Yahoo and eBay are down — what we know on the morning of

Last night I was at the keyboard preparing the next post in this notebook when my mail client started filling with messages from regulars. Yahoo had been off the air for an hour. By the time I refreshed the news, it was reportedly back, with confirmation that the cause was a distributed denial of service attack of unprecedented scale.

This morning I have woken to reports that eBay is now experiencing similar trouble. Buy.com is reportedly off-air. The pattern is becoming a sequence rather than an isolated incident.

I want to write about what we know in the early hours, before the noise overwhelms the signal. There will be analyses for weeks; the immediate observations are sometimes the clearest.

What is being reported

The public reporting is sparse but consistent. Yesterday — Monday the 7th of February — Yahoo's main pages became inaccessible to most of the internet for approximately three hours, starting at around 13:00 Eastern. The cause, according to Yahoo's network operations team and corroborated by other sources, was a distributed flood of network traffic from many sources directed at Yahoo's infrastructure.

The scale described is in the range of gigabits per second of aggregate flood traffic. This is roughly an order of magnitude larger than the Minnesota DDoS of last August, which was at the time the largest such attack on public record. Yahoo runs significantly more capacity than the University of Minnesota; the attack still saturated their connections.

This morning, the attacks have spread. eBay is reportedly seeing similar traffic. Buy.com is reportedly affected. The pattern of consecutive same-shape attacks against well-known commercial sites strongly suggests the same actor — or at least the same toolkit, possibly being used by multiple coordinated parties.

What this looks like

In the absence of detailed public technical reporting, my best read of the shape from the descriptions:

Multiple attack types in the mix. The reports mention SYN flood, ICMP flood, and UDP flood traffic. This is consistent with Stacheldraht or a derivative — a toolkit that supports multiple flood types and that the attacker is mixing in real time.

Source addresses spoofed. The sheer volume of traffic — gigabits per second from what would otherwise need to be tens of thousands of distinct sources — implies that source spoofing is in active use. The receiver cannot meaningfully filter on individual source addresses because the addresses are randomised on every packet.

Targeted at specific high-profile sites. This is not random-target scanning. The targets are deliberately chosen for press impact. The attacker wants the consequences to be visible.

The combination is consistent with a Stacheldraht-style toolkit running across hundreds (probably thousands) of compromised hosts, with the attacker rotating attack types and targets to maximise disruption.
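The two observations above (mixed flood types, and a source address that changes on every packet) can be turned into a simple receiver-side detector. The block below is an added example, not the author's code; the packet summaries are constructed, and the threshold values are assumptions chosen for the sample.

```python
import random
from collections import Counter

# Constructed one-second packet summaries, not captured traffic:
# (dst, src, proto, tcp_flags). The legitimate client repeats its address;
# each flood packet carries a fresh random source, as a spoofing kit emits.
_rng = random.Random(7)

def _rand_ip():
    return ".".join(str(_rng.randrange(1, 254)) for _ in range(4))

LEGIT = [("198.51.100.1", "192.0.2.10", "TCP", "ACK")] * 40
FLOOD = ([("198.51.100.1", _rand_ip(), "TCP", "SYN") for _ in range(500)]
         + [("198.51.100.1", _rand_ip(), "ICMP", "") for _ in range(300)]
         + [("198.51.100.1", _rand_ip(), "UDP", "") for _ in range(200)])
QUIET = [("198.51.100.2", "192.0.2.11", "TCP", "ACK")] * 20

def window_stats(records):
    """Per-destination counters for one second of packet summaries."""
    out = {}
    for dst, src, proto, flags in records:
        s = out.setdefault(dst, {"pkts": 0, "srcs": set(), "mix": Counter()})
        s["pkts"] += 1
        s["srcs"].add(src)
        s["mix"][proto + ("/" + flags if flags else "")] += 1
    return out

def classify(stats, pps_floor=500, ratio_floor=0.8):
    """Label a destination as under a spoofed-source flood when the packet
    rate is high AND nearly every packet arrives from a never-seen source.
    Per-address filtering is pointless in that state; the distinct-source
    ratio, not any single address, is the signal. Thresholds are assumed."""
    verdicts = {}
    for dst, s in stats.items():
        ratio = len(s["srcs"]) / s["pkts"]
        if s["pkts"] >= pps_floor and ratio >= ratio_floor:
            # report every traffic kind that makes up at least 10% of the mix
            kinds = sorted(k for k, v in s["mix"].items() if v >= 0.1 * s["pkts"])
            verdicts[dst] = ("spoofed-source flood", round(ratio, 2), kinds)
        else:
            verdicts[dst] = ("normal", round(ratio, 2), [])
    return verdicts

if __name__ == "__main__":
    for dst, v in classify(window_stats(LEGIT + FLOOD + QUIET)).items():
        print(dst, v)
```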

What is not yet clear

A few things that the early reporting is silent on, which will matter for understanding what happened.

Who is the attacker. No claim of responsibility yet. The attack is high-impact and high-visibility, which suggests someone seeking attention — but "seeking attention" describes a very wide population.

Where the controlling masters are. Stacheldraht-style architecture has a small number of master hosts that command the daemons. Identifying those masters is the highest-leverage piece of investigative work. If the masters can be taken offline, the attack stops, regardless of how many daemons remain.

What the response involved. Yahoo's traffic returned after about three hours. How did it return? Did the attacker stop? Did Yahoo's upstream apply emergency filters? Was there a coordinated response across multiple ISPs? The answer will be informative.

Whether this is the start or the middle. With eBay and Buy.com hit this morning, the attack appears ongoing. The duration matters — if this stops in the next 24 hours, it is a high-intensity incident. If it continues for days, it is a sustained campaign.

Why this matters more than the previous public DDoS incidents

A few reasons.

The targets are commercial. Yahoo, eBay, Buy.com — these are companies whose entire revenue depends on being reachable. The cost of an outage at this scale is not measured in administrative inconvenience; it is measured in direct lost revenue plus the much larger reputational and stock-price impact. The Minnesota incident was a university; the cost was inconvenience and a research disruption. This is a different category.

The targets are visible. Anyone who uses the internet knows what Yahoo is. The attack does not need to be explained to the public. The press coverage will be enormous and will largely set the political agenda for the response.

The defensive response was clearly inadequate. Yahoo presumably had whatever DDoS mitigation was commercially available. They were down for three hours. The consensus that "the existing defences are insufficient" is now front-page rather than research-paper.

The scale validates the trajectory. Anyone who had been reading the analyses I have been writing all year was warned that this scale of attack was approaching. Its arrival on schedule means that more, and bigger, are likely.

What I expect over the next weeks

A short list of things I will be watching for, written down so I can score myself later.

Coordinated industry response. Several US carriers will probably announce some form of cooperative DDoS-mitigation programme within weeks. The economic incentive is finally large enough to overcome the coordination friction.

Hardware vendors will release new products. Cisco, Juniper, and the dedicated firewall vendors will all have new "DDoS protection" announcements before the end of the quarter. Some will be substantive; some will be repackaging.

The legal and regulatory conversation will accelerate. Senators and MPs will hold hearings. Computer-misuse legislation will be re-examined. Some jurisdictions will pass new laws specifically about denial-of-service attacks. The international cooperation aspect — attacks crossing borders — will get attention.

The attacker will eventually be identified. Operations of this scale leave traces. Some of those traces will lead, eventually, to whoever is behind it. I would not be surprised to see arrests within months. The attacker, on the available evidence, is probably young, technically capable, and has not yet appreciated how visible their actions will become.

The protocol-level conversation will finally accelerate. BCP 38 will go from a quiet recommendation to a public policy demand. Adoption will still be slow but the pressure will be visibly different.
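The BCP 38 recommendation is a per-interface ingress rule at the network edge: a packet entering from a customer whose source address is outside that customer's allocated prefixes is dropped, which is exactly what removes the spoofed traffic described earlier before it ever reaches a target. The block below models that rule; it is an added example, not the post's own material, and the interface names and prefixes are constructed.

```python
import ipaddress
from collections import Counter

# Hypothetical edge router: each customer-facing interface lists the prefixes
# that customer is allocated (constructed values, RFC 5737 documentation space).
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

def bcp38_permit(iface, src):
    """True if src is a legitimate source for a packet entering on iface.
    An interface with no prefix table fails closed: nothing is forwarded."""
    allowed = INGRESS_PREFIXES.get(iface)
    if allowed is None:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def apply_filter(records):
    """records: (iface, src) pairs seen at ingress.
    Returns per-interface counters of forwarded and dropped packets."""
    forwarded, dropped = Counter(), Counter()
    for iface, src in records:
        (forwarded if bcp38_permit(iface, src) else dropped)[iface] += 1
    return forwarded, dropped

# Constructed sample: cust-a emits its own traffic plus two spoofed packets
# (a private address and someone else's prefix); cust-b's .250 lies outside
# its /25 + /26 allocation; "cust-z" has no table at all.
SAMPLE = [("cust-a", "192.0.2.7"), ("cust-a", "192.0.2.9"),
          ("cust-a", "10.1.1.1"), ("cust-a", "203.0.113.5"),
          ("cust-b", "198.51.100.5"), ("cust-b", "198.51.100.130"),
          ("cust-b", "198.51.100.250"), ("cust-z", "192.0.2.7")]

if __name__ == "__main__":
    fwd, drp = apply_filter(SAMPLE)
    print("forwarded", dict(fwd), "dropped", dict(drp))
```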

What I am doing personally

Nothing different at home — my own infrastructure is no more at risk today than yesterday. Most importantly, my hosts continue not to be part of the problem.

For the friends I administer for, I am sending a short note this morning reminding them to verify their backup contact procedures. If their primary connectivity goes down, who do they reach? How? With what authentication? The answers tend to be unsatisfactory until the moment they are needed.

More on this as the picture clarifies. The week ahead is going to be informative.
