The dust is settling from this week’s Dutch DDoS attacks — by some accounts, the largest denial-of-service action ever mounted, channeling 300 gigabits of junk traffic to the web’s weakest spots. For the most part, our tubes performed admirably. Most web users didn’t see anything more than a mild slowdown. Spamhaus, the European anti-spam watchdog site targeted by the action, is still online. But despite recent skepticism from Gizmodo, the attacks caused real damage behind the scenes, overwhelming critical pieces of internet infrastructure and leaving serious questions about the vulnerabilities of the machinery that powers the web.
The most tangible damage came Saturday afternoon at the London Internet Exchange (LINX), a fiber-equipped exchange point that moves data between different parts of the network. It’s legally designated as critical infrastructure. On a typical day, LINX peaks out at 1.6 terabits per second, but if you look at the graph below, you can see their self-monitored traffic line crater for hours in the middle of the day.
The good news is that the web is built on redundancy, so the extra terabit-per-second of bandwidth could be spread across the network without any catastrophic failures, but the wake-up call for telecoms is real. There’s never been a DDoS attack against an internet exchange before, and exchanges aren’t set up to protect against them. LINX is run as a non-profit collective of ISPs, a kind of no-man’s-land between providers, so it doesn’t have the resources of a multinational telecom to back it up. And before today, its internal IPs were open to traffic from outside the network, leaving them vulnerable to DDoS attack.
That’s already changing. According to Cloudflare CEO Matthew Prince, who worked to mitigate the attack, LINX has already switched to a more closed network that will be harder to reach from the outside. Hopefully, other internet exchanges will follow suit, but because of the distributed nature of the exchanges, there are no guarantees.
Beyond the internet exchanges, the sheer size of the attack suggests an evolution in DDoS techniques. Most measurable attacks cap out at 100 gigabits per second, simply because that’s enough traffic to crash even a high-end router. But in Spamhaus’s case, distributed protection kept them from crashing, so the attack got stronger and stronger, and changed its target from Spamhaus to the larger infrastructure that Spamhaus’s hosting is built on. That means ISPs and, eventually, internet exchanges. They’re bigger targets than DDoS attacks have taken on in the past, but as DDoS protection becomes more common, they’re likely to be targeted more often. Hopefully, by the time the next attack comes, they’ll be better prepared.