Spam fighter, spammer spat becomes massive DDoS attack
Spamhaus blacklisting of Dutch company results in cyberattack of historical proportions
By John P. Mello, Jr.
March 27, 2013 — CSO — A tiff between a Dutch company and Spamhaus, which blacklists spammers, has turned into a cyber attack of epic proportions.
The distributed denial of service attack (DDoS) spread from the Spamhaus website to the rest of the Internet, reportedly affecting millions of rank and file Internet users.
Spamhaus became the target of the attack after it blacklisted Cyberbunker, a Dutch company, as a source of spam, The New York Times reported. Cyberbunker appears to be a wide open hosting service that will allow anyone to set up a website on its servers, save for pornographers and terrorists.
Although little is known about the group behind the cyber foray, an Internet activist, Sven Olaf Kamphuis, who claimed to be a representative for the attackers, told The Times the assault was in retaliation for Spamhaus "abusing their influence."
Spamhaus did not respond to a request for comment for this story.
The DDoS attack, which may be the largest ever seen in cyberspace, exploits the architecture of the Internet to marshal enormous amounts of traffic that can be aimed at a website to disrupt service to it.
The culprits are servers that act as resolvers for the Internet's Domain Name System. That's the system that takes plain language URLs and turns them into the numbers of an IP address.
Millions of servers acting as resolvers on the Internet are open. That means anyone can access them. It also means they can be exploited by malcontents wanting to mount massive DDoS attacks.
"We have seen a problem with a rise in DDoS attacks using open resolvers that's been escalating for the last year," Matthew Prince, co-founder and CEO of Cloudflare, a network load management company based in San Francisco, said in an interview.
"This is the first one that's reached a scale that broke core Internet routing technology," he observed.
"A large amount of the traffic in the big DDoS attacks that recently knocked U.S. financial institutions offline was DNS amplification traffic using open resolvers," he noted. "Those attacks were significantly smaller," he added.
A DNS amplification attack is performed by using an open resolver to multiply the number of requests made by a DNS server to a website.
"If you have one resolver, that's not going to cripple anything, but when you scan the Internet looking for a large amount of resolvers, you can create big problems," Michael Smith, CSIRT director for Akamai Technologies.
When Spamhaus, which frequently has to protect itself from DDoS attacks, found its defenses being overwhelmed by packet marauders, it called on Cloudfire to deploy measures to counter the attack.
Those measures were so effective that the attackers peeled away from Spamhaus and began attacking sites affiliated with it and sites used by Cloudflare to spread out the attack traffic on the spamfighter's site.
Once that happened, the attack began to affect service across the Internet.
Addressing the open resolver problem would put major crimp in the ability of Black Hats to mount these kinds of attacks. A website that aims to do that was launched this week. Called the Open DNS Resolver Product, it is maintaining a list of open resolvers -- it has listed 27 million resolvers -- and asking anyone with a listed resolver to limit access to it.
"Hopefully the list will put a bit of pressure on anybody running an open resolver to close it down," Henry Stern, a threat researcher with Cisco told CSO. "No network administrator wants their resources being used to attack someone else."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.