A war between a loosely organized anti-spam group called Spamhaus and one of the Web hosts the group publicly identified as a spammer escalated last week, at times threatening some of the basic infrastructure of the Internet, according to a security firm’s account.
When Spamhaus identified Cyberbunker as a Web host that supports spam operations, the company and its supporters struck back with a sophisticated DDoS attack that escalated over a period of days, eventually threatening the basic functionality of the Internet, according to CloudFare, a security firm tapped by Spamhaus to help it recover from the attack.
A direct denial of service attack is one in which hackers, working together, flood a website with more traffic than it can handle. The hackers in this case used a clever twist on that approach, pinging domain name servers disguised as Spamhaus, sending amplified traffic back at the group’s own servers. At its peak, the attack drove roughly 300 Gbps of traffic, more than any attack in Internet history.
Cyberbunker hackers aren’t the first to say that Spamhaus lacks accountability for the influential blacklists of spammers it publishes. Cyberbunker claims to offer hosting for any website “except child porn and anything related to terrorism.”
As CloudFare helped Spamhaus distribute the traffic, becoming a target of the attack in the process, more and more traffic was routed upstream towards the Tier 1 Internet service providers. The traffic became increasingly concentrated on a few major communication routes.
“At the core of the Internet, if all else fails, it is these Tier 1 providers that ensure that every network is connected to every other network. If one of them fails, it’s a big deal,” CloudFare said blog post.
The domain name servers couldn’t simply be shut down because they also serve a basic function: They convert servers’ numerical addresses into URLs that users type.
“The No. 1 rule of the Internet is that it has to work,” security researcher Dan Kaminsky told the New York Times. “You can’t stop a DNS flood by shutting down those servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.”
Both Kaminsky and CloudFare have pointed out a core vulnerability of the DNS system: They are too powerful.
The Cyberbunker attackers were among the first to exploit that vulnerability.