So how big was it *really*?

So we all have heard the breathless news reports of how the recent
urinating contest between Spamhaus and a butthurt ISP was the "biggest
in history".

Where would you guys put it, if measured as "percent of total worldwide
available Internet bandwidth/resources"? My gut feeling is that by that
metric, it didn't even make the top 20. Think back to the Morris worm, or
Blaster/Nachi/etc - *nobody* had any free bandwidth when those happened. And
even if you restrict the discussion to intentional targeted attacks, I'm sure
we've had worse (Smurf, anybody? :slight_smile:

It's interesting, this just came up on gizmodo. As I said in another
forum, take it for what it's worth:


And there's a (semi-)public response from one of Cloudfare's upstreams:


I can't comment in detail, but there are some "lost in translation" moments with the reporting.

If you look at externally observable data, something surely happened at LINX on the 23rd:

I think it's easy to get fully into a doom-and-gloom scenario, but even if the numerical reporting is correct there wasn't a broad impact observed similar to slammer/blaster where everyone was congested.

I will say, please don't treat this as 100% hype and look at unicast-rpf and securing your DNS servers in parallel. That threat certainly is real. With 21,432,212 hosts that respond to dns queries (with the right answerl not including those that send a referral to root which is quite large), an amplification attack would be quite easy. It's somewhere around 1:173 hosts run a service that responds. That is real and clearly measurable.

your bind settings to look for are:

  additional-from-auth yes | no ;
  additional-from-cache yes | no ;

- Jared

Yes and no.

There's been quite a bit of exaggerated (and unhelpful, IMHO) hype around this entire episode from the outset; by the same token, the attacks did produce non-inconsiderable disruptive collateral effects in EMEA and APAC for various intervals, which would not likely be observed by an American sitting in his home in America watching online American content and accessing American applications and services hosted on American servers located in American IDCs in America.

Some folks don't seem to grasp the whole 'global' notion of the Internet, and the facet that not everyone who uses or does something on the Internet resides in America.


If you look at externally observable data, something surely happened at
LINX on the 23rd:

Yes, the polling server couldn't reach one of the networks - remember that
there are two networks at LINX.

I can tell you as one of the biggest peers at LINX if that much traffic
had gone we would have known about it.

From our perspective we observed almost nothing in-terms of impact other

than not being able to reach cloudflare.

We need to act I totally agree.


Surely the question is what was the impact?

If I had just installed 3 new 100G iinks the day before then its going to
be a lot bigger than if I didn't haven them.

In my view this was a minor blip, but very well sniper rifled at
Cloudflare - they have a lot of pissed off customers looking the blog they

Folks need to fix there infrastructure so this doesn't happen though.

Money quote:

In defense of the claims in other articles, there is a huge difference
between "taking down the entire Internet" and "causing impact to notable
portions of the Internet". My company, most other large Internet carriers,
and even the largest Internet exchange points, all deliver traffic at
multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps
is certainly not going to destroy the Internet, wipe anybody off the map,
or even show up as more than a blip on the charts of global traffic
levels. That said, there is absolutely NO network on this planet who
maintains 300 Gbps of active/lit but unused capacity to every point in
their network. This would be incredibly expensive and wasteful, and most
of us are trying to run for-profit commercial networks, so when 300 Gbps
of NEW traffic suddenly shows up and all wants to go to ONE location,
someone is going to have a bad day.

-- jra

I am *sooo* reminded of

'Your internet is having a bad day, and
your packets will not be going to their destination'



I heard the failure of a server to boot described as
"You will not go to userspace today".