The largest Distributed Denial of Service (DDoS) attack ever reported is affecting internet access around the world, according to several reports.
The DDoS attack, which began on around 15th March, is directed against Spamhaus, a non-profit organisation that provides blacklists of IP addresses alleged to be distributing spam messages. Spamhaus has accused a Dutch hosting service provider CyberBunker, of initiating the attacks along with eastern European cybercriminals, after Spamhaus listed CyberBunker as a source of spam.
Since the attacks began, DDoS attacks have peaked at 300 gigabits per second, six times greater volume than is seen in a normal high profile attack, and three times the previous largest recorded attack of 100 Gbps.
Spamhaus’ site was knocked offline on 18th March, but since then has been able to recover and keep its core services running, but the sheer volume of the attack is believed to have disrupted services such as Netflix, and the London Internet Exchange.
According to CyberBunker’s website: “Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine.”
The two companies were already in dispute since October last year, when Spamhaus, based in London and Geneva, blacklisted CyberBunker and Dutch ISP A2B Internet, who provided connectivity services to CyberBunker.
Spamhaus is directly or indirectly responsible for filtering as much as 80% of daily spam messages.
Spamhaus has employed content delivery company CloudFlare to help mitigate the attacks, and has also received technical support from a number of other companies including Google. CloudFlare reports that attackers were not able to overcome its servers, even with traffic of 120Gbps, so the attackers then began targeting the network providers CloudFlare uses for bandwidth, and core Internet Exchanges in Europe and Hong Kong.
In a post on a CloudFlare blog, the company explained how the attackers were able to create such a large volume of requests, using an ‘Open DNS Resolver’ method, which effectively amplifies the volume of DDoS attacks. Matthew Prince of CloudFlare wrote: “The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”
The attacks are now under investigation by five national cyber police authorities. Prince warned that hundreds of millions of people could have been affected by the general slowdown in Internet speeds: “Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.”
ShareMAR
2013