DDoS attack against Spamhaus was reportedly the largest in history

The attack caused problems for the global Internet

A distributed denial-of-service (DDoS) attack of unprecedented scale that targeted an international spam-fighting organisation last week ended up causing problems for Internet users around the world, experts say.

The DDoS attack started more than a week ago and targeted the Spamhaus Project, an organisation based in Geneva, Switzerland, and London that maintains databases of IP (Internet Protocol) addresses, domain names and other Internet resources involved in spam, malware and other abusive online activities.

Spamhaus publishes the data in the form of block lists that are used by Internet and email service providers, corporations, universities and governments around the world to filter Internet traffic on their networks and servers.

In order to keep its services and website online Spamhaus enlisted the help of a San Francisco-based company called CloudFlare that runs a global content delivery network aimed at improving website performance.

CloudFlare said in a blog post last week that it had mitigated an attack against Spamhaus that peaked at 75Gbps. However, the attack has significantly increased in scale since then, said Matthew Prince, CloudFlare's CEO, on Wednesday.

Seeing that CloudFlare's network infrastructure allowed the company to mitigate the original attack, the attackers decided to move upstream and directly target CloudFlare's Internet service providers and then the upstream providers of those providers, Prince said Wednesday in a blog post.

The attackers ultimately targeted Tier 1 providers, which operate the networks at the core of the Internet, and Internet Exchanges (IX), critical nodes located around the world that connect large networks like those of Google, Facebook, Yahoo and pretty much every major Internet company.

"While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack," Prince said.

"We've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," Prince said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

"Given the 300Gbps number being reported, this would be the largest publicly acknowledged attack on record," said Patrick Gilmore, chief architect at Akamai Technologies, Wednesday via email. Akamai operates one of the world's largest content delivery networks.

In general, when an attack is very large, it can fill the Internet pipes and hurt infrastructure between the source of the attack and the intended victim, Gilmore said.

"We agree that the size of the attack was around 300Gbps," said Dan Holden, director of the security and engineering response team at Arbor Networks, a DDoS mitigation provider. "The largest attack we have previously seen was of around 100Gbps back in 2010."

The method of attack used in this case is known as DNS reflection. It involves sending requests, spoofed so that they appear to originate from the intended victim's IP address, to so-called open DNS (Domain Name System) resolvers -- DNS servers that can be queried by anyone on the Internet. The queried servers then send their responses to the victim rather than to the attacker, and the attackers usually craft their requests so that those responses are very large.

DNS reflection attacks are not new and there are millions of open DNS resolvers on the Internet that can be abused in this way.
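The reflection mechanism described above, viewed from the defender's side. This is an added example and is not code from the article or from any of the companies it names: a Python script that scans constructed NetFlow-style UDP records and flags hosts that receive DNS responses from many distinct resolvers whose total size dwarfs the queries attributed to them. The IP addresses, the record layout and the thresholds (`min_ratio`, `min_resolvers`) are assumptions made for the example; the flows are constructed sample data.

```python
"""Flag likely DNS reflection traffic in flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One UDP flow record as a NetFlow-style exporter might summarise it (assumed layout)."""
    src: str    # source IP address
    dst: str    # destination IP address
    sport: int  # source UDP port
    dport: int  # destination UDP port
    bytes: int  # total bytes carried by the flow


# Constructed sample: three resolvers on 198.51.100.0/24 answer a single host,
# 203.0.113.7, with responses roughly fifty times larger than the tiny queries
# that appeared to come from it. A normal client-to-resolver exchange is included
# so the detector has benign traffic to leave alone.
SAMPLE_FLOWS = [
    # queries spoofed to carry the victim's source address, sent to open resolvers
    Flow("203.0.113.7", "198.51.100.10", 53123, 53, 64),
    Flow("203.0.113.7", "198.51.100.11", 53123, 53, 64),
    Flow("203.0.113.7", "198.51.100.12", 53123, 53, 64),
    # the large responses those resolvers return to the victim
    Flow("198.51.100.10", "203.0.113.7", 53, 53123, 3200),
    Flow("198.51.100.11", "203.0.113.7", 53, 53123, 3100),
    Flow("198.51.100.12", "203.0.113.7", 53, 53123, 3300),
    # ordinary lookup from an internal client to its own resolver
    Flow("192.0.2.5", "192.0.2.53", 40000, 53, 70),
    Flow("192.0.2.53", "192.0.2.5", 53, 40000, 150),
]


def amplification_by_target(flows, min_ratio=10.0, min_resolvers=2):
    """Return {target_ip: (amplification_ratio, resolver_count)} for every host
    whose inbound DNS-response bytes are at least min_ratio times the DNS-query
    bytes attributed to it, coming from at least min_resolvers distinct resolvers.

    A host that receives DNS responses while no query of its own is visible at all
    (the usual picture at the victim's edge, where the spoofed queries never pass)
    gets an infinite ratio and is always flagged when enough resolvers are involved.
    """
    query_bytes = defaultdict(int)     # ip -> bytes of queries it (apparently) sent to port 53
    response_bytes = defaultdict(int)  # ip -> bytes of responses it received from port 53
    resolvers = defaultdict(set)       # ip -> distinct resolver addresses answering it

    for f in flows:
        if f.dport == 53:
            query_bytes[f.src] += f.bytes
        elif f.sport == 53:
            response_bytes[f.dst] += f.bytes
            resolvers[f.dst].add(f.src)

    flagged = {}
    for ip, rbytes in response_bytes.items():
        qbytes = query_bytes.get(ip, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if ratio >= min_ratio and len(resolvers[ip]) >= min_resolvers:
            flagged[ip] = (ratio, len(resolvers[ip]))
    return flagged


if __name__ == "__main__":
    for target, (ratio, count) in amplification_by_target(SAMPLE_FLOWS).items():
        print(f"{target}: {count} resolvers, amplification x{ratio:.1f}")
```

Run over the constructed sample, the detector reports only 203.0.113.7 (three resolvers, amplification x50.0) and leaves the 192.0.2.5 lookup alone. On a real exporter the same byte-ratio and resolver-fan-in logic would be applied per time window, and the resolver addresses it surfaces are the ones worth reporting to their operators for closing to recursion.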

This type of attack can be mitigated by the victim or the provider that is defending against the attack, but in this particular case, because of its size, the attack also stressed the rest of the Internet along the way, Holden said. "It was essentially stressful to the fabric of the Internet."

Holden hopes that the size of the attack and the attention it received will help speed up efforts to rid the Internet of open DNS resolvers. However, he agreed that in the short term it might actually encourage other attackers to use the same attack method because of its success.

A group called the Stophaus Movement has taken responsibility for the unprecedented attack. The group claims that Spamhaus is abusing its position of power to force hosting companies to end their business relationships with certain customers that are flagged as spammers without any court order or legal oversight.

The members of the Stophaus Movement are hosting companies and other parties that have been flagged by Spamhaus as spammers themselves because they refused to comply with Spamhaus' requests, said Sven Kamphuis, who claims to be a spokesman for the group, on Wednesday.

Kamphuis runs a network provider called CB3ROB that has been blacklisted by Spamhaus for hosting spam botnets and extortion scams. CB3ROB is a provider for a Dutch hosting company called CyberBunker.com that allows its customers to "host any content they like, except child porn and anything related to terrorism."

"I'm not a spammer and none of the Stophaus members are," Kamphuis said. If a company gets blacklisted by Spamhaus its bandwidth providers get blacklisted too, he said. This means that if CB3ROB gets blacklisted and this company has KPN as a bandwidth supplier, KPN's mail servers get blacklisted too, he said. Those suppliers then often decide to terminate the contract to keep themselves off the blacklist, he added.

Because of this and because so many providers use Spamhaus' blacklist, the organization "acts like they are the de facto Internet police," Kamphuis said. "Everyone in the business has had more than enough of Spamhaus."

Kamphuis said that he didn't attack Spamhaus himself. The attacks came mainly from China and Russia, he said. "We have quite a few people in the group [Stophaus] that are in areas where it isn't such a problem to launch these kinds of attacks."

CB3ROB and CyberBunker did a "test" together to intercept traffic to Spamhaus' network, but that isn't a DDoS attack, Kamphuis said.

When CloudFlare was attacked, other websites went down too, but CloudFlare can't blame Stophaus for that, Kamphuis said. "They decided that it was a good idea to start hosting a company that is attacked by the biggest DDoS ever," he said.

"They can claim that we are destroying the Internet but we, the hosters, built the Internet," he said, adding that it is Spamhaus that is a "nuisance" for the Internet, not the other way around.

"Some people online claim that we are not accountable and can just 'censor' anything we want," said Vincent Hanna, a spokesperson for the Spamhaus Project, Wednesday via email. "This is obviously not the case. Not only do we have to operate within the boundaries of the law, we are also accountable to our users."

"If we started advising our users not to accept mail from certain places where they actually do want email from, they would be very quick to stop using our data because it's obviously not working right for them," he said. "We take pride in the quality of our data and the fact that the biggest ISPs and networks all over the world use our data is a big vouch to the quality of our data."

This was the biggest attack ever directed at Spamhaus, Hanna said. However, the organization is constantly under attack and tries to ensure that its users will continue to have access to its data, he said.

The core Internet infrastructure may certainly get overwhelmed by the amount of traffic involved in a large-scale attack, Hanna said. "When this happens other traffic may get impacted too. Compare it to a big highway: If the traffic jam gets big enough the on-ramps will slow down and fill up, and the roads to the on-ramps will fill up too."

The Dutch Public Prosecution Service has launched a criminal investigation into the DDoS attacks targeting Spamhaus after being notified by the Team High Tech Crime (THTC) of the Dutch Police, said spokesman Paul van der Zanden. There is enough cause for an investigation, he said.

(With reporting by Loek Essers in Amsterdam.)
