"The largest DDoS attack that we have witnessed"
March 27, 2013 3:23 PM

A hosting company's attack on the premier anti-spam watchdog has grown so huge that it threatens to slow down the Internet at large.

Spamhaus is a Geneva-based watchdog group that maintains huge lists of known spammers, which e-mail services use to filter out the Viagra ads and Nigerian scams from your day-to-day correspondence. On March 19, they were hit by a massive distributed denial of service attack that nonetheless failed to bring down the site. But despite Spamhaus' countermeasures, the attack didn't stop.

Over the last week, the amount of garbage traffic being thrown at the site has only increased. From a relatively humble 10 gigabits per second, the attack has now grown to as much as 300 gigabits per second - by far the largest source of traffic currently running, and up to three times the volume of the next-largest attack recorded. The sheer volume of data being thrown around is enough to potentially clog up the hardware that runs the core structure of the Internet - the so-called "tier 1" connections through which all 'net traffic must ultimately flow. One cybersecurity expert says the attack has already started impairing Internet services across the world, particularly in Europe.

A Dutch hosting company called "CyberBunker" - which takes its name from the hardened nuclear shelter that houses its servers and prides itself on carrying any kind of traffic other than "child porn and anything related to terrorism" - is taking credit for the attack. The DDoS is apparently a retaliatory strike after Spamhaus blacklisted all e-mail tied to CyberBunker. The company has not been eager to give interviews, but a self-proclaimed spokesman has issued a statement that Spamhaus should not be able to decide "what goes and does not go on the Internet."

This is not the first time spammers have tried to bring down Spamhaus.
posted by Holy Zarquon's Singing Fish (124 comments total) 25 users marked this as a favorite
 
Hey you two, go fight outside!
posted by tommasz at 3:24 PM on March 27, 2013 [6 favorites]


wow, this is fascinating. It's really a free-market approach to regulation
posted by rebent at 3:30 PM on March 27, 2013 [2 favorites]


IF WE CAN'T HAVE IT NO ONE CAN
posted by resurrexit at 3:30 PM on March 27, 2013 [6 favorites]


The company has not been eager to give interviews, but a self-proclaimed spokesman has issued a statement that Spamhaus should not be able to decide "what goes and does not go on the Internet."

Wasn't there an antispam proposal that involved the sender's computer having to do some computational work before being able to send a message?

Spinning cycles wouldn't interfere with messages between legitimate parties, but the idea was that it would effectively cut spam off at the knees, given that the financial return on spam is a direct function of the volume of messages being sent; the volume of messages required to run a spam operation would require computational power that would make the larger operation financially impractical.

Am I misremembering things or did anything ever come from this idea?
posted by Blazecock Pileon at 3:35 PM on March 27, 2013 [4 favorites]
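
The proposal asked about in the comment above is proof-of-work postage in the style of Hashcash. The following is an added example, not part of the thread: a simplified stamp (SHA-256 and a made-up field layout, not the real Hashcash format) showing that minting costs many hashes while verifying costs one. The addresses, date and difficulty used with it are constructed.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest):
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient, date, bits):
    """Sender side: brute-force a counter until the stamp's hash starts with
    `bits` zero bits. Expected work is about 2**bits hashes per message.
    Returns (stamp, attempts)."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp, recipient, today, min_bits, seen):
    """Receiver side: a single hash plus three cheap checks. The stamp must
    name this recipient, carry today's date, and not have been seen before,
    so one piece of work cannot pay for many messages."""
    try:
        bits, date, rcpt, _counter = stamp.split(":")
        bits = int(bits)
    except ValueError:
        return False
    if rcpt != recipient or date != today or bits < min_bits:
        return False
    if stamp in seen:
        return False  # replayed stamp
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False  # claimed work was not done
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed values for illustration.
    stamp, attempts = mint("alice@example.org", "2013-03-27", 12)
    print(stamp, "minted after", attempts, "hashes")
    print(verify(stamp, "alice@example.org", "2013-03-27", 12, set()))
```
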


So, time to hit CyberBunker sites with DDoS?
posted by klangklangston at 3:35 PM on March 27, 2013 [2 favorites]


Spinning cycles wouldn't interfere with messages between legitimate parties

No I suspect that it would cost everyone but that legitimate senders are simply willing to pay the cost. I suspect that's why no one is very interested - it's just a tax and doesn't really do anything to improve trust. Plus I have no idea if it's technically possible. It may not be.
posted by GuyZero at 3:37 PM on March 27, 2013


klangklangston: "So, time to hit CyberBunker sites with DDoS?"

Granted this is John Dvorak talking, but apparently CyberBunker is hosting Wikileaks.

Time to get out the tinfoil hats?
posted by mullingitover at 3:37 PM on March 27, 2013 [6 favorites]


Wasn't there an antispam proposal that involved the sender's computer having to do some computational work before being able to send a message?


Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work.

posted by alex_skazat at 3:39 PM on March 27, 2013 [30 favorites]


Your post advocates a

( ) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
(X) Spammers will take down the entire Internet to spite you
posted by lantius at 3:39 PM on March 27, 2013 [44 favorites]


If spammers are primarily using other people's hijacked computers to send their spam, the cost to them is already pretty much zero. Making it a little more expensive to send email (in computational work, time, money or some other quantity) just punishes the people who own the zombified systems and doesn't hurt the spammers.
posted by Kevin Street at 3:43 PM on March 27, 2013 [9 favorites]


So, time to hit CyberBunker sites with DDoS?

Please don't even joke about this here, thanks.
posted by jessamyn at 3:45 PM on March 27, 2013 [16 favorites]


People who allow their systems to be zombified deserve to be punished.
posted by Justinian at 3:45 PM on March 27, 2013


Kevin and Justinian: the Ars Technica link claims that it's not ordinary citizens' zombie computers that are the problem, it's folks who run DNS servers whose computers are the main driver behind this attack:

To perform these attacks, the attackers need servers that are open to anyone (and arguably misconfigured). The Open DNS Resolver Project reports that there are about 25 million of these open DNS servers, and hence 25 million servers that can be used to generate enormous quantities of traffic. Making this worse is the fact that, unlike DDoS attacks using home PCs, these DNS servers typically have fast Internet connections.

The number of open DNS resolvers is dropping—CloudFlare reported that it was down by about 30 percent in February—but they're still abundant, and as the current attacks on SpamHaus make clear, still enough to be tremendously problematic.


Also, the first link has an update where Sven is claiming Cyberbunker is not involved, and has not been coordinating with the spammer attack against Spamhaus:

We want to be absolutely clear that the DDoS attacks are not and have not ever been orchestrated within CB3ROB/CyberBunker, nor are they conducted under the supervision of Sven or his constituents. He is a press contact for the group, an activist in the web community, and a freedom fighter for net neutrality. Spamhaus has always combated net neutrality and we all take an interest in internet liberty. http://www.stophaus.com/ - The STOPhaus movement.
posted by mediareport at 3:46 PM on March 27, 2013 [5 favorites]


Apparently this is prompting a tightening of DNS settings that will make DDoSs harder in future, so that might be an upside.
posted by Artw at 3:48 PM on March 27, 2013 [1 favorite]


Are DNSBLs still relevant to spam filtering? I have been using Bayesian filtering (spambayes) since about 2005 and at the level of a site with about 2 recipients it's quite adequate.
posted by jepler at 3:48 PM on March 27, 2013


http://www.stophaus.com/ - The STOPhaus movement.

Ok, these guys seem seriously unhinged and quite possibly dangerous. There's a whole lotta dox'ing going on there.
posted by GuyZero at 3:51 PM on March 27, 2013


I hope that every network in the chain that carries CyberBunker's traffic shuts them and their ISP completely off.
posted by Foci for Analysis at 3:52 PM on March 27, 2013


Eventually this is going to start costing some nutjob third-party money.
posted by SkinnerSan at 3:53 PM on March 27, 2013


Just looking at the board names on the STOPhaus forum, it screams "conspiracy theory".
posted by immlass at 3:54 PM on March 27, 2013


Man, fuck spammers.
posted by Artw at 3:56 PM on March 27, 2013 [3 favorites]


>So, time to hit CyberBunker sites with DDoS?
posted by klangklangston at 3:35 PM on March 27

The www.cyberbunker.com link above has been down for me for the last 10 minutes. Perhaps someone beat you to it.
posted by Dr Ew at 3:58 PM on March 27, 2013


They're going after the Caramilk secret.
posted by Flashman at 4:00 PM on March 27, 2013 [1 favorite]


For those proposing to D/DoS Cyberbunker - they're already way ahead of you in that game, and unless you control several million or several hundred million PCs in a botnet or you happen to be a top tier peering carrier or superpower-status nation you're not going to put much of a dent in their services.

They've basically been in operation since 1998 or so and they've been designed from the start to be able to resist most common forms of attack including DDoS, DNS amplification attacks and basically everything else you can think of.

Keeping sites online is a core competency and component of their business. They've configured their multiply-homed connections very well. They've even fudged their network configuration to report that most of their servers appear to be in Antarctica.

They also supposedly have multiple hardened bunkers across Europe and/or Russia to share loads and offer redundant, multiply hosted services across those locations, so even if you take the main Cyberbunker NOC/colo down, chances are it'll just fail over to another hosting center in an entirely different country and set of connections/backbones.

They're pretty serious about what they're doing. Hell, they've even resisted a number of direct police raids who have tried to pry open or bash down their blast doors... of a hardened Cold War era bunker designed to withstand up to a 20 megaton nuclear blast and EMP at several miles.

They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.
posted by loquacious at 4:06 PM on March 27, 2013 [56 favorites]


The real question is can the net keep growing fast enough to make these annoyances an acceptable drag on the system. I've been hearing this story, in increasing complexity and degree for twenty years now and the drag is never really appreciable to me, as far as I can tell.
posted by SkinnerSan at 4:10 PM on March 27, 2013


Or is that just because I'm right in the middle of the USA? Serious question.
posted by SkinnerSan at 4:12 PM on March 27, 2013


The www.cyberbunker.com link above has been down for me for the last 10 minutes. Perhaps someone beat you to it.

I wouldn't judge them by their own sales site. That might not even be hosted at their own facility, and if it was it would be the first site they'd let go down because it's just their vanity page.

That URL is under a great deal of load right now due to media interest including reddit, digg and many other forums.

If I were them I'd be firewalling or airgapping that public site from their main hosts/servers anyway. They know they're disliked on the internet for hosting spammers and other illegal or quasi-legal services, so it's likely it's compartmentalized to prevent people from deciphering useful IPs that could be used in an attack.

They don't allow pings or traces to their actual facility.

This is the same company that kept a bank of decoy servers on the top floor of the bunker so they could be conveniently taken away in the instance of a successful raid (which as far as I know hasn't yet happened) and they kept that secret for about a decade or more before talking about it.
posted by loquacious at 4:14 PM on March 27, 2013 [8 favorites]


Or is that just because I'm right in the middle of the USA? Serious question.

Probably, yeah. I've been reading reports yesterday and today that sites like Netflix and others that rely on streaming have been affected, mainly around Europe.
posted by loquacious at 4:16 PM on March 27, 2013


And if they're hosting wikileaks as is rumored, I would say follow the money. This might not just be about Spamhaus, and it's really fishy to me that they would claim responsibility for a DDoS of this size.

The amount of resources required to push 300 gigabits per second is either the work of a tier-1 peering provider or the largest botnet ever set to one task in the history of botnets.

There is big money behind this. It's not just a bunch of script kiddies from 4chan running LOIC or something.

Another easy guess is backing from organized crime, particularly Russian and Eastern Bloc orgs.
posted by loquacious at 4:22 PM on March 27, 2013 [3 favorites]


They're pretty serious about what they're doing. Hell, they've even resisted a number of direct police raids who have tried to pry open or bash down their blast doors... of a hardened Cold War era bunker designed to withstand up to a 20 megaton nuclear blast and EMP at several miles.

They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.

spam is a hassle, but I can't help but respect this
posted by This, of course, alludes to you at 4:22 PM on March 27, 2013 [12 favorites]


Holy crap, loquacious, you just blew my mind with your description of Cyberbunker's operations. Wow. This is one of those "I just realized we're living the future" moments.
posted by treepour at 4:23 PM on March 27, 2013 [3 favorites]


Hell, they've even resisted a number of direct police raids who have tried to pry open or bash down their blast doors... of a hardened Cold War era bunker designed to withstand up to a 20 megaton nuclear blast and EMP at several miles.

Their dad can also beat up anyone else's dad.
posted by kithrater at 4:24 PM on March 27, 2013 [3 favorites]


It'll be interesting to see what comes out of this. I doubt it's CyberBunker behind the attack, since it would just get everyone arrested / bank accounts frozen. My guess is it's one of their customers - probably those Eastern European organized crime groups someone mentioned above.
posted by Mitrovarr at 4:29 PM on March 27, 2013


Of course it's possible this is all just a fight over some free bananas in the cyberbunker.
posted by mannequito at 4:30 PM on March 27, 2013 [8 favorites]


Some global internet traffic reports:

http://www.internetweathermap.com/map

http://www.internettrafficreport.com/europe.htm

http://www.internettrafficreport.com/


Most of the exciting stuff may be over already. Most of the maps and connections are nominal and within range.

Those crowded/dying links on the eastern seaboard of the US are probably unrelated unless some three letter agencies or IXPs/ISPs around the Virginia and DC area are involved in the attack or a counterattack on Cyberbunker or something.
posted by loquacious at 4:32 PM on March 27, 2013


They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.

Just cut the power. Once the fuel runs out, those electrons aren't going anywhere.
posted by Blazecock Pileon at 4:36 PM on March 27, 2013 [2 favorites]


Holy crap, loquacious, you just blew my mind with your description of Cyberbunker's operations. Wow. This is one of those "I just realized we're living the future" moments.

We've been living in the future for a while now.

More fun facts about Cyberbunker: They apparently not only have a nice entertainment center, kitchen, and living apartments in there but they also supposedly have a heated indoor swimming pool.

They've also apparently kept and maintained the airlocks and NBC (nuclear, biological and chemical weapons) air filters in place.

Sure, it's not actually NORAD and Cheyenne Mountain but it's about as close as you could get to owning the real thing.
posted by loquacious at 4:40 PM on March 27, 2013 [3 favorites]


Just cut the power.

then cut the wires that connect them to the net
posted by pyramid termite at 4:45 PM on March 27, 2013 [3 favorites]


Just cut the power. Once the fuel runs out, those electrons aren't going anywhere.

Sure, but how much fuel do they actually have? They most likely have way more fuel than your average host who generally just relies on generators for short term power interruptions.

That's one of the things they've always kept classified, but they could have up to a month or more of fuel in there, just like NORAD does.

Or maybe even more than a month of fuel, considering their actual utility load is probably less than that of a fully staffed and equipped NATO bunker with old hardware.

And, again, apparently the Cyberbunker in the Netherlands is just the most visible one. They've supposedly built links to the other sites for redundancy and mirroring. They could easily transfer data and hosting to other sites while you're waiting for their fuel to run out.

And then after all the data is out and hosting is transferred to other locations they can wipe everything, open the blast doors and say "Problem?"

Sure, they're not invulnerable or even nigh-invulnerable, but "always up, no questions asked" and "hey, look we have nuclear hardened bunkers!" hosting is their main schtick and gimmick.
posted by loquacious at 4:49 PM on March 27, 2013 [1 favorite]


The simplest things for a real law enforcement agency to do would be to shut down their bank accounts. I would be surprised if their sysadmins kept themselves locked in an underground bunker without being paid.
posted by GuyZero at 4:52 PM on March 27, 2013 [3 favorites]


Cyberbunker.com is now down.
posted by leotrotsky at 4:53 PM on March 27, 2013


then cut the wires that connect them to the net

They thought of this, too, and it was probably the first problem they solved. They have multiple links. I wouldn't put it past them to have installed and buried their own fiber from the site.

Sure, you can probably find and cut all their connections or just turn off their IXPs but this quickly becomes legally problematic and very expensive in a freedom-loving country like the Netherlands or Germany, and may actually damage local infrastructure if they're doing any peering or exchanges.

The last few times they've been physically attacked they won damages in court. What they're doing isn't actually illegal in the Netherlands. And apparently they've retained some pretty aggressive lawyers.
posted by loquacious at 4:55 PM on March 27, 2013 [1 favorite]


Cyberbunker apparently has nothing to do with it? Clarity is needed itt.
posted by Potomac Avenue at 4:56 PM on March 27, 2013


So my work email became the target of a "joe jobbing" hijack yesterday (a new term for me). I wonder if it's related. It used up all of my available SMTP relays. The hosting company says they set up some damn thing to shut it down. Ugh.
posted by Brocktoon at 5:00 PM on March 27, 2013


The simplest things for a real law enforcement agency to do would be to shut down their bank accounts.

Why use bank accounts if you have gold, bitcoin, litecoin or ripple?

They only accept payments in money orders, wire transfers or other (mostly) anonymous payment schemes. They do not accept checks, credit cards or paypal.

I would be surprised if their sysadmins kept themselves locked in an underground bunker without being paid.

I wouldn't be. For job seekers they only had a small page saying "We don't pay competitive rates, and you may have to learn to enjoy living a bunker lifestyle."

They're not doing this entirely for money, or a steady paycheck so they're probably well prepared to have their publicly available assets seized and well compartmentalized.

You wouldn't be hired and working there if you didn't agree with their philosophies.
posted by loquacious at 5:00 PM on March 27, 2013 [2 favorites]


"For those proposing to D/DoS Cyberbunker - they're already way ahead of you in that game, and unless you control several million or several hundred million PCs in a botnet or you happen to be a top tier peering carrier or superpower-status nation you're not going to put much of a dent in their services."

Klangstonia is a superpower nation, and I won't have anyone saying otherwise.
posted by klangklangston at 5:03 PM on March 27, 2013 [1 favorite]


Let's all take a moment to appreciate the fact that, while specific sites are vulnerable to attack, the internet as a whole is built to be extremely resistant to targeted disruption.

*hugs internet*
posted by dephlogisticated at 5:05 PM on March 27, 2013 [4 favorites]


Why use bank accounts if you have gold, bitcoin, litecoin or ripple?

Because those are illiquid with respect to popping out to the grocery store to buy stuff.

They're not doing this entirely for money, or a steady paycheck so they're probably well prepared to have their publicly available assets seized and well compartmentalized.

So they may be doing this for philosophical reasons, sure. But it sure ain't a charity either.

And yes, I'm sure they're well-protected from casual harassment. But as anyone who has tried to evade taxes can attest, once the government brings out the big guns, it's game over. Although I'm sure they could last a long time.
posted by GuyZero at 5:05 PM on March 27, 2013


Yeah, I don't see how the bunker helps them against the police. Fine, they can lock themselves in the bunker. The cops will just wait outside, and in a month when they run out of food, everyone's going to jail for resisting arrest and obstruction of justice for the bunker antics alone.

It lets them wipe all of their servers, but it won't save the employees or the company.
posted by Mitrovarr at 5:09 PM on March 27, 2013


They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.

So they may well be stocked with... spam? That could be ironic. (I think. I'm sorry, Alanis Morissette was big when I took the SATs).
posted by maryr at 5:10 PM on March 27, 2013 [12 favorites]


Seriously though, could someone enlighten me a bit as to that Internet Weather Map? What does it mean? Like, why is a connection between a suburb of Toronto and Guam high traffic/latency? Does the latency mean traffic/volume?

Wait, now the Toronto-Guam link has died down but there's a slow Guam-Sydney link. Why are things so slow in Pennsylvania?
posted by maryr at 5:13 PM on March 27, 2013 [1 favorite]


And yes, I'm sure they're well-protected from casual harassment. But as anyone who has tried to evade taxes can attest, once the government brings out the big guns, it's game over.

Why do you assume they're not paying taxes?

Everything I've read about them indicates that they play by the legal rules of operating a business with care. When they first started operations they even asked the local and state government if they had a problem with them starting a host in a bunker, and they got permission.

Plus they have some pretty mean lawyers retained already for this kind of thing, and various local governments have already suffered financial losses trying to raid them. The Netherlands isn't going to want to tangle with them without severe provocation or proof of illegal practices.

As far as I know spamming or hosting spammers isn't illegal in their jurisdiction. To raid or seize them for spamming would open up a huge legal can of worms in the Netherlands that would shake their long-standing freedoms and protections of the press and information to the core to the point it could be a constitutional crisis.

People in this thread are making the mistake of using their experience of US law (and its disregard for its own laws) as a guide for what could legally happen there. Their laws aren't the same.
posted by loquacious at 5:15 PM on March 27, 2013 [5 favorites]


And yes, I'm sure they're well-protected from casual harassment. But as anyone who has tried to evade taxes can attest, once the government brings out the big guns, it's game over. Although I'm sure they could last a long time.

Exactly. No one has had the inclination yet to devote the resources to them. But it's cheap to cut the external power, and cheap to station people with machine guns in entrenched positions outside. The doors will open eventually. Sooner, depending on the ventilation.

They've got the resources to mess with Spamhaus, certainly. But not to challenge a government army. And they know it. This is why they carefully stay just inside plausible deniability. That deniability, not the blast doors, is their real shield.
posted by tyllwin at 5:18 PM on March 27, 2013 [1 favorite]


...I think the taxes were just an example of something governments are sometimes highly motivated to respond to, sometimes with disproportionate force.
posted by maryr at 5:18 PM on March 27, 2013 [1 favorite]


Why do you assume they're not paying taxes?

I'm not. That's just an example of a situation where pretty serious stuff happens and where a bunker is actually not super-useful. I'm actually quite sure they pay their taxes specifically for that very reason. And probably not with bitcoin.

As far as I know spamming or hosting spammers isn't illegal in their jurisdiction.

Sure. I'm not saying they're doing anything illegal at all. All I'm saying is that they are not immune from any interruption. If they did break the right law there is no hole deep enough for them to hide in, that's all. And sadly, those laws are tax laws for the most part, even in the Netherlands.
posted by GuyZero at 5:20 PM on March 27, 2013


Seriously though, could someone enlighten me a bit as to that Internet Weather Map? What does it mean?

Depending on the map or metric, it measures ping/transit times (latency, congestion) against theoretical maximums/averages, as well as packet loss (dropped/lost packets that don't arrive at their destination or aren't acknowledged as received.)

Higher ping times or more lost packets usually means that connection is saturated.

Also keep in mind that any given link you see going red could be due to scheduled downtime, maintenance, upgrades or repairs. Or operator errors.

It doesn't automatically mean that that link is being attacked or used for an attack.

Major chunks of the internet go down all the time for the above reasons on an hourly or daily basis. The internet routes around the downed or damaged links when alternate routes are available.

(Another random telecom fact: They're now constantly laying fiber links across oceans as redundant backups. There is basically always a big cable ship out there on every major ocean laying new cable. Every major transoceanic link has or should have one or more backup cables ready to go and already installed so they just have to flip a switch to bring it online. This is because they're frequently damaged by storms or large boat anchors or even salvagers looking for scrap metal.)
posted by loquacious at 5:24 PM on March 27, 2013 [6 favorites]


If CyberBunker is actually responsible, it was a stupid idea, even if they don't get tied to the attack by the law. They just got on Spamhaus' blacklist forever and about a million others besides.

I would suspect a false-flag op to attack Wikileaks but their comments make me think it might have actually been them. Oh well.
posted by Mitrovarr at 5:24 PM on March 27, 2013


Sure. I'm not saying they're doing anything illegal at all. All I'm saying is that they are not immune from any interruption. If they did break the right law there is no hole deep enough for them to hide in, that's all. And sadly, those laws are tax laws for the most part, even in the Netherlands.

Right. I'm not saying they're invulnerable either. But they're a lot more invulnerable than Dreamhost or Hostgator or something.
posted by loquacious at 5:25 PM on March 27, 2013


This is pretty great advertising for CloudFlare.
posted by BungaDunga at 5:25 PM on March 27, 2013 [3 favorites]


You don't need to stage a police raid on the building to get them offline. A pair of bolt cutters to their extremely vulnerable outside fiber connections would do just fine. Even easier, serve warrants to their upstream providers. Once they're offline they can stay in the bunker as long as they like with their rooms full of extremely expensive space heaters.
posted by mullingitover at 5:26 PM on March 27, 2013 [2 favorites]




Wow. That Stophaus place reminds me of when I worked for an ISP and started the antispam efforts at it, after we had a huge issue with our upstream provider for a massive firing-off of stuff. I'd bet a lot of the names behind it are a lot of the same names, as they seem to be members of the "True Free Speech" lunkheads from then, who thought that things like 'no spam' and 'keep to the newsgroup topic on Usenet' were sins against free speech. (Their only even mildly redeeming feature there was their hatred-bordering-on-howling for the Church of Scientology.)

I'm having flashbacks.
posted by mephron at 5:34 PM on March 27, 2013 [2 favorites]


Gizmodo: That Internet War Apocalypse Is a Lie

As much as I dislike Gizmodo - I agree with this analysis. I'm not an expert or anything but I've been watching internet traffic reports off and on for the past few days since the story broke and there haven't been any major red flags to indicate that things are as bad as Cloudflare has been claiming.
posted by loquacious at 5:34 PM on March 27, 2013 [3 favorites]


Find out who provides internet to CyberBunker, and block them too.

That's how it works: you block people who refuse to address the spammers in their network. If everyone did this, spam would in fact wither and die. But it's too profitable to too many ISPs. Some people are getting rich off of CyberBunker's antics, and they need to be hurt.
posted by Fnarf at 5:47 PM on March 27, 2013


Okay, I'll buy the penis enlarger! Just let me keep the internet.
posted by dances_with_sneetches at 5:47 PM on March 27, 2013 [4 favorites]


So, basically, this is a Pepsi Blue promotion for Cloudflare that fooled the New York Times but not Gawker? Just another "let's bash the Internet to remain relevant" moment from The Old Grey Lady of News (and her British half-sister the BBC).

Please, MetaFilter, give up your obsessive (and generally unrequited) love affair with the NYT before she really starts abusing you.
posted by oneswellfoop at 6:02 PM on March 27, 2013 [1 favorite]


Yeah, that Gizmodo piece is some good reporting; I'm curious to watch that unfold. But you know, right now all this mostly tech-ignorant Internet-lover wants to know is does the open DNS server problem remain serious or not? If so, how is it being fixed?
posted by mediareport at 6:23 PM on March 27, 2013


They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.

[and the bit about the swimming pool in there]

I'm betting a movie script is in the making.
posted by beagle at 6:30 PM on March 27, 2013


DNS DDoS depends not only on open DNS servers, it depends on open and stupid DNS servers.

The DNS Response Rate Limiting patch fixes this. It will eventually be included in mainline BIND. Sometimes it helps to have an open server because if your customers roam, they can continue to use it and not have to change their resolving server settings.

Network administrators and Internet providers should allow source addresses they own outside their network. This is a really simple filter on most major brands of routers, but spoofing isn't going away any time soon, because most networks don't do it. A position I can't understand, because why would I want to send spoofed traffic out my network? It doesn't do anything for me, it causes problems for others, and those bits cost money.
posted by pashdown at 6:36 PM on March 27, 2013 [1 favorite]


i once opened the terminal window on a row of stations in the computer lab and started them pinging the same IP. then I left. the network got really slow and everyone complained. this is kind of like that, I guess?
posted by ninjew at 6:43 PM on March 27, 2013 [2 favorites]


This reads like an epic eve online battle.
posted by roboton666 at 6:43 PM on March 27, 2013 [1 favorite]


Sometimes it helps to have an open server because if your customers roam, they can continue to use it and not have to change their resolving server settings.

If you want / need them to use your DNS, shouldn't you have them on a VPN, rather than configuring your dns server to recurse requests from anybody (I'm assuming that's what is meant by an "open DNS server")?
posted by junco at 6:44 PM on March 27, 2013


I'm betting a movie script is in the making.

Conveniently, rollerblades are the best mode of transportation in an underground concrete bunker.
posted by clearly at 6:45 PM on March 27, 2013 [16 favorites]


They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.

Is anyone else desiring a cite for that? Or for the claims in the last paragraph of that Ars Technica piece?

the company boasts that although "Dutch authorities and the police have made several attempts to enter the bunker by force, none of these attempts were successful." Even a Dutch SWAT team allegedly failed to get in.

Based on what's been presented in this thread, the only source we have for the claim that Dutch SWAT teams attacked and couldn't get in is Cyberbunker itself. Are we supposed to believe heavily armed police attacked a bunker, couldn't get in and then, um, left it at that? Really? loquacious, can you clarify where you're getting the info that "they've even resisted a number of direct police raids who have tried to pry open or bash down their blast doors"?
posted by mediareport at 6:51 PM on March 27, 2013 [3 favorites]


Is there a map somewhere of this stuff?
posted by hank at 6:52 PM on March 27, 2013


map -- something like this here
posted by hank at 6:59 PM on March 27, 2013


Look, if these guys manage to clog up the Internet and slow down the flow of data around the world, massive corporate and government power will fall upon their heads. I don't care how many bunkers and generators and lawyers and redundancies they have. They will be toast.
posted by tommyD at 7:05 PM on March 27, 2013


Yeah, it's a big story, but it's not armageddon or mass mayhem.

I'm guessing it's Spamhaus finally feeling froggy enough to jump at CyberBunker now that they're on Cloudflare, and CyberBunker decided to drop a proverbial nuke on them in retaliation. Spammers are big, crazy money, and CyberBunker has a lot to lose if they're blacklisted outright. Cloudflare seems to work as advertised.

The story Cloudflare should have told - "My guys are still alive and kicking after taking the most savage DDoS hit of all time."

What they told instead - "James bond villains are trying to break your Netflix, everyone! We'll save you! Tell your ISP or hosting company about us!"

Their PR will be years digging themselves out from this one. Or maybe everyone will just roll their eyes at the antics and do business anyway - Kaspersky is still in business after all, and damn: CyberBunker or one of its allies/clients did just lower the hammer in a serious way, and Spamhaus is still here.
posted by Slap*Happy at 7:06 PM on March 27, 2013


the company boasts that although "Dutch authorities and the police have made several attempts to enter the bunker by force, none of these attempts were successful." Even a Dutch SWAT team allegedly failed to get in.

Yeah, because cops are notorious for just giving up in those kinds of situations.

That's a classic force escalation situation. It would become a siege.
posted by unSane at 7:15 PM on March 27, 2013 [3 favorites]


So, it's just a pure coincidence that I watched this clip of Danny Hillis talking about the problems of the current internet architecture and how it's evolved far beyond what it was meant for, and this current action, right?
posted by symbioid at 7:16 PM on March 27, 2013


Dutch. It says "Dutch", not "American".
posted by symbioid at 7:18 PM on March 27, 2013 [1 favorite]


They're probably one of the few hosting sites in the world where much of the staff lives on site and is prepared with water, food and fuel stores to hunker down and wait out a physical attack.
[and the bit about the swimming pool in there]


Yeah, and it turns out those are just decoy employees.
posted by 445supermag at 7:40 PM on March 27, 2013




Man of twists and turns, that Ars Technica article you just linked leads with the most hilariously terrible infographic I have seen in a long time.

The Internet + Little Orange Clouds + Big Cloud (?) + Ninja Attacks = Anycast. And that's How Whitehats Saved the Internet!
posted by Scientist at 7:56 PM on March 27, 2013 [5 favorites]


Klangstonia is a superpower nation, and I won't have anyone saying otherwise.

Klang, there is a difference between a nation with superpowers and a superpower nation.
posted by Sparx at 8:17 PM on March 27, 2013 [2 favorites]


I'd be a lot of the names behind it are a lot of the same names, as they seem to be members of the "True Free Speech" lunkheads from then, who thought that things like 'no spam' and 'keep to the newsgroup topic on Usenet' were sins against free speech. (Their only even mildly redeeming feature there was their hatred-bordering-on-howling for the Church of Scientology.)

this sentence was painful to read
posted by This, of course, alludes to you at 8:20 PM on March 27, 2013


300gb of traffic in a distributed DDOS is nothing. There might have been a few links that went down, but nothing like THE ENTIRE INTERNET.

Way overblown.
posted by empath at 8:21 PM on March 27, 2013


Have the Dutch authorities even tried to arrest anyone from CyberBunker? Criminals have lawyers all the time; organized crime is assured of it. That doesn't stop the police from arresting them if there's a good cause to do so. Is the Dutch government really powerless in this case?
posted by shivohum at 8:34 PM on March 27, 2013


t,oc,aty: the concepts behind it, or the actual sentence itself?

I wish I was joking. Some of those people actually argued daily that being asked not to crosspost a reply to alt.sex.stories into comp.lang.pascal was censorship and restraint of their right to post, and that the lashing out against Canter and Siegel was a starting point for communist control of communication.
posted by mephron at 9:01 PM on March 27, 2013


Artw: "Apparently this is printing a tightening of DNS settings that will make DDoSs harder in future, so that might be an upside."

I've got mixed feelings about this. After years of dealing with ISP resolvers with terrible performance and redirected/hijacked NXDOMAINs, I really like that there are open resolvers out there (like Google's, for example). I'd hate to see them disappear because of this.

As I understand it, these particular attacks are quite dependent on source address spoofing. I don't know how core routing works on the internet, so could someone explain how this is still possible? Why are ISPs not filtering out packets with spoofed source addresses originating from within their networks?
posted by vanar sena at 9:14 PM on March 27, 2013 [1 favorite]


Today, I lost both internet and fax options for my company while attempting to improve both. Suddenly, phone service (with an answering machine) and the USPS is very appreciated.
posted by breadbox at 9:39 PM on March 27, 2013 [1 favorite]


tyllwin: "But it's cheap to cut the external power, and cheap to station people with machine guns in entrenched positions outside."

You'd think, but it has apparently already cost the British government £2.9 million just for the salaries of the police officers standing outside the Ecuadorian embassy to arrest him if he ever comes out. The cost of paying people to wait around adds up eventually.
posted by Copronymus at 9:40 PM on March 27, 2013 [1 favorite]


The mechanism being used for the attack is basically this:
a) attacker connects to DNS server that talks to anyone, and makes a request for the zone file for ripe.net. The request is small. The response is much bigger.
b) the sender is faked so the DNS server thinks it's spamhaus that asked for the DNS zone file, so sends it their way.
c) repeat with many more DNS servers; each DNS server also gets asked over and over.
d) cross fingers and hope spamhaus can't handle the volume of data headed their way, causing legitimate traffic to time out because their connection is so busy dealing with all the DNS traffic.
e) not working yet? scale up the attack with more sending servers!

It's known as a DNS amplification attack, and allows the attacker to scale up their ability to send traffic against the target by hundreds of times (the difference in size between the DNS request, and the response). Individual DNS servers don't see that much more traffic, especially if they're already quite well used.

Open DNS servers are pretty common, i.e. ones that don't restrict users to a subset of IP addresses. If you use any DNS servers on your computer other than the ones your ISP gives you, you'll almost certainly be using an open DNS server. There are well known ones like google and OpenDNS (natch), but there are many more, often intentionally hosted by ISPs. A safely configured one will rate limit its traffic responses so it doesn't keep sending a lot of data to one recipient, but currently that's a somewhat custom setup.

To defend against this attack in particular and a few other attacks going on, spamhaus signed up with Cloudflare for hosting their website. Firstly, they use anycast, so when you send traffic to an IP address, it can be answered from anywhere, from any number of different server farms, generally the one physically closest to your location. Since the 'attack' DNS servers are also everywhere, it means any one destination server farm only gets hit with a portion of the attack traffic, dissipating the attack across many locations. If any one location gets overwhelmed, you can take it out of the loop.

Secondly, they get their tier 2 ISP to block the traffic from getting to them. However, the traffic still exists - it just doesn't go down the cable to cloudflare. It becomes the problem of the ISP providing bandwidth for the tier 2, the tier 1 providers. These are the global operators like level 3 that link together and make the internet the globally connected system that it is (tier 2 providers often link directly - peer - with many other tier 2 providers, but still have to pay a tier 1 to get to absolutely everyone).

Thing is, tier 1 providers have a LOT of capacity - they have to have! Usually they see 1.5 to 2.5Tb of peak traffic at any given exchange, so even 300 Gb of traffic won't be a world ender for them - and of course, that traffic is split up and coming in from all over, and going all over rather than concentrated at one location, so I'm a bit sceptical that it's actually causing any significant issues for the tier 1 providers. Maybe other cloudflare customers, until they get new attack traffic blocked, but that would be about it.
posted by ArkhanJG at 12:30 AM on March 28, 2013 [8 favorites]


I wonder how much of this was Cloudflare just telling spamhaus that 'oh, our DDOS prevention isn't working because um, uh, the entire internet is down, yeah that's it', and spamhaus saying: Hey, isn't that a big deal, shouldn't we tell someone about that, and everything just getting out of control from there.
posted by empath at 12:50 AM on March 28, 2013 [2 favorites]


As I understand it, these particular attacks are quite dependent on source address spoofing. I don't know how core routing works on the internet, so could someone explain how this is still possible? Why are ISPs not filtering out packets with spoofed source addresses originating from within their networks?

Because cyberbunker are their own ISP, I believe a tier 2. They provide services for many companies, some of which are blackhats or spammers. It may not be cyberbunker themselves doing the attack, but someone using their services. As long as cyberbunker says the traffic is legitimate, then the other tier 2 ISPs they peer with, and the tier 1(s) they pay for for the rest, accept that, that's kinda how it works.

It would be possible to blackhole cyberbunker, but you'd have to convince all the other ISPs they peer/exchange with to do so, and do so for all its sites, not all of which are known. That's a big job.

Besides, if every tier 2 ISP got blacklisted for carrying some bad traffic, you'd have no internet - everybody has some blackhat customers, though some more than others. Eastern Europe has a reputation for hosters that don't ask awkward questions, but the US is probably the source for the most bad traffic.

Tier 3 providers, that buy in all their connectivity from a tier 2, are what you most likely use as an end-user. They can and do block bad traffic, because if their tier 2 provider gets fed up with them, they can get cut off the net altogether.
posted by ArkhanJG at 12:54 AM on March 28, 2013 [2 favorites]


Tier 3 providers, that buy in all their connectivity from a tier 2, are what you most likely use as an end-user.

I don't think that's really true. Most people get their broadband from a cable provider or an ILEC, these days.
posted by empath at 1:01 AM on March 28, 2013


There's a lot more tier 2's in the US that also provide end-user services, so given the audience, you're probably right. I was thinking like a european, we're largely all on tier 3 or tier 2 resellers over here.
posted by ArkhanJG at 1:05 AM on March 28, 2013


Is all the bogus traffic originating from within cyberbunker? I got the impression that it was just the C&C originating from there.

Sometimes the way large-scale routing works just seems really flimsy to me (cf the way some buggy BGP advertisements in Indonesia and Pakistan were able to take down mostly unrelated parts of the net a few years ago). I guess this is another bit of the legacy of IPv4 and the chaotic way address blocks have been allocated - the resulting tables are just so large and haphazard that doing sensible things like source address filtering are practically impossible at the Tier 1 and 2 levels.

Just my outsider impression. Maybe there's something I'm not understanding.
posted by vanar sena at 1:16 AM on March 28, 2013


the company boasts that although "Dutch authorities and the police have made several attempts to enter the bunker by force, none of these attempts were successful." Even a Dutch SWAT team allegedly failed to get in.

Every bunker has a vulnerability. Give me some C4 and a tanker truck full of liquid nitrogen, I'll get you in there.
posted by charlie don't surf at 4:43 AM on March 28, 2013


The mechanism being used for the attack is basically this:
a) attacker connects to DNS server that talks to anyone, and makes a request for the zone file for ripe.net. The request is small. The response is much bigger.
b) the sender is faked so the DNS server thinks it's spamhaus that asked for the DNS zone file, so sends it their way.
c) repeat with many more DNS servers; each DNS server also gets asked over and over.
d) cross fingers and hope spamhaus can't handle the volume of data headed their way, causing legitimate traffic to time out because their connection is so busy dealing with all the DNS traffic.
e) not working yet? scale up the attack with more sending servers!


And what makes that insidious is that the only routers that can tell if a source is spoofed are the ones on the spoofer's end. The further out into the internet your request goes, the less a router/firewall can be sure the address is wrong. If I'm here at home using Comcast, their first router should absolutely be dropping packets that appear to originate from anywhere but one of the source addresses on my subnet. The next router on the chain can only drop packets that are provably NOT connected to them. Which might be all of Comcast's IP addresses in the region. So if my end router is misconfigured, or if I know how to wrap my request into something that fools the router, then I can start a DDOS on anyone with Comcast service.

If you have 100,000 computers all over the world in your botnet, you only have to get a minority of them to successfully break through their ISP's security to successfully start a DDOS.

Sometimes the way large-scale routing works just seems really flimsy to me (cf the way some buggy BGP advertisements in Indonesia and Pakistan were able to take down mostly unrelated parts of the net a few years ago). I guess this is another bit of the legacy of IPv4 and the chaotic way address blocks have been allocated - the resulting tables are just so large and haphazard that doing sensible things like source address filtering are practically impossible at the Tier 1 and 2 levels.

It IS insanity. There are ways to mostly secure this, but all an attacker has to do is figure out how to get a packet or two onto a network to cause a lot of damage. The amount of encapsulating and translation that happens to a packet along its journey is mindboggling.
posted by gjc at 5:35 AM on March 28, 2013 [3 favorites]
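gjc's point above, that only the routers nearest the sender can prove a source address is spoofed, as an added example that is not part of the thread: three hops with nested constructed prefixes taken from the documentation ranges, showing which hop can drop a packet and how many foreign addresses remain impersonable when the nearer hops do not filter. Hop names, prefixes and function names are assumptions.

```python
"""Source address validation at successive hops (illustrative sketch)."""
import ipaddress

# Constructed topology. Each hop lists the source prefixes that can
# legitimately arrive on its customer-facing side; the lists widen with
# distance from the sender, so each hop can prove less than the one before.
HOPS = [
    ("access",   ["198.51.100.72/29"]),                   # one customer subnet
    ("regional", ["198.51.100.64/26"]),                   # one region's aggregate
    ("border",   ["198.51.100.0/24", "203.0.113.0/24"]),  # the ISP's allocations
]
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.72/29")
IPV4_SPACE = 2 ** 32


def can_prove_spoofed(src_ip, prefixes):
    """True if src_ip lies outside every prefix this hop serves."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in ipaddress.ip_network(p) for p in prefixes)


def first_drop(src_ip, enforcing):
    """Name of the first filtering hop that can prove the packet is spoofed,
    or None if the packet leaves the ISP with its claimed source intact."""
    for name, prefixes in HOPS:
        if name in enforcing and can_prove_spoofed(src_ip, prefixes):
            return name
    return None


def spoofable_addresses(enforcing):
    """How many addresses other than its own the customer can still claim.

    Because the prefix lists are nested, the first hop that filters sets
    the bound; with no filtering hop at all, the whole IPv4 space is open.
    """
    for name, prefixes in HOPS:
        if name in enforcing:
            total = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
            return total - CUSTOMER_PREFIX.num_addresses
    return IPV4_SPACE - CUSTOMER_PREFIX.num_addresses


if __name__ == "__main__":
    claimed_sources = [
        "198.51.100.74",   # the customer's own address
        "198.51.100.100",  # a neighbour in the same region
        "198.51.100.200",  # same ISP, another region
        "192.0.2.10",      # an outside network (the attack target's position)
    ]
    for enforcing in ({"access", "regional", "border"}, {"regional", "border"},
                      {"border"}, set()):
        print("filtering hops:", sorted(enforcing) or "none",
              "| spoofable:", spoofable_addresses(enforcing))
        for src in claimed_sources:
            print(f"  {src:15s} dropped at: {first_drop(src, enforcing)}")
```
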


jepler: "Are DNSBLs still relevant to spam filtering? I have been using bayesian filtering (spambayes) since about 2005 and at the level of a site with about 2 recipients it's quite adequate."

Well, as I see it, it is all part of a nutritious, spam free breakfast.

When I used to do my own mail/web/blog/forum hosting, I used a combination of Bayesian analysis, DNSBLs, and a custom list I used to compile myself. It worked well enough.
posted by Samizdata at 6:25 AM on March 28, 2013


kithrater: "Hell, they've even resisted a number of direct police raids who have tried to pry open or bash down their blast doors... of a hardened Cold War era bunker designed to withstand up to a 20 megaton nuclear blast and EMP at several miles.

Their dad can also beat up anyone else's dad."

Hell, I bet their Mom could prolly beat up anyone else's dad, with that kind of lifestyle.
posted by Samizdata at 6:27 AM on March 28, 2013


dances_with_sneetches: "Okay, I'll buy the penis enlarger! Just let me keep the internet."

Well, now you still have the internet, you really don't need anyone to see the results of the enlarger. Unless, of course, you are a ChatRoulette junkie...
posted by Samizdata at 6:32 AM on March 28, 2013


vanar sena: "Is all the bogus traffic originating from within cyberbunker? I got the impression that it was just the C&C originating from there.

Sometimes the way large-scale routing works just seems really flimsy to me (cf the way some buggy BGP advertisements in Indonesia and Pakistan were able to take down mostly unrelated parts of the net a few years ago). I guess this is another bit of the legacy of IPv4 and the chaotic way address blocks have been allocated - the resulting tables are just so large and haphazard that doing sensible things like source address filtering are practically impossible at the Tier 1 and 2 levels.

Just my outsider impression. Maybe there's something I'm not understanding."

Yeah, well, I believe that all these specs were designed with openness/interoperability in mind, and that we could all play together in this giant supercool sandbox like civilized children.
posted by Samizdata at 6:39 AM on March 28, 2013


If you want / need them to use your DNS, shouldn't you have them on a VPN

Unfortunately, configuring and using a VPN is about 100 times more difficult for most people than configuring a DNS server. The RRL patch works, use it.
posted by pashdown at 8:18 AM on March 28, 2013


Does anyone have any info on Cyberbunker's pricing structure? Their sales site is still down, so I can't check for myself, and I'm really curious how much of a premium you would pay for such a hardened host over your run-of-the-mill Dreamhost NOC.
posted by I Havent Killed Anybody Since 1984 at 9:02 AM on March 28, 2013


Curiouser and curiouser - I just saw this bit of news: Egypt catches 3 divers cutting internet cable under the sea.

Is it related? Seems like it could be. And of course add in Dvorak's speculation and now I'm really wondering who these divers really are...

I find it weird that Dvorak is positing such things, I always thought he tried to be "sensible" and such whenever he would discuss tech. I often disagreed with him when I was more utopian. Has he suddenly become more "out there" or has he always been this way and my differences with him obscured some of that?
posted by symbioid at 12:42 PM on March 28, 2013




Thing is, tier 1 providers have a LOT of capacity - they have to have! Usually they see 1.5 to 2.5Tb of peak traffic at any given exchange, so even 300 Gb of traffic won't be a world ender for them - and of course, that traffic is split up and coming in from all over, and going all over rather than concentrated at one location, so I'm a bit sceptical that it's actually causing any significant issues for the tier 1 providers. Maybe other cloudflare customers, until they get new attack traffic blocked, but that would be about it.

As I understand the articles, individual IPs inside Tier 1 IXs were being targeted, and these IPs probably shouldn't have been visible in the first place. Even 50 Gb directed at a single port of a 100 gig router is going to be enough to potentially cause slowdowns.

If 300 Gb isn't big for a DDoS, what's big? And has it been documented?

That Gizmodo article is crap, in that it fundamentally misunderstands the initial reporting, then shows that their bad assumptions were wrong, and therefore, Gizmodo concludes, the whole story is crap. In reality, the Gizmodo writer just has reading comprehension or attention span issues. That an IX can be meaningfully targeted with double digit percentages of its usual traffic is a story in itself, correct?
posted by Llama-Lime at 2:25 PM on March 28, 2013


Even 50 Gb directed at a single port of a 100 gig router is going to be enough to potentially cause slowdowns.

These core routers are capable of Tbs throughput. So 300 Gbs is noticeable but probably not really fatal.
posted by GuyZero at 2:26 PM on March 28, 2013


Right, but I said "single port," which is going to be at most 100 Gb. So depending on how they've done link bonding, or more specifically, not done link bonding, this is potentially an issue.
posted by Llama-Lime at 2:32 PM on March 28, 2013


Quoting Ars Technica's Peter Bright here:
The capacity of the "global Internet" is basically irrelevant. Traffic doesn't go over "the global Internet" as if it were some single aggregated network. It goes over a whole bunch of point-to-point links. LINX, the IX that suffered serious problems (but conveniently prior to the 24 hours that Gizmodo looked at) uses predominantly 10gigE connections between peers (100gigE is out there, but for most people, prohibitively expensive). Saturating these connections, thereby functionally breaking the routes between various parts of the Internet, is within reach of DDoS attacks like this.

Indeed, it seems that's exactly what happened on Saturday, when LINX's connectivity and routing plummeted.

Of course, there are generally other routes available; that's a big part of the Internet's design. "routing around failure" and all that. But breaking IXes is a big deal.
posted by Holy Zarquon's Singing Fish at 2:33 PM on March 28, 2013 [2 favorites]


arstechnica.com: downvotes Gizmodo article into deletion territory, Ars writer directly refutes it

metafilter.com: Gizmodo article is fourth most-favorited comment

This is an unexpected result! Never trust Gizmodo, unless you're looking for sensationalism.
posted by Llama-Lime at 2:59 PM on March 28, 2013 [1 favorite]


In defense of the claims in other articles, there is a huge difference between "taking down the entire Internet" and "causing impact to notable portions of the Internet". My company, most other large Internet carriers, and even the largest Internet exchange points, all deliver traffic at multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps is certainly not going to destroy the Internet, wipe anybody off the map, or even show up as more than a blip on the charts of global traffic levels. That said, there is absolutely NO network on this planet who maintains 300 Gbps of active/lit but unused capacity to every point in their network. This would be incredibly expensive and wasteful, and most of us are trying to run for-profit commercial networks, so when 300 Gbps of NEW traffic suddenly shows up and all wants to go to ONE location, someone is going to have a bad day.

But, having a bad day on the Internet is nothing new. These are the types of events we deal with on a regular basis, and most large network operators are very good at responding quickly to deal with situations like this.

Some more solid information.
posted by Llama-Lime at 5:21 PM on March 28, 2013 [1 favorite]


I'm betting a movie script is in the making.

Conveniently, rollerblades are the best mode of transportation in an underground concrete bunker.


Wrong, it's a mine caaaaaaart!
posted by A dead Quaker at 7:04 AM on March 29, 2013


That an IX can be meaningfully targeted with double digit percentages of its usual traffic is a story in itself, correct?

Happens all the time. We dealt with ddos's that saturated major city to city links at the regional clec I worked at least once a month.
posted by empath at 7:35 AM on March 29, 2013


Were those DDoSs targeted at IPs that should not have been routable from the general Internet? I.e. was that traffic "meaningfully targeted" at your local exchange, such that many unintended targets were affected through disruption of their network?

The interesting thing here is that the attack was a large one, that it involved SpamHaus and therefore we can all despise the attackers all the more, and that details have been shared with the public, when usually all this stuff is kept silent. All the superlatives that I saw were about it being the largest reported attack, which in a secretive industry, makes it news. Also, that it potentially affected a large number of smaller networks that were not direct intended targets. It doesn't have to be the end of the Internet, or the biggest DDoS of all time to be a story of general interest.
posted by Llama-Lime at 8:06 AM on March 29, 2013


Yes, ddos's often impact people besides the intended target.
posted by empath at 1:41 PM on March 29, 2013


OK, I heard over lunch that the Gizmodo article isn't responding to the NY Times article that they claim to be responding to, rather that Gizmodo is responding to supposed news outlets on TV that claimed ridiculous things such as US Netflix viewing being impaired or "maybe internet hackers are slowing down your computer." It excuses Gizmodo they'd mention the ridiculous red herrings like Netflix slowdowns if they were first raised by mass media.

If that's what Gizmodo is responding to, rather than the far more sensible NY Times that they claim to be refuting, then I can understand how it could be considered insightful, and far better "journalism" than the TV news. But whoever was making up the ridiculous claims in the first place wasn't a journalist, it was an entertainer.

The NY Times report is, by all accounts, accurate, and generally useful as long as mouthbreathing lunkheads don't start making up ridiculous stuff. I also soften my harsh Gizmodo criticism, and claim that they are just going after totally the wrong people with their article.
posted by Llama-Lime at 2:56 PM on March 29, 2013




As far as I can tell, Cyberbunker hasn't been running in a secure bunker for quite a while, stopping after a fire in 2002, which possibly involved an MDMA lab. I'll cite Wikipedia and new tenants Bunkerinfra.
posted by Pronoiac at 1:07 AM on April 1, 2013




Sven Olaf Kamphuis arrested.
posted by SkinnerSan at 2:11 PM on April 26, 2013


What a DDoS Attack Looks Like
posted by homunculus at 4:32 PM on April 26, 2013


The pastebin press release calling for Kamphuis' release is kind of entertaining. To paraphrase: "He's not involved in the ddos! He's our dear friend! Let him go or we will unleash epic ddos!" And also, they number in the millions.
posted by Pronoiac at 4:33 PM on April 26, 2013 [2 favorites]

