Biggest DDoS Attack in History? Experts Say Attack More Hype Than True Assault

The distributed-denial-of-service operation known as Operation Stophaus has been blamed for major online disruptions last week in Europe. In fact, some media outlets have dubbed it the "biggest cyber-attack in history."

But some DDoS and online-activity monitoring experts say the attack pales relative to the DDoS activity U.S. banking institutions have been withstanding since the fall of 2012. In short, they say that Operation Stophaus is more hype than reality.

"This was a DNS reflection attack," Dan Holden of DDoS-mitigation provider Arbor Networks says about the attacks waged against The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam operations.

See Also: CISO Agenda 2015: Adding Value to a Security Program with Application Security

At the height of the attack, which has since subsided, Spamhaus was seeing traffic at an unprecedented pace of 300 gigabytes per second, or roughly three times the strength of even the biggest DDoS attacks against U.S. banks, according to Spamhaus hosting partner CloudFlare, which refers to this incident as, "The DDoS that almost broke the Internet."

But some DDoS experts say this attack wasn't necessarily as menacing as reported, and it has no relationship, whatsoever, to the bank attacks credited to the hacktivist group Izz ad-Din al-Qassam Cyber Fighters.

Spamhaus Attack

For several weeks, The Spamhaus Project and the countermovement known as Operation Stophaus have been dueling it out in public forums such as Pastebin. Operation Stophaus attackers took aim at Spamhaus, claiming the group was using The Spamhaus Project as a front to conceal an offshore criminal network of Internet terrorists pretending to be spam fighters.

Early on March 28, 10 days after the DDoS assault began, Spamhaus found itself so besieged by press inquiries that it set up an FAQ page to address questions about the attack.

On that FAQ page, Spamhaus claims the DDoS attack has subsided, and declines to point fingers at a single source to blame for the attacks. "A number of people have claimed to be involved in these attacks," Spamhaus states. "At this moment, it is not possible for us to say whether they are really involved."

News reports, including one by The New York Times, say the attack began on March 18 after Spamhaus added CyberBunker, a Dutch data storage company, to its blacklist of spammers. CyberBunker has not claimed credit for the attack, which is said to have been so massive that it jammed Internet traffic to the point where users had difficulty accessing Netflix and other consumer sites.

Spamhaus also dodges the question of whether this is truly "the biggest cyber-attack in history," saying only, "It certainly is the biggest attack ever directed at Spamhaus."

But the organization is using the incident as a global rallying cry for organizations to improve their abilities to detect and deflect DDoS.

"These attacks should be a call-to-action for the Internet community as a whole to address and fix those problems [that enable DDoS]," Spamhaus says.

'Almost Broke the Internet'

CloudFlare, retained by Spamhaus to help mitigate the attack, has posted two blogs about the incident. The latest posting, The DDoS that Almost Broke the Internet, goes into great technical detail about the attack, which relied not on just a botnet of PCs, but on the strength of open recursive DNS resolvers, which are used in the DNS process to translate URLs into IP addresses. Using open DNS resolvers gave the attackers massive strength, CloudFlare says.

"Unlike traditional botnets, which could only generate limited traffic because of the modest Internet connections and home PCs they typically run on, these open resolvers are typically running on big servers with fat pipes," CloudFlare writes in its latest blog. CloudFlare goes on to compare the attack vectors to bazookas, which caused the collateral damage of jamming the Internet for millions of users.

"If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why," CloudFlare writes. "What's troubling is that, compared with what is possible, this attack may prove to be relatively modest."

Attack Size Relative to Others

Meanwhile, U.S. banking institutions continue to be targeted by DDoS attacks attributed to Izz ad-Din al-Qassam Cyber Fighters. Two new institutions, TD Bank and Key Bank, this week confirmed that they are among the latest DDoS victims, which include more than a dozen U.S. banks and credit unions that have suffered online outages since the attacks began last fall.

But some DDoS experts say the Spamhaus and bank attacks are completely separate.

Holden says the bandwidth consumed during the Spamhaus attack was four to five times greater than what U.S. banking institutions have faced. But the traffic was just noise that had a ripple effect that impacted other Internet users.

"Because it was so large, it brought damage to others on the Internet, outside the intended victim," Holden says. "Any streaming media with a streaming connection, such as Skype or Netflix, could have experienced a disruption."

But Aaron Rudger, Web performance marketing manager for online-traffic monitoring and performance provider Keynote, says online traffic patterns for the last four weeks reveal the attack was not so large.

"In other words, the Internet appeared to be relatively unclogged throughout most of the DDoS event," Rudger says. "There is a little blip that shows up [March 26] across the European agents," but nothing extremely significant, he adds. From March 13 through March 27, those European agents experienced online response times that were 40 percent slower than average, he notes.

Keynote's KB40 Index, which includes online-uptime traffic measurements for the top 40 websites in the world - including a handful of European agents and three U.S. agents - shows traffic experienced its greatest dip between the hours of 8:30 a.m. PT and 2:30 p.m. PT on March 26. But none of the online outages were that significant.

"I don't have any reason to not believe in the severity or the size of the attacks, as they've been characterized in the media," Rudger says. "What I have less confidence in is the impact that this attack has had on the rest of the Internet. There does not appear to be that massive slow-down that has been reported, but we cannot substantiate that across our network."

The Internet is designed to be extremely resilient, he says. So a single focused attack would not have that big of an impact.

"I think the U.S. may just be more used to these types of attacks," Rudger adds. "This attack does seem to be a little overly exaggerated."

Carl Herberger, a security expert at DDoS-prevention provider Radware, says the Stophaus attack was not extraordinary. "We don't see this as being the largest attack ever," he says. "From our perspective, there's nothing there that has not become fairly normal, when it comes to online attacks."

Although he's reluctant to put any gigabyte size to the attack, since determining a specific size is too subjective, Herberger says the numbers Radware has seen don't suggest the attack was all that substantial.

Relative to attacks U.S. banks have been facing, this attack was relatively low-grade, Holden says.

"The DNS deflection attacks can consume a great deal of bandwidth, but they are different than what we've seen against the banks," he says. "These guys would not be able to do the sophisticated, targeted attacks that are being launched against U.S. banks."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network