BIGGEST DDoS in history FAILS to slash interweb arteries

'A minor amount of collateral congestion'

Spamhaus compiles lists of IP addresses of servers and other computers accused of distributing spam or promoted using junk mail. These blacklists are used by ISPs, businesses and spam-filtering firms to block the worst sources of unsolicited marketing mail before applying more computational intensive filtering techniques, such as analysing the actual content of messages.

Junk-mail distributors and the like regularly threaten, sue or DDoS Spamhaus. Some businesses also object to Spamhaus's alleged vigilante approach to tackling spam.

Spamhaus's blocklists are distributed via DNS and are widely mirrored in order to ensure the overall system is resilient to attacks. The blacklists were never affected and were even updated, with none of its core infrastructure going titsup, according to Spamhaus.

"Only the website and our email server were affected," Steve Linford, chief executive for Spamhaus, told the El Reg. "All Spamhaus DNSBL [DNS Block List] services continued to run unaffected throughout the attack. In fact Spamhaus DNSBLs have never once been down since we started them in 2001."

Linford praised the support of engineers at CloudFlare and Amazon, which supplied load balancing of DNS services, for ensuring its service remained available during the packet carpet bombing. He claimed the attack caused Netflix to slow down and caused congestion elsewhere on the web.

Netflix itself said that the attack had no impact on its service, while internet traffic exchanges in both London and Amsterdam - two of the top three peering hubs in Europe, the arteries of the internet - both played down the impact of the attack beyond CloudFlare and its customers.

Malcolm Hutty, head of public affairs at LINX, the London Internet Exchange, said: "Apart from CloudFlare we saw a minor amount of collateral congestion in a small portion of our network which may, or may not have, have affected some members. This would have been accommodated through their normal procedures."

Ordinary internet users would not have been affected because the DNS flood "only have affected CloudFlare and its customers", he added.

CloudFlare uses Anycast technology which spreads the load of a distributed attack across all 23 of its data centres. Even so it was left reeling from the weight of the assault, which prompted it to suspend its peering in London.

Overblown reports that the internet slowed down or ground to halt appear to be well wide of the mark. This is not to dismiss the significance of the attack, or take anything away from CloudFlare for helping Spamhaus to weather the storm. The simple fact is the attack amounted to nothing more severe than minor congestion, an assessment backed up by AMX-IX, the Amsterdam internet exchange as well as its counterpart in London.

"We have not experienced any disruptions related to our platform," a spokeswoman for AMX-IX told El Reg. "When we look at the amount of traffic some of our members and customers exchange we see some increases here and there, but they could easily manage it."

The New York Times claimed that the attacks against Spamhaus appear to be tied to a dispute with CyberBunker, a website hosting provider in the Netherlands. CyberBunker is accused by Spamhaus of being the world's most toxic haven of phishing and malware.

CyberBunker is quite open in running a bullet-proof anonymous hosting facility out of a Cold War bunker in the Netherlands where anything goes except child-abuse material and terror-related websites. "Customers are allowed to host any content they like, except child porn and anything related to terrorism," its online policy states.

The hosting provider told El Reg it denies any involvement in spamming. It declined to respond directly to the accusation in the NYT article that CyberBunker was retaliating against Spamhaus for “abusing its influence” and using vigilante tactics in the fight against spam:

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

®