So you thought the 100 Gbps distributed denial-of-service attacks against U.S. banks were big? Ongoing attacks against Spamhaus have three times the fury and have affected unrelated online services as collateral damage.

Attackers from Dutch webhost Cyberbunker are turning on a firehose of bad traffic in retaliation for being blacklisted by spam blacklist providers Spamhaus. Cyberbunker is taking advantage of thousands of open DNS resolvers to launch DNS amplification attacks that have made Spamhaus unreachable at times for the last week.

Spamhaus are a Swiss volunteer organization that pushes out via DNS a list of spam servers that organizations can use on their messaging infrastructure to block these IP addresses. CloudFlare, a network security and DNS provider, said Spamhaus filters up to 80 percent of daily spam messages. Cyberbunker, meanwhile, has been accused of hosting the infamous Russian Business Network, in addition to spam providers. An entry on the Cyberbunker Wikipedia page said the company hosts any web service “except child porn and anything related to terrorism.”

Experts are calling the attacks, that have spiked to as high as 300 Gbps per second some of the largest recorded against commercial targets.

“These are certainly the biggest I’ve heard go public,” said Carlos Morales, VP of global sales engineering and operations at Arbor Networks. “I’ve seen attacks almost this size in the Far East that I have had privileged access to that haven’t been public—intra-country attacks.”

These attacks, which are capitalizing on the availability of open DNS resolvers to spoof Spamhaus IP addresses to send them massive volumes of DNS requests, have also bottlenecked traffic elsewhere on the Internet. The New York Times reported yesterday that Netflix customers were reporting service disruptions. Other high-bandwidth streaming services were also impacted.

“An attack of this size is coming from a lot of different places in great volume to a lot of places on the Internet. There are going to be a lot of congestion points. Where you’re seeing this collateral damage is likely in links or exchanges where there is finite bandwidth,” Morales said. “[The attacks are] exceeding this bandwidth. Netflix may have some level of peering with providers in the same place as Spamhaus, so that may be affecting them. It’s like visiting a relative in the same town as a major sporting event; you may have no interest in the event, but you’re likely impacted by the traffic.”

The DDoS attack against Spamhaus began March 18. A day later, it contacted CloudFlare—which was eventually targeted in the attack as well—to help mitigate the attack. Initial numbers on the attacks indicated 10 Gbps of traffic that spiked within hours to more than 100 Gbps, similar to the volume of bad packets directed at U.S. banks in three separate attacks dating back to last September. Since the attacks on Spamhaus started, some surges closed in on 300 Gbps.

CloudFlare CEO Matthew Prince wrote in a blogpost that he put the blame on DNS amplification attacks and the availability of open DNS resolvers.

“Open DNS resolvers are quickly becoming the scourge of the Internet, and the size of these attacks will only continue to rise until all providers make a concerted effort to close them,” Prince said.

In a DNS reflection attack, an attacker may spoof the victim’s IP address and send a request for a large DNS zone file to open DNS resolvers. The resolvers will respond by sending the large zone files to the victim. The attacker can then request many larger zone file, amplifying the attack fairly quickly until the victim is overrun. The Spamhaus attackers were sending requests for DNS zone files for ripe.net to open DNS resolvers, CloudFlare said.

“The attacker spoofed the CloudFlare IPs we’d issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic,” CloudFlare’s Prince wrote. “We recorded over 30,000 unique DNS resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mbps, which is small enough to fly under the radar of most DNS resolvers. Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750Mbps — which is possible with a small sized botnet or a handful of AWS instances.”

The Times also quoted Sven Olaf Kamphuis, spokesman for the attackers, who said Cyberbunker was retaliating because he said Spamhaus had abused its influence. “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Kamphuis was quoted in the Times article. “They worked themselves into that position by pretending to fight spam.”

Categories: Web Security