The last month has seen what is probably the largest distributed denial-of-service (DDoS) attack ever recorded. Some 300Gbps of traffic was thrown at the website of Internet blacklist maintainer Spamhaus, but CloudFlare, the content delivery network the anti-spam organisation had turned to for protection, was able to absorb the attack and get Spamhaus' core services back up and running.
Spamhaus, a group based in both London and Geneva, is a non-profit organisation that aims to help email providers filter out spam and other unwanted content. Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18.
Five national cyber-police forces are investigating the attacks. A group calling itself STOPhaus, an alliance of hacktivists and cyber criminals, is believed to be responsible for bombarding Spamhaus with up to 300Gbps of traffic.
The attacks on Spamhaus illustrate a larger problem: the vulnerability of a system fundamental to the architecture of the Internet, the Domain Name System (DNS). The high attack bandwidth is possible because the attackers are using misconfigured DNS servers, known as open recursive resolvers or open recursors, to amplify a much smaller stream of requests into a far larger flood of responses. An open recursor answers recursive queries from any address on the Internet rather than only from its own customers, so anyone can use it as a reflector.
Known as DNS reflection (or DNS amplification), the technique sends requests that elicit a large response (CloudFlare describes them as requests for a zone file; in practice an ANY query for a domain with many records) with the source address forged, so that the requests appear to come from the intended victim's network and the resolvers deliver their much larger replies to the victim. CloudFlare said it initially recorded over 30,000 DNS resolvers that had been tricked into participating in the attack. There are as many as 25 million such open recursive resolvers at the disposal of attackers.
“In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we’d issued for Spamhaus as the source in their DNS requests. The open resolvers responded with the DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.”
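The query-and-response arithmetic in the quote above, as an added example in Python (not code from the article, CloudFlare or Spamhaus): it builds the `ANY ripe.net` query with an EDNS0 buffer size of 4096 on the wire, parses it back the way a resolver or a packet filter would, flags the request shape that makes amplification possible, computes the amplification factor against the 3,000-byte response size CloudFlare quotes, and shows the client check an open recursor is missing. The allowed client network (192.0.2.0/24) and the spoofed victim address (203.0.113.7) are constructed documentation addresses; nothing is sent on the network.

```python
"""DNS amplification: what the quoted 'dig ANY ripe.net ... +bufsize=4096' request
looks like on the wire, why it amplifies, and the check an open recursor lacks.
Added illustration, not CloudFlare's or Spamhaus's code. Nothing is sent on the network."""
import ipaddress
import struct

QTYPE_ANY = 255   # "ANY" in the quoted dig command
TYPE_OPT = 41     # EDNS0 OPT pseudo-RR, carries the advertised UDP payload size
CLASS_IN = 1
QUOTED_RESPONSE_BYTES = 3000  # response size CloudFlare quotes for the ripe.net ANY answer


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, udp_payload: int = 4096,
                txid: int = 0x1234) -> bytes:
    """Wire form of `dig <type> <name> +edns=0 +bufsize=<udp_payload>`."""
    # Header: ID, flags (RD=1 asks for recursion), QDCOUNT=1, ANCOUNT=0,
    # NSCOUNT=0, ARCOUNT=1 (the OPT record sits in the additional section).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name (0x00), TYPE=41, CLASS=UDP payload size,
    # TTL=0 (extended RCODE/version/flags), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def decode_name(pkt: bytes, off: int):
    """Decode labels at `off`; returns (name, offset after the terminating zero)."""
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_query(pkt: bytes) -> dict:
    """Parse the header, the first question and any OPT record of a query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    bufsize = None  # None: no EDNS0, so UDP answers are capped at 512 bytes
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            bufsize = rclass  # for OPT the CLASS field carries the UDP payload size
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "edns_bufsize": bufsize, "size": len(pkt)}


def is_amplification_shape(info: dict) -> bool:
    """Request profile worth rate-limiting: ANY query plus a large EDNS buffer.

    ANY makes the answer large; the EDNS buffer lets that answer leave over UDP
    in one spoofable datagram instead of being truncated to 512 bytes.
    """
    return info["qtype"] == QTYPE_ANY and (info["edns_bufsize"] or 512) >= 4096


def amplification_factor(request: bytes, response_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return response_bytes / len(request)


def should_recurse(client_ip: str, allowed_nets) -> bool:
    """The check an open recursor is missing: recurse only for known clients.

    `allowed_nets` plays the role of a resolver's client ACL (assumed here).
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)


if __name__ == "__main__":
    q = build_query("ripe.net")
    info = parse_query(q)
    print("request bytes:", info["size"], "parsed:", info)
    print("amplification vs %d-byte answer: %.0fx"
          % (QUOTED_RESPONSE_BYTES, amplification_factor(q, QUOTED_RESPONSE_BYTES)))
    print("looks like an amplification probe:", is_amplification_shape(info))
    # 203.0.113.7 stands in for a spoofed victim address (constructed for the example).
    print("open recursor answers it:", should_recurse("203.0.113.7", ["0.0.0.0/0"]))
    print("restricted resolver answers it:", should_recurse("203.0.113.7", ["192.0.2.0/24"]))
```

The query comes out at 37 bytes, in line with the "approximately 36 bytes" in the quote, and against a 3,000-byte answer the ratio is about 81x (CloudFlare rounds to 100x). Two things stop this at the resolver: refusing recursion for clients outside the ACL, as `should_recurse` does, and rate-limiting or truncating answers to the ANY-plus-large-buffer shape so a spoofed client cannot extract a full-size response over UDP. Neither helps with the spoofing itself, which only source-address filtering at the attacker's network can prevent.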
It now seems that the attack was orchestrated by a Dutch hosting company called CyberBunker. CyberBunker will host anything as long as it is not child pornography or related to terrorism, and that includes customers who send spam. Spamhaus blacklisted CyberBunker earlier in the month.
The DDoS attacks have also raised concerns that further escalation of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out either to extort money from the targeted organisations or as a weapon to disrupt organisations or companies in pursuit of ideological, political or personal interests.