Historic Distributed Denial of Service (DDoS) Attack Throttles Internet and Raises Big Long-term Concerns

By Peter Bernstein March 28, 2013

If you are reading this, it might have taken a lot longer to download the article than expected. The reason, of course, is the Distributed Denial of Service (DDoS) attack that erupted on March 15 and has grabbed headlines around the world because it appears to be setting records for its size, scope and nastiness. In simple terms, a DDoS attack is somebody using distributed resources to overwhelm targeted servers with literally millions of dummy messages, with the intent to slow them down or cause them to crash.

DDoS attacks have been a staple of those with malicious intent for years. However, the reality is that these types of attacks are becoming more frequent and lethal, and they are hard to defend against, which is why they are so popular.

It is not nice to anger the bad guys

At this point, fortunately or unfortunately, we know a significant amount about how this got started, who is behind it, the weapon employed and the havoc it has caused. To quickly summarize, here is what we know.

First, the attacks were focused on a company called Spamhaus, which maintains a "domain name system" (DNS) that is foundational to the Internet’s ability to correctly route requests for content to the correct server hosting the content.

Second, as widely reported by the New York Times, Bloomberg and the BBC, a Dutch web hosting company called Cyberbunker got peeved at Spamhaus when Spamhaus, in its role as an anti-spam early warning capability, blocked Cyberbunker's servers in an effort to weed out any spammers that might host their content with the company. Cyberbunker is now notorious because it says it will host anything except child pornography or terrorism-related content, and it literally is housed in an old NATO bunker which they say has withstood SWAT team attacks to apprehend company executives. In short, Cyberbunker got blacklisted. And Spamhaus has been busy telling the media that Cyberbunker is not only the culprit (which Cyberbunker is proud of), but that they receive help from Russian and Eastern European criminal organizations in facilitating the attack and keeping it going.

Third, the reason this attack is being called “historic” is that a typical DDoS attack is roughly 50 gigabits per second (enough to take down even the largest of financial institutions), and this one is 300 gigabits per second. As we have witnessed, although Spamhaus has a distributed DNS architecture which somewhat mitigates the impact of the attack, because it is aimed at DNS it has nevertheless had ramifications for Internet operations worldwide.

A host of questions

To say the least, the attacks have raised worldwide concern on a number of technical and non-technical fronts, all of which serve as a wake-up call not just to companies, but to governments as well.

On the non-technical side, before drawing too many conclusions about Spamhaus, it should be remembered that this is a volunteer organization which many have accused of being “Internet vigilantes” because of the arbitrariness of who goes on their blacklist. In fact, they have been targets of DDoS retaliation by blacklisted companies in the past, but this is the first time the DNS was the target.

In this instance, Spamhaus looks like the good guys because Cyberbunker: a) despite vehement denials (pardon the expression) that they are engaged in spamming, got caught in the act and got angry about it; b) have a less than stellar reputation for hosting unsavory content and thus are easy to paint as totally unethical cyber bullies at best and possibly criminals; and c) have been unrepentant about getting even.

All of that said, it does raise serious questions, and here are a few to ponder. Are volunteer groups capable of policing the Internet, and should they have that role? What is the definition of spam, which seems to be in the eye of the beholder, and is that something that needs international legal clarification? What remedies are available to punish potential offenders?

On the technical front, DDoS attacks are problematic when aimed at just one large target like banks and global brand retailers, but the continued vulnerability of DNS to being compromised, which in turn threatens the operation of everything from sending e-mail to transferring money online, poses a serious challenge to the entire online global community about the viability and sustainability of the Internet as a trusted means of interaction and commerce. The reason, for those unfamiliar, is that DNS is analogous to the telephone networks’ routing system: names of websites become numeric addresses which are then translated by end points and other computers so traffic ends up at the correct destination, much like telephone numbers are used to ring specific phones anywhere in the world.

It is because of the importance of DNS that this attack has raised the bar for concern. It indicates a need for:

  • Better sharing of information as attacks occur to stop the spread of the contagion
  • Sharing best practices to quickly remediate impacted servers to mitigate risks to not just the target, but the Internet itself
  • Creating national and international public/private partnerships to implement the first two points that are both proactive and reactive
  • Large Internet service providers setting up their networks to make sure that traffic leaving their networks is actually coming from their own users as opposed to those of attackers
  • Mechanisms to go after bad actors, including the real challenges of figuring out what to do when governments are involved with sponsorship and facilitation of such attacks

That last point is a real sticky one since no government wants to foreclose using any available tool in cyber warfare which means at best lip service would be paid to punishment of rogue nations. However, they do want to defend better and hamper criminal organizations from using DDoS as tools not just for disruption, but for things like cyber ransom. 

As noted in the two points above, this attack demonstrates the need for greater transparency and cooperation. It must be noted that the reason the attacks came to light, and have now gone viral, is that a few days ago CloudFlare, an Internet security firm in San Francisco, was trying to help Spamhaus defend against the attacks and became collateral damage as it was in turn targeted for attack. Matthew Prince, CloudFlare CEO, stated that, “These things are essentially like nuclear bombs…It’s so easy to cause so much damage.”

I like what Dan Kaminsky, a security researcher who has been on the case about DNS vulnerability, had to say: “You can’t stop a DNS flood by shutting down those servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.”

Like so many events these days, it seems that only a crisis can cause action. Whether this historic attack causes the industry and governments to act remains problematic. Let’s hope we don’t have to wait for the next “historic” attack before something is done.




Edited by Brooke Neuman