Anti-spam Spamhaus up again after 75Gbps DDoS attack

The website of non-profit spam fighter Spamhaus is online again after a huge DDoS attack knocked it offline on Sunday, but attackers continue to target other anti-spam sites that help ISPs combat spam from infected IP addresses.

Spamhaus, which provides several anti-spam DNS-based blocklists and maintains the “register of known spam operations”, came under a huge DDoS attack on Sunday, which knocked its web server and mail server offline until Wednesday.

Spamhaus spokesperson Luc Rossini on Monday denied a report that Anonymous was behind the attack and pointed to a “Russian criminal malware gang” as the source.

On Tuesday Spamhaus sought cover from the attack with DDoS protection provider CloudFlare, which today reported the attack on Spamhaus reached a peak of about 75 gigabits per second.

The attackers used a cocktail of DDoS attack methods, but the primary one that helped generate that volume of traffic was a “reflection attack”, according to Matthew Prince, CloudFlare’s CEO.

“The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers,” Prince explained, noting that 30,000 open DNS resolvers were recorded in the attack, in which the requests' source addresses were spoofed to IP addresses CloudFlare had issued to Spamhaus.

“The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”
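The amplification Prince describes is visible from the resolver operator's side as a pattern in the query log: many small queries whose answers are dozens of times larger, all addressed to the same source IP, which in a reflection attack is the spoofed victim. The following Python script is an added example, not code from the article, CloudFlare or Spamhaus. It parses a constructed, simplified one-line-per-response log format and flags clients whose response-to-request byte ratio and query count exceed thresholds; the log format, the sample addresses and the thresholds are all assumptions made for the example.

```python
"""Flag likely DNS reflection abuse from a resolver's query log.

Added example, not from the article, CloudFlare or Spamhaus. The log
format is a constructed, simplified one (one response per line):
    "<epoch> <client_ip> <qtype> <qname> <req_bytes> <resp_bytes>"
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (addresses from RFC 5737 documentation ranges).
# 203.0.113.7 receives repeated large answers to small queries, which is the
# reflection pattern; the other two clients look like ordinary lookups.
SAMPLE_LOG = """\
1364300000 203.0.113.7 ANY example.net. 64 3200
1364300000 203.0.113.7 ANY example.net. 64 3200
1364300001 203.0.113.7 ANY example.net. 64 3200
1364300001 203.0.113.7 ANY example.net. 64 3200
1364300002 203.0.113.7 ANY example.net. 64 3200
1364300002 198.51.100.20 A www.example.org. 58 102
1364300003 198.51.100.20 AAAA www.example.org. 58 130
1364300003 192.0.2.44 MX example.org. 52 180
"""


@dataclass
class ClientStats:
    """Per-client totals accumulated from the log."""
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    qtypes: set = field(default_factory=set)

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received from this client."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_line(line):
    """Split one log line into typed fields; reject malformed input."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, client, qtype, qname, req, resp = fields
    return int(ts), client, qtype, qname, int(req), int(resp)


def aggregate(log_text):
    """Accumulate query count and byte totals per client IP."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, _, req, resp = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.req_bytes += req
        s.resp_bytes += resp
        s.qtypes.add(qtype)
    return dict(stats)


def flag_reflection(log_text, min_ratio=10.0, min_queries=5):
    """Return clients that received at least min_queries answers with an
    overall response/request byte ratio of min_ratio or more. Thresholds
    are assumed values; tune them to the resolver's normal traffic."""
    return {ip: s for ip, s in aggregate(log_text).items()
            if s.queries >= min_queries and s.amplification >= min_ratio}


if __name__ == "__main__":
    for ip, s in flag_reflection(SAMPLE_LOG).items():
        print(f"{ip}: {s.queries} queries, x{s.amplification:.0f} "
              f"amplification, qtypes={sorted(s.qtypes)}")
```

Run against the sample it reports only 203.0.113.7, with a 50x ratio. A flagged address is the party being hit, not the attacker, so the operational response for the resolver operator is to stop answering recursive queries from outside its own network and to apply response rate limiting, which removes the server from the pool of open resolvers this kind of attack depends on.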

[Image: CloudFlare traffic graph. Caption: The attack reached a peak of about 75 gigabits per second. Image credit: CloudFlare]

The DDoS appears to be one component of a multi-pronged attack on blocklist tools the anti-spam community uses to stop botnets sending spam.

The “CBL” or composite blocklist webserver at, which hosts a list of infected IP addresses used for spam, was responding slowly on Sunday, according to Laura Atkins of anti-spam consultancy Word to the Wise.

Several commenters who use Spamhaus lists also reported their websites suddenly being listed on CBL and Spamhaus’ Exploit Blocklist (XBL).

In a Wednesday update, Atkins said the CBL website was still down and under attack, which meant there were “no public channels for delisting from the CBL”.

Spamhaus spokesperson Quentin Jenkins on Wednesday announced the organisation’s website was up again, but not all of its other public systems were, such as the sites where those listed on its DNS-based blocklists can lodge requests to have IPs and domains removed from the lists.

“Due to the unpredictable nature of DDOS attacks, we can't provide an estimate of that progress, but we want those systems up as much as you do,” said Jenkins.

The attack on the sites appears to have taken out a key component of Spamhaus’ remediation processes.

“What we can tell you is that we are aware of the many people who have fixed their infected systems, and ISPs which have solved spam problems, and need to have IPs and domains removed from our lists (SBL, XBL/CBL, PBL and DBL),” said Jenkins.

“Those removal systems are being fixed as this is typed, and we will continue to provide updates as they come back online, in this blog article or in a newer one. Our best advice to you is to follow normal removal procedures, to re-try as needed (every hour or so) and to watch this blog for updates. Thanks for your cooperation as we ride out this attack.”

Spamhaus had not responded to CSO’s request for comment at the time of publishing.
