17

Last week a news article went viral about a Dutch web hosting/data center company that was allegedly using a DNS amplification attack to DDoS an anti-spam company, because they blacklisting the former. Many news sites claimed that IT experts said that it could slow 'the whole Internet' down.

My question is, would it really be possible with the power of any company or botnet to create such a significant data load as to slow the whole (or at least a large part of) the Internet noticeably?

Chris
  • 273
  • 1
  • 5
  • The DDOS attack itself could not slow the whole internet down in this case, but the problem is that the service being targeted (spamhaus) is a major anti-spam real time black list. Spamhaus going down could mean a sudden increase in global spam. –  Mar 28 '13 at 12:22
  • It actually slowed down the internet too, see the [cloudflare blog](http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet). – Dennis Kaarsemaker Mar 28 '13 at 12:22
  • 2
    @DennisKaarsemaker I'm not so sure. While I don't doubt they performed a useful service here, I've not seen any properly independant verification of that claim. – Rob Moir Mar 28 '13 at 13:11
  • 1
    An interesting realization is that, if the internet is down due to an attack, how will it remain down? The attack can't reach the other side of the world because the internet is down. Any attack aiming for this must be highly distributed and autonomous in order to take the internet down entirely. – Luc Mar 28 '13 at 14:36
  • 2
    Yes, it would be possible to slow or break the entire Internet by attacking [the root name servers](http://en.wikipedia.org/wiki/Root_name_server). But it would take a massive computational event to do so. – asteri Mar 28 '13 at 14:39
  • Funny how nobody mentioned the [Internet kill switch](http://en.wikipedia.org/wiki/Internet_kill_switch) yet. If something like that were to be implemented, then the probability of shutting down a large part of the internet would be higher. If hackers were able to gain access to the internet kill switch, then it would cause major issues. – SameOldNick Mar 29 '13 at 02:58
  • If the US counts as a large portion, it turned out that a lot of traffic ran through [a single railway tunnel](http://en.wikipedia.org/wiki/Howard_Street_Tunnel_fire). Not a DDoS attack, so not an answer. – derobert Apr 02 '13 at 22:32

7 Answers7

15

First we need to understand what exactly you're asking. Every time someone sends a packet on the Internet it consumes some of the potential bandwidth of the Internet. Just like when a car drives down a road, no other car can drive in that same spot, so you have one less available spot on the road.

If we continue that comparison, a single site sending out many cars can easily jam the roads around it, watch the madness after any sports game is over and all the fans are leaving at the same time. But this only causes very localized disruptions, the same is generally true of the Internet. But the attacker used an amplification technique to do more congestion damage than they could have done alone. This employed unwilling 3rd parties, who had specific vulnerabilities. This allowed the attacker to generate much more congestion than they could have alone.

So there are two more important questions, which you will never find in the news as they're technical. The news is almost exclusively concerned with dire predictions that average people can understand, and the more sensational the better, regardless of accuracy.

The questions:

  • Could an attack be constructed with such scale as to affect a large portion of Internet traffic in a noticeably detrimental way?
  • Are there vulnerabilities in key systems of the Internet which can allow relatively little attacker effort to result in the average users' experience being disrupted meaningfully.?

As to the first question, it's highly unlikely. As you've seen attacks can be constructed which will disrupt certain very localized portions of the Internet. Spamhaus represents a very small portion of the overall Internet, and the attack was mitigated largely by a single other Internet entity. The attacker had significant resources compared to most potential attackers and was still not able to fully overcome Spamhaus and Cloudfare collaborating. As fun as it might be to theorize what might be possible, it's more than one giant leap from taking out Spamhaus to afflicting the Internet as a whole.

To the second question, this is somewhat more plausible. The Internet relies on a variety of key infrastructure. Many times security takes a back seat to functionality, especially where there are strong economic forces (ie, cheaping out). A great first example is BGP, which is what helps connect the many individual networks that make up the Internet. BGP was accidentally "hacked" by a Syrian ISP in 2012, which ended up disturbing a large portion of IP Routing. This wasn't malicious, was quickly fixed (quickly considering the scope), but illustrates how a small corruption can cause massive problems if systems aren't secured against such.

If I could predict the next such occurrence, I would be a millionaire. The best defense we have now is thoroughly analyzing systems for vulnerabilities, understanding them, developing best practices to guard against them, and vigilantly implementing appropriate measures.

Chris S
  • 899
  • 7
  • 10
4

It sounds like you are asking if any particular companies have the ability to slow down the Internet. While the Internet was originally designed to be a distributed network that would resist interruptions, the fact is that now large portions of the Internet run on backbones (really big sets of cables) owned by a relatively speaking small number of companies. These companies work with each other to exchange data in what is known as "Peering". Peering is the agreement about how they allow data on each others' networks. Occasionally, when these back bone providers disagree, they may cut off access to another peer network.

When two large backbone providers (such as Level 3 and Cogent back in 2005) have a dispute and stop trading traffic, the Internet gets fractured, routing gets screwed up and large portions of the Internet become unavailable to many. Googling for "level3 cogent peering dispute" will get you many details about what happened in 2005, which is pretty much the worst case in recent memory of this happening.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • 1
    That's interesting I didn't know that. My question was more targeted about attacks though. – Chris Mar 28 '13 at 13:41
1

Yes, that is indeed what happened: a botnet and a metric boatload of misconfigured DNS servers. Spamhaus was only able to defend itself with the help of cloudflare, who published a blog post yesterday about how it was mitigated and the effect this large scale attack had on the rest of the internet.

Dennis Kaarsemaker
  • 466
  • 5
  • 5
  • 1
    But this news message has been brought yesterday too. They claim that there is indeed an attack, but there is no sign if it slowing the internet down: http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie. Hence why my question is in a hypothetical form, and i was wondering if it really could happen. Since what I understand from DNS Amp attacks is that the overload is not at the DNS side, but at the side of Spamhaus. Which would mean that if someone like us does a DNS request for a website it would just get handle. Or would those DNS servers be overladed too? –  Mar 28 '13 at 12:32
  • 2
    If I read that article and CloudFlare's blog correctly, they actually agree: the delay was measurable mostly in the EU, and specifically for LINX. So it did not slow down the internet globally, but caused regional problems. For a region that I'd call a 'large part of the internet' as this question says. – Dennis Kaarsemaker Mar 28 '13 at 12:36
  • 1
    As it turns out I'm in London right now and most if not all of my packets go through LINX. I'm seeing latency and packet loss above what I would normally see. It's making my SSH sessions a little frustrating. But they *are* working and very few people in my office who use less latency sensitive applications have even noticed the difference. – Ladadadada Mar 28 '13 at 13:22
1

It has happend, partially at least. The (in)famous "Internet worm" essentially crashed the nascent Intrenet, later the "I love you" email worm clogged much of the email handling. There have been theoretical studies on superworms, which constructed right (and it is not that difficult to build them, it is definitely not just theory) which will take over more than 90% of vulnerable hosts worldwide in an hour or so. The slammer worm created havoc, even though its vulnerable population was tiny (Internet facing SQL server on Windows), and its analysis gave rise to the paper, if memory serves. I can't find the original paper anymore, it was around 2000-2005 IIRC.

vonbrand
  • 149
  • 3
1

It's trivial to slow down or disable "part" of the internet. Got a website or email server hosted at your business with a 100Mb connection to the internet? Well you're "part of the internet". And it's not that hard to flood a 100Mb pipe.

I realise that's not quite what you were thinking of but it's a simple example that illustrates a point: The internet is a series of connections. If an attacker can generate enough traffic to flood one of those connections then they've overloaded that "part" of the Internet. Simple enough really.

It doesn't even need to be malicious. Imagine you host a small, limited website and it ends up getting namechecked on the front page of a major website like CNN or the BBC. It's quite possible for legitimate access attempts to overload a connection just as much as illegitimate access attempts.

As for this specific incident, I think the claims that this attack could take the whole internet down are a little over-stated. I think this is possibly an example of non-technical people trying to report on technical issues.

  • The attack was directed against Spamhaus.
  • Spamhaus provides a service that is used by a lot of email systems on the Internet.
  • Disrupting the Spamhaus service could cause problems for email flow on the Internet.

It's perhaps a subtle distinction, certainly too subtle for the average "technical reporter" from a mainstream news service, but it's important.

Rob Moir
  • 399
  • 1
  • 10
  • So I presume there's no such thing as an undirected attack, which means that this scenario could only influence the computers connected with/using the victims network. Is that right? – Chris Mar 28 '13 at 13:33
  • I've learnt to never say never, but I've certainly not heard of it. Internet traffic is *routed* after all, and a route implies the traffic is directed. There have been worms that scan portions of the internet looking for vulnerable hosts to attack, and in some ways these are undirected (and the traffic generated disruptive), but I would suggest that this is still 'directed'; the author knows what platforms they're targetting even if they don't know where all the specific machines using that platform are. – Rob Moir Mar 28 '13 at 14:00
1

There are hubs of Internet connectivity which, if brought down, would slow or disable large portions of the Internet. The hacker group Anonymous once threatened to attack them. They are called "root name servers".

It would take an overwhelming amount of resources to actually bring one of these down, much less all of them. But in theory? Sure, it's doable.

As I said, it's been threatened and attempted before.

asteri
  • 1,885
  • 3
  • 15
  • 22
0

Yes, you could. You would need a lot of resources, but it is possible.

NickW
  • 101
  • 1
  • The troublesome fact is that you would not need all that much. The DNS amplification attack performed has an excellent yield ratio of 50x or more, so with just a 100 Mbps upstream (which is a thing a single $5/month VPS would give you) you could induce 5 Gbps of traffic on the net directed to your victim(s). See http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack – syneticon-dj Mar 28 '13 at 12:51
  • Yeah, to seriously gum up traffic you'd need a factor larger than 5Gbps though. Nothing I run would survive though :) –  Mar 28 '13 at 12:58
  • I believe his point is that bandwidth is cheap and easily available. Large organizations and nation states should have no problem with this. Even if they are geographically distant, its trivial to buy hosts across the world...Hell most of them give free trials. – David Houde Mar 28 '13 at 13:20