
Spamhaus hit by biggest-ever DDoS attacks

Discussion in 'BlackHat Lounge' started by Tensegrity, Mar 27, 2013.

  1. Tensegrity

    Tensegrity Jr. VIP Premium Member

    Joined:
    Apr 22, 2009
    Messages:
    1,823
    Likes Received:
    968
    http://www.computerworld.com/s/article/9237938/Update_Spamhaus_hit_by_biggest_ever_DDoS_attacks

    From page 1:

    "Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen. Some of the attacks have generated so much DDoS traffic that they actually slowed down sections of the Internet for brief periods of time, according to the firms. Matthew Prince, CEO of CloudFlare, a San Francisco-based firm that has been helping Spamhaus over the past few days, today said that the attacks have been going on since March 19 and have generated up to 300Gbps of DDoS traffic.


    That's about three times bigger than the biggest DDoS attacks seen so far and several magnitudes greater than the 4Gbps to 10Gbps of traffic generated by typical DDoS attacks.


    "We haven't seen anything larger than this publicly," Prince said. "It's hard to get an attack this large, because what you end up doing is congesting [portions of the Internet]," he said.


    Spamhaus did not respond immediately to a request for comment. However, according to The New York Times, the attacks against the Geneva-based company began after the anti-spam service added Dutch hosting provider Cyberbunker to its global blacklist.


    Cyberbunker, a hosting company that operates out of an abandoned NATO bunker in the Netherlands, is known for hosting an eclectic collection of websites -- some of which are thought to be major spammers. The company prides itself on being willing to host almost any website, except those involved with terrorism and child pornography.


    The company has done little to hide its dislike for Spamhaus, which it has characterized as a bully on its website. The Times quoted an alleged spokesman for the attackers as saying that Cyberbunker was retaliating because Spamhaus had abused its influence on the Internet.
    According to Prince, the DDoS attacks against Spamhaus started off being fairly typical in bandwidth, but quickly grew much bigger. Between March 19 and March 22, the DDoS attacks went from 10Gbps of traffic to over 90Gbps.


    When that wasn't enough to knock Spamhaus offline, the attackers changed tactics and began going after CloudFlare's upstream service providers. "As the attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated," he said. In DDoS attacks, perpetrators typically try to take down a target network by inundating it with useless traffic. The traffic is usually generated using large botnets of compromised computers.


    With Spamhaus, the attackers employed a well-known, but infrequently used, method known as a DNS reflection attack to generate the massive streams of DDoS traffic seen over the past few days, Prince noted."
     
    • Thanks x 1
  2. phirex

    phirex Power Member

    Joined:
    Nov 17, 2009
    Messages:
    514
    Likes Received:
    258
    Yeah, I think there are more threads on this issue than packets that are being sent to Spamhaus now...
     
  3. IamNRE

    IamNRE Jr. VIP Premium Member

    Joined:
    Aug 18, 2010
    Messages:
    4,663
    Likes Received:
    7,108
    Occupation:
    Generate Leads With FB Ads For Just $1
    Home Page:
     
    Last edited by a moderator: May 18, 2016
  4. IamNRE

    IamNRE Jr. VIP Premium Member

    Joined:
    Aug 18, 2010
    Messages:
    4,663
    Likes Received:
    7,108
    Occupation:
    Generate Leads With FB Ads For Just $1
    Home Page:
     
    • Thanks x 1
    Last edited by a moderator: May 18, 2016
  5. 12040

    12040 Junior Member

    Joined:
    Dec 16, 2011
    Messages:
    106
    Likes Received:
    54
    I hope they will never stop.
     
  6. Ibeefaaa

    Ibeefaaa Regular Member

    Joined:
    Apr 24, 2010
    Messages:
    365
    Likes Received:
    683
    Occupation:
    Part time IM and part time unemployed :))
    Location:
    Chasing the Smoosh !
    CyberBunker's headquarters, in a former NATO building in the Netherlands. Photo: CyberBunker


    A squabble between a group fighting spam and a Dutch company that hosts websites said to be sending spam has escalated into one of the largest computer attacks on the internet, causing widespread congestion and jamming crucial infrastructure around the world.


    Millions of ordinary internet users have experienced delays in services like Netflix or could not reach a particular website for a short time.



    CyberBunker's data centre, at its headquarters, in a former NATO building. Photo: CyberBunker





    However, for the internet engineers who run the global network the problem is more worrisome. The attacks are becoming increasingly powerful, and computer security experts worry that if they continue to escalate people may not be able to reach basic internet services, like email and online banking.

    The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by email providers to weed out spam.

    Cyberbunker, named for its headquarters, a five-storey former NATO bunker, offers hosting services to any website ''except child porn and anything related to terrorism,'' according to its website.
    A spokesman for Spamhaus, which is based in Europe, said the attacks began on March 19 but had not stopped the group from distributing its blacklist.

    Patrick Gilmore, chief architect at Akamai Networks, a digital content provider, said Spamhaus' role was to generate a list of internet spammers. Of Cyberbunker, he added: ''These guys are just mad. To be frank, they got caught. They think they should be allowed to spam.''


    Gilmore said that the attacks, which are generated by swarms of computers called botnets, concentrate data streams that are larger than the internet connections of entire countries. He likened the technique, which uses a long-known flaw in the internet's basic plumbing, to using a machine gun to spray an entire crowd when the intent is to kill one person.

    The attacks were first mentioned publicly last week by Cloudflare, an internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target.

    ''These things are essentially like nuclear bombs,'' said Matthew Prince, chief executive of Cloudflare. ''It's so easy to cause so much damage.''
    The so-called denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

    ''It is a real number,'' Gilmore said. ''It is the largest publicly announced DDoS attack in the history of the internet.''

    Spamhaus, one of the most prominent groups tracking spammers on the internet, uses volunteers to identify spammers and has been described as an online vigilante group. In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until it falls offline.
    But in recent weeks, the attackers hit back with a far more powerful strike that exploited the internet's core infrastructure, called the Domain Name System, or DNS. That system functions like a telephone switchboard for the internet. It translates the names of websites like Facebook.com or Google.com into a string of numbers that the internet's underlying technology can understand.
    Millions of computer servers around the world perform the actual translation. In the latest incident, attackers sent messages, masquerading as ones coming from Spamhaus, to those machines, which were then amplified drastically by the servers, causing torrents of data to be aimed back at the Spamhaus computers. When Spamhaus requested aid from Cloudflare, the attackers began to focus their digital ire on the companies that provide data connections for both Spamhaus and Cloudflare.
    Questioned about the attacks, Sven Olaf Kamphuis, an internet activist who said he was a spokesman for the attackers, said in an online message, ''We are aware that this is one of the largest DDoS attacks the world had publicly seen.''
    Kamphuis said Cyberbunker was retaliating against Spamhaus for ''abusing their influence.''

    ''Nobody ever deputised Spamhaus to determine what goes and does not go on the internet,'' Kamphuis said.


    ''They worked themselves into that position by pretending to fight spam.''


    A typical denial-of-service attack tends to affect only a small number of networks. But in the case of a DNS flood attack, data packets are aimed at the victim from servers all over the world. Such attacks cannot easily be stopped, computer security experts say, because those servers cannot be shut off without halting the internet.


    ''The No.1 rule of the internet is that it has to work,'' said Dan Kaminsky, a security researcher who pointed out the inherent vulnerabilities of the Domain Name System years ago.


    ''You can't stop a DNS flood by shutting down those servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.''


    The heart of the problem, according to several internet engineers, is that many large internet service providers have not set up their networks to make sure that traffic leaving their networks is actually coming from their own users. The potential security flaw has long been known by internet security specialists, but it has only recently been exploited in a way that threatens the internet infrastructure.

    An engineer at one of the largest internet communications firms said the attacks in recent days have been as many as five times larger than what was seen recently in attacks against major US banks. He said the attacks were not large enough to saturate the company's largest routers, but they had overwhelmed important equipment. Cyberbunker brags on its website that it has been a frequent target of law enforcement because of its ''many controversial customers.''

    The company claims that at one point it fended off a Dutch SWAT team.
    ''Dutch authorities and the police have made several attempts to enter the bunker by force,'' the site said. ''None of these attempts were successful.''


    Read more: http://www.smh.com.au/it-pro/securi...n-history-of-the-internet-20130327-2gtw1.html
     
    • Thanks x 4
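The "heart of the problem" paragraph in the article above is the absence of source-address validation (BCP38) at the edge of access networks: a provider that drops outbound packets whose source address it never assigned cannot be used to launch a reflection flood, because the forged packets never leave. The following is an added example written for this thread, not code from the article or from anyone quoted in it. The prefixes, flow records and addresses are constructed (documentation ranges), and `egress_filter` and `spoofed_source_report` are hypothetical names.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes this hypothetical access network actually assigns to its customers.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed flow records as an edge router might export them: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.5",    "198.51.100.53",   "udp", 53),   # genuine DNS query from a customer
    ("192.0.2.10",     "198.51.100.53",   "udp", 53),   # source not ours: forged to look like the victim
    ("192.0.2.10",     "192.0.2.200",     "udp", 53),   # same forged source, another open resolver
    ("203.0.113.77",   "198.51.100.1",    "tcp", 443),  # ordinary customer web traffic
    ("2001:db8:10::1", "2001:db8:ffff::1", "udp", 53),  # genuine IPv6 DNS query
    ("2001:db8:99::1", "2001:db8:ffff::1", "udp", 53),  # forged IPv6 source
]


def source_is_ours(src, prefixes=OWN_PREFIXES):
    """True when the source address falls inside a prefix this network assigns."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def egress_filter(flows, prefixes=OWN_PREFIXES):
    """Split flows into (forwarded, dropped), the way BCP38 filtering at the
    customer edge would: anything with a source we never assigned is dropped."""
    forwarded, dropped = [], []
    for flow in flows:
        (forwarded if source_is_ours(flow[0], prefixes) else dropped).append(flow)
    return forwarded, dropped


def spoofed_source_report(dropped):
    """Count the forged source addresses seen on dropped outbound DNS queries.
    One outside address showing up repeatedly as the 'source' of queries leaving
    the network is the signature of a reflection attempt being launched from inside."""
    return Counter(src for src, _dst, proto, dport in dropped if proto == "udp" and dport == 53)


if __name__ == "__main__":
    kept, dropped = egress_filter(SAMPLE_FLOWS)
    print(f"forwarded {len(kept)} flows, dropped {len(dropped)} with forged sources")
    for src, count in spoofed_source_report(dropped).items():
        print(f"  {src}: {count} outbound DNS queries claiming this address")
```

The report is the defender's payoff: after the filter is in place, the dropped-flow log tells you which of your customers' hosts are trying to participate in a reflection attack, and which outside address they are trying to hurt.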
  7. Tensegrity

    Tensegrity Jr. VIP Premium Member

    Joined:
    Apr 22, 2009
    Messages:
    1,823
    Likes Received:
    968
    Tee-hee.
     
  8. acomoney

    acomoney Registered Member

    Joined:
    Nov 14, 2009
    Messages:
    99
    Likes Received:
    44
    Location:
    Amsterdam
    Proud to be a dutchie right now! Spamhaus can go fuck themselves
     
  9. iglow

    iglow Elite Member

    Joined:
    Feb 20, 2009
    Messages:
    2,081
    Likes Received:
    856
    Home Page:
    and that's very good - fuck these losers
     
  10. Tensegrity

    Tensegrity Jr. VIP Premium Member

    Joined:
    Apr 22, 2009
    Messages:
    1,823
    Likes Received:
    968
    Interesting stuff!

    http://arstechnica.com/information-...turned-dns-into-a-weapon-of-mass-destruction/



    "There are two ways for a resolver to get the authoritative IP address for a domain name that isn't in its cache: an iterative request and a recursive request. In an iterative request, the resolver pings the top-level domain's DNS servers for the authoritative DNS for the destination domain, then it sends a DNS request for the full hostname to that authoritative server. If the computer that the request is seeking is in a subdomain or "zone" within a larger domain—such as www.subdomain.domain.com—it may tell the resolver to go ask that zone's DNS server. The resolver "iterates" the request down through the hierarchy of DNS servers until it gets an answer.
    But on some networks, the DNS resolver closest to the requesting application doesn't handle all that work. Instead, it sends a "recursive" request to the next DNS server up and lets that server handle all of the walking through the DNS hierarchy for it. Once all the data is collected from the root, domain, and subdomain DNS servers for the requested address, the resolver then pumps the answer back to its client.


    To save time, DNS requests don't use the "three-way handshake" of the Transmission Control Protocol (TCP) to make all these queries. Instead, DNS typically uses the User Datagram Protocol (UDP)—a "connectionless" protocol that lets the server fire and forget requests.


    That makes the sending of requests and responses quicker—but it also opens up a door to abuse of DNS that DNS amplification uses to wreak havoc on a target. All the attacker has to do is find a DNS server open to requests from any client and send it requests forged as being from the target of the attack. And there are millions of them.


    The "amplification" in DNS amplification attacks comes from the size of those responses. While a DNS lookup request itself is fairly small, the resulting response of a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the attackers' victim.
     
    • Thanks x 1
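To make the "amplification" in the Ars Technica excerpt concrete, here is an added example written for this thread (not code from the article or from this post). It builds a DNS query in wire format, builds a constructed oversized response of the kind a recursive resolver would hand back for a large record set, computes the size ratio between the two, and then shows the mitigation that DNS servers use against exactly this: response rate limiting. When a single source exceeds its budget, the server "slips" a header-only reply with the TC bit set; a genuine client retries over TCP (which cannot be spoofed), while a forged source gets a reply smaller than the query it sent. All names, sizes, rates and addresses are constructed, and `ResponseRateLimiter` and `answer` are hypothetical names.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Serialise a one-question DNS query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    return header + question


def parse_header(msg):
    """Decode the 12-byte header so flags and section counts can be inspected."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_response(query, answers):
    """Constructed response: echo the question, append answer RRs. Each RR name is a
    compression pointer (0xC00C) back to the question name, as real servers emit."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | QR | RA, 1, len(answers), 0, 0)
    body = query[12:]
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body


def amplification_factor(query, response):
    """Bytes the reflector sends to the forged source per byte the attacker sent."""
    return len(response) / len(query)


class ResponseRateLimiter:
    """Per-client token bucket in the spirit of DNS RRL: `rate` responses/second, `burst` in reserve."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, client_ip, now):
        tokens, last = self.buckets.get(client_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[client_ip] = (tokens - 1, now)
            return True
        self.buckets[client_ip] = (tokens, now)
        return False


def answer(limiter, client_ip, now, query, full_response):
    """Return the full response while within budget; otherwise slip a 12-byte
    truncated reply so a real client falls back to TCP and a spoofed one gains nothing."""
    if limiter.allow(client_ip, now):
        return full_response
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, flags | QR | TC, 0, 0, 0, 0)


if __name__ == "__main__":
    q = build_query("example.com", qtype=255)                 # ANY query, 29 bytes on the wire
    txt = bytes([254]) + b"A" * 254                            # one 255-byte TXT rdata
    r = build_response(q, [(16, txt)] * 10)                    # ten such records in the answer
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}x")
    rrl = ResponseRateLimiter(rate=5, burst=5)
    sizes = [len(answer(rrl, "192.0.2.10", 0.0, q, r)) for _ in range(7)]
    print("reply sizes for 7 back-to-back queries from one source:", sizes)
```

The numbers are the point of the excerpt: a 29-byte query that draws a 2,699-byte answer is a ninety-fold amplifier, and a forged source address means all of that lands on someone who never asked. The rate limiter does not stop the forged queries from arriving, but it caps what each claimed source can draw out of the server, which is what removes the server's value as a reflector.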
  11. Nigel Farage

    Nigel Farage BANNED

    Joined:
    Feb 8, 2012
    Messages:
    563
    Likes Received:
    1,495
    Until 5 days ago, I had never heard of Spamhaus. Monday, the client calls and says he can receive emails in Outlook, but cannot send them. So I go onsite and find an error message that basically says that his IP Address has been placed by Spamhaus on a list of known spammers.

    So, I went to Spamhaus, entered his IP and verified that he was blocked, then entered the IP again to request removal from the list. Within minutes it was removed.

    Despite that, he still was unable to send emails. Fortunately I happened to have purchased a 3 month subscription to StrongVPN, so I installed it on his computer, gave him my U/N & P/W and PRESTO!, he was back to sending & receiving emails.

    I mention this in case someone else gets blocked by Spamhaus in a "group setting". In this case, it was a group of lawyers sharing a common IP Address, and even though Spamhaus lifted the block, the "Server" had to be reset (they said it was the Server, I suspect it was the router. Lawyers are dumb.) in order for the block to be completely gone. How a block from Spamhaus can prevent sending emails on a local network even after the block has been lifted is the big burning question I still have.

    This was a grand moment of supernatural brilliance for me, and I'm quite proud of it. I hope to expand my glory by bestowing this god-like insight to you mortals on the chance that it might help get your ass out of a crack at some point in the future. It's another reason to have a VPN. They are cheap; mine is only $7.00 / month.

    As far as the negative comments about Spamhaus, meh. It's a good system, and it worked. Finding out you are on the list is simple, and getting off of the list is fast. (They warn you about getting on the list multiple times; eventually you don't get taken off.) So from the User perspective, YAY! Spamhaus kicks those shitty spammers right in the testicle. (They only have one.)

    From the Blackhat perspective, well. I can tell you that one little ol' IP block on Spamhaus caused a whole rat's nest of attorneys to shit themselves for 2 days, and the only thing worse than a spammer is an attorney. And if someone wanted to cause FUD, hate, discontent, disruption and acid reflux, finding a blackhat way to finagle an IP block at Spamhaus would be a really good way to fuck with someone, because most IT guys aren't as brilliant as I am, and would probably do something stupid like reinstall Windows (which was the attorney's suggestion. He said his friend had "the exact same problem" and reinstalling Windows was the only fix for it.)

    Did I mention that Lawyers are stupid?
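The "enter the IP and see whether it is blocked" step from the post above is, under the hood, an ordinary DNS lookup: a DNSBL is queried by reversing the address's octets, appending the list's zone, and looking for an A record in 127.0.0.0/8, whose last octet says which sub-list matched. The following is an added example written for this thread, not code from the post or from Spamhaus. The zone name and the return-code meanings for the combined "zen" zone come from Spamhaus's published documentation rather than from this page (check their current docs before relying on them); the resolver is injected so the example runs offline against a constructed fake zone, and `check_listing` is a hypothetical name.

```python
import ipaddress

# Return codes for the combined zen.spamhaus.org zone as documented by Spamhaus
# (assumption: not stated on this page; verify against current documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised senders)",
    "127.0.0.4": "XBL (compromised hosts)",
    "127.0.0.5": "XBL (compromised hosts)",
    "127.0.0.6": "XBL (compromised hosts)",
    "127.0.0.7": "XBL (compromised hosts)",
    "127.0.0.10": "PBL (ISP-maintained end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name that a DNSBL expects, e.g. 5.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 DNSBL lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Map the A records returned for a DNSBL name to list names; an empty list means not listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    hits = []
    for a in answers:
        if ipaddress.ip_address(a) in loopback:
            hits.append(ZEN_CODES.get(a, "unknown return code " + a))
    return hits


def check_listing(ip, resolve, zone="zen.spamhaus.org"):
    """resolve(name) must return the A records for `name` as strings, or [] on NXDOMAIN.
    Injecting it keeps this offline; a caller can plug in socket.gethostbyname_ex or dnspython."""
    return interpret(resolve(dnsbl_query_name(ip, zone)))


# Constructed fake zone standing in for a live DNSBL so the example runs without network access.
FAKE_ZONE = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.10"],               # an office IP on an end-user range
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],   # a host on both SBL and XBL
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.7", "203.0.113.9"):
        hits = check_listing(ip, fake_resolve)
        print(ip, "->", ", ".join(hits) if hits else "not listed")
```

Knowing which sub-list matched is what tells you the next step: a PBL hit means the range is not meant to send mail directly and the fix is to relay through the provider's mail server, whereas an XBL hit means a machine behind that address is compromised and removal alone will not last.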