Alleged fight between anti-spam group and blacklisted company incites massive DDoS

A Netherlands-based web host has been accused of launching distributed-denial-of-service (DDoS) attacks against an anti-spam group that blacklisted it – a reprisal that eventually grew to become the largest attack of its kind, affecting internet users around the world.

On Tuesday, The New York Times reported on the “squabble” between CyberBunker, a Dutch company, and international nonprofit Spamhaus, which maintains databases of companies deemed spammers.

The DDoS attacks, which grew to 300 gigabytes per second of traffic being sent by attackers, affected web access for millions of internet users, including access to sites like Netflix, according to the Times.

Sven Olaf Kamphuis, an internet activist claiming to be a spokesman for CyberBunker, told the Times via an online message that CyberBunker was lashing out because of Spamhaus “abusing their influence.”

“We are aware that this is one of the largest DDoS attacks the world has publicly seen,” Kamphuis said.

The incident began when Spamhaus announced on its site last Wednesday that it had been experiencing a “large-scale” DDoS attack for days. The nonprofit soon hired CloudFlare, a San Francisco-based security and site performance service provider, to mitigate the attacks.

After CloudFlare set up a line of defense last Tuesday to protect Spamhaus' site, the attackers' disruption efforts escalated to its current record-breaking status.

In a Wednesday blog post, Matthew Prince, CloudFlare's CEO, wrote that attacks peaked at around 90 Gbps on March 19 – without managing to take Spamhaus offline. Attackers' tactics soon changed, leading to a DDoS attack of global proportions.

“Rather than attacking our customers directly, they started going after the network providers CloudFlare uses for bandwidth,” Prince wrote. He later explained that once these efforts also proved unsuccessful, attackers began aiming for network providers further up the hierarchy.

“Once the attackers realized they couldn't knock CloudFlare itself offline – even with more than 100Gbps of DDoS traffic – they went after our direct peers,” Prince wrote. “In this case, they attacked the providers from whom CloudFlare buys bandwidth. We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers.”

In an interview with SCMagazine.com on Wednesday, Prince said that the influx of traffic was eventually filtered up to Tier 1 networks, where several became congested, affecting hundreds of millions of people browsing the web, particularly users in Europe where most of the DDoS attacks were aimed.

“They are using open resolvers, a misconfigured DNS [domain name system],” Prince said. “It allows an attacker with a small amount of resources to amplify the attacks they launch.”
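Prince's point about open resolvers can be checked from a resolver's own query log: if it answers recursive queries for clients outside the networks it is meant to serve, and those answers are many times larger than the queries, it is a usable reflector. The Python audit below is an added example, not code from the article, CloudFlare or Spamhaus; the allowed networks, log record layout and byte sizes are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Networks this resolver is meant to serve recursion for (assumed values).
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]

# Constructed log records:
# (client, qname, qtype, recursion_desired, query_bytes, response_bytes)
SAMPLE_LOG = [
    ("192.0.2.10",   "example.com", "A",    True,  40, 56),
    ("198.51.100.7", "isc.org",     "ANY",  True,  38, 3200),
    ("198.51.100.7", "isc.org",     "ANY",  True,  38, 3200),
    ("203.0.113.5",  "ripe.net",    "ANY",  True,  37, 2900),
    ("203.0.113.9",  "example.org", "A",    False, 41, 57),  # non-recursive: not a finding
    ("192.0.2.25",   "example.net", "AAAA", True,  44, 72),
]


def is_allowed(client, allowed=ALLOWED_CLIENTS):
    """True if the client address falls inside a network we intend to serve."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in allowed)


def amplification(query_bytes, response_bytes):
    """Bytes returned per byte sent: the 'amplify' in Prince's quote."""
    return response_bytes / query_bytes


def audit_open_recursion(records, allowed=ALLOWED_CLIENTS, min_ratio=10.0):
    """Group recursive queries answered for clients outside `allowed`.

    Any entry at all means the resolver is acting as an open resolver;
    `reflector` is set when the largest answer was at least `min_ratio`
    times its query, i.e. the resolver is attractive for amplification.
    Returns {client: {"queries", "response_bytes", "max_ratio", "reflector"}}.
    """
    findings = defaultdict(lambda: {"queries": 0, "response_bytes": 0, "max_ratio": 0.0})
    for client, _qname, _qtype, rd, qlen, rlen in records:
        if not rd or is_allowed(client, allowed):
            continue  # iterative lookups and our own clients are expected traffic
        f = findings[client]
        f["queries"] += 1
        f["response_bytes"] += rlen
        f["max_ratio"] = max(f["max_ratio"], amplification(qlen, rlen))
    for f in findings.values():
        f["reflector"] = f["max_ratio"] >= min_ratio
    return dict(findings)
```

An empty result on a real log is the desired state; restricting recursion to the client networks (and rate-limiting responses) is the corresponding fix on the resolver side.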

He added that the last large wave of DDoS attacks had been 24 hours ago, but that CloudFlare is inclined to believe “something else is on the way.”

SCMagazine.com reached out to Spamhaus and CyberBunker, but did not immediately hear back from the companies.

CyberBunker has a web page on its site accusing Spamhaus of unfair blacklisting practices:

“According to Spamhaus, CyberBunker is designated as a 'rogue' host and has long been a haven for cybercrime and spam,” said CyberBunker's site. “Of course Spamhaus has not been able to prove any of these allegations. Spamhaus deals with this common situation by adding 'rogue' hosts to its SBL [Spamhaus Block List] and contacting upstream providers to encourage them to kick 'bad actors' off their network.”

In the past, one blacklisted company took legal measures against Spamhaus. In 2006, e360, a now-defunct marketing services firm that claimed it was defamed and lost customers after Spamhaus listed it as a spammer, initiated a years-long court battle with the nonprofit organization. E360 initially won an $11.7 million judgment against Spamhaus, but in 2010, an Illinois judge reduced the award to $27,000.

The following year, another appeal brought e360's award down to $3. The court said it was making an example of the company for exaggerating the magnitude of its losses.

UPDATE: In a Thursday email to SCMagazine.com, Jordan Robson, a CyberBunker spokesman, said the company had “no further comment” other than to say, “we, including our clients, did not, and never have...sent any spam.”
