
It's not just you: the entire Internet is slow right now


DKT27


  • Administrator

Global internet slows after 'biggest attack in history'

The entire Internet has been experiencing a traffic slowdown this week, and it's all being blamed on a Dutch-based web host who allegedly has launched massive denial of service attacks.


If you have been trying to stream your favorite movie on Netflix today, or download your legally purchased copy of BioShock Infinite, you may be thinking that your connection is slower than normal. In this case, the problem may not be with your local ISP but with the entire Internet.

The BBC reports that the source of all these issues is a denial of service attack on the domain name servers run by Spamhaus. Its CEO, Steve Linford, claims that their servers have been under attack for over a week with peaks of 300 GB a second. Even though Spamhaus has stayed up and running, the attacks have caused Internet traffic globally to slow down.

So what caused this attack? Spamhaus also hosts blacklists that are designed to stop email spam around the world. Recently, the non-profit organization used its email spam list to block servers from Cyberbunker, a Dutch-based web hosting service. Spamhaus claims that Cyberbunker is working with other criminal groups in Eastern Europe and Russia to launch these denial of service attacks. A spokesperson for Cyberbunker did state that in their opinion, Spamhaus was abusing their power by blocking Cyberbunker but did not actually admit to being involved in the cyber attacks.

View: Original Article

Link to comment

Interesting .... :think:

As a matter of fact I had been experiencing damn clogged bandwidth for the last few days and I did call up my ISP's tech support (2X) and even that guy was pretty damn pissed as to why the net was slow.

He did acknowledge that yes it is slow, but why, he has no idea! :P

Might be related to this report or might not be...

Link to comment


chlorophyll

Here I am still getting NORMAL DL SPEEDS as usual. No slow here.

Link to comment


  • Administrator

Visiting many sites has been slow, especially today.

Link to comment


  • Administrator

Spamhaus DDoS grows to Internet-threatening size

More than 300 Gb/s of traffic aimed at the anti-spam site's hosting.

Last week, anti-spam organization Spamhaus became the victim of a large denial of service attack, intended to knock it offline and put an end to its spam-blocking service. By using the services of CloudFlare, a company that provides protection and acceleration of any website, Spamhaus was able to weather the storm and stay online with a minimum of service disruptions.

Since then, the attacks have grown to more than 300 Gb/s of flood traffic: a scale that's threatening to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible.

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. CyberBunker specializes in "anything goes" hosting, using servers in a former nuclear bunker (hence the name). As long as it's not "child porn and anything related to terrorism," CyberBunker will host it. This includes sending spam.

Spamhaus blacklisted CyberBunker earlier in the month. A CyberBunker spokesman, Sven Olaf Kamphuis, told the New York Times that CyberBunker was fighting back against Spamhaus because the anti-spam organization was "abusing [its] influence."

When the attack started, on March 18, it measured around 10 Gb/s. On March 19, it hit 90 Gb/s, on March 22 it reached 120 Gb/s. This still wasn't enough to knock CloudFlare or Spamhaus offline. So the attackers escalated.

Today, CloudFlare wrote that one of the Internet's big bandwidth providers is seeing 300 gigabits per second of traffic related to this attack, making it one of the largest ever reported.

This is bad news for the Internet. 300 Gb/s is the kind of scale that threatens the core routers that join the Internet's disparate networks.

As Ars wrote last week, CloudFlare uses a technique called anycast to distribute traffic to nearby servers. This greatly diffuses the potency of DDoS attacks, by preventing the attackers from focusing their traffic on a single system on the Internet. Instead, the attack traffic all gets directed to a nearby machine—one of CloudFlare's geographically distributed mirrors. A sufficient flood of traffic could still knock one of those local mirrors offline, but the impact of that should be relatively restricted, with users throughout the rest of the world unaffected.

Once an attack has been detected, the companies that CloudFlare buys bandwidth from—known as "Tier 2" providers—can then block the traffic to prevent it from entering their networks. That doesn't stop the problem, however; it just moves it upstream.

Tier 2 providers buy their bandwidth from the small number of Tier 1 providers. Tier 1 providers work a bit differently than Tier 2. They don't buy bandwidth from anyone. Instead, they just connect to other Tier 1 providers for free. These Tier 1 providers are the high-speed backbone that joins all the Tier 2 providers together, and hence makes the Internet a single global network, rather than a bunch of separate networks.

If a Tier 1 provider fails, that risks breaking the entire Internet.

Though the Tier 2 providers are blocking the flood traffic, the Tier 1 providers are still carrying it. As the DDoS attack has grown, so too has this load. The 300 Gb/s figure came from one of these Tier 1 providers. CloudFlare says that several of the Tier 1 networks have started to become congested, particularly in Europe. This congestion can make the entire Internet slower for everyone.

This has been particularly significant in London. Dotted around the globe are a number of "Internet Exchanges" (IXs). These are places where multiple networks from different service providers connect to each other. The London Internet Exchange (LINX), through which an average of about a terabit of traffic passes each second, suffered a substantial outage on March 23. At peak time, its traffic dropped from about 1.5 Tb to around half that.

The LINX team has subsequently changed some aspects of their network configuration to make their systems more robust against this kind of large scale attack, and normal service was resumed a little over an hour after the first attack.

The fundamental problem, however, remains. The traffic is being generated primarily from DNS amplification attacks. Small requests are sent to DNS servers, generating responses from those servers that are about 50-100 times larger. The sending address of these requests is spoofed, so the DNS servers think that they originated not from the attacker's machine but from the victim's machine; accordingly, the large responses are sent to that victim, overwhelming it with traffic.

To perform these attacks, the attackers need servers that are open to anyone (and arguably misconfigured). The Open DNS Resolver Project reports that there are about 25 million of these open DNS servers, and hence 25 million servers that can be used to generate enormous quantities of traffic. Making this worse is the fact that, unlike DDoS attacks using home PCs, these DNS servers typically have fast Internet connections.

The number of open DNS resolvers is dropping—CloudFlare reported that it was down by about 30 percent in February—but they're still abundant, and as the current attacks on SpamHaus make clear, still enough to be tremendously problematic.

To guard against these attacks in future, the open DNS servers need to be reconfigured in some way (to either restrict the IP addresses that can use them, or limit the number of queries they'll respond to, or both), and networks need to be reconfigured so that they won't send traffic with spoofed sender addresses.

Both of these fixes are well-known, and the problems have long been acknowledged. However, they require coordinated action from many parties: every DNS server operator and every ISP needs to do the reconfiguration work.

As for CyberBunker, the company boasts that although "Dutch authorities and the police have made several attempts to enter the bunker by force, none of these attempts were successful." Even a Dutch SWAT team allegedly failed to get in. CyberBunker argues that it is currently engaged in a blackmail war with Spamhaus. As Internet wars go, this one is using the nuclear option, and everyone is at risk of being caught in the blast.

View: Original Article

PS. I've moved this thread to Security and Privacy Center - it is indeed a security problem.

Link to comment
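The two resolver-side fixes named in the article above (restrict which addresses may use the server, limit how many queries it answers) can be compared in a small simulation. This is an added example, not part of the original post or article; the packet sizes, addresses, rate and burst values are constructed assumptions.

```python
import ipaddress

QUERY_BYTES = 60        # constructed size of one small spoofed request
RESPONSE_BYTES = 3000   # constructed size of one large answer (50x the request)
VICTIM = "203.0.113.7"  # constructed address the forged queries claim to come from


class ResolverPolicy:
    """Source ACL plus a per-source token bucket, checked before answering."""

    def __init__(self, allowed_nets, rate_per_s=None, burst=10):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.rate = rate_per_s        # None = no rate limit
        self.capacity = burst * 1000  # integer milli-tokens, no float drift
        self.buckets = {}             # source -> (milli_tokens, last_seen_ms)

    def decide(self, src, now_ms):
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in self.allowed):
            return "refused"          # not one of our clients: no recursion
        if self.rate is None:
            return "answered"
        tokens, last = self.buckets.get(src, (self.capacity, now_ms))
        # rate tokens per second equals rate milli-tokens per millisecond
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens < 1000:
            self.buckets[src] = (tokens, now_ms)
            return "dropped"          # over budget: send nothing
        self.buckets[src] = (tokens - 1000, now_ms)
        return "answered"


def simulate(policy, queries):
    """queries: (time_ms, claimed_source) pairs. Returns counts and reflected bytes."""
    counts = {"answered": 0, "refused": 0, "dropped": 0}
    for now_ms, claimed_src in queries:
        counts[policy.decide(claimed_src, now_ms)] += 1
    # Only full answers are counted as amplified traffic toward the claimed source.
    reflected = counts["answered"] * RESPONSE_BYTES
    return counts, reflected, reflected / (len(queries) * QUERY_BYTES)


def run_scenarios():
    # Constructed flood: 1000 forged queries in one second, one per millisecond.
    flood = [(ms, VICTIM) for ms in range(1000)]
    return {
        "open": simulate(ResolverPolicy(["0.0.0.0/0"]), flood),
        "acl": simulate(ResolverPolicy(["192.0.2.0/24"]), flood),
        "rate_limited": simulate(ResolverPolicy(["0.0.0.0/0"], rate_per_s=5), flood),
    }


if __name__ == "__main__":
    for name, (counts, reflected, factor) in run_scenarios().items():
        print(f"{name:13s} {counts} reflected={reflected}B factor={factor:.2f}")
```

The open resolver turns 60 KB of forged queries into 3 MB aimed at the claimed source; the ACL sends no answers, and the rate limit caps the answers at the burst plus the refill over the flood's duration.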


I've just tried going to CyberBunker's website and am getting the error "The connection has timed out. The server at cyberbunker.com is taking too long to respond.".

I wonder if something has happened to them - can't say I'd be surprised, considering recent events.

Link to comment


  • Administrator

Today, even my gaming pings are very high. :unsure:

Link to comment


insanedown58

I think I owe my ISP an apology after calling them non-stop for the past few days. :sorry:

Link to comment


SnakeMasteR

Today, even my gaming pings are very high. :unsure:

Where a ping is, should be a pong too (normally). :P

Fight those freaking spammers, who likes spam at all? What a funny story, CyberBunker is off, Spamhaus is on. On one side Spamhaus is not allowed to play internet sheriff when blacklisting spammers but attacking DNS servers which affects random people is freedom of speech or what? Stop peering to CyberBunker and they can close the doors (and I don't need to clean up my InBox so often). :)

‘Spamhaus mafia tactics – main threat to Internet freedom’: CyberBunker explains largest cyber-attack

Spamhaus is a major censorship organization only pretending to fight spam, a CyberBunker spokesman said in an RT exclusive. Sven Olaf Kamphuis claimed that as a constant bully of Internet service providers Spamhaus has only itself to blame for the attack.

In a Skype interview with RT, Kamphuis denied that CyberBunker was the organization behind the historical attack, pointing the finger at a large collective of internet providers around the globe called Stophouse.com.

Spamhaus has blackmailed a number of internet service providers and carriers into disconnecting clients without court orders or any legal process, Kamphuis says. Basically, he accuses them of claiming people are spammers when they are not.

“They do it on a regular basis,” Kamphuis said. “If people do not comply with their demands they just list the entire internet provider.”

Kamphuis claims they use “mafia tactics” and have a list of internet users that they do not like, which features a lot of users from China and Russia because they allegedly believe that a lot of spammers and criminals in these two countries use the internet to facilitate crime.

Spamhaus first reported massive DDoS attacks on March 20. At one point Spamhaus servers were flooded with 300 billion bits per second (300Gbps) of data, making it the largest registered attack of this kind in the history of the internet, according to Kaspersky anti-virus giant’s experts.

“The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal web services that have no relation to Spamhaus or CyberBunker,” corporate communications manager at Kaspersky, Yuliya Krivosheina, wrote in a statement for RT. “Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms.”

Kamphuis however claimed that the allegations of web access slowing down world-wide as a result of the attack could be a part of a PR stunt effort by a web performance and security company CloudFlare that helped Spamhaus to tackle the problem.

“That was basically just CloudFlare putting itself in the middle,” he explained. “CloudFlare took on a customer that was under attack in an attempt to make good PR for itself, and it kind of backfired.”

‘Spamhaus mafia tactics’

“Spamhaus mafia tactics are definitely the largest threat to the freedom of the internet at the moment,” Spamhaus told RT. And it is not about money, but about control, he says. Spamhaus just wants to own the platforms on which communications take place.

Earlier, speaking with RT's news video agency RUPTLY, Kamphuis said that CyberBunker was just one of the many groups who took part in the attack, most of them being various internet service providers outraged by Spamhaus’ constant bullying and blackmailing.

Source & Interview with Kamphuis

Link to comment


stylemessiah

Here in Australia it's been fine and the reports have been met with meh and media reports it as being completely overblown

Haven't noticed a damn thing myself.

Link to comment


  • Administrator

@n0_risk!: What a turn of the tides. Thanks for the info. :)

Now that you have mentioned it, while banning spammers, we check a lot of things and sites before taking the final call. Funny I would say, many times I've seen some of the nsane.forum staff's credentials blacklisted on spamhaus. :huh:

Link to comment


Oh yeah, it's certainly slowed down - fortunately, the nSane surfing has been fine, for me (heard november_ra1n complaining at the ShoutBox, though.)

Link to comment


Everything is going crazy here... youtube, damn site is streaming at 14kb/s. Everything belonging to google has slowed down somewhat. Other sites seem slow too. Facebook is unstable and anything on AKAMAI servers just will not serve.

Link to comment


No significant speed change here, but some sites are loading extremely slowly for me. :)

Yahoo! Mail, YouTube and Facebook are really slow. :(

Hope it gets fixed soon. ^_^

Link to comment


Same here too, hope they fix it soon

Link to comment


SnakeMasteR

@n0_risk!: What a turn of the tides. Thanks for the info. :)

Now that you have mentioned it, while banning spammers, we check a lot of things and sites before taking the final call. Funny I would say, many times I've seen some of the nsane.forum staff's credentials blacklisted on spamhaus. :huh:

Yup, I actually researched directly after posting and found the article and I need to edit nearly at the same time. :lol:

I thought using such a big amount of data for attack could not just be handled from one single point, that there maybe was a bigger operation ongoing. I agree with Kamphuis when he says that there has to be a better review and legitimacy for blacklisted "spammers", I get a bunch of spam every single day and that really is spam but if it's such an unfair way. Hosters and providers have many customers and clients and a big amount of peers, blacklisting the whole provider instead of the individuals seems to be the fastest and easiest way but it is completely wrong.

I didn't know nsane sends staff members out to spam around. :lmao:

CloudFlare estimates that Spamhaus "is directly or indirectly responsible for filtering as much as 80 percent of daily spam messages."

Well, if there are only 20-30 percent legitimate, I get why they have been attacked. :(

Link to comment


No significant change, my internet is still sluggish like usual, :lol:

damn, I hate internet speed in my country :duh:

Link to comment


Noticed a general slowdown in browsing for me. I wonder if it's because of this. Hope whatever it is gets fixed soon. :think:

Link to comment


  • Administrator

Here in Australia it's been fine and the reports have been met with meh and media reports it as being completely overblown

Haven't noticed a damn thing myself.

It can be that the websites you are trying might not be directly affected. Or it might be routed differently. Or websites might have CDN servers in your country. :)

Everything is going crazy here... youtube, damn site is streaming at 14kb/s. Everything belonging to google has slowed down somewhat. Other sites seem slow too. Facebook is unstable and anything on AKAMAI servers just will not serve.

Can confirm the youtube thingy.

@no_risk!: Will be interesting to see where this leads.

Link to comment


Massive DDoS attack against anti-spam provider impacts millions of internet users

Noticed any anomalies online in the last week or so? Do you live in Europe or North America? Chances are if you said yes to both you are being impacted by the largest distributed denial of service (DDoS) ever recorded.

What is happening? A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, a non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.

Cyberbunker takes its name from the former NATO bunker that the company operates out of. Not surprisingly they appear to be offline at the moment, whether that is due to a DDoS attack or other circumstances is difficult to discern.

Cyberbunker caters to customers who are unwanted by or afraid to use traditional web hosts because of the activities they are involved in.

Their target markets include copyright abusers, spammers, malware malcontents and just about any other type of activity... Except child porn and terrorism (thank god for that).

Because of the nature of Cyberbunker's traffic Spamhaus decided to add Cyberbunker's IP addresses to their blacklist of dodgy, spammy hosts. Cyberbunker proceeded to attempt to take Spamhaus offline in retribution.

How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

What is so special about this attack? It is a large scale DNS reflection attack that takes advantage of misconfigured DNS servers to amplify the power of a much smaller botnet.

Cloudflare, an anti-DDoS provider, was hired by Spamhaus to protect their systems (which remain online). They have reported that in a much smaller attack in late 2012 more than 68,000 DNS servers were utilized in a single attack.

How big is this problem? The Open Resolver Project reports more than 21.7 million insecure/misconfigured DNS servers on the IPv4 internet today.

Why does this make my internet slow? Despite the laughter echoing throughout the internet when a US Senator called the internet a system of tubes, it is in fact that way to a degree.

Many of the primary internet backbones ("tier 1 service providers") are being overwhelmed by the volume of traffic from this attack. This can make access to some sites slow or even temporarily impossible during peak attack volumes. These sites and providers could be considered collateral damage.

How does a DNS reflection attack work? DNS requests are typically sent over UDP, a connectionless protocol. This allows an attacker to forge the from address on the packets to appear to come from the victim of the attack rather than the actual originating computer.

As mentioned above, over 21.7 million DNS servers are misconfigured to allow anyone to query them for name services without any filtering or rate-throttling.

The attackers begin by identifying these vulnerable assets and use a sizable botnet to begin forging queries to the DNS servers. That is the reflection part, next comes the amplification component.

If a DNS request or response is under 512 bytes it uses UDP, so the attackers make sure the requests are very small. If a DNS response exceeds 512 bytes, DNS will switch to using TCP and the accompanying three-way handshake that is both time consuming and bandwidth amplifying.

Not only does DNS begin using TCP the replies are designed to be a couple of KBytes. So for only 300 bytes of botnet traffic you get over 3,000 bytes of attack traffic.

Unfortunately this problem has been made even worse by a security technology, DNSSEC. The signing of DNS is an important step toward preventing abuse, but it also makes DNS replies even larger, sometimes upwards of 5,000 bytes or more total.

You can see how a few hundred megabits of botnet bandwidth can quickly turn into gigabits of attack traffic from servers, which often have more processing and bandwidth available to them.

What can you do? If you are a regular user of the internet, not much. Don't panic, your data is safe; you are simply being denied service or experiencing delays.

If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network.

If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes.

@ http://nakedsecurity.sophos.com/2013/03/28/massive-ddos-attack-against-anti-spam-provider-impacts-millions-of-internet-users/

Link to comment
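Because the forged queries in a reflection attack never left the victim's network, the resulting traffic shows up at the victim's edge as DNS answers that match no outbound query. The detection sketch below is an added example, not part of the quoted article or the original post; the packet records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

VICTIM = "198.51.100.80"  # constructed address inside the monitored network

# Constructed packet summaries seen at the network edge:
# (direction, src_ip, src_port, dst_ip, dst_port, dns_id, size_bytes)
SAMPLE = [
    # A normal lookup: outbound query, then the matching inbound answer.
    ("out", "198.51.100.20", 40001, "192.0.2.53", 53, 0x1A2B, 62),
    ("in", "192.0.2.53", 53, "198.51.100.20", 40001, 0x1A2B, 148),
    # A late duplicate answer: unsolicited, but far too small to be a flood.
    ("in", "192.0.2.53", 53, "198.51.100.20", 40001, 0x1A2B, 148),
] + [
    # 40 large answers from 40 resolvers to a host that never asked anything.
    ("in", f"203.0.113.{n}", 53, VICTIM, 33000 + n, n, 3000)
    for n in range(1, 41)
]


def find_reflection_targets(packets, min_sources=10, min_bytes=50_000):
    """Return hosts receiving DNS answers that match no outbound query."""
    pending = set()  # (client_ip, client_port, resolver_ip, dns_id) awaiting answers
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for direction, src, sport, dst, dport, dns_id, size in packets:
        if direction == "out" and dport == 53:
            pending.add((src, sport, dst, dns_id))
        elif direction == "in" and sport == 53:
            key = (dst, dport, src, dns_id)
            if key in pending:
                pending.discard(key)  # solicited: answers a query we saw leave
                continue
            entry = stats[dst]
            entry["packets"] += 1
            entry["bytes"] += size
            entry["sources"].add(src)
    # Many distinct resolvers plus high volume is the reflection signature;
    # a single stray answer stays below both thresholds.
    return {
        dst: {"packets": e["packets"], "bytes": e["bytes"], "sources": len(e["sources"])}
        for dst, e in stats.items()
        if len(e["sources"]) >= min_sources and e["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for host, info in find_reflection_targets(SAMPLE).items():
        print(host, info)
```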


Archived

This topic is now archived and is closed to further replies.
