A massive cyberattack targeting an anti-spam watchdog group this month has sent ripples of disruption across the Internet as servers move a choking mountain of junk traffic back and forth, experts said Wednesday.
Spamhaus, a site that targets and blocks inbox ads like those for bogus weight loss pills and counterfeit Viagra, says it has been walloped by what’s called a “denial-of-service” attack since mid-March, and speculation directs blame to groups angry at being blacklisted by the Swiss-British anti-spam agency.
“It is a small miracle that we’re still online,” Spamhaus researcher Vincent Hanna said.
Denial-of-service attacks overwhelm a server with traffic — like hundreds of letters being jammed through a mail slot at the same time. Security experts measure those attacks in bits of data per second. Recent cyberattacks — like the ones that caused persistent outages at U.S. banking sites late last year — have tended to peak at 100 billion bits per second.
But the furious assault on Spamhaus has shattered the charts, clocking in at 300 billion bits per second, according to San Francisco-based CloudFlare Inc., which Spamhaus has enlisted to help it weather the attack.
“It was likely quite a bit more, but at some point measurement systems can’t keep up,” CloudFlare chief executive Matthew Prince wrote in an email.
Patrick Gilmore of Akamai Technologies said that was no understatement.
“This attack is the largest that has been publicly disclosed — ever — in the history of the Internet,” he said.
It’s unclear who exactly was behind the attack, although a man who identified himself as Sven Olaf Kamphuis said he was in touch with the attackers and described them as mainly disgruntled Russian Internet service providers who had found themselves on Spamhaus’ blacklists. There was no immediate way to verify his claim.
He accused the watchdog of arbitrarily blocking content that it did not like. Spamhaus has widely used and constantly updated blacklists of sites that send spam. The company’s Web site says it is “working to protect Internet networks worldwide” and that it “works with law enforcement to identify and pursue spammers worldwide.”
“They abuse their position not to stop spam but to exercise censorship without a court order,” Kamphuis said.
Gilmore and Prince said the attack’s perpetrators had taken advantage of weaknesses in the Internet’s infrastructure to trick thousands of servers into routing a torrent of junk traffic to Spamhaus every second.
The trick, called “DNS reflection,” works a little bit like mailing requests for information to thousands of different organizations with a target’s return address written across the back of the envelopes. When all the organizations reply at once, they send a landslide of useless data to the unwitting addressee.
“At a minimum there would have been slowness,” Prince said, adding in a blog post that “if the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.”
At the London Internet Exchange, where service providers exchange traffic across the globe, spokesman Malcolm Hutty said his organization had seen “a minor degree of congestion in a small portion of the network.”
But he said it was unlikely that any ordinary users had been affected by the attack.
Hanna said his site had so far managed to stay online, but warned that being knocked off the Internet could give spammers an opening to step up their mailings — which may mean more fake lottery announcements and pitches for penny stocks heading to people’s inboxes.