Spam Feud Leads to Largest DDoS Ever
Spamhaus Attacked for Adding Cyberbunker to SBL
by Karl Bode 02:55PM Wednesday Mar 27 2013
A dispute between Spamhaus and a Dutch hosting provider has resulted in one of the largest DDoS attacks in Internet history. According to somewhat hyperbolic bits at the BBC and New York Times, Spamhaus is being attacked in retaliation for the company's decision to add Cyberbunker to the SBL. Cyberbunker is actually housed in a decommissioned Cold War nuclear bunker in the Netherlands, and markets itself as a hosting provider that allows essentially anything, though they deny hosting spam operations and have been fighting with Spamhaus since 2011.

What started as a 10 gigabits per second attack last week quickly blossomed into a 120 gigabits per second storm, among the largest ever recorded. It has since ballooned into a 300 gigabits per second DDoS attack. There's a good read with technical specifics on the attack at the blog for security outfit CloudFlare, which was helping fight the attack but very quickly became a target for doing so:
quote:
The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," claims Sven Olaf Kamphuis, who claims to be a spokesman for the attackers. "They worked themselves into that position by pretending to fight spam." Spamhaus has certainly seen its share of controversy for its tactics, and getting yourself delisted after false accusations can be a headache. Still, those who use Spamhaus filters do so voluntarily, and the outfit is most traditionally attacked for the simple reason that spammers got caught spamming.

zed260
Premium
join:2011-11-11
Cleveland, TN

1 edit

the attacks probably gonna get bigger

i suspect that we shall see this attack only get bigger

maybe it gets big enough to trigger an international cyberwar treaty

more importantly what if it keeps growing could we possibly see 1 or more tier 1 isps completely offline

Corehhi

join:2002-01-28
Bluffton, SC
Reviews:
·Hargray Cable

Re: the attacks probably gonna get bigger

said by zed260:

i suspect that we shall see this attack only get bigger

maybe it gets big enough to trigger an international cyberwar treaty

more importantly what if it keeps growing could we possibly see 1 or more tier 1 isps completely offline

What makes you think governments aren't involved with this????? Could be just a test run for someone out there, think middle east countries are big fans of the internet???
zed260
Premium
join:2011-11-11
Cleveland, TN
Reviews:
·Charter

2 recommendations

Re: the attacks probably gonna get bigger

well the attack apparently is coming from cyberbunker they have the motive and the means to carry it out so i doubt it's government backed at least in this case i also doubt any major anti internet government would bother targeting spamhaus go after twitter or maybe facebook or google.com even dont waste your time on such a tiny object that poses no major threat to your control of the net

heck target dslreports.com they pose a bigger threat than spamhaus from the middle east government point of view
moonpuppy

join:2000-08-21
Glen Burnie, MD
said by Corehhi:

What makes you think governments aren't involved with this????? Could be just a test run for someone out there, think middle east countries are big fans of the internet???

A government or two might be bankrolling them but it is not the Mid-East. My guess is the Russian Federation and maybe elements of China with a dash of North Korea tossed in.

Metatron2008
Premium
join:2008-09-02
united state

1 recommendation

How dare you accuse of us providing spam SpamHaus!

We at cyberbunker will show how innocent we are by causing a 300 gbit DDOS using botnets!
axus

join:2001-06-18
Washington, DC

Re: How dare you accuse of us providing spam SpamHaus!

Yep, and even if Cyberbunker were innocent, Spamhaus can't bend to extortion or they wouldn't be credible.

FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

1 edit
said by Metatron2008:

We at cyberbunker will show how innocent we are by causing a 300 gbit DDOS using botnets!

Netherlands police should break in to the Cyberbunker data center; arrest everyone inside; shut down all systems and padlock the place.

djrobx
Premium
join:2000-05-31
Valencia, CA
kudos:2
Reviews:
·Time Warner Cable
·VOIPO

Re: How dare you accuse of us providing spam SpamHaus!

said by FFH:

Netherlands police should break in to the Cyberbunker data center; arrest everyone inside; shut down all systems and padlock the place.

Cyberbunker is literally a bunker, so that's easier said than done.

»cyberbunker.com/web/swat.php
--
AT&T U-Hearse - RIP Unlimited Internet 1995-2011
Rethink Billable.

Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

1 recommendation

Re: How dare you accuse of us providing spam SpamHaus!

US can sell them a few bunker buster bombs. Free delivery!

Metatron2008
Premium
join:2008-09-02
united state

2 recommendations

Re: How dare you accuse of us providing spam SpamHaus!

Just cut off the nearest fiber cable that runs to cyberbunker..

ropeguru
Premium
join:2001-01-25
Mechanicsville, VA

1 recommendation

Re: How dare you accuse of us providing spam SpamHaus!

said by Metatron2008:

Just cut off the nearest fiber cable that runs to cyberbunker..

And power..
MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

1 recommendation

All they need is one drunk construction worker and a backhoe.

mikesterr

join:2008-04-18
Atco, NJ

Re: How dare you accuse of us providing spam SpamHaus!

They need that Armenian woman with her metal detector and shovel. She took down her whole country's internet a few years ago. Let's put her to work.
Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

1 recommendation

cut the fiber lines, cut the power and stuff rags in the exhaust pipes for the generators.

Smoke em out with their own generator fumes.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports
dra6o0n

join:2011-08-15
Mississauga, ON

Re: How dare you accuse of us providing spam SpamHaus!

You can destroy even a fortress, with the handy help of the earth itself!

Drill holes around the surface of the bunker and start filling it in with water.

Give time and watch the Bunker slowly wash away into the nearest lake or ocean.
Tobester

join:2000-11-14
San Francisco, CA
Reviews:
·SONIC.NET

2 recommendations

said by djrobx:

said by FFH:

Netherlands police should break in to the Cyberbunker data center; arrest everyone inside; shut down all systems and padlock the place.

Cyberbunker is literally a bunker, so that's easier said than done.

»cyberbunker.com/web/swat.php

Why can't Dutch authorities simply turn off electrical power?

Even if they have on-site generators, eventually, they will need more fuel, water, etc.
moonpuppy

join:2000-08-21
Glen Burnie, MD
Actually, a few stray bullets to the upper echelons of Cyberbunker would be more effective.

Trust me, if they were going after any target in Eastern Europe, this would have been over far quicker.
dra6o0n

join:2011-08-15
Mississauga, ON
The majority of the internet probably doesn't care what Cyberbunker or Spamhaus is, and instead would love to attack both of them if they had the motivation to eliminate the bad factors of the internet.

IllIlIlllIll
EliteData
Premium
join:2003-07-06
Hampton Bays, NY
kudos:7

1 edit

zombie botnet ?

that would be an awfully lot of zombie infected computers on high speed internet to pull this off if that was the case.
zed260
Premium
join:2011-11-11
Cleveland, TN
Reviews:
·Charter

2 edits

Re: zombie botnet ?

said by IllIlIlllIll:

that would be an awfully lot of zombie infected computers on high speed internet to pull this off.

not quite seems they're using a different method sending fake packets to dns servers tricking them into sending large amounts of internet traffic to spamhaus "cloudflare now" so it acts as an amplifier you only need a small amount of bandwidth from the attacker for this method to generate hundreds of times more traffic than the attacker themselves used

for every 10 bytes of data you send to a dns server you get around 100 bytes back that is a huge attack that means that assuming the owner of the dns server didn't figure something was wrong or my isp you could in theory turn my 100 megabit charter connection into a 1 gigabit attack on a website but because of how quick that be blocked it's not possible
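
The amplification effect described in the post above, seen from the operator's side of an open resolver, as an added example that is not part of the original thread: it totals query and response bytes per source address and flags sources receiving far more than they sent, the profile of a spoofed reflection victim. The log records, field layout and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed resolver log records (illustrative, not real traffic):
# (source IP as seen in the query, query type, query bytes, response bytes)
SAMPLE_LOG = [
    ("198.51.100.7", "A", 40, 56),
    ("198.51.100.7", "AAAA", 40, 68),
    ("203.0.113.9", "ANY", 36, 3200),
    ("203.0.113.9", "ANY", 36, 3150),
    ("203.0.113.9", "ANY", 36, 3300),
    ("203.0.113.9", "ANY", 36, 3250),
    ("192.0.2.44", "MX", 42, 120),
    ("192.0.2.44", "TXT", 42, 900),
]


def summarize_by_source(records):
    """Aggregate query count, bytes in/out and query types per source IP."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0,
                                 "bytes_out": 0, "qtypes": Counter()})
    for src, qtype, q_bytes, r_bytes in records:
        s = stats[src]
        s["queries"] += 1
        s["bytes_in"] += q_bytes
        s["bytes_out"] += r_bytes
        s["qtypes"][qtype] += 1
    return stats


def amplification_ratio(stat):
    """Response bytes sent per query byte received for one source."""
    return stat["bytes_out"] / stat["bytes_in"]


def likely_reflection_targets(records, min_ratio=20.0, min_queries=3):
    """Return (source, ratio, dominant query type) for suspicious sources.

    A source that "asks" repeatedly and gets back many times what it sent
    is probably a forged address, i.e. the victim, not a real client.
    The thresholds are assumptions; tune them against a traffic baseline.
    """
    flagged = []
    for src, stat in summarize_by_source(records).items():
        ratio = amplification_ratio(stat)
        if stat["queries"] >= min_queries and ratio >= min_ratio:
            top_qtype, _count = stat["qtypes"].most_common(1)[0]
            flagged.append((src, round(ratio, 1), top_qtype))
    # Highest amplification first, so the worst abuse is triaged first.
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for src, ratio, qtype in likely_reflection_targets(SAMPLE_LOG):
        print(f"{src}: {ratio}x amplification, mostly {qtype} queries")
```

A resolver that shows flagged sources it has no reason to serve is answering the whole Internet; restricting recursion to known clients removes it from the pool of amplifiers.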

IllIlIlllIll
EliteData
Premium
join:2003-07-06
Hampton Bays, NY
kudos:7

Re: zombie botnet ?

said by zed260:

said by IllIlIlllIll:

that would be an awfully lot of zombie infected computers on high speed internet to pull this off.

not quite seems they're using a different method sending fake packets to dns servers tricking them into sending large amounts of internet traffic to spamhaus "cloudflare now" so it acts as an amplifier you only need a small amount of bandwidth from the attacker for this method to generate hundreds of times more traffic than the attacker themselves used

for every 10 bytes of data you send to a dns server you get around 100 bytes back that is a huge attack that means that assuming the owner of the dns server didn't figure something was wrong or my isp you could in theory turn my 100 megabit charter connection into a 1 gigabit attack on a website but because of how quick that be blocked it's not possible

oh, i know, i was just picturing this happening with zombie botnet computers instead of the DNS exploit, thinking about how many millions of computers it would take to reach 300GB of bandwidth, that would be one hell of an "infection" to spread around.
--
Suffolk County NY Police Feed - »www.scpdny.com
PS3 Gaming Feed - »www.livestream.com/elitedata
axus

join:2001-06-18
Washington, DC

Re: zombie botnet ?

Yup. I think the article said that exploiting the "open DNS resolvers" was 100 times more effective than exploiting botnet computers. So, they would have needed 100 times more zombies to pull off the same attack.
dra6o0n

join:2011-08-15
Mississauga, ON

Re: zombie botnet ?

But then they wouldn't be able to cover their tracks as decently enough.
More bots and proxies = harder to trace.

Less bots with higher damaging bytes, means easier to narrow down attacks.

dslcreature
Premium
join:2010-07-10
Seattle, WA
said by axus:

Yup. I think the article said that exploiting the "open DNS resolvers" was 100 times more effective than exploiting botnet computers. So, they would have needed 100 times more zombies to pull off the same attack.

If you think normal DNS amplification is a lot of fun just wait till secure DNS picks up steam and actually sees deployment.

I find it particularly amusing the same solution (ingress filtering) which effectively prevents these kinds of amplification attacks also does away with much practical need for DNSSEC.

I have not made up my mind as to which is more ridiculous:

1. Attempting to replace broken protocols (DNS) with something much MUCH MUCH worse (DNSSEC) when these attack vectors have been well known to all concerned for years.

2. Operators sitting on their hands pretending filtering does not exist while at the same time offering DDOS mitigation services to their customers.

cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7
said by IllIlIlllIll:

thinking about how many millions of computers it would take to reach 300GB of bandwidth, that would be one hell of an "infection" to spread around.

Not really. 10-30mbit fiber connections aren't uncommon these days. At 10mbit, it would take 30k computers. At 30mbit, that number drops to 10k. Add in corporate networks that have 100 or gigabit connections and it's not that hard to get to 300gigabits. The hard part is doing it without people noticing it.
TechGuy99
Premium
join:2003-09-15
Flushing, NY
This attack had an amplification size which was around 100x. That means for every 10 bytes of data sent 1,000 bytes were sent to the target IP!
silbaco
Premium
join:2009-08-03
USA
Infect a few users with Gbps speeds and it doesn't take many.

NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

Open DNS Resolvers

And OpenDNS is near the top of the list.

»dns.measurement-factory.com/surv···est.html
voxframe

join:2010-08-02

Laughing

Interesting DDOS method!

I don't care much for Spamhaus, so I'm laughing at them. They were a horrible spam list back when we didn't have dedicated spam filter hardware.

They were the absolute bane of our existence at the time because of so many false positives, and the fact that the company was absolutely impossible to reach contact with.

So for them I have nothing but a laugh and a "f*** you".

But it is a bit of a piss off for the traffic produced and the issues it's caused.


Elite

join:2002-10-03
Orange, CT

PWNED!

One word... well, two.

Fucking pwned!
--
QUAD!!!!

Probitas

@teksavvy.com

spamming is no different...

Than a pushy salesman forcing his way into your home.

If you want information, you can normally look it up yourself. SPAMMERS should be shut down the moment they are detected. And that's not even addressing the likelihood that they are spamming phishing emails and such, aiding and abetting fraud.

They got a lot of nerve, and this should be considered a terrorist attack.

newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
kudos:1

1 edit

1 recommendation

The proof is in the pudding

The fact that this is even happening just underscores the contention that Cyberbunker is a spam friendly operation.
I hope they go the way of Cyber Promotions.

doz911

@comcast.net

Re: The proof is in the pudding

I like to see what the scumbags do when the military gets involved!

NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

1 edit

1 recommendation

Disingenuous

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," claims Sven Olaf Kamphuis, who claims to be a spokesman for the attackers.

uh wrong!
1) Spamhaus does not determine what goes and does not go on the Internet. Those who choose to utilize Spamhaus lists determine who they are willing to communicate with.
2) Those who use Spamhaus lists have "deputized" them as their watch dog (sheriff).

"They (Spamhaus) worked themselves into that position by pretending to fight spam."

uh and Cyberbunker worked themselves into their position by what? Being spammer friendly and lying about it?

"Spamhaus has certainly seen its share of controversy for its tactics, and getting yourself delisted after false accusations can be a headache. Still, those who use Spamhaus filters do so voluntarily, and the outfit is most traditionally attacked for the simple reason that spammers, like many Cyberbunker customers, got caught spamming."

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation

Elector

join:2000-05-25
Albany, NY

Re: Disingenuous

You see back then when Stanford Wallace or Spamford Wallace was hitting you with spam drek, Steve Linford was providing a service that any good isp welcomed with open arms. Having your system used to send spam was thought to make an isp money, with the RBL other isp's decided you making money off the backs of others had to be stopped.

I agree with this sort of action, I have fought spammers and spam from the start. I have personally spoken to spam isp's to turn them around, I was often told to mind my own business and when these spam friendly came out to the newsgroups saying some of their customers could not do this or do that my reply was always "too bad-you were warned"

spammers no matter what they try will be purged from the internet.

And Spamhaus has been attacked before and stayed alive. Stupid spammers!
--
Knowledge is a terrible thing to waste. That is why I post when I can.

Elector

join:2000-05-25
Albany, NY

Re: Disingenuous

Sanford Wallace sorry for the "t"

cpsycho

join:2008-06-03
HarperLand

My first static.

When I got my first static IP I checked it and it was on a list. Was not too hard to remove it, just sent them an email. I generally use spamhaus, does a pretty good job.

Packeteers
Premium
join:2005-06-18
Forest Hills, NY
kudos:1
Reviews:
·Time Warner Cable

something was really happening out there

i leave pinggraph running all the time comparing my last mile latency to url's around the USA and noticed problems from late March 20th till early March 27th. i even wasted hours on the phone with my ISP trying to get the ear of a tier-3 networking tech i could email my data to. thankfully it ended before a premise visit was to take place so i cancelled the appointment. but it was just annoying my ISP would not admit anything was going on - that may affect stable routing and latency beyond my region as i'm sure someone at TWCable saw what was happening with the World's internet traffic and elected to leave its customers oblivious to it.

CamtheCat

@sbcglobal.net

Fucking Abhor Spam

It's really quite fucking simple: e-mail spam is a scourge unto the Internet & society itself. Anyone who condones the legitimate endorsement of spam is furthering the corruption of the Web & demoralizing the entire purpose of the Internet. There are few things in this world which I truly loathe, but I believe that those who choose to promote & propagate spam should either repent their ways & apologize, or mercilessly burn & rot in hell, or whichever nearest smoldering bunker. This isn't an issue of "freedom of speech", it's about making the Internet a clean, safe, & efficient place for the betterment of mankind.
Wyngs

join:2010-02-20
Coos Bay, OR

Spamhaus

I have no love for Spamhaus. Every so often I get a notice from them about a bug in my email. But their notice doesn't come in the email. It appears at my phBB forum, and doesn't allow me to post.

I have never done what's supposedly required to get rid of it, and after a few hours it goes away.

Very irritating. Who decided these jokers could come and mess with me like this?