DDoS attack against Spamhaus was reportedly the largest in history

The attack caused problems for the global Internet

A distributed denial-of-service (DDoS) attack of unprecedented scale that targeted an international spam-fighting organisation last week ended up causing problems for Internet users around the world, experts say.

The DDoS attack started more than a week ago and targeted the Spamhaus Project, an organisation based in Geneva, Switzerland, and London that maintains databases of IP (Internet Protocol) addresses, domain names and other Internet resources involved in spam, malware and other abusive online activities.

Spamhaus publishes the data in the form of block lists that are used by Internet and email service providers, corporations, universities and governments around the world to filter Internet traffic on their networks and servers.

In order to keep its services and website online Spamhaus enlisted the help of a San Francisco-based company called CloudFlare that runs a global content delivery network aimed at improving website performance.

CloudFlare said in a blog post last week that it had mitigated an attack against Spamhaus that peaked at 75Gbps. However, the attack significantly increased in scale since then, said Matthew Prince, CloudFlare's CEO, on Wednesday.

Seeing that CloudFlare's network infrastructure allowed the company to mitigate the original attack, the attackers decided to move upstream and directly target CloudFlare's Internet service providers and then the upstream providers of those providers, Prince said Wednesday in a blog post.

The attackers ultimately targeted Tier 1 providers, which operate the networks at the core of the Internet, and Internet Exchanges (IX), critical nodes located around the world that connect large networks like those of Google, Facebook, Yahoo and pretty much every major Internet company.

"While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack," Prince said.

"We've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," Prince said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

"Given the 300Gbps number being reported, this would be the largest publicly acknowledged attack on record," said Patrick Gilmore, chief architect at Akamai Technologies, Wednesday via email. Akamai operates one of the world's largest content delivery networks.

In general, when an attack is very large, it can fill the Internet pipes and hurt infrastructure between the source of the attack and the intended victim, Gilmore said.

"We agree that the size of the attack was around 300Gbps," said Dan Holden, director of the security and engineering response team at Arbor Networks, a DDoS mitigation provider. "The largest attack we have previously seen was of around 100Gbps back in 2010."

The method of attack used in this case is known as DNS reflection and involves sending spoofed requests to so-called open DNS (Domain Name System) resolvers -- DNS servers that can be queried by anyone on the Internet -- that appear to originate from the intended victim's IP address. The attackers usually craft their requests so that the responses returned to the victim by the queried servers would be very large.

DNS reflection attacks are not new and there are millions of open DNS resolvers on the Internet that can be abused in this way.
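The reflection pattern described above has a distinctive signature from the defender's side: a host receives large UDP/53 responses from many resolvers it never queried. The following added example (not code from the article, Spamhaus or CloudFlare) shows how an edge-network detector could pick that pattern out of flow records. The record layout, the thresholds and the sample flows are all constructed for this example, and the helper names are hypothetical.

```python
"""Detect DNS-reflection traffic from flow records at a network edge.

Added example for the attack described above (not code from the article,
Spamhaus or CloudFlare). The record layout, thresholds and sample flows
are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed layout, not a vendor format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    num_bytes: int


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth gained per spoofed packet: response size over request size."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def summarize_dns_responses(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per-destination statistics for inbound UDP/53 responses.

    A response is 'unsolicited' when the destination sent no query to that
    resolver within the same batch of records, which is what a spoofed-source
    reflection attack looks like from the victim's side.
    """
    flows = list(flows)
    # (client, resolver) pairs for which an outbound query was seen
    queried = {(f.src_ip, f.dst_ip) for f in flows if f.dst_port == 53}
    raw = defaultdict(lambda: {"responses": 0, "unsolicited": 0,
                               "resolvers": set(), "bytes": 0})
    for f in flows:
        if f.src_port != 53:
            continue  # not a DNS response
        s = raw[f.dst_ip]
        s["responses"] += 1
        s["bytes"] += f.num_bytes
        s["resolvers"].add(f.src_ip)
        if (f.dst_ip, f.src_ip) not in queried:
            s["unsolicited"] += 1
    return {
        dst: {
            "responses": s["responses"],
            "unsolicited_ratio": s["unsolicited"] / s["responses"],
            "distinct_resolvers": len(s["resolvers"]),
            "bytes": s["bytes"],
        }
        for dst, s in raw.items()
    }


def flag_reflection_victims(flows: Iterable[Flow], min_resolvers: int = 3,
                            min_unsolicited_ratio: float = 0.8,
                            min_bytes: int = 10_000) -> List[str]:
    """Destinations whose inbound DNS traffic matches the reflection pattern.

    Thresholds are illustrative and sized for the tiny sample below; in
    production they would be rates over a time window, not raw counts.
    """
    stats = summarize_dns_responses(flows)
    return sorted(
        dst for dst, s in stats.items()
        if s["distinct_resolvers"] >= min_resolvers
        and s["unsolicited_ratio"] >= min_unsolicited_ratio
        and s["bytes"] >= min_bytes
    )


# Constructed sample: one legitimate lookup, one host being reflected at.
SAMPLE_FLOWS = [
    # legitimate: 203.0.113.20 asks resolver 198.51.100.99 and gets one answer
    Flow("203.0.113.20", 51234, "198.51.100.99", 53, 60),
    Flow("198.51.100.99", 53, "203.0.113.20", 51234, 120),
    # reflection: four resolvers answer 203.0.113.5, which asked none of them
    Flow("198.51.100.10", 53, "203.0.113.5", 40000, 4000),
    Flow("198.51.100.10", 53, "203.0.113.5", 40000, 4000),
    Flow("198.51.100.11", 53, "203.0.113.5", 40000, 4000),
    Flow("198.51.100.11", 53, "203.0.113.5", 40000, 4000),
    Flow("198.51.100.12", 53, "203.0.113.5", 40000, 4000),
    Flow("198.51.100.13", 53, "203.0.113.5", 40000, 4000),
]

if __name__ == "__main__":
    print("amplification of a 64-byte query with a 3000-byte answer:",
          amplification_factor(64, 3000))
    for dst, s in summarize_dns_responses(SAMPLE_FLOWS).items():
        print(dst, s)
    print("reflection victims:", flag_reflection_victims(SAMPLE_FLOWS))
```

Matching responses against the queries the host actually sent is the key step: a busy recursive client also receives many UDP/53 responses, but almost all of them are solicited, so the unsolicited ratio separates the two cases where a raw byte count alone would not. The complementary fix on the other side of the exchange is the one the article's sources call for: resolvers that only answer recursive queries for their own clients cannot be used as reflectors.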

This type of attack can be mitigated by the victim or the provider that is defending against the attack, but in this particular case, because of its size, the attack also stressed the rest of the Internet along the way, Holden said. "It was essentially stressful to the fabric of the Internet."

Holden hopes that the size of the attack and the attention it received will help speed up efforts to rid the Internet of open DNS resolvers. However, he agreed that in the short term it might actually encourage other attackers to use the same attack method because of its success.

A group called the Stophaus Movement has taken responsibility for the unprecedented attack. The group claims that Spamhaus is abusing its position of power to force hosting companies to end their business relationships with certain customers that are flagged as spammers without any court order or legal oversight.

The members of the Stophaus Movement are hosting companies and other parties that have been flagged by Spamhaus as spammers themselves because they refused to comply with Spamhaus' requests, said Sven Kamphuis, who claims to be a spokesman for the group, on Wednesday.

Kamphuis runs a network provider called CB3ROB that has been blacklisted by Spamhaus for hosting spam botnets and extortion scams. CB3ROB is a provider for a Dutch hosting company called CyberBunker.com that allows its customers to "host any content they like, except child porn and anything related to terrorism."

"I'm not a spammer and none of the Stophaus members are," Kamphuis said. If a company gets blacklisted by Spamhaus its bandwidth providers get blacklisted too, he said. This means that if CB3ROB gets blacklisted and this company has KPN as a bandwidth supplier, KPN's mail servers get blacklisted too, he said. Those suppliers then often decide to terminate the contract to keep themselves off the blacklist, he added.

Because of this and because so many providers use Spamhaus' blacklist, the organization "acts like they are the de facto Internet police," Kamphuis said. "Everyone in the business has had more than enough of Spamhaus."

Kamphuis said that he didn't attack Spamhaus himself. The attacks came mainly from China and Russia, he said. "We have quite a few people in the group [Stophaus] that are in areas where it isn't such a problem to launch these kind of attacks."

CB3ROB and Cyberbunker did a "test" together to intercept traffic to Spamhaus' network, but that isn't a DDoS attack, Kamphuis said.

When CloudFlare was attacked, other websites went down too, but CloudFlare can't blame Stophaus for that, Kamphuis said. "They decided that it was a good idea to start hosting a company that is attacked by the biggest DDoS ever," he said.

"They can claim that we are destroying the Internet but we, the hosters, built the Internet," he said, adding that it is Spamhaus that is a "nuisance" for the Internet, not the other way around.

"Some people online claim that we are not accountable and can just 'censor' anything we want," said Vincent Hanna, a spokesperson for the Spamhaus Project, Wednesday via email. "This is obviously not the case. Not only do we have to operate within the boundaries of the law, we are also accountable to our users."

"If we started advising our users not to accept mail from certain places where they actually do want email from, they would be very quick to stop using our data because it's obviously not working right for them," he said. "We take pride in the quality of our data and the fact that the biggest ISPs and networks all over the world use our data is a big vouch to the quality of our data."

This was the biggest attack ever directed at Spamhaus, Hanna said. However, the organization is constantly under attack and tries to ensure that its users will continue to have access to its data, he said.

The core Internet infrastructure may certainly get overwhelmed by the amount of traffic involved in a large-scale attack, Hanna said. "When this happens other traffic may get impacted too. Compare it to a big highway: If the traffic jam gets big enough the on-ramps will slow down and fill up, and the roads to the on-ramps will fill up too."

The Dutch Public Prosecution Service has launched a criminal investigation into the DDoS attacks targeting Spamhaus after being notified by the Team High Tech Crime (THTC) of the Dutch Police, said spokesman Paul van der Zanden. There is enough cause for an investigation, he said.

(With reporting by Loek Essers in Amsterdam.)


Lucian Constantin

IDG News Service