
Largest DDoS attack in history clogs Internet and emphasizes the need to correct Open DNS resolvers [UPDATE]


CyberBunker hosting operates from abandoned nuclear bunker

A 300 gigabit per second distributed denial of service attack has been crowned the biggest DDoS to date. For over a week, the European spam-blocking service Spamhaus has been subjected to an attack so large that it has threatened to slow down Internet infrastructure well beyond its intended target.

“In some places it’s been mounted, it has had some collateral damage, for example Netflix, although these are transient effects… The thing that got people talking is that it’s a DNS amplification attack. The point is, if you’re targeting something and the target has a 10Gbps switch, you only have to throw 11Gbps at it and you’ve pole-axed the system. If it is at 300Gbps, then potentially some of the main infrastructure is being affected, though I’m not sure how much it’s really affecting it.”

When the attack started, on March 18, it measured around 10 Gb/s. On March 19 it climbed to 90 Gb/s, and by March 22 it had reached 120 Gb/s. This still wasn’t enough to knock Spamhaus offline, or CloudFlare, which is currently helping Spamhaus absorb the attack. So the attackers escalated. Today, CloudFlare wrote that one of the Internet’s big bandwidth providers is seeing 300 gigabits per second of traffic related to this attack, making it one of the largest ever reported. 300 Gb/s is the kind of scale that strains the core routers and exchange points that join the Internet’s disparate networks, which is why third parties can feel the effects.

Spamhaus, which runs its operations on a network distributed across many countries and has no shortage of enemies, was briefly knocked offline on March 18. Spamhaus says the attack is coming from thousands of computers around the Internet, which makes it difficult to counter. CloudFlare, the security firm assisting it, explained the DDoS technique in detail:

“The largest source of attack traffic against Spamhaus came from DNS reflection… [This method has] become the source of the largest Layer 3 DDoS attacks we see (sometimes well exceeding 100Gbps). Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them… The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”

The Open DNS Resolver Project reports that there are about 25 million of these open DNS resolvers, and hence 25 million servers that can be used to reflect and amplify traffic toward any spoofed victim address. Making this worse, unlike DDoS attacks that rely on hijacked home PCs, these DNS servers typically sit on fast Internet connections. Closing the hole is a resolver-side and network-side job: a resolver should answer recursive queries only for its own clients (in BIND, an allow-recursion list rather than recursion open to the world; authoritative-only servers should not recurse at all), and networks should drop packets with spoofed source addresses at their edge (BCP 38 source-address validation), which stops the forged requests from ever reaching a resolver.
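The mechanics CloudFlare describes above, worked through as an added example (this is not code from the original article, CloudFlare or Spamhaus): the first part builds, in DNS wire format, the kind of request an attacker reflects (an ANY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer) and a constructed large answer, then measures how many bytes the victim receives per byte the attacker had to send. The second part scans constructed flow records for the victim-side signature of reflection: answers arriving from port 53 of resolvers the host never queried. The domain, the IP addresses, the record contents and the 10:1 ratio threshold are all assumptions made for the example.

```python
"""Added example; not code from the original article, CloudFlare or Spamhaus.

Part 1 builds the kind of request a reflection attacker sends (an ANY query
with an EDNS0 OPT record advertising a 4096-byte UDP buffer) and a constructed
large response, then measures the amplification factor.  Part 2 scans
constructed flow records for the victim-side signature of DNS reflection:
UDP/53 responses arriving from resolvers the victim never queried.
All names, addresses, record contents and thresholds are constructed."""
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """RFC 1035 wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 255, edns_bufsize: int = 4096, txid: int = 0x1234) -> bytes:
    """Header + one question + an OPT pseudo-record (RFC 6891).  qtype 255 = ANY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD set; QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root name, TYPE=OPT, CLASS=bufsize
    return header + question + opt


def build_response(query: bytes, answers: list) -> bytes:
    """Constructed resolver reply: echoes the question, sets QR/RD/RA, appends answers.
    Each answer is (rtype, rdata); the owner name is a compression pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    i = 12
    while query[i] != 0:          # walk the question name to find the end of the question section
        i += query[i] + 1
    i += 1 + 4                    # terminating zero byte + QTYPE + QCLASS
    question = query[12:i]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
                    for rtype, rdata in answers)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)          # resolver echoes an OPT record
    return header + question + body + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)


# Constructed "large zone" answer set: six 200-byte TXT records and four A records.
EXAMPLE_ANSWERS = [(16, bytes([200]) + b"x" * 200) for _ in range(6)] + \
                  [(1, bytes([192, 0, 2, n])) for n in range(1, 5)]

# Constructed flow records as seen at the victim's border:
# (src_ip, src_port, dst_ip, dst_port, bytes).  203.0.113.10 is the spoofed victim.
SAMPLE_FLOWS = [
    ("198.51.100.1", 53, "203.0.113.10", 4444, 1382),
    ("198.51.100.2", 53, "203.0.113.10", 4444, 1382),
    ("198.51.100.3", 53, "203.0.113.10", 4444, 1382),
    ("203.0.113.20", 51000, "198.51.100.1", 53, 40),    # a legitimate client ...
    ("198.51.100.1", 53, "203.0.113.20", 51000, 120),   # ... and its normal-sized answer
]


def reflection_victims(flows, ratio_threshold: float = 10.0):
    """Per (local host, resolver) pair, compare bytes received from port 53 with bytes
    sent to it.  Answers with little or no matching outbound query traffic are the
    signature of a host being hit by reflected DNS responses.  Returns
    [(victim, resolver, bytes_in, bytes_out)] sorted by bytes_in descending."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            sent[(src, dst)] += nbytes
        elif sport == 53:
            received[(dst, src)] += nbytes
    hits = []
    for (host, resolver), bytes_in in received.items():
        bytes_out = sent[(host, resolver)]
        if bytes_in / max(bytes_out, 1) >= ratio_threshold:
            hits.append((host, resolver, bytes_in, bytes_out))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, EXAMPLE_ANSWERS)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    for host, resolver, bin_, bout in reflection_victims(SAMPLE_FLOWS):
        print(f"{host} got {bin_} bytes from {resolver}:53 after sending {bout}")
```

With the constructed answer set the 40-byte query draws a 1382-byte response, a factor of about 35, which is why the attacker's own bandwidth matters so little. The detector deliberately keys on the asymmetry rather than on volume alone: a busy legitimate client also receives plenty of port-53 traffic, but it sent the queries that produced it.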

According to Gigaom, the Dutch hosting firm CyberBunker appears to be the top suspect at this point. CyberBunker, an “anything goes” host that operates from a former nuclear bunker and prides itself on hosting anything except terrorist sites and child pornography, was recently embroiled in a skirmish with Spamhaus. Spamhaus lists CyberBunker (also known as CB3ROB) as the world’s number-one offender when it comes to hosting spam gangs, and around 18 months ago it blacklisted the host’s ISP, A2B Internet. A2B responded by reporting Spamhaus to the Dutch police as DDoS offenders. The New York Times echoed the accusation, reporting that CyberBunker was retaliating against Spamhaus with help from Eastern European and Russian criminal groups.

As for CyberBunker, the company boasts that although “Dutch authorities and the police have made several attempts to enter the bunker by force, none of these attempts were successful.” Even a Dutch SWAT team failed to get in.

Update (3/31/13): CyberBunker still lists its address as the bunker. But Joost Verboom, a Dutch businessman, says the address is occupied by his own company, BunkerInfra Datacenters, which is building a subterranean Web hosting center at the site. Mr. Verboom said CyberBunker and its spokesman, Sven Olaf Kamphuis, left the site a decade ago. It is not clear where the servers of CyberBunker and CB3ROB are now.

Sources: Gigaom, Ars Technica, Reuters, BBC, New York Times