BIGGEST DDoS ATTACK IN HISTORY hammers Spamhaus

Anti-spam organisation Spamhaus has recovered from possibly the largest DDoS attack in history. A massive 300Gbps was thrown against Spamhaus' website but the anti-spam organisation was able to recover from the attack and get its core services back up and running. CloudFlare, the content delivery firm hired by Spamhaus last …

COMMENTS

  1. Thought About IT

    Spamhaus must really be hurting those parasites

    Blimey! Spamhaus must really be hurting those parasites. Good on 'em!

    1. LarsG
      Meh

      Re: Spamhaus must really be hurting those parasites

      Parasites, eh? And you know this for sure because Spamhaus has told you this?

      It's raining gold coins outside, you know this for sure because I told you?

      Two sides to every story my friend.

      1. handle

        Re: Spamhaus must really be hurting those parasites

        If they weren't parasites they would use legal means to get themselves off Spamhaus' block lists, would they not, "my friend"?

        1. moiety

          Re: Spamhaus must really be hurting those parasites

          @handle - that's not necessarily the case. Spamhaus is the reason I can't use a desktop email server (which I started after an important ISP-server email disappeared into the blue costing me a large wad...with a desktop server, it gets delivered, or you get an error message...either way you know whether it got through).

          They do have a very high-handed attitude...it's basically "fuck you if you don't like it; but you're not sending emails from that (ISP's) IP range". And it's not just spammers who are affected. I admit that I'm probably a minority here; but they did put a serious spanner in my day-to-day operations.

          1. pierce
            WTF?

            Re: Spamhaus must really be hurting those parasites

            Your ISP's IP range gets listed if your ISP asks for it to be listed, or if the SPECIFIC IP has been used to spam repeatedly.

            Which part of that is hard to understand?

            1. Bitbeisser
              Unhappy

              Re: Spamhaus must really be hurting those parasites

              "your ISP's IP range gets listed if your ISP asks for it to be listed. or if the SPECIFIC IP has been used to spam repeatedly.

              which part of that is hard to understand?"

              Sorry, but that simply is not true. They will do blanket blacklists of IP ranges that THEY consider (based on outdated IP range lists) to be, for example, "dynamic IP ranges". This is totally unrelated to any actual spam activity but they don't give a f'ing damn to adjust those lists to prevent innocent/legitimate users from being seriously affected by their listings. A lot of those ranges are not valid anymore because they have been re-assigned since "we are running out of IPv4 addresses"...

              But to make it also clear, I do not condone the actions that some people have taken to get back at them. But SpamHaus and a couple other vigilante black list distributors need to make sure they are actually targeting the real bad guys and not just everybody else in "the neighborhood" as well...

              1. itzman

                Re: Spamhaus must really be hurting those parasites

                They may well do, but what is the alternative? Whitelist every single person who parks on an IP address, sends 10,000 spams and then switches off and moves on, with very little traceability?

                The point is by REQUIRING email to go THROUGH a responsible authenticated relay someone is able to STOP ABUSE.

                It's a bit like saying 'I have a Porsche that is capable of driving 140mph in safety up the M1, why am I not allowed to do it?' and the simple answer is, because plenty of people who are not able to do it safely or at all, need to be restricted to what they can in fact handle. Get yourself a race track, or rent someone else's.

                And the answer for mail is the same: you want to run your own mail server? Well, get on a fixed IP address and run it. And preferably not with an ISP that is full of dorks sending penis enlargement pill adverts.

            2. Anonymous Coward
              Anonymous Coward

              Re: Spamhaus must really be hurting those parasites

              As I understand it, Spamhaus adds IP space either because spam originates there, or because it hosts web sites that are being promoted by spam (which in many cases may come from elsewhere such as botnets). They call this 'spam support'. Responsible hosts will generally clear out such spam support services. Some are clueless, and some actively decide to take spammers money in return for 'bullet proof' services - i.e. not pulling the plug for abuse of the AUP.

              In such cases, Spamhaus can escalate blocks - effectively enlarging the range of IP space covered by a block to turn the screw on the host, because it starts to cover their legitimate business customers as well as the spammers on their network. The idea is that miscreant networks will find that they end up losing legitimate customers if they continue to provide service to illegitimate ones.

              One can argue about whether such actions are justified, but ultimately it's up to any network to decide whether it wants to use Spamhaus's lists or not.

              My personal opinion is that Spamhaus does an excellent job, and forcing networks to choose between legit business and spammers is fully justified. It's bad if it affects your company or personal email, but you should vent spleen at your network for whatever spam problem has caused Spamhaus to list them, rather than at Spamhaus.

          2. SleepGuy
            Alert

            Re: Spamhaus must really be hurting those parasites

            It's difficult to run a mail server at home any more due to the lengths mail server administrators must go through to limit incoming spam. Dynamic IP? Sorry, my mail server won't accept your messages. R-DNS or MX doesn't resolve correctly? See ya. Listed on Spamhaus, SpamCop or Manitu? Not takin' your message. Oh yeah, send more messages to my honeypots so my Bayesian filter gets even better....those addresses have been spread far and wide! Throw in a good dose of greylisting, backscatter protection and tarpitting and I manage to block *almost* all incoming spam (which currently makes up 57.5% of my servers' incoming messages). It really does make it rough for the "guy at home" trying to run a mail server though...nobody but the spammers to thank.

            As for getting de-listed from Spamhaus...I've done it, shortly after switching providers a few years ago. It was not a huge deal, I contacted my ISP (again, you probably won't get much help from them with a "consumer" account...I didn't have problems since I have a business-class service) and it was resolved within a day.

            1. Dave Robinson

              Re: Spamhaus must really be hurting those parasites

              You forgot to mention DKIM and SPF :-)

              Difficult to get working, but can be done. Also, it helps if you choose an ISP which doesn't segregate its home and business IP addresses into different ranges. It's not supposed to be easy though.

              One ISP I used in the past would only open port 25 once it had tested the configuration of your mail server to make sure it wasn't an open relay.

            2. AndrueC Silver badge
              Meh

              Re: Spamhaus must really be hurting those parasites

              It's difficult to run a mail server at home any more due to the lengths mail server administrators must go through to limit incoming spam

              I manage it. I'm not running it on a souped up Cray either. Just a Fit-PC2. 1.1GHz of Intel Atom goodness(*) with 1GB of RAM and Windows 7. On a typical day it gets several dozen spam mails sent to it and sometimes a week or two of someone attempting a dictionary attack. Seems to run fine for me. I'll concede that since we use disposable addresses 99.9% of the spam is sent to the bit bucket without ever reaching a user's inbox but since I'm filtering by RCPT TO it still has to be downloaded.

              Good old VPOP3.

              (*)Stop laughing at the back. It consumes less than 10w of power an hour.

              1. Anonymous Coward
                Anonymous Coward

                Re: Spamhaus must really be hurting those parasites

                > but since I'm filtering by RCPT TO it still has to be downloaded.

                If you are filtering by RCPT TO then you don't have to download the message. You just send the "piss off and die" response before the DATA segment arrives.

                1. AndrueC Silver badge
                  Boffin

                  Re: Spamhaus must really be hurting those parasites

                  You're right. I wonder why I'm using redirect to 'no-one' then. I know that I've tried both but had an issue of some kind with the rejection option.
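The exchange the two posters above are describing, as an added example that is not part of the thread: a toy SMTP receiver that refuses an unknown recipient with a 550 at RCPT TO, so the client never gets the 354 go-ahead and the message body is never transferred. The hostname, recipient list and client sessions are constructed for the demo.

```python
# Added example (not from the thread): a minimal SMTP receiver state machine that
# rejects unknown recipients at RCPT TO instead of accepting and discarding later.
# HOSTNAME, KNOWN_RECIPIENTS and the client lines are constructed for the demo.

HOSTNAME = "mx.example.test"                                   # constructed
KNOWN_RECIPIENTS = {"alice@example.test", "bob@example.test"}  # constructed


def new_state():
    return {"helo": False, "sender": None, "rcpts": [], "in_data": False,
            "body": [], "rejected": 0}


def handle_line(state, line):
    """Process one client line; return (server_reply_or_None, state)."""
    if state["in_data"]:
        # Only reachable after a 354, i.e. after at least one accepted RCPT TO.
        if line == ".":
            state["in_data"] = False
            return "250 2.0.0 Ok: queued", state
        state["body"].append(line)           # the part we wanted to avoid downloading
        return None, state
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        state["helo"] = True
        return f"250 {HOSTNAME}", state
    if verb == "MAIL":
        if not state["helo"]:
            return "503 5.5.1 Send HELO/EHLO first", state
        state["sender"] = arg.split(":", 1)[-1].strip().strip("<>")
        return "250 2.1.0 Ok", state
    if verb == "RCPT":
        if state["sender"] is None:
            return "503 5.5.1 Need MAIL command", state
        addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
        if addr not in KNOWN_RECIPIENTS:
            state["rejected"] += 1
            # Rejecting here is the cheap point: no 354, no body, no queue entry.
            return "550 5.1.1 Recipient address rejected: User unknown", state
        state["rcpts"].append(addr)
        return "250 2.1.5 Ok", state
    if verb == "DATA":
        if not state["rcpts"]:
            return "554 5.5.1 No valid recipients", state
        state["in_data"] = True
        return "354 End data with <CR><LF>.<CR><LF>", state
    if verb == "QUIT":
        return "221 2.0.0 Bye", state
    return "502 5.5.2 Command not implemented", state


def run_session(client_lines):
    """Drive the receiver with a scripted client.

    Returns (transcript, body_lines_received, recipients_rejected).
    """
    state = new_state()
    transcript = [f"S: 220 {HOSTNAME} ESMTP"]
    for line in client_lines:
        transcript.append(f"C: {line}")
        reply, state = handle_line(state, line)
        if reply is not None:
            transcript.append(f"S: {reply}")
    return transcript, len(state["body"]), state["rejected"]


if __name__ == "__main__":
    # Constructed spam-bot session: unknown recipient, then it tries DATA anyway.
    bot = ["EHLO bot.example.invalid", "MAIL FROM:<pills@example.invalid>",
           "RCPT TO:<nobody@example.test>", "DATA", "Subject: cheap pills",
           "", "buy now", ".", "QUIT"]
    for entry in run_session(bot)[0]:
        print(entry)
```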

              2. Nigel 11
                Headmaster

                (*)Stop laughing at the back. It consumes less than 10w of power an hour.

                You mean it runs on just ten Watts. A Watt is a unit for the rate of use of energy. What you pay for are units of energy. You could have said 0.01 kw/h per hour ... perverse but correct.

                BTW I run an Atom server as well, though I'm wondering if it should morph into a Raspberry Pi soon.

              3. Anthony Hegedus Silver badge

                Re: Spamhaus must really be hurting those parasites

                Sounds good, do you use it to send outgoing mails too? I run an SME server linux distro at home and have absolutely no problems with spam - yes, we get a few, but no more than with other providers. Having said that, I won't even bother to let it send mail out directly, as I'm using a BT dynamic address. And yes, I use a dynamic DNS service.

                Don't you mean "it consumes less than 10w"? Sorry...

              4. Anonymous Coward
                Anonymous Coward

                Re: Spamhaus must really be hurting those parasites

                "Stop laughing at the back. It consumes less than 10w of power an hour."

                Either your power consumption will soon rise to destroy us all, or your server uses 10W of power - full stop.

          3. jonathanb Silver badge

            Re: Spamhaus must really be hurting those parasites

            My static IP from O2 was on the PBL, but I filled in the form to have it removed, and it was removed in about 30 mins.

          4. Franklin
            Thumb Down

            Re: Spamhaus must really be hurting those parasites

            "@handle - that's not necessarily the case. Spamhaus is the reason I can't use a desktop email server (which I started after an important ISP-server email disappeared into the blue costing me a large wad...with a desktop server, it gets delivered, or you get an error message...either way you know whether it got through)."

            No, Spamhaus is not the reason you can't use a desktop email server. Spamhaus doesn't prevent you from doing so; it simply lists your desktop email server for what it is, and other folks choose not to accept email from it.

            Let's put the blame where it belongs. It is not Spamhaus' fault you can't do what you want; it's the SPAMMERS' fault you can't do what you want. I'm sure you're 100% legit and would never send unwanted commercial email, but for almost everyone else running desktop email servers--sometimes without their knowledge or consent--that is most decidedly not the case. The collective Internet has finally thrown up its hands and said "enough."

            Spammers are why we can't have nice things. Blame them. They're the villains here.

            1. Wayland Sothcott 1 Bronze badge

              Re: Spamhaus must really be hurting those parasites

              It's about power and control. Spamhaus have achieved a powerful position and can now effectively decide who can send email and who cannot. They must use this power responsibly. There used to be a time when SMTP was a system that forwarded email for anybody needing it. Those open SMTP servers have been secured due to abuse by spammers.

              1. launcap Silver badge
                FAIL

                Re: Spamhaus must really be hurting those parasites

                >It's about power and control. Spamhaus have achieved a powerful position and can now effectively decide >who can send email and who cannot. They must use this power responsibly. There used to

                Wrong on soooo many levels. Spamhaus publish an RBL. It's up to server owners and ISPs to decide whether they use it or not.

            2. launcap Silver badge
              Stop

              Re: Spamhaus must really be hurting those parasites

              >Let's put the blame where it belongs. It is not Spamhaus' fault you can't do what you want; it's the SPAMMERS' >fault you can't do what you want. I'm sure you're 100% legit and would never send

              Indeed. And while we are at it - all those mailservers that don't bother checking the SPF entries to see if an IP address is allowed to send mail for a domain - well - you are the ones causing me to get hundreds of bounce messages to my home domain because the spamming scum are forging emails that look like they are coming from my domain. And no, my server isn't cracked. No, my home machines are not running any worms or trojans. If the mail servers bother to check the source IP, they'll find it's a US IP address (mostly) and NOT AUTHORISED TO SEND EMAILS PURPORTING TO BE FROM MY DOMAIN!

              Bah. It's almost enough to make you want to nuke the source IP.

            3. itzman

              Re: Spamhaus must really be hurting those parasites

              Exactly so.

              If you want to control your mail, do what I did: get a virtual server on a fixed IP address that is yours and yours alone, set it up as an SMTP receiver and (authenticated) relay, and use it.

              THEN when 70% of your incoming mail is from spambots, do what I also did: configure it to use Spamhaus and watch the spam reduce by a factor of 8.

              You might also do as I did and monitor its logs to see what is being junked. After a week's worth of logs were picked through line by line, I never found ONE SINGLE valid email that was rejected.

              Compare and contrast Google mail, which routinely rejects mail I send to people on a mailing list 'because there are too many recipients on the bcc: list', i.e. it is unable to tell whether a mail addressed to many people who are NOT mentioned in the To: line for privacy reasons is spam or genuine desired mail.

          5. ShelLuser
            Stop

            @moiety

            Spamhaus is the reason I can't use a desktop email server

            Uhm, and the fact that many MTA admins, myself included, have turned on the demand for an associated PTR record before incoming mail is accepted has nothing to do with that?

            Sorry but I think you make a bogus argument; chances are very high your desktop MTA also wouldn't be able to drop mail to any of my servers, AOL's servers, Microsoft's Hotmail / Outlook servers (these also start to adopt the Sender Policy Framework btw) and most likely Verizon's.

            Even without the help from Spamhaus. Simply because your IP most likely doesn't meet quite a few demands.

          6. Anonymous Coward
            Anonymous Coward

            Re: Spamhaus must really be hurting those parasites

            And it should be pointed out they are a commercial organisation. They have two companies registered, one is the charity, the other is the business - which is now very powerful and can dictate whoever remains online or not... ironically their profit-earning business (which is very lucrative) sends out huge data-streams, a lot of which are considered spam. :)

          7. Havin_it
            IT Angle

            Re: Spamhaus must really be hurting those parasites

            @moiety, if you were trusting your ISP to handle any part of the sending, receiving or even whispering loudly about your email, when said email could have an, er, "large wad" riding on it, then consider it a salutary lesson that I should think many of us here have learned to our cost in our early days. ISP-provided mail services, even down to outgoing relays, are a horrible liability.

            And WTF is a "desktop email server"? Serious question.

            1. Anonymous Coward
              Anonymous Coward

              "And WTF is a "desktop email server"? Serious question."

              It's an email server run on a desktop computer. The clue is in the name.

            2. Wayland Sothcott 1 Bronze badge

              Re: Spamhaus must really be hurting those parasites

              Exactly his point. I run a 'desktop' email server. Actually a Linux box but to send to AOL I have to set my smarthost to my ISP SMTP. Email arrives at people's inboxes much quicker if I send it directly from my server. I just need a way of redirecting only those that must go through my ISP.

              1. Lyndon Hills 1
                Thumb Up

                Re: Spamhaus must really be hurting those parasites

                I just need a way of redirecting only those that must go through my ISP.

                Functionality built into sendmail. I do the same thing, and I have a half-dozen domains that I regularly send to that go through my ISP, the rest gets sent direct.

          8. PyLETS
            Boffin

            Desktop mail server

            You can certainly run a mail server on a desktop if you wish, but you'd do well to relay outgoing email from it through a smarthost which Spamhaus doesn't block, e.g. your ISP's smarthost, and which doesn't block you due to not knowing your address as one of theirs or if it can't authenticate you, or due to you sending more than the smarthost operator policy allows. It also helps greatly if you have a static IP address, or one which changes very, very infrequently, for incoming mail. You'll have to ensure the incoming domain MX record is pointed at your IP address, preferably dynamically if your IP changes.

            I've done this experimentally and successfully for small volumes for years, but I put my production email server and services for non-experimental work on a £15/month hosted virtual machine which has a static IP. I use the production email server as my own smarthost, and use authenticated SMTP from my home system to relay outgoing.

          9. Anonymous Coward
            Anonymous Coward

            Re: Spamhaus must really be hurting those parasites

            "Spamhaus is the reason I can't use a desktop email server"

            Bull. You can most certainly run your own server to accept mail for your domain - I don't think there is anybody using ANY DNS RBL to filter where they send mail TO.

            And for sending outbound email - if you cannot configure your email server to use a smart relay to another server, such as your ISP's server, then you probably aren't going to configure your mail server correctly in other areas, such as relaying spam.

      2. Turtle

        @LarsG: Re: Spamhaus must really be hurting those parasites

        "Two sides to every story my friend."

        Well, let's hear your side.

        1. Slabfondler
          Coat

          Re: @LarsG: Spamhaus must really be hurting those parasites

          I bet @LarsG's side starts with "Do you want to earn £££'s working from home?"

          Mine's the one with no canned meat in the pocket.

      3. N2 Silver badge

        Re: Spamhaus must really be hurting those parasites @ LarsG

        Tosser - that's all

      4. Shannon Jacobs
        Holmes

        Re: Spamhaus must really be hurting those parasites

        The gold coins are closer to the nut than you apparently realize. I'm not saying that you can somehow remake the spammers into decent human beings. I'm saying that if you take away their "gold coins", then most of them would crawl under less visible rocks. That is why I think there should be a larger focus on breaking the spammers' business models at the downstream end, not upstream where Spamhaus and Microsoft have been firing their big cannons.

        The usual numeric analysis focuses on the small return ratio of the spammers, but we should think of it differently. The key ratio is the LARGE number of people who hate spam versus the SMALL number of suckers who feed the spammers. What we need are better tools to allow the large number of spam-haters to more actively cut the spammers away from their small number of suckers and victims. Given how much value it would add to their email systems (and Yahoo should be especially desperate for value these days), I really don't understand why they don't integrate such tools into their email systems.

        Let me pick a really trivial example, the spammers who are using link shorteners from LinkedIn and Twitter to route their suckers. They are obviously doing this because the links last long enough to reach some suckers, so the obvious countermeasure is to negate those links more quickly. (Actually, cutting the links would be less effective than redirecting them at some webpage that would educate or scare the suckers who have clicked on them.) The email system should have a mechanism to report the problem, perhaps even with an incentive if you're the first annoyed person to report the link.

        Am I the only person who would like to feel I am personally making the spammers' miserable lives even more miserable? I don't think so--but it wouldn't take too many people like me with better spam-fighting tools to really cut the spammers.

        1. PyLETS
          Boffin

          @Shannon Jacobs

          "That is why I think there should be a larger focus on breaking the spammers' business models at the downstream end, not upstream where Spamhaus and Microsoft have been firing their big cannons."

          Fully agree with you there.

          "What we need are better tools to allow the large number of spam-haters more actively cut the spammers away from their small number of suckers and victims."

          I've worked on developing anti-spam tools for some time. A problem here is that the primary motivation for doing so is to get a cleaner message stream without losing wanted messages. Putting spammers out of business has to be secondary to this primary objective. Spamhaus have done excellent research here also, which has led to prosecutions and jail terms. But the need to have a very low false positive rate means some false negatives inevitably get through, enough probably for the small proportion of suckers to support the spammer business model.

          So I agree with what you are trying to achieve, but I think this probably needs to be recast as a social, educational and legal solution, because it probably can't be handled as a technical model without very major changes to the email model as it now exists. It might become possible to do more of the latter in the sense of requiring much higher authentication and reputation lookup standards when accepting SMTP over IPv6, and then everyone gradually letting IPv4 SMTP become marginalised before switching it off entirely.

          1. Turtle

            @PyLETS: A possible solution to the problem of spam.

            "I've worked on developing anti-spam tools for some time."

            I have another - possible - solution.

            The crux of the matter is that spam is basically cost-free to the sender. Imagine an ISP or email service that would let a user send out, say, 5,000 emails a month for free. (That's an arbitrarily-chosen number, used for the sake of illustration.) After that allowance is exhausted, the user must pay - again, using an arbitrarily-chosen figure - a penny for each additional 100 emails.

            5,000 emails is a lot of email but many, many orders of magnitude less than what a spammer needs to send in order to make a profit.

            Now imagine if several such ISPs allowed their users the option to only accept email from similar ISPs/email services. Spam would no longer be cost-free to the spammer, and spam sent from non-participating ISPs/email services would be immediately rejected. (Not even returned to sender; just consigned to the bit bucket.)

            This is not a complete plan, obviously, (and Microsoft had the idea of charging a very nominal sum for sending emails quite a few years ago), but considering the huge number of spamming emails that must be sent in order to make any money for the spammer, I would think that this would seriously reduce and might even come close to eliminating spam.

      5. Grikath Silver badge

        Re: Spamhaus must really be hurting those parasites @ LarsG

        let's see....

        A DDOS attack this size takes time, effort and $$.

        Spamhaus provides a service which hurts a rather infamous sector of the intarwebs, and seriously helps quite a number of operators to keep the headache down to a minimum.

        This sector, by all accounts over the last two decades, has proven to be very profitable for people with the proper mercenary attitude.

        Even the Big Ten of monopolist bad guys nowadays have not garnered enough ärger to get the fanatics up on the barricades for something this size. If Anonymous, or any other activist society, could ever agree on [something] they might take a shot, but at the moment it simply isn't there.

        If it isn't the "Good Guys" , then it's the Opposition. Occam's Razor, a close shave every time.

      6. Anonymous Coward
        Anonymous Coward

        Re: Spamhaus must really be hurting those parasites

        Back to your penis pills LarsG and let the adults talk

      7. boltar Silver badge
        FAIL

        @LarsG

        Looks like you're heading for the biggest downvote in history. Not quite up there with the biggest spam attack but nonetheless, quite impressive.

      8. Ryan Kendall
        Facepalm

        Re: Spamhaus must really be hurting those parasites

        Two sides, eh?

        You mean those spam emails really could make my member bigger ???

        :-)

      9. This post has been deleted by its author

      10. asdf Silver badge
        Trollface

        Re: Spamhaus must really be hurting those parasites

        Wow triple digit downvotes. Impressive. Guess defending whatever shady ISP you work for wasn't the best of ideas.

  2. Anonymous Coward
    Anonymous Coward

    Hmmm...

    Can't say my Internet access is any slower than normal...

  3. mark 63 Silver badge
    Coat

    OUCH - beaten to it by the Daily mail

    Dailymail___ 16:57, 27th March 2013

    TheRegister_ 17:03, 27th March 2013

    1. koolholio
      FAIL

      Dave Lee of the BBC - last updated ... 27 March 2013 @ 13:03

      1. Psyx
        Pint

        Well, yeah... seeing as the article cited both the BBC AND the NYT., it's fairly safe to say that both were up first... or El Reg's hacks can see into the future. Which they can't because they'd be down the dog track if they could.

    2. Greg J Preece

      I'd rather have the better written article than the one slapped together fastest. Why exactly is being first to break the story important? The Beeb had it up before El Reg, but their tech reporting is usually spectacularly inept.

      1. petef

        Quite. The BBC reckon that a gigabit is spelt gb.

      2. Duffaboy
        FAIL

        This is how news works

        They all read each other's sites and gather the stories from there, or ignore the hot stuff that gets sent to them, e.g. infected eBay ads a year or so ago, 'cause that wasn't news, was it El Reg.

    3. taxman
      Big Brother

      But

      both beaten by Auntie at 27 March 2013 Last updated at 13:03.

      But it just goes to show what is going on out there and probably a sign of things to come. I wonder if my boss will be glad I insisted our DDoS solution to give protection against R-DNS attacks in addition to the usual Layer 3/4 and 7 attacks.

      And there will have to be some re-writing of vendors material now. 300?! mighty big stuff.

      1. taxman
        Facepalm

        Re: But

        and beaten by koolholio myself ;)

      2. Anonymous Coward
        Anonymous Coward

        Re: But

        Crucially, does the solution you've chosen also protect against Layer 8 attacks?

        1. taxman

          Re: But

          Those will always be a problem, and always at the top of the pile! So many PICNICs

        2. Allan George Dyer Silver badge
          Headmaster

          Re: But

          Too many layer 8 devices have buggy software, and they are notoriously difficult to re-program.

      3. Destroy All Monsters Silver badge
        Paris Hilton

        Re: But

        > I insisted our DDoS solution to give protection against R-DNS attacks

        How do you do that? Warping to hyperspace?

        1. Greg J Preece

          Re: But

          How do you do that? Warping to hyperspace?

          No, silly. You re-align the deflector dish*, vent plasma from the nacelles** and, if all else fails, dump the warp core.***

          *Take a shot

          **Take another one

          ***Down the bottle

        2. itzman

          Re: But

          easy. don't run DNS servers..

    4. Senior Ugli

      Also the Mail's headline would be something like

      "CYBER TERRORISM SPAMMERS SEND AIDS OVER WIFI AND HAVE THE POWER TO CLOSE THE INTERNET, PANIC BUY NOW AND LOCK YOUR DOORS AND SHUT YOUR EYES"

  4. dz-015

    "The blacklists supplied by the not-for-profit organisation are used by ISPs, large corporations and spam filtering vendors"

    And small businesses, and individuals who run their own mail servers.

    1. Duffaboy
      Joke

      If only

      Hey, I never get spam in my inbox, got to go, I've got a ton of email to delete.

  5. asdf Silver badge
    Thumb Up

    big picture

    In the scheme of human affairs there are great men who come along once a generation and change the course of history for the positive and then there is the human equivalent of gum stuck under a bus stop bench who peddle penis pills. The key function of society is to encourage the former and make life hell for the latter as much as possible. Keep up the good fight Spamhaus!

  6. Jop
    Black Helicopters

    Thought you had to have control of your own DNS server to pull off this type of amplification attack but that is trivial anyway. CloudFlare will be able to write a nice rule to protect against this in the future.

    Such a waste of a good attack, obviously someone got upset to the point of rage-ing hard!

    Standard DNS has done us well but it's time to move on and get rid of some of the known issues.

    1. Dave Pickles

      "Standard DNS has done us well but it's time to move on and get rid of some of the known issues."

      Spamhaus (and other RBL providers) are vulnerable to DNS attacks because they use a version of the DNS protocol. If I receive an SMTP connection from 12.34.56.78 and want to know if this host is spamacious, I send a reverse-lookup request for that IP address to the Spamhaus servers; a positive response means that the address has been seen spreading spam so I can drop the connection without having to handle the message. Unfortunately because the protocol and ports are the same as DNS, the same attacks also work.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        > I send a reverse-lookup request for that IP address to the Spamhaus servers;

        Why do you do that? You just need to ask spamhaus about whether the IP is smelly (doesn't work with the larger and evasible IPv6, I would think). Knowing the symbolic name for that IP is uninteresting. Maybe a traceroute would be of interest. If the trace shows you are vectoring into the vicinity of NETHER.REGION.ZONE and the IP's address name is HOUSE.WITH.TASTY.BEER.COM, your trust levels should drop....

        > Spamhaus (and other RBL providers) are vulnerable to DNS attacks because they use a version of the DNS protocol.

        I think someone is confused, not sure it's me.

        1. Dave Pickles

          The point I am (maybe not perfectly) making is that the process of asking Spamhaus about the spamicity of an IP happens to use the DNS protocol, which unfortunately leaves it open to DOS tactics created to attack 'real' DNS servers. See for example http://en.wikipedia.org/wiki/DNSBL

        2. Malcolm Weir Silver badge
          Angel

          No, it is you.

          What the blacklists do is use the Reverse DNS request as a well-defined protocol for sending a query to obtain more information about the IP address. Under no circumstances does the RBL supplier actually provide Reverse DNS information, merely whether or not they have reason to believe the IP address is associated with spam.

          So rather than asking "who is 12.77.1.2?" expecting the answer "HOUSE.WITH.TASTY.BEER.COM", the DNS query to Spamhaus returns "Contains Processed Pork" or "dunno, never 'eard of 'im".

          1. Destroy All Monsters Silver badge
            Holmes

            I see.

            But that is not actually a "reverse DNS" (nor inverse DNS), it's just DNS, i.e. "interrogate a database at spamhaus, which happens to be a DNS database": You query some record (maybe a TXT) for e.g. "88.77.12.12.isbad.spamhaus.org", which is answered by the spamhaus DNS server exclusively.

            No delegation via the arpa domain or anything.
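
The lookup the three posts above describe, as an added example that is not part of the thread: the connecting client's address is reversed (octets for IPv4, nibbles for IPv6, the RFC 5782 layout) under the list's zone, and an A record in 127.0.0.0/8 means "listed". The zone name `dnsbl.example` and the zone contents are constructed so the code runs offline; the `resolve` callable is a stand-in for a real A lookup.

```python
import ipaddress
from typing import Callable, List, Optional

# Constructed zone name for this example; a real DNSBL publishes its own zone.
DNSBL_ZONE = "dnsbl.example"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(address: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed octets (IPv4) or reversed
    hex nibbles (IPv6, RFC 5782 layout) under the list's zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = ip.exploded.split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))  # 32 hex nibbles, one per label
    return ".".join(reversed(labels)) + "." + zone


def classify_answers(answers: Optional[List[str]]) -> str:
    """Interpret the A-record answer for a DNSBL name.
    None/empty = NXDOMAIN or NODATA (not listed); 127.0.0.0/8 = listed, with the
    low octets carrying the list's own reason code; anything else (e.g. a resolver
    that rewrites NXDOMAIN to a search page) is an error and must NOT count as a
    listing, or every client would be rejected."""
    if not answers:
        return "not_listed"
    codes = [ipaddress.ip_address(a) for a in answers]
    return "listed" if all(c in LISTED_RANGE for c in codes) else "error"


# Constructed zone contents standing in for the DNSBL's authoritative server.
# 127.0.0.2 is the RFC 5782 "always listed" test address; 127.0.0.1 is never listed.
CONSTRUCTED_ZONE = {
    dnsbl_query_name("127.0.0.2"): ["127.0.0.2"],
    dnsbl_query_name("12.34.56.78"): ["127.0.0.2", "127.0.0.4"],  # listed for two reasons
    dnsbl_query_name("2001:db8::bad"): ["127.0.0.3"],
    dnsbl_query_name("203.0.113.9"): ["192.0.2.80"],  # bogus non-127 answer
}


def constructed_resolver(name: str) -> Optional[List[str]]:
    """Stand-in for an A lookup against the constructed zone; None means NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


def smtp_client_verdict(client_ip: str,
                        resolve: Callable[[str], Optional[List[str]]] = constructed_resolver) -> str:
    """What the MTA does with a connecting client: reject listed addresses,
    accept unlisted ones, and on a broken lookup fail open (accept, flagged)
    rather than bounce legitimate mail."""
    status = classify_answers(resolve(dnsbl_query_name(client_ip)))
    return {"listed": "reject", "not_listed": "accept", "error": "accept_unverified"}[status]


if __name__ == "__main__":
    for ip in ("12.34.56.78", "127.0.0.1", "2001:db8::bad", "203.0.113.9"):
        print(ip, "->", dnsbl_query_name(ip), "->", smtp_client_verdict(ip))
```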

          2. Anonymous Coward
            Anonymous Coward

            > "Contains Processed Pork"

            Are you sure it's not horse?

            1. Anonymous Coward
              Coat

              "Are you sure it's not horse?"

              Neigh...

    2. ilmari

      How do you implement these kinds of rules? You need to get them far enough upstream so that your links don't get saturated, but the further up you go the more reluctant the admins become of doing any filtering.

      As for spamhaus itself using dns this or that, it's wholly irrelevant to whether they'd be vulnerable to this attack or not. They'd be just as vulnerable to this attack if they had 0 computers, 0 servers and 0 services on offer on their line.. their line would still get saturated by the traffic.

    3. Alan Brown Silver badge

      "Thought you had to have control of your own DNS server to pull off this type of amplification attack"

      Nope. Just send requests.

      It should be mentioned that running open DNS servers has been regarded as bad practice for as long as running open mail relays has. I locked mine down nearly 20 years ago when I found an organisation leeching off 'em instead of running their own one.

  7. ShelLuser
    Pirate

    I hope we can all agree...

    That actions such as these prove once again that DDoS attacks should never be recognized as free speech.

    Or perhaps someone can explain the protest aspect here, esp. given that we're dealing with a non-profit organisation here which most likely can now look forward to a massive increase in its monthly bill due to extra traffic.

    DDoS is lame IMO, plain and simple.

    1. asdf Silver badge
      Trollface

      Re: I hope we can all agree...

      >DDoS is lame IMO, plain and simple.

      And it points out the flaws in using a 30+ year old network protocol no matter how well designed it was originally. Still the successor is a big pile of shit in many ways imho.

      1. Alan Brown Silver badge

        Re: I hope we can all agree...

        "And it points out the flaws in using a 30+ year old network protocol no matter how well designed it was originally. Still the successor is a big pile of shit in many ways imho."

        As with ICMP attacks this can be mitigated by incorporating throttling into the NS server code. No legit IP will be making more than 1 request per second for the same information for starters, and very few will be making hundreds of requests per second, thanks to long-established caching algorithms.

        The hard part is getting people to actually implement fixes/tweaks.

        1. Charles 9 Silver badge

          Re: I hope we can all agree...

          That won't work in this case as the attack was distributed. Even if you limit requests to 1 per second, the attack contacted SEVERAL THOUSAND of them at once in a barrage. Think of it like this. You tell a few of your buds you're having a party. Each of them tells a bunch of THEIR friends; next thing you know, you don't have a refrigerator (or perhaps house) big enough to accommodate the party.

          1. Anonymous Coward
            Anonymous Coward

            Re: I hope we can all agree...

            > That won't work in this case as the attack was distributed.

            The attack spoofed Spamhaus IP addresses so although the requests came from multiple sources, to the DNS servers it would appear that they all came from the same small group of IPs so response throttling would have worked.
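
The throttling Alan Brown proposes, keyed the way the reply above implies (by the address the responses go to, not the address the packets come from), as an added example that is not part of the thread. It follows the general shape of response rate limiting in authoritative servers such as BIND and NSD, including the "slip" idea of sending every n-th excess answer truncated so a real resolver retries over TCP while a spoofed victim gets one tiny packet; the limits, prefix lengths and the traffic are constructed, not taken from any real server.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple


class ResponseRateLimiter:
    """Rate-limit identical responses per client prefix per second.

    responses_per_second: identical answers allowed per prefix per second.
    slip: every slip-th excess response is returned truncated (TC=1) instead of
    dropped; a genuine resolver retries over TCP, which a spoofer cannot complete.
    """

    def __init__(self, responses_per_second: int = 5, slip: int = 2) -> None:
        self.responses_per_second = responses_per_second
        self.slip = slip
        self._counts: Dict[tuple, int] = defaultdict(int)

    @staticmethod
    def _client_key(src_ip: str) -> str:
        # Aggregate by /24 (IPv4) or /56 (IPv6) so varying the low bits of a
        # forged source address does not buy a fresh allowance.
        ip = ipaddress.ip_address(src_ip)
        plen = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{src_ip}/{plen}", strict=False))

    def decide(self, ts: float, src_ip: str, qname: str, qtype: str) -> str:
        """Return 'answer', 'slip' or 'drop' for one query at time ts (seconds)."""
        key = (int(ts), self._client_key(src_ip), qname.lower().rstrip("."), qtype.upper())
        self._counts[key] += 1
        n = self._counts[key]
        if n <= self.responses_per_second:
            return "answer"
        excess = n - self.responses_per_second
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"


# Constructed traffic: 50 identical ANY queries inside one second whose source
# is forged to the victim prefix (198.51.100.0/24, a documentation range), mixed
# with three distinct queries from a legitimate resolver at 10.0.0.5.
CONSTRUCTED_QUERIES: List[Tuple[float, str, str, str]] = [
    (i * 0.01, "198.51.100.7", "bigzone.example", "ANY") for i in range(50)
] + [
    (0.20, "10.0.0.5", "www.example", "A"),
    (0.30, "10.0.0.5", "mail.example", "MX"),
    (0.40, "10.0.0.5", "example", "TXT"),
]


def run(queries, limiter: ResponseRateLimiter = None) -> Dict[str, int]:
    """Tally what the limiter does with each query. The forged flood is cut to
    responses_per_second answers plus a trickle of truncated replies, while the
    legitimate resolver's distinct queries are all answered. A flood that rotates
    the forged source across many prefixes is not caught here; that is what
    source-address filtering at the originating networks is for."""
    limiter = limiter or ResponseRateLimiter()
    tally = {"answer": 0, "slip": 0, "drop": 0}
    for ts, src, qname, qtype in queries:
        tally[limiter.decide(ts, src, qname, qtype)] += 1
    return tally


if __name__ == "__main__":
    print(run(CONSTRUCTED_QUERIES))  # {'answer': 8, 'slip': 22, 'drop': 23}
```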

      2. Turtle

        Re: I hope we can all agree...

        "And it points out the flaws in using a 30+ year old network protocol no matter how well designed it was originally. "

        Quite. In spite of what some people say, the internet is *already* broken.

        1. Destroy All Monsters Silver badge
          Trollface

          Re: I hope we can all agree...

          > 30+ year old network protocol

          Let me guess - you are younger than that and out to redo the world in your lifetime?

    2. Psyx

      Re: I hope we can all agree...

      "That actions such as these prove once again that DDoS attacks should never be recognized as free speech."

      Of course they can't. Any more than physically gagging someone could be.

      1. Destroy All Monsters Silver badge
        Trollface

        Re: I hope we can all agree...

        Not free speech, but loud speech.

        1. P. Lee Silver badge

          Re: I hope we can all agree...

          "Loud speech" as in someone repeatedly yelling, "spam, spam, spam..."

          I wonder if there might be a need for a list of open DNS servers which people could use to populate a block-list?

          I sometimes wonder at such silliness. A bank or shop might lose money in a DDOS event, but if you don't get an updated open-relay list for a few hours, are you really going to hurt, or change providers?

    3. Anonymous Coward
      Anonymous Coward

      Re: I hope we can all agree...

      It's not a not-for-profit outfit... they have a very lucrative business going, and hiding behind their not-for-profit marketing is great stuff for ignorant news outlets:

      Spamhaus Logistics Corp. - that's registered in the Seychelles

      The Spamhaus Project Ltd - this is the not-for-profit one registered in the UK

      Spamhaus Technology Ltd. - a UK commercial company - this is the data services part

      The Spamhaus Whitelist Co. Ltd. - Jersey

      The Spamhaus Foundation - Liechtenstein

      There's a reason the founder spends his time living in Monaco (a tax haven) and his companies are registered in countries which are also considered tax havens.

  8. nigel 15
    Stop

    cyberbunker

    For some reason this story omits the link to cyberbunker the rouge dutch host that spamhaus recently blacklisted.

    1. Anonymous Coward
      Anonymous Coward

      Re: cyberbunker

      hopefully they (?good guys) 'cut the cables' - internet and power!

      1. Will Godfrey Silver badge
        Thumb Down

        Re: cyberbunker

        All that would do would be to prevent them from cancelling the botnet command.

    2. Anonymous Dutch Coward
      Coat

      Re: cyberbunker

      Rouge. Dangerous stuff. You just never know how it looks on you until you put it on.

      And then perhaps the colour is not entirely to your taste and you feel you have to buy more rouge.

      1. gollux
        Mushroom

        Re: cyberbunker

        And also really useful as a buffing wheel compound for producing a really high polish on metal!

  9. J.G.Harston Silver badge
    Mushroom

    But the whole point of the design of the Internet is that it does this sort of self-repairing rerouting. It was designed to survive chunks being taken out by a fricking nuclear bomb, for crissakes!

    1. Anonymous Coward
      Anonymous Coward

      Ah yes, the old trope

      I've heard this claim so many times, and yet, I can't convince myself that it is true. Let's say MAE-East gets vaporized. A whole bunch of BGP geeks feel a stirring in their trousers, and the network reconverges on new routes. Or does it? Have there been real, documented incidents where major chunks of the net infrastructure went offline and yet the Internet survived?

      1. Don Jefe

        Re: Ah yes, the old trope

        I don't really buy it either. All the testing is modeled so no one really knows what would happen. All I can say is things like the DDoS being discussed happen & it slows everyone down & all the infrastructure is still there. If significant portions were gone I can't imagine it would show well.

        That being said though, if significant portions of the infrastructure were gone there would be much larger things to concern oneself with than backups, games and cat videos....

      2. M Gale

        Re: Ah yes, the old trope

        I think a bunch of incidents involving ship anchors and nefarious divers have proven that the Internet does route around damage.

        Not saying the alternate routes won't get flooded, but the theory is proven and works.

    2. Anonymous Coward
      Anonymous Coward

      "But the whole point of the design of the Internet is that it does this sort of self-repairing rerouting. It was designed to survive chunks being taken out by a fricking nuclear bomb, for crissakes!"

      No, the Internet was not designed that way. The protocols were. You can build a very weak and dangerous building with the best quality steel.

  10. ratfox Silver badge
    FAIL

    Hey, Cyberbunker

    Thanks for proving our point!

    --Spamhaus

  11. Anonymous Coward
    Anonymous Coward

    What's reverse DNS got to do with it?

    What's reverse DNS got to do with it?

    This is reflected DNS which is a UDP problem that fills your pipes and is nothing to do with someone killing your own DNS servers (although they may well be inaccessible as a result). It's a bitch to protect against and relies on poorly configured third-party DNS servers and really it's only a problem that either those server owners (fat chance) or carriers can do anything about unless you're a web monster with a large and distributed infrastructure.

    1. Anonymous Coward
      Anonymous Coward

      Re: What's reverse DNS got to do with it?

      The attack blocked Spamhaus's pipes (as you say) by redirecting lots of DNS traffic (zone files) to them from open DNS servers. This blockage meant that Spamhaus were not able to respond to 'spam queries' from customers. The spam queries are in the form of a reverse dns (not used as a reverse dns but using the same protocol/structure etc). Hence the reference to reverse dns.

  12. This post has been deleted by its author

  13. Tim Starling

    Source IP filtering

    Open resolvers are a problem. But so are the transit providers who are failing to filter the source IP addresses of traffic entering their network. If more providers did this, there would be fewer zombies capable of forging source IPs.

    1. Alan Brown Silver badge

      Re: Source IP filtering

      By the same token, spam is only going to start coming under control when more attention is paid overall to what's leaving the network than to filtering the crap that's coming in because nobody else bothers.

      Outfits like spamhaus are only the start of what's needed.

  14. Inachu
    Mushroom

    Only silly immature mama boys run mail servers in moms basements.

    The poor kids never leave the house.

    Hey mail spammers does your mom know you are sending porn spam to millions of people?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Only silly immature mama boys run mail servers in moms basements.

      WUT?

    2. This post has been deleted by its author

  15. Dazed and Confused Silver badge

    Filtering spoofed packets

    I've never really understood why ISPs make it so easy to spoof packets. You generally know what blocks of IP addresses you should have coming in on what lines. If some miscreant is injecting packets with spoofed source IP addresses ISPs should block them.

    It wouldn't take much for the ISPs to filter out these packets coming in from their customers.

    Peering links might be more difficult, but if the packets weren't allowed in in the first place would be a start.

    The only downside I can see is overhead of filtering, which is surely insignificant compared with all the shit the government wants to add, and stopping people surreptitiously bonding multiple uplinks, which I wouldn't think was too common nor something most ISPs wanted to encourage.

    1. Tim Starling

      Re: Filtering spoofed packets

      There is a hint of an answer at http://mailman.nanog.org/pipermail/nanog/2013-March/057235.html

      1. Dazed and Confused Silver badge

        Re: Filtering spoofed packets

        Thanks Tim,

        That's a good posting, basically saying exactly what I've been saying for years.

        The difficulty isn't technical so much as getting all the players to act together. I, perhaps naively, wouldn't think the payback period for the investment in ingress filtering would be very long. When these things happen they cost the Internet industry a lot of money. The problem is no one has a stick to beat them into submission. I remember a discussion with an old colleague years ago about responding to attacks and he was saying the only time he'd been able to get ISPs to respond quickly to problems was when he was running the networks covering the World Cup, he commented that all he had to do was threaten to throttle their connections and then publish which ISPs were having their links slowed down, and all of a sudden the ISPs became extremely cooperative.

    2. Alan Brown Silver badge

      Re: Filtering spoofed packets

      It's been just over a decade since I gave up trying to get ISPs and NSPs to filter "wrong" packets from egressing their networks (or ingressing from customer ones)

      The uniform response was "our routers can't handle the load"

      I understand (from those still carrying the torch) that's still the uniform response.

      Companies have zero conscience. They don't care if their customers are abusing the networks, as long as they get paid - and the only way to make them care is to make it hurt - a lot. In that respect it's actually easier to train an amoeba. At least those have some semblance of "memory"

  16. This post has been deleted by its author

  17. Jaymax
    Black Helicopters

    the Other Side of the Story

    Why is the CyberBunker website running about as successfully as if it were the target of an enormous DDoS, and Spamhaus's website loading almost instantly? Weird. I'd've thunk at least el Reg would do a quick check before pushing out the same PR everyone else is publishing so excitedly.

    Meanwhile, black helicopters en-route to www.pcmag.com/article2/0,2817,2417142,00.asp

    Also, background:

    webcache.googleusercontent.com/search%3Fq%3Dcache:3mqT64NVF2AJ:cyberbunker.com/web/spamhaus.php%2B%26cd%3D1%26hl%3Den%26ct%3Dclnk

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: the Other Side of the Story

      Fixeded the linkses did I?

      http://webcache.googleusercontent.com/search?q=http://cyberbunker.com/web/spamhaus.php

      Also:

      http://webcache.googleusercontent.com/search?q=cache:http://cyberbunker.com/web/cityhall.php

      http://webcache.googleusercontent.com/search?q=cache:http://cyberbunker.com/web/swat.php

      Don't click on all three at once, or Google will lock you out of the cache for a while :-(

  18. Anonymous Coward
    Anonymous Coward

    Does spam actually have a purpose?

    That is, are people still trying to sell things via unsolicited email? Or is all spam now full of malware?

    Just curious. If it's the first, who the f**k is buying these penis pills?

    1. Maty

      Re: Does spam actually have a purpose?

      Buggered if I know.

      We run a forum where people can post queries. With spammers in mind, the board is set to block anything that looks like a URL within the message.

      So we get posts that read something like this

      WKXRPFL asks

      Penis pills I to agree with your postabilityness penis pills

      ... which posts are deleted before anyone but our moderator sees them. Apart from being a pita, WTF is the point?

      1. Anonymous Coward
        Anonymous Coward

        Re: Does spam actually have a purpose?

        Gaming search engines, maybe? Inverse bayesian filtering, or something? IE, instead of putting normal text in your spam to make the filters think it's legit, you put spam in everyone else's normal text to make the filters think that *spam* is legit?

        I'm pretty sure I've seen spamvertisements for 'SEO' services which work by pumping massive numbers of comments with certain keywords out into the wild, and thereby skew the results of relevancy results. But that's really not much more than a chin-scratching "I wonder if this does this..." supposition.

        I have to assume there's some purpose for it; people craven enough to achieve things by those methods are rarely industrious enough to do the work without some kind of financial gain in the offing.

        1. Alan Brown Silver badge

          Re: Does spam actually have a purpose?

          There's a school of thought that says it may be used as steganographic cover for various activities.

          This usually comes from the same school of thought which suggests Robert McNamara, Alex Plutonium and Serdar Argic's(*) rant-filled missives may have contained coded messages to intelligence operatives.

          And which also suggests that all those pictures of Claudia Schiffer in alt.binaries.pictures.erotica contained encrypted text files detailing a lot of nazi-linked information the West German government would have preferred wasn't public.

          (*)It's been a couple of decades. I may have mixed the names up.

          1. TeeCee Gold badge
            Joke

            Re: Does spam actually have a purpose?

            And which also suggests that all those pictures of Claudia Schiffer in alt.binaries.pictures.erotica contained encrypted text files detailing a lot of nazi-linked information the West German government would have preferred wasn't public.

            Oh come on! Everyone knows that rumour was started by some blokes in the CIA to give themselves an excuse to download the lot and study them very carefully, while getting paid to do it.

      2. Havin_it
        Holmes

        @Maty Re: Does spam actually have a purpose?

        Buggered if I know.

        Hell of a way to find out the answer. So, er, did they work?

  19. Terry Kiely
    Holmes

    all fine here, no slowdown???

    Netflix fine and Lovefilm too, At the same time!!!

    Call me cynical but seems like a great publicity stunt for all involved???

    but well done to the hard working admins slaving to fix everything, thanks guys and gals

    don't SPAM me over this :-D

    coat already taken and left the building

  20. daztheladd

    This sounds like yet another perfect opportunity to tighten up the net.

    So the ddos will have provided a huge list of vulnerable dns servers to the spamhaus. Block them...

    Out of adversity comes opportunity

  21. Justin Clements
    Thumb Down

    Can't say I'm surprised.

    Fuck em. With any luck they'll be getting some massive bandwidth bills as well. These guys used to be the bane of the life of an administrator at ISPs years ago.

  22. JaitcH
    FAIL

    If Spamhaus was accurate ...

    were accurate in their listings, or responded quickly to complaints about incorrect Black Listings, I might feel sorry.

    BUT, since they don't, neither do I.

  23. Anonymous Coward
    Anonymous Coward

    It's all good

    You know that some scumbags are going to prison as a result of this pointless DDoS. Cyberbunker is about to become DOA.

  24. adam payne Silver badge

    Whether you agree or not with how anti-spam organisations operate, blocklists are a necessary evil.

  25. AJames

    Couldn't happen to a more deserving target

    Well, I don't want to condone DDoS as a tactic under any circumstances, but....

    Spamhaus is famous for their high-handed and arrogant attitude in blocking whole IP address ranges for the most trivial of reasons. If this DDoS attack exposes how many cheapskate hosting services rely blindly on their spam-and-a-lot-of-other-legitimate-traffic filtering services, then it has actually done the internet a service.

  26. Mr Templedene

    Gizmodo are claiming this attack was very over-hyped, possibly non-existent and certainly exaggerated for marketing effect.

    http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

  27. Shane Kent

    I have been blacklisted before....

    as I can't be on top of things all the time, and have twice had client PCs with virus/botnet get me blacklisted. Clean the virus/botnet off and submitted to be delisted and within no time back to emailing. The slight headache it caused was nothing compared to the headache of spam and other crap filling up my users' inboxes. Sure it is painful/impossible to create an inhouse outgoing mail server on my ip address because of anti-spam, but once again not painful enough to have no anti-spam at my end. As well, it was nice to have the email blocked at the other end when the PCs were infected, as it would have been more of an embarrassment having our customers getting lots of crap email from our PCs (that and both times it tipped me off that a PC on my network had a virus/botnet running on it).

    Thanks spamhaus, spamassassin, and the other anti-spam I have layered on my incoming server to stop the crap coming in.

  28. Ben Burch

    Can we just put the hackers in a gibbet?

    I think we should not JAIL these guys when we catch them. We should re-instate the Gibbet.

  29. mprd

    Spurious EC2 example

    The last bit about how one could do this with a few AWS EC2 instances... Not true: you can't send packets with fake reply addresses out of EC2, the NAT devices at the edge of the EC2 network will blackhole your traffic.

  30. Anonymous Coward
    Anonymous Coward

    Spamhaus

    Got to be said that in the world of RBLs Spamhaus is by far the most reasonable to deal with.

    Because to be fair accidents happen -- clients provide mailing lists that are pure junk; some ISPs have junk filters on hair triggers -- and when the rules change.. god help us. Our provider moved the main mail server to a new machine one weekend, same name, new IP. Everything bounced -- a tried and trusted internet machine with a long history of not supplying crap changed.

    No longer could I send emails with the clients email addresses in the from like I'd done for the previous 7 years without issue. It was then I discovered that interesting league of gentlemen who promised to "sort it"

    These are not the real vigilantes who will never lift the block, regardless. These guys are the "trusted mail" providers whose sales pitch is along the lines of a protection racket.

    Dealing with these services the conversations about getting the block lifted get positively threatening:

    "Well if you subscribed to our service your mail would never be blocked -- we wouldn't want it to happen again would we sir."

  31. Anonymous Coward
    Anonymous Coward

    Supposedly there are anonymous hackers who did this

    Some members on the forum http://www.anon-hackers.com/r/1 were planning this attack and carried it out, go over there if you want to find out more information but i do know that there are some guys over there who are really clever and their attacks are very powerful.

  32. doubting thomas
    Thumb Down

    Lazy journos, this whole thing is bogus ! The only people aware of the attack (allegedly the world's largest by some distance) were the three media seeking companies named. Just stop, pause for breath and engage your brain, if this attack was as described don't you think someone else, somewhere would have been affected ? The CEO of media darling Cloudflare reckoned it was nuclear in its size and power, well when was the last time someone let off a nuclear weapon/bomb without it being detected ????

    It's all self-serving nonsense and it reflects badly on the companies behind it and the chimps simply regurgitating the same nonsensical propaganda.

Biting the hand that feeds IT © 1998–2019