The Biggest DDoS War Ever is Slowing Down Internet

It's dubbed as the largest distributed denial of service (DDoD) attack in the history of the Internet, reportedly slowing down portions of the Web for brief periods of time across the globe. Anti-spam service Spamhaus is the target, suffering daily attacks since March 19 that have generated up to 300 Gbps of DDoS traffic.

The attacks reportedly began after Spamhaus added the Dutch company Cyberbunker to its blacklist. Cyberbunker is a five-story former NATO bunker in the Netherlands which hosts websites except for those related to porn and terrorism. Some of these sites have been labeled as "eclectic" and noted as alleged major spammers.

Sven Olaf Kamphuis, an Internet activist speaking for the attackers, said that Cyberbunker is virtually pounding Spamhaus for abusing its influence on the Internet. "We are aware that this is one of the largest DDoS attacks the world had publicly seen."

These attacks started small in bandwidth, but rose from 10 Gbps to over 90 Gbps between March 19 and March 22. Once the attackers discovered their onslaught wasn't enough to knock Spamhaus offline, they went after the upstream service providers.

"As the attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated," said Matthew Prince, CEO of CloudFlare, an Internet security firm based in San Francisco that has been helping Spamhaus over the past few days. The company first mentioned the attacks last week, and has thus become one of the targets.

"These things are essentially like nuclear bombs," he added. "It’s so easy to cause so much damage."

In the typical DDoS scenario, attackers take down a target network by bombarding it with useless traffic generated by large botnets. This attack essentially clogs up the virtual lanes and causes the server to either fall offline or prevent visitors from accessing the site.

In the case of Spamhaus, the attackers are using DNS reflection to generate massive streams of DDoS traffic. Fake domain name requests are sent to DNS servers, which in turn send a flood of responses to a target server or network. In this case, the DNS servers think the requests came from Spamhaus, but they really didn't; they got a flood of responses to the anti-spam firm anyway.

"The vast majority of the traffic was caused by open DNS resolvers," Prince said. "What's spooky here is that only a tiny fraction of the 21.7 million open DNS resolvers on the Internet were used [to generate the traffic against Spamhaus]."

Once Spamhaus came to CloudFlare requesting help, the attackers focused their efforts on both companies. In the process, millions of Internet users have complained of poor performance in Netflix and Hulu Plus, or they have been unable to access specific websites for a short time.

Patrick Gilmore, chief architect at Akamai Networks, told the New York Times that Spamhaus' role is to generate a list of Internet spammers. Cyberbunker got mad because it was added, and decided to retaliate. "To be frank, they got caught," he said. "They think they should be allowed to spam."

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” added Cyberbunker rep Kamphuis. "They worked themselves into that position by pretending to fight spam."

Several Internet engineers told the New York Times that the big issue facing the Internet today is that ISPs have no way of confirming that traffic leaving their networks is actually coming from their own users.

Contact Us for News Tips, Corrections and Feedback