A distributed denial-of-service (DDoS) attack of unprecedented scale that targeted an international spam-fighting organisation last week ended up causing problems for Internet users around the world, experts say.
The DDoS attack started more than a week ago and targeted the Spamhaus Project, an organisation based in Geneva, Switzerland, and London that maintains databases of IP (Internet Protocol) addresses, domain names and other Internet resources involved in spam, malware and other abusive online activities.
Spamhaus publishes the data in the form of block lists that are used by Internet and email service providers, corporations, universities and governments around the world to filter Internet traffic on their networks and servers.
In order to keep its services and website online Spamhaus enlisted the help of a San Francisco-based company called CloudFlare that runs a global content delivery network aimed at improving website performance.
CloudFlare said in a blog post last week that it had mitigated an attack against Spamhaus that peaked at 75Gbps. However, the attack has significantly increased in scale since then, said Matthew Prince, CloudFlare's CEO, Wednesday via email.
Seeing that CloudFlare's network infrastructure allowed the company to mitigate the original attack, the attackers decided to move upstream and directly target CloudFlare's Internet service providers and then the upstream providers of those providers, Prince said Wednesday in a blog post.
The attackers ultimately targeted Tier 1 providers, which operate the networks at the core of the Internet, and Internet Exchanges (IX), critical nodes located around the world that connect large networks like those of Google, Facebook, Yahoo and pretty much every major Internet company.
"While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack," Prince said.
"We've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare," Prince said. "If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."
"Given the 300Gbps number being reported, this would be the largest publicly acknowledged attack on record," said Patrick Gilmore, chief architect at Akamai Technologies, Wednesday via email. Akamai operates one of the world's largest content delivery networks.
In general, when an attack is very large, it can fill the Internet pipes and hurt infrastructure between the source of the attack and the intended victim, Gilmore said.
"We agree that the size of the attack was around 300Gbps," said Dan Holden, director of the security and engineering response team at Arbor Networks, a DDoS mitigation provider. "The largest attack we have previously seen was of around 100Gbps back in 2010."
The method of attack used in this case is known as DNS reflection. It involves sending requests to so-called open DNS (Domain Name System) resolvers - DNS servers that can be queried by anyone on the Internet - with a forged source address, so that the requests appear to originate from the intended victim's IP address and the resolvers send their answers to the victim instead. The attackers usually craft their requests so that the responses returned to the victim by the queried servers are very large.
DNS reflection attacks are not new and there are millions of open DNS resolvers on the Internet that can be abused in this way.
This type of attack can be mitigated by the victim or the provider that is defending against the attack, but in this particular case, because of its size, the attack also stressed the rest of the Internet along the way, Holden said. "It was essentially stressful to the fabric of the Internet."
Holden hopes that the size of the attack and the attention it received will help speed up efforts to rid the Internet of open DNS resolvers. However, he agreed that in the short term it might actually encourage other attackers to use the same attack method because of its success.
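The two sides of the problem described above, the victim's network being flooded with unsolicited DNS answers and a resolver answering recursive queries for anyone, can both be spotted in ordinary telemetry. The following is an added example written for this article, not code from CloudFlare, Spamhaus or Arbor: it runs a simple detector over constructed NetFlow-style flow records at the victim's edge, and a second check over a constructed resolver query log that lists recursive answers handed to clients outside the operator's own networks (the condition that makes a resolver "open"). The record layouts, the `Flow` class, the thresholds and the 64-byte typical query size are assumptions chosen for the example.

```python
"""Detecting DNS reflection on both ends (added example, not from the article).

Victim side: reflected traffic appears as many UDP flows from port 53 on unrelated
resolvers, all aimed at one destination, with a large average answer size.
Resolver side: an open resolver answers recursion-desired queries for clients outside
its own networks; in an attack those "clients" are the spoofed victim addresses.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (layout is an assumption for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample: one legitimate answer, three reflected streams to 203.0.113.10,
# the victim's own outbound query, and normal traffic to an unrelated host.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 53, "203.0.113.10", 41231, "udp", 1, 92),
    Flow("192.0.2.8", 53, "203.0.113.10", 80, "udp", 500, 1500000),
    Flow("192.0.2.9", 53, "203.0.113.10", 80, "udp", 400, 1200000),
    Flow("192.0.2.10", 53, "203.0.113.10", 80, "udp", 300, 900000),
    Flow("203.0.113.10", 44000, "198.51.100.5", 53, "udp", 1, 60),
    Flow("198.51.100.5", 53, "203.0.113.11", 41500, "udp", 2, 210),
]

# Assumed size of a typical DNS request; used only to express an amplification ratio.
TYPICAL_QUERY_BYTES = 64


def dns_response_flows(flows):
    """Keep only UDP flows whose source port is 53, i.e. answers from resolvers."""
    return [f for f in flows if f.proto == "udp" and f.src_port == 53]


def detect_reflection(flows, min_resolvers=3, min_avg_bytes=1000):
    """Flag destinations receiving large DNS answers from many distinct resolvers.

    Returns {dst_ip: {"resolvers": n, "avg_response_bytes": x, "amplification": r}}.
    """
    per_dst = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    for f in dns_response_flows(flows):
        entry = per_dst[f.dst_ip]
        entry["resolvers"].add(f.src_ip)
        entry["bytes"] += f.bytes
        entry["packets"] += f.packets

    alerts = {}
    for dst, e in per_dst.items():
        avg = e["bytes"] / e["packets"]
        if len(e["resolvers"]) >= min_resolvers and avg >= min_avg_bytes:
            alerts[dst] = {
                "resolvers": len(e["resolvers"]),
                "avg_response_bytes": avg,
                "amplification": avg / TYPICAL_QUERY_BYTES,
            }
    return alerts


# Resolver side. Constructed query log: (client_ip, recursion_desired, answer_bytes).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed operator prefixes
SAMPLE_QUERY_LOG = [
    ("192.0.2.20", True, 120),       # own client, fine
    ("203.0.113.10", True, 3000),    # spoofed victim address, answered recursively
    ("203.0.113.10", True, 3000),
    ("203.0.113.10", False, 60),     # non-recursive query, not the concern here
    ("198.51.100.77", True, 90),     # another outside client
]


def open_recursion_clients(query_log, own_networks):
    """List outside clients that received recursive answers, with query and byte totals.

    A non-empty result means the resolver is open and can be used as a reflector.
    """
    outside = defaultdict(lambda: {"queries": 0, "bytes": 0})
    for client, recursion_desired, answer_bytes in query_log:
        if not recursion_desired:
            continue
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in own_networks):
            continue
        outside[client]["queries"] += 1
        outside[client]["bytes"] += answer_bytes
    return dict(outside)


if __name__ == "__main__":
    for dst, info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"victim {dst}: {info['resolvers']} resolvers, "
              f"avg {info['avg_response_bytes']:.0f} B, x{info['amplification']:.0f}")
    for client, info in open_recursion_clients(SAMPLE_QUERY_LOG, OWN_NETWORKS).items():
        print(f"recursive answers to outside client {client}: {info}")
```

The victim-side check keys on the combination the article describes, many distinct resolvers and unusually large answers to one address, rather than on volume alone, so a busy but normal mail server does not trip it. The resolver-side check is what an operator would run against their own logs to confirm that recursion is restricted to their own prefixes, which is the fix the quoted experts want to see applied across the Internet.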
A group called the Stophaus Movement has taken responsibility for the unprecedented attack. The group claims that Spamhaus is abusing its position of power to force hosting companies to end their business relationships with certain customers that are flagged as spammers without any court order or legal oversight.
The members of the Stophaus Movement are hosting companies and other parties that have been flagged by Spamhaus as spammers themselves because they refused to comply with Spamhaus' requests, said Sven Kamphuis, who claims to be a spokesman for the group, on Wednesday.
Kamphuis runs a network provider called CB3ROB that has been blacklisted by Spamhaus for hosting spam botnets and extortion scams. CB3ROB is a provider for a Dutch hosting company called CyberBunker.com that allows its customers to "host any content they like, except child porn and anything related to terrorism."
"I'm not a spammer and none of the Stophaus members are," Kamphuis said. If a company gets blacklisted by Spamhaus its bandwidth providers get blacklisted too, he said. This means that if CB3ROB gets blacklisted and this company has KPN as a bandwidth supplier, KPN's mail servers get blacklisted too, he said. Those suppliers then often decide to terminate the contract to keep themselves off the blacklist, he added.
Because of this and because so many providers use Spamhaus' blacklist, the organisation "acts like they are the de facto Internet police," Kamphuis said. "Everyone in the business has had more than enough of Spamhaus."
Kamphuis said that he didn't attack Spamhaus himself. The attacks came mainly from China and Russia, he said. "We have quite a few people in the group [Stophaus] that are in areas where it isn't such a problem to launch these kind of attacks."
CB3ROB and Cyberbunker did a "test" together to intercept traffic to Spamhaus' network, but that isn't a DDoS attack, Kamphuis said.
When CloudFlare was attacked, other websites went down too, but CloudFlare can't blame Stophaus for that, Kamphuis said. "They decided that it was a good idea to start hosting a company that is attacked by the biggest DDoS ever," he said.
"They can claim that we are destroying the Internet but we, the hosters, built the Internet," he said, adding that it is Spamhaus that is a "nuisance" for the Internet, not the other way around.
"Some people online claim that we are not accountable and can just 'censor' anything we want," said Vincent Hanna, a spokesperson for the Spamhaus Project, Wednesday via email. "This is obviously not the case. Not only do we have to operate within the boundaries of the law, we are also accountable to our users."
"If we started advising our users not to accept mail from certain places where they actually do want email from, they would be very quick to stop using our data because it's obviously not working right for them," he said. "We take pride in the quality of our data and the fact that the biggest ISPs and networks all over the world use our data is a big vouch to the quality of our data."
This was the biggest attack ever directed at Spamhaus, Hanna said. However, the organisation is constantly under attack and tries to ensure that its users will continue to have access to its data, he said.
The core Internet infrastructure may certainly get overwhelmed by the amount of traffic involved in a large-scale attack, Hanna said. "When this happens other traffic may get impacted too. Compare it to a big highway: If the traffic jam gets big enough the on-ramps will slow down and fill up, and the roads to the on-ramps will fill up too."
The Dutch Public Prosecution Service has launched a criminal investigation into the DDoS attacks targeting Spamhaus after being notified by the Team High Tech Crime (THTC) of the Dutch Police, said spokesman Paul van der Zanden. There is enough cause for an investigation, he said.
(With reporting by Loek Essers in Amsterdam.)