Massive DDOS attacks on Spamhaus threaten Internet connectivity



SeijiSensei
March 27th, 2013, 11:59 AM
The first I heard of this was on the front page of the online edition of the New York Times (http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html):

The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Cyberbunker, named for its headquarters, a five-story former NATO bunker, offers hosting services to any Web site “except child porn and anything related to terrorism,” according to its Web site.

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” [Patrick Gilmore of Akamai] said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

The spammers being protected by Cyberbunker make the usual claims that groups like Spamhaus are vigilantes trying to impose their will on freedom-loving types who want to send us more trash and phishing ploys designed to defraud the naive and unsuspecting. As someone who manages mail services for myself and a few clients, I've spent many, many hours fighting spammers and welcome the existence of groups like Spamhaus. Whether to use a Spamhaus database, or the databases of other similar organizations, is entirely up to the mail provider. However, Spamhaus has a wide-ranging effect since the default rule set for SpamAssassin uses some of Spamhaus's lists. Since the SA developers run tests of the validity of the rules they distribute, the data that Spamhaus provides must have shown its worth over time.

This is a rather different type of DDOS attack than simply trying to flood an entity's servers with traffic generated by botnets. Apparently it uses the method of sending queries to DNS servers with a spoofed source address that makes the traffic appear to be coming from machines at Spamhaus. The DNS servers then send their replies to the Spamhaus machines.

If you are running a DNS server that is publicly visible, but not authoritative for a domain, you should check your logs to see if you have been inadvertently converted into an amplifier for this attack. My servers are authoritative so they have to accept queries from anywhere on the Internet. If you run a publicly-visible server that only needs to handle queries from a limited range of hosts, make sure you have locked down the configuration so the server will only reply to those hosts and no others.
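
An added example, not part of the post above, showing one way to do the log check the post recommends. It is a Python script that parses BIND-style query log lines and flags "client" addresses whose traffic looks like spoofed reflection: many queries, nearly all of type ANY (the largest possible answer), with recursion requested. Remember that in this kind of attack the address logged as the client is the spoofed victim, not the real sender. The log lines, thresholds and the QUERY_RE pattern are my assumptions for illustration; adjust the regex to your named version's log format.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (not real traffic). The "client"
# address in a reflection attack is the spoofed victim, not the attacker.
SAMPLE_LOG = """\
27-Mar-2013 10:00:01.101 client 192.0.2.10#53000: query: example.org IN ANY + (198.51.100.5)
27-Mar-2013 10:00:01.102 client 192.0.2.10#53000: query: example.org IN ANY + (198.51.100.5)
27-Mar-2013 10:00:01.104 client 192.0.2.10#53000: query: example.org IN ANY + (198.51.100.5)
27-Mar-2013 10:00:01.105 client 192.0.2.10#53000: query: example.org IN ANY + (198.51.100.5)
27-Mar-2013 10:00:01.107 client 192.0.2.10#53000: query: example.org IN ANY + (198.51.100.5)
27-Mar-2013 10:00:02.300 client 203.0.113.7#41234: query: www.example.net IN A + (198.51.100.5)
27-Mar-2013 10:00:03.010 client 203.0.113.7#41235: query: mail.example.net IN MX + (198.51.100.5)
27-Mar-2013 10:00:04.250 client 192.0.2.99#9999 (example.org): query: example.org IN ANY +E (198.51.100.5)
"""

# Assumed BIND 9 query-log layout; the optional "(name)" after the port covers
# the newer format, the form without it the older one.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Parse query-log text into a list of {ip, name, qtype, rd} records."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log entry
        records.append({
            "ip": m.group("ip"),
            "name": m.group("name"),
            "qtype": m.group("qtype").upper(),
            # a leading '+' in the flags field means the RD bit was set
            "rd": m.group("flags").startswith("+"),
        })
    return records


def find_reflection_suspects(records, min_queries=5, any_ratio=0.8):
    """Return {client_ip: stats} for addresses whose query mix looks like
    spoofed reflection traffic: at least min_queries queries, of which a
    fraction >= any_ratio are type ANY."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "rd": 0, "names": set()})
    for r in records:
        s = stats[r["ip"]]
        s["total"] += 1
        s["any"] += r["qtype"] == "ANY"
        s["rd"] += r["rd"]
        s["names"].add(r["name"])
    suspects = {}
    for ip, s in stats.items():
        if s["total"] >= min_queries and s["any"] / s["total"] >= any_ratio:
            suspects[ip] = {**s, "names": sorted(s["names"])}
    return suspects


if __name__ == "__main__":
    for ip, s in find_reflection_suspects(parse_query_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['total']} queries, {s['any']} ANY, "
              f"{s['rd']} with RD set, names={s['names']}")
```

On a real server, feed it the query log (enable it with `rndc querylog` in BIND) and raise `min_queries` to something meaningful for your traffic. The detection is only a heuristic: a legitimate client can send ANY queries, and an attacker can use other record types that produce large answers, so treat a hit as a prompt to inspect, not proof. On the configuration side, a BIND server that is authoritative only should carry `recursion no;` in its `options` block, and one that must recurse for a limited set of hosts should restrict it with `allow-recursion { <your networks>; };`; neither stops spoofed queries from arriving, but they stop the server from producing the large recursive answers that make it a useful amplifier.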

evilsoup
March 27th, 2013, 12:09 PM
Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.


“Dutch authorities and the police have made several attempts to enter the bunker by force,” the site said. “None of these attempts were successful.”


- HQ is a nuclear bunker
- Largest publicly-known DDOS attack
- Have fended off armed police
- Spammers

These guys are clearly supervillains

SeijiSensei
March 27th, 2013, 01:23 PM
There have been a couple of attempts to set up Internet service providers at sea beyond national jurisdictions. The first one I heard of was the now-defunct HavenCo (http://en.wikipedia.org/wiki/HavenCo) on the self-proclaimed Principality of Sealand (http://en.wikipedia.org/wiki/Principality_of_Sealand), formerly home to pirate radio broadcasters off the coast of Britain. Google owns a patent (http://www.datacenterknowledge.com/archives/2008/09/06/google-planning-offshore-data-barges/) for using ocean waves to power off-shore server farms. Depending on where these are moored they could operate outside territorial waters.

sandyd
March 27th, 2013, 03:54 PM
Moved to the brand new Ubuntu, Linux and OS Chat forum.

lisati
March 27th, 2013, 06:45 PM
I first became aware of the problem well over a week ago, several days before the report in the Times, while investigating some emails that my mail server rejected.

Spamhaus have some information on their website: http://www.spamhaus.org/news/article/694/ddos-update-20-march-2013

sffvba[e0rt
March 27th, 2013, 09:11 PM
This is so wrong, YouTube is taking forever to load at the moment :evil:

lykwydchykyn
March 27th, 2013, 09:31 PM
Why enter the bunker? Seems like they can just cut the cable and be done with it.

buzzingrobot
March 27th, 2013, 10:34 PM
Why enter the bunker? Seems like they can just cut the cable and be done with it.

Agreed!

I have little tolerance for vigilantism. Self-appointed cops are little different from criminals.

Dutch residents (citizens, presumably) are currently interfering with the lives and livelihoods of people across the globe. The Dutch authorities have a responsibility to end this. Would they be so seemingly lackadaisical if Dutch citizens were interfering with telephone circuits or radio transmission all around the planet?

They should cut power to the bunker, cut water to the bunker, physically sever the bunker's internet connections, and prevent entrance or exit until people in the bunker surrender to the police.

mharv
March 30th, 2013, 10:10 PM
Why enter the bunker? Seems like they can just cut the cable and be done with it.
RF + generator maybe? I see no other way unless they're just stupid.

cariboo
March 30th, 2013, 11:38 PM
I found this (http://siliconangle.com/blog/2013/03/28/did-cloudfare-lie-to-us-about-the-spamhaus-cyberattack/) while searching for something else.