would switch targets frequently, making it harder to build a blacklist of source IPs (which, from a resolver's point of view, are the targets). I would rent many bot computers on low-speed connections rather than fewer bots on high-speed connections, and aim for geographic diversity to make it harder to identify traffic spikes until the traffic was very close to its targets.
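The rate-limiting point above can be checked with a small simulation. This is an added example of mine, not from the original post: each open resolver keeps a token bucket per apparent client address (which, because the source is forged, is really the victim), the botnet sends a fixed number of spoofed queries per second round-robin across the resolvers, and the forged source is either held on one target or rotated over ten. All rates, bucket sizes, answer sizes and addresses are assumptions chosen to make the arithmetic exact.

```python
# Added example: per-client rate limiting at open resolvers versus a
# reflection attack spread over many targets. All numbers are assumptions.
from collections import defaultdict

ANSWER_BYTES = 3000          # assumed size of one amplified answer


class RateLimitedResolver:
    """Open resolver with a token bucket per apparent client address.
    Integer arithmetic throughout: time in ms, tokens in thousandths,
    rate in tokens per second (so refill per ms = rate millitokens)."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst_mt = burst * 1000
        self.tokens = defaultdict(lambda: self.burst_mt)
        self.last_ms = defaultdict(int)

    def answer(self, client_ip, now_ms):
        """Return True if a query apparently from client_ip gets answered now."""
        refill = (now_ms - self.last_ms[client_ip]) * self.rate
        self.tokens[client_ip] = min(self.burst_mt, self.tokens[client_ip] + refill)
        self.last_ms[client_ip] = now_ms
        if self.tokens[client_ip] >= 1000:
            self.tokens[client_ip] -= 1000
            return True
        return False


def simulate(n_resolvers, rate, burst, total_qps, targets, seconds=10):
    """Bots emit total_qps spoofed queries/s, round-robin over n_resolvers,
    with the forged source address rotated over targets.
    Returns bytes of amplified answers delivered to each target."""
    resolvers = [RateLimitedResolver(rate, burst) for _ in range(n_resolvers)]
    delivered = defaultdict(int)
    for i in range(total_qps * seconds):
        now_ms = i * 1000 // total_qps
        resolver = resolvers[i % n_resolvers]
        victim = targets[(i // n_resolvers) % len(targets)]
        if resolver.answer(victim, now_ms):
            delivered[victim] += ANSWER_BYTES
    return dict(delivered)


if __name__ == "__main__":
    # 100 open resolvers, each allowing 5 answers/s with a burst of 10 per client;
    # botnet sends 1000 spoofed queries/s for 10 s.
    one = simulate(100, 5, 10, 1000, ["192.0.2.80"])
    ten = simulate(100, 5, 10, 1000, ["192.0.2.%d" % n for n in range(10, 20)])
    print("one target :", sum(one.values()), "bytes reflected")
    print("ten targets:", sum(ten.values()), "bytes reflected, per target",
          sorted(ten.values())[0])
```

With one target, every resolver's bucket for that address runs dry after its burst and the limiter cuts the reflected volume to 5900 of the 10000 possible answers. Rotating the forged source over just ten targets spaces each resolver's queries for any one address a full second apart, the buckets never empty, and all 10000 answers go out: the limiter has protected nothing, and the attacker has ten banks' worth of damage instead of one.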

Spamhaus was able to avoid the attack by moving to CloudFlare, taking advantage of their much more robust and distributed hosting system, but this costs money - and even CloudFlare is not invulnerable, if the attack is sufficiently large, distributed and/or difficult to filter. Most online firms will be hosted on the cheapest hosting provider possible, and so will be ridiculously vulnerable to an attack like this. Anyone intent on large scale malice - and I'm thinking of state-level actors - could cause havoc by using a much larger target list selected for public impact.

The open DNS resolver issue is a worry for the Net, but it's a relatively manageable problem - we know where the high-capacity resolvers are, and have some means of squashing their traffic in an emergency by blacklisting their IPs, which will annoy a lot of users but at least save the Internet. The real worry is when more households get high-capacity outbound pipes to the Internet (BT Openreach Fibre to the premises, Google Fiber, Verizon FiOS etc.) and black-hat hackers are able to target these households to compromise their computers and turn them into a high-capacity DDoS attack machine. With the current rate of zero-day exploit discovery, and the relatively slow uptake of security patches on home computers, this is a very real and frightening problem. The Spamhaus DDoS is just a taste of what's coming down the pipe.

Stick to writing articles about journalism, Ms. Brooke.

Update: Ars Technica addresses these questions in more detail with similar conclusions - there was some hype, but this is a real problem and could have done serious damage.
