This week, the Internet was slowed by an unprecedented attack—no, not by an ongoing battle between a spam blacklist provider and an alleged spammer. Instead, Egypt caught three men in the process of severing the undersea fiber-optic cable connecting Africa, the Middle East, and Europe.
Questions remain about each attack, including whether either one actually increased latency in the affected regions.
The Associated Press reported that the Egyptian military had captured three divers near Alexandria who were in the process of cutting the cable owned by the country’s main communications company, Telecom Egypt. The cable was partially severed, according to reports.
Telecom Egypt executive manager Mohammed el-Nawawi told the private TV network CBC that the reason for the region’s slowdowns was not the alleged saboteurs, but damage previously caused by a ship. On March 22, cable provider Seacom reported a cut in its Mediterranean cable connecting Southern and Eastern Africa, the Middle East and Asia to Europe. “We understand that several other cable systems (some of which Seacom also [utilizes as] part of its network) were also affected at the same time and went down on this same route through the Mediterranean,” Seacom chief executive Mark Simpson said at the time, by way of explaining the general slowdown for the region.
Seacom later suggested that the most likely cause of the incident was a ship anchor, and that traffic was being routed around the cut, through other providers. But repairs to the cable took longer than expected, with Simpson announcing March 23 that the physical capability to connect additional capacity to services in Europe was “neither adequate nor stable enough,” and that it was competing with other providers. The repairs continued through March 27, after faults were found on the restoration system; that same day, Seacom denied that the outage could have been the work of the Egyptian divers, but said that the true cause would not be known for weeks.
“We think it is unlikely that the damage to our system was caused by sabotage,” Seacom wrote in a statement. “The reasons for this are the specific location, distance from shore, much greater depth, the presence of a large anchored vessel on the fault site which appears to be the cause of the damage and other characteristics of the event.”
Mohammed el-Nawawi suggested there would be a full recovery by March 28. Monitoring service Renesys told the AP that Internet services in the general region had slowed, but not to any definitive degree. The Internet Traffic Report—which doesn’t measure the Middle East, but Europe and Australia—also appeared to indicate no ill effects in the regions it covers.
Meanwhile, U.S. news reports focused upon the ongoing war of packets between Spamhaus, a company that develops blacklists of IP addresses from which spam is believed to originate, and Cyberbunker, a server hosting company. Blocking IP addresses via a blacklist allows ISPs and other providers to prevent spam without needing to filter by packet.
After Cyberbunker was added to the Spamhaus blacklist, a flood of packets began hitting Spamhaus servers on March 19, and Spamhaus asked a third party, CloudFlare, to intervene to prevent the denial-of-service attack. CloudFlare blogged about the incident, noting that it had stepped in to mitigate the attack.
“Put simply: if you have a router with a 10Gbps port, and someone sends you 11Gbps of traffic, it doesn’t matter what intelligent software you have to stop the attack because your network link is completely saturated,” CloudFlare noted. The company filters incoming packets through a network of its own servers, “scrubbing out” the incoming “bad” packets from the DDoS attack.
The question quickly became whether the attacks against CloudFlare affected the Internet as a whole. On March 27, CloudFlare backed a New York Times article that claimed the attack was the largest DDoS event ever experienced on the Internet.
The Times never actually claimed that the attacks had slowed down the Internet as a whole. “Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time,” the paper wrote—a normal occurrence during any particular day.
CloudFlare, however, went further, claiming that the attackers had begun flooding the Tier 1 peering companies that provided the key critical infrastructure. Tapping into open DNS resolvers, the attackers used a technique called DNS amplification, which spoofs ICMP requests to all devices behind the router. The total bandwidth of the attack topped 300 Gbits/s, CloudFlare claimed, enough to swamp even Tier 1 providers.
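Seen from the receiving network, traffic reflected off open DNS resolvers arrives as large UDP responses from port 53 that answer no query the victim ever sent. The following Python is an added example, not code from CloudFlare or the original article; the flow-record layout, addresses and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

LINK_CAPACITY_BPS = 10e9  # the 10Gbps port from CloudFlare's example
VICTIM = "203.0.113.10"   # documentation address, constructed

# Constructed per-second flow aggregates at the victim's edge (not real data);
# byte counts are inflated so three records stand in for many resolvers.
# (second, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    (0, VICTIM, 40000, "198.51.100.53", 53, "udp", 64),       # our own query
    (0, "198.51.100.53", 53, VICTIM, 40000, "udp", 120),      # its answer
    (1, "192.0.2.1", 53, VICTIM, 31337, "udp", 450_000_000),  # never asked for
    (1, "192.0.2.2", 53, VICTIM, 31337, "udp", 450_000_000),
    (1, "192.0.2.3", 53, VICTIM, 31337, "udp", 475_000_000),
    (1, "192.0.2.9", 443, VICTIM, 50123, "tcp", 20_000),      # unrelated traffic
]


def unsolicited_dns_responses(flows, local_ip):
    """Inbound UDP responses from port 53 that match no query local_ip sent."""
    # Simplification: a query is matched by (resolver, our source port) only,
    # with no time window or DNS transaction ID.
    asked = {(dst, sport) for _, src, sport, dst, dport, proto, _ in flows
             if proto == "udp" and src == local_ip and dport == 53}
    return [(sec, src, size)
            for sec, src, sport, dst, dport, proto, size in flows
            if proto == "udp" and dst == local_ip and sport == 53
            and (src, dport) not in asked]


def reflection_summary(flows, local_ip, capacity_bps=LINK_CAPACITY_BPS):
    """Count reflectors and compare the peak one-second rate to the link."""
    bits_per_second = defaultdict(int)
    reflectors = set()
    for sec, src, size in unsolicited_dns_responses(flows, local_ip):
        bits_per_second[sec] += size * 8
        reflectors.add(src)
    peak = max(bits_per_second.values(), default=0)
    return {"reflectors": len(reflectors), "peak_bps": peak,
            "saturated": peak > capacity_bps}


if __name__ == "__main__":
    print(reflection_summary(FLOWS, VICTIM))
```

On the constructed sample the unsolicited responses peak at 11Gbps against a 10Gbps link, the situation in CloudFlare's quote: the traffic can be identified at the edge, but it has to be dropped upstream of the saturated port.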
“Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare,” CloudFlare wrote. “If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.”
Gizmodo was one of the first to challenge the claim, concluding that those Tier 1 operators would have also had the bandwidth to handle any directed attack, a conclusion which appears to be borne out by peering data published by Deutsche Telekom and others.
So was a trio of Internet saboteurs responsible for slowing Internet connectivity in the Middle East? Probably not, and the same answer applies to the question of whether the CloudFlare-directed attacks did the same for Europe. Instead, an accident—a trailing ship anchor—appears to be the only culprit.