SeijiSensei
March 27th, 2013, 11:59 AM
The first I heard of this was on the front page of the online edition of the New York Times (http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html):
The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Cyberbunker, named for its headquarters, a five-story former NATO bunker, offers hosting services to any Web site “except child porn and anything related to terrorism,” according to its Web site.
The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.
“It is a real number,” [Patrick Gilmore of Akamai] said. “It is the largest publicly announced DDoS attack in the history of the Internet.”
The spammers being protected by Cyberbunker make the usual claims that groups like Spamhaus are vigilantes trying to impose their will on freedom-loving types who want to send us more trash and phishing ploys designed to defraud the naive and unsuspecting. As someone who manages mail services for myself and a few clients, I've spent many, many hours fighting spammers and welcome the existence of groups like Spamhaus. Whether to use a Spamhaus database, or the databases of other similar organizations, is entirely up to the mail provider. However, Spamhaus has a wide-ranging effect since the default set for SpamAssassin uses some of Spamhaus's lists. Since the SA developers run tests of the validity of the rules they distribute, the data that Spamhaus provides must have shown their worth over time.
This is a rather different type of DDoS attack than simply trying to flood an entity's servers with traffic generated by botnets. Apparently it uses the method of sending queries to DNS servers with spoofed source addresses that make the traffic appear to be coming from machines at Spamhaus. The DNS servers then send their replies to the Spamhaus machines.
If you are running a DNS server that is publicly visible, but not authoritative for a domain, you should check your logs to see if you have been inadvertently converted into an amplifier for this attack. My servers are authoritative so they have to accept queries from anywhere on the Internet. If you run a publicly-visible server that only needs to handle queries from a limited range of hosts, make sure you have locked down the configuration so the server will only reply to those hosts and no others.
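One way to do the log check the post recommends, as an added example that is not part of the original post: it assumes BIND 9 query-log lines (the "queries" logging category), a hypothetical list of the client networks the resolver is meant to serve, and constructed sample log lines. Repeated recursive queries for the same name from an address outside those networks are what a resolver being used as a reflector would record, since the "client" is really the spoofed victim.

```python
import ipaddress
import re
from collections import Counter

# Layout of a BIND 9 query-log line. A '+' at the start of the flags field
# means the client set the RD bit, i.e. asked this server to recurse.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(lines):
    """Yield (source_ip, qname, qtype, recursion_desired) for each query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["name"], m["qtype"], m["flags"].startswith("+")

def suspect_reflection_sources(lines, allowed_nets, threshold=3):
    """Count recursive queries that repeat the same (name, type) from a source
    outside the networks this resolver is meant to serve (assumed list).
    Returns {source_ip: flagged_query_count} for sources reaching `threshold`;
    each such address is a candidate victim whose address is being spoofed."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    per_key = Counter()
    for ip, name, qtype, rd in parse_query_log(lines):
        if not rd:
            continue  # non-recursive lookups are normal authoritative traffic
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue  # a client we intend to answer recursively
        per_key[(ip, name, qtype)] += 1
    flagged = Counter()
    for (ip, _name, _qtype), n in per_key.items():
        if n >= threshold:
            flagged[ip] += n
    return dict(flagged)

# Constructed sample lines (not taken from any real log). 198.51.100.7 plays
# the spoofed victim; 10.0.0.5 is a legitimate internal client.
SAMPLE_LOG = """\
27-Mar-2013 12:00:01.101 client 198.51.100.7#53211: query: example.net IN ANY +E (203.0.113.2)
27-Mar-2013 12:00:01.102 client 198.51.100.7#53212: query: example.net IN ANY +E (203.0.113.2)
27-Mar-2013 12:00:01.103 client 198.51.100.7#53213: query: example.net IN ANY +E (203.0.113.2)
27-Mar-2013 12:00:01.104 client 198.51.100.7#53214: query: example.net IN ANY +E (203.0.113.2)
27-Mar-2013 12:00:02.500 client 10.0.0.5#40001: query: example.com IN A + (203.0.113.2)
27-Mar-2013 12:00:02.600 client 192.0.2.9#40002: query: example.com IN MX - (203.0.113.2)
""".splitlines()

if __name__ == "__main__":
    print(suspect_reflection_sources(SAMPLE_LOG, ["10.0.0.0/8"]))
```

A non-empty result means the server is answering recursive queries for addresses it was never meant to serve, which is exactly the configuration the post says should be locked down.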