Update: Spamhaus hit by biggest-ever DDoS attacks

Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen.

Some of the attacks have generated so much DDoS traffic that they actually slowed down sections of the Internet for brief periods of time, according to the firms.

Matthew Prince, CEO of CloudFlare, a San Francisco-based firm that has been helping Spamhaus over the past few days, today said that the attacks have been going on since March 19 and have generated up to 300Gbps of DDoS traffic.

That’s about three times bigger than the biggest DDoS attacks seen so far and several magnitudes greater than the 4Gbps to 10Gbps of traffic generated by typical DDoS attacks.

“We haven’t seen anything larger than this publicly,” Prince said. “Its hard to get an attack this large, because what you end up doing is congesting [portions of the Internet],” he said,

Spamhaus did not respond immediately to a request for comment. However, according to The New York Times, the attacks against the Geneva-based company began after the anti-spam service added Dutch hosting provider Cyberbunker to its global blacklist.

Cyberbunker, a hosting company that operates out of an abandoned NATO bunker in the Netherlands, is known for hosting an eclectic collection of websites — some of which are thought to be major spammers. The company prides itself on being willing to host almost any website, except those involved with terrorism and child pornography.

The company has done little to hide its dislike for Spamhaus, which it has characterized as a bully on its website. The Times quoted an alleged spokesman for the attackers as saying that Cyberbunker was retaliating because Spamhaus had abused its influence on the Internet.

According to Prince, the DDoS attacks against Spamhaus started off being fairly typical in bandwidth, but quickly grew much bigger. Between March 19 and March 22, the DDoS attacks went from 10Gbps of traffic to over 90Gbps.

When that wasn’t enough to knock Spamhaus offline, the attackers changed tactics and began going after CloudFlare’s upstream service providers. “As the attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated,” he said.

In DDoS attacks, perpetrators typically try to take down a target network by inundating it with useless traffic. The traffic is usually generated using large botnets of compromised computers.

With Spamhaus, the attackers employed a well-known, but infrequently used, method known as a DNS reflection attack to generate the massive streams of DDoS traffic seen over the past few days, Prince noted.

With DNS reflection, attackers basically send spoofed domain name requests to DNS servers in such a manner as to get the DNS servers to send a flood of responses to a targeted server or network.

Though the lookup requests are actually sent from one source, they appear to the DNS server to have come from a different place — in this case, Spamhaus. The responses to the DNS lookup requests are sent to the spoofed address instead of the actual source.

When the number of such requests is in the thousands, attackers can easily generate a multigigabit flood of DNS replies. The attacks are possible because a vast number of DNS servers on the Internet are “recursive” or configured in such a way that they accept DNS lookup requests even for addresses that belong to some other domain.

According to Prince, with the Spamhaus DDoS streams, the attackers amplified the traffic even more by crafting their DNS queries in such a manner as to cause the DNS servers to generate larger than normal amounts of data when responding. Using this technique, an attacker could send a relatively small 36-bit DNS lookup query and get the server to send back a response that is 3,600 bits long, he said.

“The vast majority of the traffic was caused by open DNS resolvers,” Prince said. “What’s spooky here is that only a tiny fraction of the 21.7 million open DNS resolvers on the Internet were used” to generate the traffic against Spamhaus, he said.

Dan Holden, director of the security and engineering response team at Arbor Networks, said the Spamhaus attacks are likely causing damage far beyond the intended target because they are so massive.

“The largest [such attack] we have seen is 100Gbps back in 2010 and 2011. So the jump is pretty drastic,” he said. “Given the size of the attacks, there is certainly probability for collateral damage,” he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan or subscribe to Jaikumar’s RSS feed . His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.