We were told it was the biggest DDoS ever, but Prolexic’s CEO says it’s hugely unlikely that’s true
When Spamhaus, an anti-spam organisation that some have labelled a vigilante group, claimed it was being hit by a 300Gbps distributed denial of service (DDoS) attack, it made plenty of headlines.
That’s because it was the biggest cyber attack on record. At least, that’s what we were all told and it may well be true. Some suggested it even caused a global Internet slowdown, with Spamhaus’ DDoS protector CloudFlare saying it “almost broke the Internet”, claims that were later torn apart by more cynical onlookers.
Then today, the biggest DDoS protection vendor in the world, Prolexic, brought out a report on DDoS attack power, writing that those involved in the Spamhaus hit had reported “grossly inflated” figures. The report didn’t mention the attack again.
But Prolexic CEO Scott Hammack (pictured) subsequently told TechWeekEurope the whole thing was based on erroneous data and dubious use of facts. He was fairly certain it was not the biggest attack ever, claiming it was “very, very unlikely”.
Playing with the figures
Hammack believes those pushing the “biggest attack ever” message combined traffic figures of separate attacks on those involved in the Spamhaus DDoS hits, including Tier 1 network providers and exchanges like LINX in London, to get to 300Gbps. When talking about DDoS attack records, only single strikes should be counted.
When TechWeek looked into the Spamhaus attacks, a Tier 1 provider said it saw over 300Gbps between an internal router port and another port that served customers in London. But that was in two different attacks.
CloudFlare CEO Matthew Prince said he was sure of the 300Gbps figure, pointing to an online comment from Richard Steenbergen, CTO of nLayer, one of the upstream network providers of CloudFlare. Although Steenbergen said the company saw a 300Gbps hit going after CloudFlare, which targeted “pieces” of the core network, it was nothing “record smashing” or “game changing”.
Actual data proving a 300Gbps hit remains thin on the ground. Hammack said his firm had not seen anything above 160Gbps in a single DDoS, with 144 million packets sent per second, and he doesn’t believe there has been one higher. He won’t be convinced otherwise unless someone shows him proof one organisation’s network took more traffic in an attack.
“When you’re trying to get an aggregate total of the attack size, it’s very difficult to get real data when your systems are down,” he explained.
“Those guys were down and you’ve got attack traffic from around the world converging on a couple of different points. And what’s happening is they are taking down circuits around the origin they’re trying to attack.
“When you hear numbers coming out of people out of thin air, unless they can verify them like we do, it’s extremely difficult to validate that number and believe it is real.
“When we announce a number we take in all of the attack traffic at our scrubbing centres around the world, so we see at our border routers all of that traffic.”
Going on a cyber attack
If it’s the biggest DDoS vendor in the world, why has Prolexic only now started speaking up? “When you start seeing this erroneous stuff happening out there, you’ve got to speak up a little bit,” Hammack added.
“We want to make sure the information out there is verifiable and that it’s not alarmist.”
His comments back up what one of Prolexic’s rivals told TechWeek in the aftermath of the Spamhaus hit. “We did not positively correlate any specific issue with this specific attack,” said Patrick Gilmore, chief network architect at Akamai.
“We could observe some higher latency in specific locations but cannot confirm any direct correlation with the attack.
“The Internet is a big place, there are lots of problems all the time. This caused quite a few, but there were plenty of others happening at the same time for completely separate reasons.”
The 160Gbps attack Prolexic recorded was on a financial institution in the second quarter of 2013. Attacks that battered US banks last year only hit 70Gbps, showing how serious the threat is getting.
It’s the 144 millions of packets per second figure that disturbs Hammack more, however. “That’s a more devastating number.
“There are very few infrastructures in the world that can handle that. It’s an unbelievable amount of data.”
UPDATE: Spamhaus got in touch with TechWeekEurope on the Prolexic claims, saying it was not the one who claimed the 300Gbps figure, the data came from its partners, whom it believes to be telling the truth.
A spokesperson pointed us to a graph from Arbor Networks, which is published below. But it is unclear whether Arbor recorded that 300Gbps or if it had taken the reported size of the hit and added it to their list of biggest attacks. We have contacted Arbor and will update when a response comes through.
UPDATE 2: The Tier 1 provider involved in the Spamhaus attacks has told us the two separate attacks were around the 300Gbps mark – 295Gbps and 309Gbps.
John Reid of Spamhaus also had this to say: “It’s easy for one to say ‘that didn’t happen’ and that it is ‘certainly false’, but when one is not a first-hand witness, then it’s just a guess.”
And it appears Arbor networks did not base the 300Gbps figure on its own data. “Based on what we know, from our customers and others in the industry, the 300Gbps estimate was accurate,” said Darren Anstee, Arbor Networks solutions architect team manager.
What do you know about Internet security? Find out with our quiz!