'There is no alternative to the internet'
Jammed. Photo: Peter Riches
Australians are yet to feel the reverberations of the world's largest cyber attack, but the unprecedented event has highlighted the fragility of the internet.
The denial-of-service attacks first targeted Spamhaus, a Dutch firm that provides web-host blacklists that help companies decide which email traffic to accept. Spamhaus blacklisted CyberBunker, a Dutch web-hosting company they accused of facilitating spam campaigns.
Denial-of-service attacks, or DoS, flood websites and internet addresses with millions of requests for page views, causing them to crumble. Attacks can be deployed by using botnets – networks of infected zombie computers – a tactic that distributes the origins and increases the volume of the attack, hence the term distributed denial-of-service (DDoS).
Since the attacks became public on Wednesday, the issue has polarised internet users, with many on social media justifying them as payback for Spamhaus' role as a "censor of the internet".
Some outlets have published interviews quoting a spokesman for CyberBunker, Sven Olaf Kamphuis, accusing Spamhaus of being a "major censorship organisation pretending to fight spam".
Clients of a blacklisted hosting company cannot send email and other traffic around the internet if others heed the blacklist, effectively crippling their business. From time to time, internet service providers are wrongly blacklisted, but the issue is often corrected quickly and email flows again.
In the RT.com interview, conducted via Skype, Kamphuis claimed Spamhaus uses "mafia" tactics and blacklists anyone who does not comply with their demands. He said members of another group, which he named as Stophouse.com, were carrying out the attacks, not CyberBunker.
"At this moment we are not even conducting any attacks because our people from our group stopped any attack yesterday morning so if they are still under attack, which I think they are because I get news feeds that they are still under attack, then it's now other people attacking them," Kamphuis told RT.com. He went on to say attackers had been joined by others who also "had problems" with Spamhaus.
After an initial attack against Spamhaus last week, attackers turned their rage towards CloudFlare, a company engaged by Spamhaus to mitigate the attack. CloudFlare essentially reroutes illegitimate traffic aimed at its clients, minimising the impact on them. Attackers then went upstream, attacking the networks CloudFlare connects to.
CloudFlare's chief executive, Matthew Prince, detailed the attack on his blog overnight. The company advised its clients that its Sydney servers had been affected overnight but were back online this morning.
Prince said the attack began last week, at first sending 85 Gbps of traffic. Since then, it has generated more than 300 Gbps of traffic – 300 gigabits of data per second. Prince suggested attackers may have a network of their own to be able to generate such a volume.
He said CloudFlare connects to a large number of networks directly and via internet exchanges. The major networks that make up the internet – such as Google, Facebook and Yahoo – connect to these same exchanges to pass traffic between each other efficiently, he said. Hence the potential impact on other users.
"When the Spamhaus attacker realised he couldn't go after CloudFlare directly, he began targeting our upstream peers and exchanges," he wrote.
Attackers also targeted the London, Amsterdam, Frankfurt and Hong Kong internet exchanges, Prince said, adding that the company then routed traffic around them.
This is why internet users in Europe and Asia have felt some impact, with some networks experiencing response delays. It has been felt mainly in relation to email, but could affect websites hosted in those regions.
In its latest Annual Worldwide Infrastructure report, Arbor Networks highlighted DDoS attacks as a growing threat. It said the largest attack reported in 2012 had generated 60 Gbps of traffic, similar to that experienced in 2011, and down from the peak 100 Gbps in 2010.
John Ellis, enterprise security director Asia Pacific for Akamai, a company that also mitigates such attacks for customers in Australia, said this event was not only the largest, it was beyond the contingency plans of most telecommunication providers.
"By attacking the core exchanges, they are really attacking some of the fragility of the internet. The internet at the moment suffers from performance and design.
"Countries have been talking about [fixing it] for a long time; even the UN has been talking about a mandate to ensure the traffic to Tier 1 [telecommunication] providers is clean."
But the co-ordination among the different countries, including China, Russia and Middle Eastern nations, is complicated, he said.
"The internet has organically grown to a point where there are a lot of cyber criminals out there making a lot of money from sending spam out, and a lot of botnets.
"There is no alternative to the internet, but when you look at what it is, it's a very fragile ecosystem," Ellis said.
Sean Kopelke, director of security and compliance solutions at Symantec, which also filters spam in addition to providing internet security, said the company was monitoring the situation but had not noticed any impact on Australian customers or networks.
"There's no major impact at the moment. We expect there will be some slowdown and delays today, as over the last 24 hours, as email traffic tries to redirect," Kopelke said. He said the Easter long weekend would provide a welcome slowdown of traffic, so the impact may not be as noticeable.
Kopelke and Michael McKinnon, security adviser for anti-virus company AVG, reiterated the need for computer users to constantly ensure their machines were not infected with malware that can commandeer them to take part in botnet-organised attacks.
Peter Lee, chief executive of the Internet Industry Association (IIA), said the event highlighted the need for internet service providers to tell their customers if their computers are infected and potentially part of a botnet – an action enabled by the association's icode.
"This not only highlights the need for service providers to be vigilant in relation to their core internet server security but also the importance of initiatives such as the icode, which provides a mechanism for internet service providers to alert their customers, should such attacks result in the dissemination of malicious software that may affect an end-user's device," Lee said.
Akamai's Ellis said he expected computer users to blame any delays experienced in the next few hours on this cyber attack. They may or may not be related, he said.
"The question I have in the back of my mind is, what's next?"
Ty Miller, chief technology officer at Pure Hacking, said he was more concerned about the new level of attack than any potential impact this time on Australia.
"The more concerning impact that Australia needs to address is the fact that a hacking group is able to generate over 300 Gbps of network traffic at any target they choose.
"If this amount of traffic was directed at Australia's critical infrastructure, it may be able to hinder the functioning of power stations, telecommunications devices, as well as water supply and hospital systems. This could have a devastating impact on the day-to-day function, safety, and health of Australian consumers and businesses."
CORRECTION: The author of the Annual Worldwide Infrastructure report is Arbor Networks, not Akamai as previously noted.