Questions over whether CloudFlare exaggerated the impact of the denial of service attacks on Spamhaus should not be allowed to divert attention away from the real security threat highlighted by the attacks.
Any distributed denial of service attack involving 300Gbps of traffic -- or even half that amount -- is noteworthy, regardless of whether it choked portions of the Internet or not.
Multiple security firms have confirmed seeing traffic streams of up to 300 gigabits per second -- three times larger than the largest DDoS on record to date. Arbor Networks, which helps companies deal with DDoS attacks, has a really telling chart on its blog showing just how much bigger the DDoS streams against Spamhaus were compared to other large attacks.
Some have questioned CloudFlare CEO Matthew Prince’s assertion that the Spamhaus attacks were so large that they caused certain sections of the Internet to slow down.
According to Renesys, a network performance tracking firm, the Internet as a whole did not experience any disruption on account of the Spamhaus attacks. The traffic estimates for the DDoS attacks were high enough to easily overwhelm the average hosting center, but not enough to affect core Internet components, according to Renesys.
Keynote Systems, another company that keeps tabs on Internet performance, had a similar take. Website speeds across Europe have remained pretty consistent over the past several weeks -- meaning that the Internet was not really impacted by the Spamhaus attacks, the company noted Thursday.
According to Keynote, some network segments in Europe did experience up to 40% slower-than-average response times during a six-hour period Tuesday. However, it is hard to tell whether the Spamhaus attacks caused the slowdown or it arose because so many people were live-streaming a soccer game between France and Spain during that time, Keynote said.
Some have begun wondering whether CloudFlare played up the attacks to drum up business for itself. That certainly is a legitimate question, but it is not necessarily the most important one in this situation.
Even if Prince did overhype the reaction, the fact remains that the DDoS attacks were the largest ever seen on the public Internet by far. Much more importantly, the attackers took advantage of open DNS servers to generate magnitudes more traffic for their attack than they would have been able to generate via a botnet alone.
This is significant because the threat posed by open DNS resolvers has been well understood for a long time. Yet, it is an issue that has remained largely unresolved. The Open DNS Resolver Project, an effort by a group of security experts to draw attention to the issue, estimates that there are currently about 27 million DNS servers that are open resolvers. About 25 million of those pose a significant threat, according to the project's website.
Only a fraction of those open servers were used to launch the attack on Spamhaus. It’s conceivable the attackers could have generated a lot more traffic if they had tapped more open DNS resolvers.
A DNS resolver is supposed to only handle DNS look-up requests made from inside its own domain or known IP address range. Open DNS resolvers, on the other hand, accept and respond to queries from outside their own domain, making them vulnerable to exploitation. Virtually anyone on the Internet can exploit open DNS servers and get them to participate in a DDoS attack.
The Spamhaus attacks have attracted some long-overdue attention to the problem. Several security experts are hoping that this will finally get more ISPs and DNS server operators to configure their systems more securely to prevent them from being co-opted into similar attacks in the future.
It would be a pity if CloudFlare’s over enthusiasm in talking about the story diverts attention from the bigger security issue at stake.