Who's To Blame For The Huge Cyberattack Slowing The Web? Your ISP

The Internet is groaning today under the load of a huge cyberattack — one of the worst on record — that's clogged some of its most vital systems. And while you might be inclined to blame Spamhaus or Cyberbunker, two European outfits at the center of this online dustup, almost no one is talking about the real villains here: the world's Internet service providers.

First, some background on Spamhaus vs. Cyberbunker. Yes, that sounds like the lineup at a punk-rock show, but it's actually a virtual battle that began when the anti-spam group Spamhaus added the Dutch web hosting company Cyberbunker to a blacklist used to fight spam. That apparently stung the outlaws at Cyberbunker, which prides itself on hosting anything but "child porn and anything related to terrorism."

Seemingly insulted, on March 19 Cyberbunker allegedly launched a major distributed denial-of-service (DDoS) attack — that is, one that aims huge streams of data at target Web servers in an attempt to knock them offline — against Spamhaus. When that failed, the attackers pivoted to a much more serious attack, one that exploited a vulnerability in the Internet's Domain Name System (DNS). And in so doing, they almost broke the Internet.

Dissing the DNS

DNS is a core service that translates URLs like readwrite.com into the numerical Internet addresses used by computers (204.9.177.211 in the case of ReadWrite). Without it, traffic on the Internet goes nowhere.

In this case, the attackers targeting Spamhaus turned to what's called a DNS amplification attack — one that basically tricks DNS servers into directing a huge flood of traffic at a target. This is relatively easy because many network providers and ISPs have left DNS servers (also called "resolvers") open and unprotected, meaning that they'll respond to requests from anywhere on the Internet.

All an attacker needs to do is to send a stream of forged DNS requests that appear to come from their target's computers. Open DNS resolvers do the rest, responding with automated messages that are much larger than the initial requests. The security company Cloudfare, which has assisted Spamhaus in its current fight, wrote that attackers can use DNS amplification to boost their initial DDoS data flood by a factor of 50 or more.

Which is exactly what Spamhaus's attackers appear to have done.

Why Your ISP Sucks

The big problem here, as you've probably already figured out, is that so many network operators have left their DNS resolvers open. It's fairly trivial to configure resolvers to filter out and ignore forged requests, but relatively few network operators have done so. The Open DNS Resolver Project, an Internet community initiative aimed at blocking this vulnerability, has catalogued more than 25 million open DNS resolvers around the world.

"If ISPs had fixed those issues, [which are] relatively simple, and [involve] very little cost, this kind of attack would have been impossible," Rodney Joffe, a senior vice president at the Virginia security firm Neustar, told me. 

Sam Erdheim, a senior security strategist at the network security company AlgoSec, says ISPs should be doing more to block certain IP addresses and identify and monitor network traffic better "before these threats impact the networks of the ISP’s customers." These are what's called DDoS signatures, and enabling them allows ISPs to track and trace the source of attacks.

While that wouldn't stop attacks, Erdheim said, it would be possible to identify them earlier and to cut off traffic from a questionable source before it bogs down users.

How To Stop The Suckage

DNS resolvers are becoming an increasingly popular target for hackers. Dan Holden, a security official at Arbor Networks, told me that in a recent Arbor survey, a full quarter of respondents said they'd experienced serious DDoS attacks on their DNS servers in 2012 — double the number who acknowledged similar attacks in the previous year.

Fixing DNS vulnerabilities would be an ideal way to stop these attacks, says security expert Dan Kaminsky, who has helped shore up previous DNS problems. But he's skeptical that this will ever happen.

"If only everyone on the Internet made major changes at the same time, this wouldn't have happened," Kaminsky told me via email. Short of that, he said, the answer may lie in straightforward police work:

We stop DDoS by getting as close as possible to the source and doing something about it there, or by doing nothing and tolerating it. I prefer the former, in this case, by perhaps finding the person almost certainly responsible.

Photo courtesy of Shutterstock