In the last couple of days here in my place, and for nearly a week in Europe, the Americas, etc., people have been experiencing a slower Internet connection. I was indeed surprised and thought up other reasons, like my ISP doing some maintenance, or some applications on the computer using the connection for software updates and the like. Only yesterday did things become clear.
What was happening was a distributed denial of service (DDoS) attack, essentially on the Internet itself. It is widely regarded as the largest cyber security attack in the history of the Internet.
The Beginnings and the Parties Involved
Here are the main companies and organizations that were involved in this cyber attack. You probably already know about Spamhaus, don’t you? It is an international non-profit organization that fights spam in email, on the web, etc. The organization, with offices in London and Geneva, publishes lists of spammers, such as the SBL (Spamhaus Block List), IP addresses of verified, known spammers, and the DBL (Domain Block List), a list of known spamming domains. More information can be found on the Spamhaus website. Spamhaus provides these lists to other companies so that they can fight spam effectively.
Spamhaus came under a series of DDoS attacks on , and Luc Rossini of Spamhaus tweeted about it.
Spamhaus is currently under a DDoS attack against our website which we are working on mitigating. Our DNSBLs are not affected. #spamhaus
— Luc Rossini (@LucRossini) March 17, 2013
Before that, many of us had an idea that something fishy was going on, as the Spamhaus website was unavailable for an extended period of time.
Spamhaus’s hosting partner, which keeps the website reachable at difficult times, is Cloudflare. At the time of the attack, the organization sought help from Cloudflare, which later gave us an idea of the extent of the attack.
What is DDoS
A distributed denial of service attack is a type of denial of service attack: it targets a service and makes it unavailable to its legitimate users. It is not essentially a hacking attack, in that it usually does not compromise any data. It is the attackers’ way of saying “If I ain’t getting it, you ain’t either”.
That is denial of service; what does ‘distributed’ mean? That word is what makes the attack special and extreme: it is the power of the crowd. In a distributed attack, the attacker does not work directly, but through a huge number of compromised computers all over the world. These compromised computers may be yours or mine, and they can be anywhere on the planet. Such a network of compromised computers is known as a botnet.
Botnets can be enormous; examples include BredoLab, with 30 million computers capable of sending 3.6 billion spam messages a day; Cutwail, with over 1.5 million computers; and Zeus, with nearly 3.5 million compromised systems.
Such enormous networks can work together to bring down any organization with sheer volume of traffic.
What Happened With Spamhaus
Soon after it identified the attack details, Cloudflare posted this on its blog. That post gives us some idea of what happened to Spamhaus. The attack simply sent a huge number of visitors to the Spamhaus website, which is used to distribute its major spam blacklists to partnering organizations.
Once the website is down, the spam blacklists become unavailable and the spammers win. However, since Spamhaus is an important part of the inner workings of the Internet, many partnering organizations keep a copy of its most current blacklists. Hence, even if Spamhaus goes down under an attack, the blacklists remain available for a brief period of time. But that is not quite enough, and Spamhaus needs to stay online.
Briefly, for a period on 18 March, the Spamhaus website did go down, as noted above. The volume of traffic that made that happen was of the order of 100 Gbps (up from about 10 Gbps). Let’s see what this means.
While I am writing this post, the Spamhaus website is offline, with Cloudflare serving up a snapshot of the website.
100 Gbps of traffic is equivalent to about 131,072 people visiting the Spamhaus website every second, if we assume the total size of the website is 100 KB and a visitor doesn’t go to any internal pages. Extended to a day’s worth of visits, that comes to around 11 billion. That kind of traffic aimed at Spamhaus and its hosting partners would have extreme consequences.
Let’s compare that traffic to normal, organic web traffic. By the end of last year, Google’s daily searches averaged about 4.72 billion. That means the rest of the web gets far fewer visits than that. You can get an idea from this statistic published by USA Today, based on data from ComScore: all websites get visits in the millions, nowhere close to billions.
Even these top websites need excellent infrastructure and traffic load balancing to stay online all the time, including when traffic peaks. In most cases, a peak is a few hundred thousand extra visitors, not a few billion within a day. That kind of traffic can break even the top websites.
That is what happened with Spamhaus.
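To make the traffic arithmetic above reproducible, and to show the kind of check a site operator would run against an access log, here is a small Python example. It is added here and is not code from the original post, Spamhaus or Cloudflare. It assumes, as the post’s figures do, binary prefixes (100 Gbps read as 100 × 2^30 bit/s and 100 KB as 100 × 1024 bytes), which is what yields exactly 131,072 requests per second; the decimal reading is shown alongside. The access-log lines are constructed for the example, with documentation-range IP addresses, and the spike rule (a second whose request count exceeds three times the median) is a hypothetical threshold, not anything Cloudflare or Spamhaus have published.

```python
"""Bandwidth-to-request-rate arithmetic and a minimal per-second spike check.

Added example; not code from the original post. Prefix conventions and the
spike threshold are assumptions stated in the comments below.
"""
from collections import Counter
from statistics import median

SECONDS_PER_DAY = 86400


def requests_per_second(gbps, page_kb, binary=True):
    """Requests per second that a link of `gbps` can carry if every request
    fetches `page_kb` kilobytes.

    binary=True uses 2**30 bit/s per "Gbps" and 1024 bytes per "KB", which is
    the convention the post's 131,072 figure relies on (assumption);
    binary=False uses decimal 10**9 and 1000.
    """
    bit_unit = 1024 ** 3 if binary else 10 ** 9
    byte_unit = 1024 if binary else 1000
    bytes_per_second = gbps * bit_unit / 8
    return bytes_per_second / (page_kb * byte_unit)


def requests_per_day(gbps, page_kb, binary=True):
    """Same figure projected over a full day (the post's '11 billion')."""
    return requests_per_second(gbps, page_kb, binary) * SECONDS_PER_DAY


# Constructed access-log lines: "<ISO second> <client IP> <method> <path> <bytes>".
# Three seconds of steady traffic, then one second with four times as many requests.
SAMPLE_LOG = [
    "2013-03-18T12:00:00 198.51.100.10 GET / 102400",
    "2013-03-18T12:00:00 198.51.100.11 GET / 102400",
    "2013-03-18T12:00:01 198.51.100.12 GET / 102400",
    "2013-03-18T12:00:01 198.51.100.13 GET / 102400",
    "2013-03-18T12:00:02 198.51.100.14 GET / 102400",
    "2013-03-18T12:00:02 198.51.100.15 GET / 102400",
] + [f"2013-03-18T12:00:03 203.0.113.{i} GET / 102400" for i in range(1, 9)]


def per_second_counts(log_lines):
    """Count requests per one-second bucket, keyed by the timestamp field."""
    counts = Counter()
    for line in log_lines:
        if not line.strip():
            continue  # skip blank lines defensively
        timestamp = line.split()[0]
        counts[timestamp] += 1
    return counts


def flag_spikes(counts, factor=3.0):
    """Return (flagged, baseline): seconds whose request count exceeds
    `factor` times the median per-second count. The median baseline and the
    factor of 3 are illustrative choices, not a published rule."""
    baseline = median(counts.values())
    flagged = {ts: n for ts, n in counts.items() if n > factor * baseline}
    return flagged, baseline


if __name__ == "__main__":
    print("binary reading :", requests_per_second(100, 100), "req/s")
    print("decimal reading:", requests_per_second(100, 100, binary=False), "req/s")
    print("per day (binary):", requests_per_day(100, 100))
    flagged, baseline = flag_spikes(per_second_counts(SAMPLE_LOG))
    print("baseline req/s:", baseline, "flagged seconds:", flagged)
```

Run as a script, the first line reproduces the post’s 131,072 requests per second and the second shows that a decimal reading gives 125,000; the last line flags the constructed fourth second as a spike against the two-request-per-second baseline. A real deployment would aggregate over a rolling window and a much longer baseline, but the shape of the check is the same.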
Who Attacked Spamhaus?
Although in its FAQ Spamhaus does not say exactly who attacked it, it later revealed that the attack came from Cyberbunker, an unethical Dutch hosting firm. This company, according to its website (currently down), “keeps your servers online no matter what!”
You cannot look at the company’s website at this time. They probably took it down or were made to. But you can get an idea of its business practices from an Internet Archive snapshot made on . Here it is:
A notable thing is that Cyberbunker published a hateful blog post about Spamhaus, accusing the non-profit of regarding Cyberbunker and its business practices as spam. The blog post, like the Cyberbunker website, is offline now, but there is a Google cache copy available, which we uploaded to Scribd. Here is the post.
However, Cyberbunker’s Sven Olaf Kamphuis has posted (probably not in person) on Facebook, denying that the attack was initiated from Cyberbunker. Also, the Stophaus website (which works toward removing Spamhaus) is down now. If you check out its Twitter account (@stophaus), you can see a number of conversations happening.
Cyberbunker's rogue hosting service had come to the attention of a number of spam-fighting organizations in the past. The company makes sure that the websites it hosts stay online at all times, even if they are spamming others or are engaged in other types of illegal activity. Apparently, it tolerates anything other than child pornography and terrorism. Such ethics are sure to come under fire, and that is what happened in this case.
In Conclusion
Cloudflare's account, which I linked to at the top, has quite detailed statistics on the attack. Also, the way the attack is progressing (it still is) makes many people think this is not yet over. The Internet community should not let this sort of attack happen, and should help fight spam more effectively. We may update the details of this attack in the coming days. Keep coming back.
[Image: Aecdn, Xanga, Cisco]