Month: March 2013

The DDoS That Almost Broke the Internet

The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we’ve seen.

Growth Spurt

On Monday, March 18, 2013, Spamhaus contacted CloudFlare regarding an attack they were seeing against their website spamhaus.org. They signed up for CloudFlare and we quickly mitigated the attack. The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on March 21.

The attackers were quiet for a day. Then, on March 22 at 18:00 UTC, the attack resumed, peaking at 120Gbps of traffic hitting our network. As we discussed in the previous blog post, CloudFlare uses Anycast technology which spreads the load of a distributed attack across all our data centers. This allowed us to mitigate the attack without it affecting Spamhaus or any of our other customers. The attackers ceased their attack against the Spamhaus website four hours after it started.

Other than the scale, which was already among the largest DDoS attacks we’ve seen, there was nothing particularly unusual about the attack to this point. Then the attackers changed their tactics. Rather than attacking our customers directly, they started going after the network providers CloudFlare uses for bandwidth. More on that in a second; first, a bit about how the Internet works.

Peering on the Internet

The “inter” in Internet refers to the fact that it is a collection of independent networks connected together. CloudFlare runs a network, Google runs a network, and bandwidth providers like Level3, AT&T, and Cogent run networks. These networks then interconnect through what are known as peering relationships.

When you surf the web, your browser sends and receives packets of information. These packets are sent from one network to another. You can see this by running a traceroute. Here’s one from Stanford University’s network to the New York Times’ website (nytimes.com):

Underwater cable damaged: Internet speed plummets by 60% nationwide

KARACHI: Internet speed across Pakistan plummeted by nearly 60% on Wednesday when an underwater fiber optic cable was damaged in the Arabian Sea near Karachi.
South East Asia-Middle East-Western Europe (SEA-ME-WE) 4, one of the four submarine cables that connect the country globally via the internet, was damaged around noon on Wednesday – only a couple of weeks following the breakdown of the India-Middle East-Western Europe (I-ME-WE) fiber optic cable, which has yet to be repaired.
As a result, internet services in the country will likely remain disrupted for an indefinite period. Internet service providers were unable to provide a timeframe on when the problem will be resolved.
Shortly after the disruption, internet users across Pakistan faced a host of problems ranging from intermittent to slow internet connectivity. Many complained that their browsing speed had decreased significantly.
“This is a result of a fault in the undersea cable line to Pakistan through Alexandria, Egypt. The fiber optic undersea cable SEA-ME-WE-4 was affected beyond Egypt for currently unknown reasons,” Wateen Telecom said in a statement.