Reactions to the DDoS Attacks on Spamhaus

By Isaac Molho

An Example DDoS Graphic. Source: Wired.

Last week, a cyber attack targeted Geneva-based Spamhaus, a prominent anti-spam organization. Some analysts called it the biggest distributed denial of service (DDoS) attack in the history of the Internet, which dramatically slowed down web traffic worldwide and even affected popular services like Netflix. Some experts cynically labeled the panicked response to the attack as the result of a marketing ploy by internet security companies.

In a series of intermittent cyber assaults lasting more than a week, a group attacked Spamhaus’s website using a DDoS attack. The group then attacked servers run by San Francisco-based CloudFlare, which were configured to protect Spamhaus against such attacks. The New York Times elaborates: “the data stream grew from 10 billion bits per second last week to as much as 300 billion bits per second this week, the largest such attack ever reported, causing what CloudFlare estimated to be hundreds of millions of people to experience delays and error messages across the Web.” On March 18th, Spamhaus’s website went down; the government of the Netherlands is currently investigating the attacks.

Spamhaus is known for its efforts to combat online spam. In an interview with USA Today, McAfee CTO Phyllis Schneck explains that the company “maintains databases that are essentially massive catalogues of spam and anti-spam tools.” Added Schneck, “using this information, SpamHaus helps stop exploits and other security loopholes that could allow spam to reach consumers.”

Schneck emphasized the need for improved security measures, especially after such attacks, explaining that “companies need to provide better protection now that they are responsible for hosting so much of consumer’s private data, and consumers need to be on the lookout and take responsibility for their own online privacy and security.”

By implementing a series of simple best practices (known to industry specialists as BCP 38), networks can guard against cyber attacks. “This is an opportunity for us to educate network operators to reconfigure their networks,” Rick Wesson, CEO of computer security firm Support Intelligence, told The New York Times. “We spend too much time discussing cyberwar and not enough time discussing what a peaceful Internet looks like—and that is one in which people implement BCP 38 and care about their neighbors.”

Writing for Gizmodo, Sam Biddle turned a critical eye on media coverage of the attack, which he called over-hyped. “Hours after the Times and BBC broke the ‘news’ of our Internet’s artillery wounds,” he wrote, “CloudFlare put up a breathless blog post entitled, subtly, ‘The DDoS That Almost Broke the Internet.’ Yikes!” Continued Biddle, “what follows is essentially a press release that would be like Pfizer telling you how horrible various diseases are, and how well their pills work against them.”

Biddle continued, saying “CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes.”

Citing the high traffic rate of the attack, Akamai Technologies’ Patrick Gilmore told Infoworld, “given the 300Gbps number being reported, this would be the largest publicly acknowledged attack on record.” Arbor Networks’ Dan Holden said the attack “was essentially stressful to the fabric of the Internet.”

In contrast, Biddle questioned the impact of the DDoS attack, arguing that it was at worst a “minor Western European problem.” Based on traffic estimates, Biddle pointed out that the rate for the Spamhaus attack, 300 Gbps, is relatively small compared to traffic levels for larger organizations like the German Internet exchange in Frankfurt, which “regularly handles 2.5 Tbps at peak on any given day.” 

“I don’t think there’s any immediate effect on the Internet, but it is a wake-up call,” said Alan Woodward, a professor at the University of Surrey, in Gigaom. “If it was done really seriously in a wider attack, then it could affect [many users]. Trying to take down the whole Internet is impractical, but you could start to decapitate sections of it.”

Sven Kamphuis, a representative of an anti-Spamhaus group, claims the organization oversteps its bounds and unfairly blacklists companies as spammers, which causes them to suffer significant financial damage. “Everyone in the business has had more than enough of Spamhaus,” he told Infoworld.

Cyber attacks like the ones against Spamhaus are common and likely to continue in the future. One difficulty is assessing the nature of the threat, as cyber attacks are often fraught with ambiguity and uncertainty, especially regarding the nature of the threat and the identities of the perpetrators.

Writing for Foreign Policy Blogs in February, EWI’s Franz-Stefan Gady presented six big policy action ideas for combating cyber crime. One interesting idea he proposes involves improved transparency and information sharing measures on cyber threats. “We propose the creation of a private sector-led trusted entity to aggregate voluntarily submitted statistical data,” he wrote. “The main focus here should be on collecting enough statistical data to start objectively quantifying where we are and tracking progress or backsliding over time.”

Isaac Molho is a communications and public policy intern for the EastWest Institute.