You might've read some headlines today—in very reputable publications—saying that there's an online attack underway. The biggest in history. Enough to slow down the internet. This would be exciting and scary, except it's just not true.
The entire thing sounds so dramatic—the swarming DDoS onslaught is "jamming crucial infrastructure around the world," the NYT screams from the trenches—that it sounds just plausible enough. And indeed, the combatants in question have been battling it out online: a conflict between Spamhaus, a
Dutch European group that tracks spammers and Cyberbunker, a Dutch hosting company accused of housing them. That's really happening: as far as we can tell, botnets acting on behalf of (or run by) Cyberbunker have been trying to crash Spamhaus for days with a strong stream of overload junk data.
And if you believe what you've been told online, their head-butting is quaking the entire web. This is it. The big one. The hacks to end all hacks, a hack attack with collateral damage that reverberates 'round the globe. But once you read beyond a few scary sentences of CYBERWEBATTACKS, you might wonder:
- Why wasn't my internet slow?
- Why didn't anyone notice this over the course of the past week, when it began?
- Why isn't anyone without a financial stake in the attack saying the attack was this much of a disaster?
- Why haven't there been any reports of Netflix outages, as the New York Times and BBC reported?
- Why do firms that do nothing but monitor the health of the web, like Internet Traffic Report, show zero evidence of this Dutch conflict spilling over into our online backyards?
(There would be massive dips and spikes in those graphs if war were being waged across the net)
Why are the only people willing to make any claims about the validity or scope of the attack directly involved: Spamhaus reps, the group's leader, and most dubiously, CloudFlare, the anti-DDoS firm Spamhaus enlisted to ward off the attack. And it's that last party that's responsible for the sky-falling internet weather report, the party that stands to profit directly from you being worried that the internet as we know it is under siege.
Hours after the Times and BBC broke the "news" of our internet's artillery wounds, CloudFlare put up a breathless blog post entitled, subtly, "The DDoS That Almost Broke the Internet." Yikes! What follows is essentially a press release that would be like Pfizer telling you how horrible various diseases are, and how well their pills work against them. CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes:
As someone in charge of DDoS mitigation at one of the Internet giants emailed me this weekend: "I've often said we don't have to prepare for the largest-possible attack, we just have to prepare for the largest attack the Internet can send without causing massive collateral damage to others. It looks like you've reached that point, so... congratulations!"
At CloudFlare one of our goals is to make DDoS something you only read about in the history books. We're proud of how our network held up under such a massive attack and are working with our peers and partners to ensure that the Internet overall can stand up to the threats it faces.
In a quote to the NYT, Prince even makes the nuclear analogy himself:
"These [DDos attacks] are essentially like nuclear bombs," said Matthew Prince, chief executive of CloudFlare. "It's so easy to cause so much damage."
This would be so terrifying if it weren't advertising. Prince, of course, is in the business of selling protection against online attacks. And his company is, as far as I can tell, pretty good at this business. But he's also clearly in the business of scaring people: in his blog post today, he warns that the Spamhaus attack "may prove to be relatively modest" compared to what comes next. Bigger nukes, I suppose.
I was publicly skeptical about this alleged online devastation, and attracted the attention of Prince himself:
He wanted to put me in touch with a Tier 1 operator—a company that maintains the physical underpinnings of the entire internet. This guy, Prince said, could back up CloudFlare's claims. This really was Web Dresden, or something. After an inquiry, I was ready to face vindication. Instead, I received this note from a spokesperson for NTT, one of the backbone operators of the Internet:
Hey Sam, nice to hear from you.
I'm afraid that we don't have anything we can share that substantiates
global effects. I'm sure you read the same 300gbps figure that I did, and
while that's a massive amount of bandwidth to a single enterprise or service
provider, data on global capacities from sources like TeleGeography show lit
capacities in the tbps range in most all regions of the world. I side with
you questioning if it shook the global internet.
I received a similar reply from Renesys, a global company which devotes the entirety of its time to monitoring the status of the internet. It would know if something were going down. But it hadn't:
We believe that the DDOS attack potentially had severe impacts on the websites it was directed at, however, according to our data, the Internet as a whole did not experience a wide spread disruption.
Just to put it in perspective the traffic estimates for the DDOS attack were as high as 300 Gbps at the target. That would easily overwhelm the average hosting center, but not a core component of the Internet. For example, DECIX, the German Internet exchange in Frankfurt, regularly handles 2.5 Tbps at peak on any given day:
While it may have severely affected the websites it was targeted at, the global Internet as a whole was not impacted by this localized incident.
Translation: nope. It was a Dutch problem, or at most, a minor Western European problem with a couple actual hotspots. There's scant evidence, though, suggesting even that much (or little) happened at all.
This ain't internet-shaking so far.
Strike two, CloudFlare. But still, we kept looking for any evidence at all that the net had been shaken at its core.
There are zero credible reports, whatsoever, that Netflix went down. Not a single one.
What about Amazon's massive cloud hosting enterprise, which operates on a humungous scale all over the world? If the internet had a nuke dropped on it, wouldn't it have been singed? Even a little? Not according to Amazon's data, which shows zero outages over the past week. Even in Europe, where the attack has been based.
See all of those green checkmarks? They mean exactly what they look like: everything is OK. Everything has been OK.
What's not OK is a company trying to scare the internet's residents thinking they're the residents of Dresden in order to drum up business. There are plenty of scary things, people, and plots online. There are plenty of bad guys. There are plenty of attacks. There will be plenty more. If you're in the anti-hacker business, business has no signs of slowing down. So if your product is worth a damn, you shouldn't have to lie to the internet to sell it. Don't believe the hype.