Anti-spam Spamhaus up again after 75Gbps DDoS attack

The website of non-profit spam fighter Spamhaus is online again after a huge DDoS attack knocked it offline on Sunday, but attackers continue to target other anti-spam sites that help ISPs combat spam from infected IP addresses.

Spamhaus, which provides several anti-spam DNS-based blocklists and maintains the “register of known spam operations”, came under a huge DDoS attack on Sunday, which knocked its web server and mail server offline until Wednesday.

Spamhaus spokesperson Luc Rossini on Monday denied a report that Anonymous was behind the attack and pointed to a “Russian criminal malware gang” as the source.

On Tuesday Spamhaus sought cover from the attack with DDoS protection provider CloudFlare, which today reported the attack on Spamhaus reached a peak of about 75 gigabits per second.

The attackers used a cocktail of DDoS attack methods, but the primary one that helped generate that volume of traffic was a “reflection attack”, according to Matthew Prince, CloudFlare’s CEO.

“The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers,” Prince explained, noting that 30,000 open DNS resolvers were recorded in the attack, which used spoofed IP addresses CloudFlare had issued to Spamhaus.

“The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”
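The pattern Prince describes has a recognisable signature on the victim's side: large DNS answers arriving from many distinct resolvers that the victim never queried. As an added example (not code from the article, Spamhaus or CloudFlare), the following Python flags that pattern in constructed flow records; the IP addresses, record layout and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed flow records for the example: (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    # 203.0.113.10 sends no DNS queries, yet receives large answers from four resolvers
    ("198.51.100.1", 53, "203.0.113.10", 80, 30000, 10),
    ("198.51.100.2", 53, "203.0.113.10", 80, 29000, 10),
    ("198.51.100.3", 53, "203.0.113.10", 443, 31000, 10),
    ("198.51.100.4", 53, "203.0.113.10", 443, 30000, 10),
    # 203.0.113.20 queries its own resolver and gets normal-sized answers back
    ("203.0.113.20", 40001, "192.0.2.53", 53, 640, 8),
    ("192.0.2.53", 53, "203.0.113.20", 40001, 1800, 8),
]

def queried_resolvers(flows):
    """Map each host to the resolvers it actually sent queries to (dst port 53)."""
    asked = defaultdict(set)
    for src, _sport, dst, dport, _nbytes, _pkts in flows:
        if dport == 53:
            asked[src].add(dst)
    return asked

def reflection_candidates(flows, min_resolvers=3, min_avg_bytes=1000):
    """Flag hosts receiving large DNS answers from many resolvers they never queried.

    A legitimate host also receives big answers, but from resolvers it asked;
    a reflection victim gets them unsolicited, from many sources at once.
    """
    asked = queried_resolvers(flows)
    stats = defaultdict(lambda: {"unsolicited": set(), "bytes": 0, "pkts": 0})
    for src, sport, dst, _dport, nbytes, pkts in flows:
        if sport != 53:
            continue  # not a DNS answer leaving a resolver
        if src in asked.get(dst, ()):
            continue  # the host asked this resolver, so the answer is solicited
        s = stats[dst]
        s["unsolicited"].add(src)
        s["bytes"] += nbytes
        s["pkts"] += pkts
    flagged = {}
    for dst, s in stats.items():
        avg = s["bytes"] / s["pkts"]
        if len(s["unsolicited"]) >= min_resolvers and avg >= min_avg_bytes:
            flagged[dst] = {"resolvers": len(s["unsolicited"]), "avg_answer_bytes": round(avg)}
    return flagged

if __name__ == "__main__":
    for host, info in reflection_candidates(FLOWS).items():
        print(f"possible reflection target {host}: {info}")
```

Thresholds are deliberately low for the six sample records; on real flow data they need tuning against the network's normal DNS answer sizes.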

[Image: The attack reached a peak of about 75 gigabits per second. Image credit: CloudFlare]

The DDoS appears to be one component of a multi-pronged attack on blocklist tools the anti-spam community uses to stop botnets sending spam.

The “CBL” or composite blocklist webserver at http://cbl.abuseat.org, which hosts a list of infected IP addresses used for spam, was responding slowly on Sunday, according to Laura Atkins of anti-spam consultancy Word to the Wise.

Several commenters who use Spamhaus lists also reported their websites suddenly being listed on CBL and Spamhaus’ Exploit Blocklist (XBL).

In a Wednesday update, Atkins said the CBL website was still down and under attack, which meant there were “no public channels for delisting from the CBL”.

Spamhaus spokesperson Quentin Jenkins on Wednesday announced the organisation’s website was up again, but not all of its other public systems were, such as the sites where operators listed on its DNS-based blocklists can lodge requests to have IPs and domains removed from the lists.

“Due to the unpredictable nature of DDOS attacks, we can't provide an estimate of that progress, but we want those systems up as much as you do,” said Jenkins.

The attack on the sites appears to have knocked out a key component of Spamhaus’ remediation processes.

“What we can tell you is that we are aware of the many people who have fixed their infected systems, and ISPs which have solved spam problems, and need to have IPs and domains removed from our lists (SBL, XBL/CBL, PBL and DBL),” said Jenkins.

“Those removal systems are being fixed as this is typed, and we will continue to provide updates as they come back online, in this blog article or in a newer one. Our best advice to you is to follow normal removal procedures, to re-try as needed (every hour or so) and to watch this blog for updates. Thanks for your cooperation as we ride out this attack.”

Spamhaus had not responded to CSO’s request for comment at the time of publishing.


Comments

False_Positives_are_worse_than_Spam


What comes around, goes around. Spamhaus takes down a botnet ( http://www.scmagazineuk.com/rsa-conference-botnet-takedowns-require-people-police-and-products/article/282827/ ) and then a botnet takes down Spamhaus.

Personally, I think Spamhaus has a major conflict of interest: Spamhaus is trusted by millions of people to filter email from spammers - those recipients and ISPs have *not* endorsed Spamhaus to play anti-botnet vigilantes (nor does Spamhaus policy permit such acts), and for all that time when the Spamhaus web site was down, it was serving incorrect blacklist results to tons of recipients all while the victims were unable to remove the incorrect false listings. It was highly negligent to leave the blacklist live all that time, while having no means for wrongly blacklisted senders to repair their reputations.

AND - while I'm on that subject - when is it ever ethical to list any IP without informing the victim at all, and also to never produce any evidence, not even when asked? - how does anyone know these guys aren't maliciously listing non-spam senders, or listing people for non-spam reasons, and how are ISPs supposed to find and track down any spam problems when nobody tells them what the problem was?...

Non-profit is all well and good, except when it's also non-responsibility and non-ethics.
