Spam police battered by DDoS attack

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 28 Mar 2013

Dutch Web host Cyberbunker has launched a massive and escalating distributed denial of service (DDoS) attack against volunteer organisation Spamhaus, a company that polices the Internet and provides blacklists of spammers to e-mail providers.

The attacks, which appear to be retaliation for Cyberbunker being blacklisted by Spamhaus, have caused the latter to be unreachable at times over the last week.

DDoS attacks use botnets, essentially a network of thousands of remotely controlled infected machines. In this instance, the botnet initially sent large volumes of traffic to Spamhaus' Web site, and following this, to the company's hosting provider, CloudFlare, which it had employed to mitigate the attacks.

The New York Times reported that the attacks resulted in pervasive congestion and jamming, effectively clogging essential infrastructure around the world and resulting in delays for millions of Internet users.

CloudFlare says it was contacted on 18 March in connection with the original attack, which it quickly mitigated. In a recent blog post, CloudFlare said it employs Anycast technology, which spreads the load of a distributed attack across its data centres. In this way, the attack can be mitigated, with no ill consequences for its other customers.

Following this, CloudFlare says the attacks ceased temporarily. However, the attacks flared up again the next day and increased in size, from 10Gbps to a peak of 90Gbps on 21 March.

Again, the attackers quietened down for a day, but the following day increased their efforts to 120Gbps. According to threatpost, the attacks spiked to an alarming 300Gbps.

CloudFlare described the attack as one of the largest it has seen, but said, besides its size, the attack was not unusual in nature.

However, what was unusual was that the attackers then stopped attacking CloudFlare's customers directly, and focused instead on CloudFlare's network providers.

Spamhaus, in a statement on its Web site, said that, as with practically "every piece of infrastructure on the Internet", it is constantly under some sort of attack. "At this time, the attacks against our servers have subsided and the sizes are smaller. However, attacks do not just come and go. They also change in nature all the time. We try to be ready for the next attack so that we can ensure our users will be protected and the networks that rely on our service will be kept safe."

The company added that preventing such attacks needs two "key technical measures". Firstly, it says, all networks must not permit traffic that has 'spoofed' sending addresses to leave their network, because, if traffic could not be spoofed, reflection attacks would not be possible.

Secondly, open DNS resolvers need to be locked down and secured. CloudFlare CEO Matthew Prince described open DNS resolvers as the 'scourge of the Internet' in a blog post, and said "the size of these attacks will only continue to rise until all providers make a concerted effort to close them".
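The two measures above both reduce to one decision made at a network's own edge: is this address one of ours? The sketch below is an added example, not code from Spamhaus, CloudFlare or the article; the prefixes are documentation ranges standing in for a site's address space, and the function names and flow records are constructed for illustration.

```python
import ipaddress

# Constructed: documentation prefixes standing in for the site's own address space.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]

def _in_prefixes(addr, prefixes):
    """True if addr falls inside any prefix of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in prefixes)

def egress_allowed(src):
    """Measure 1: a packet may leave the network only if its source address is ours."""
    return _in_prefixes(src, LOCAL_PREFIXES)

def recursion_allowed(client, recursion_clients=LOCAL_PREFIXES):
    """Measure 2: a locked-down resolver recurses only for its own clients."""
    return _in_prefixes(client, recursion_clients)

def audit_egress(flows):
    """Return the outbound flows an edge filter should drop, plus their byte total."""
    dropped = [f for f in flows if not egress_allowed(f["src"])]
    return dropped, sum(f["bytes"] for f in dropped)

# Constructed flow records as they might be seen on the site's outbound edge.
SAMPLE_FLOWS = [
    {"src": "192.0.2.17", "dst": "198.51.100.53", "bytes": 64},
    {"src": "203.0.113.9", "dst": "198.51.100.53", "bytes": 64},        # source not ours
    {"src": "2001:db8:10::5", "dst": "2001:db8:ffff::53", "bytes": 80},
    {"src": "2001:db8:20::5", "dst": "2001:db8:ffff::53", "bytes": 80},  # source not ours
]

if __name__ == "__main__":
    dropped, total = audit_egress(SAMPLE_FLOWS)
    for flow in dropped:
        print("drop: source %s is outside local prefixes" % flow["src"])
    print("bytes dropped:", total)
    # An ACL of 0.0.0.0/0 is what makes a resolver "open": every client passes.
    open_acl = [ipaddress.ip_network("0.0.0.0/0")]
    print("outside client, locked down:", recursion_allowed("203.0.113.9"))
    print("outside client, open ACL:  ", recursion_allowed("203.0.113.9", open_acl))
```

In production this decision is enforced in router filters and in the resolver's own access-control configuration rather than in a script; the code only makes the rule explicit.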