Spamhaus, an unofficial non-governmental and unaccountable organization, generates a list of IP addresses it believes to be involved in spam. This list is then used by both companies and ISPs to blacklist those addresses. For the last week Spamhaus itself has been targeted with a DNS reflection DDoS attack so large that the internet itself has suffered 'collateral' damage.
The background seems to be a squabble between Spamhaus and the Dutch hosting company Cyberbunker. Cyberbunker boasts that it will accept any customer other than those involved in child pornography or terrorism; so spammers are acceptable. Last month Spamhaus decided that Cyberbunker was involved in spam and added it to its blacklist. The effect for users of the Spamhaus blocklist is that any spam originating from Cyberbunker is blackholed before it gets through to users' inboxes; the effect for Cyberbunker customers is that large parts of the internet world cease to be available.
According to the New York Times, internet activist Sven Olaf Kamphuis – describing himself as a spokesman for Cyberbunker – "said Cyberbunker was retaliating against Spamhaus for 'abusing their influence'." This seems to be the basis for the belief that Cyberbunker is ultimately behind the attack. Yesterday, however, Kamphuis denied this in a Skype conversation with RT, saying that "quotes attributed to him by the New York Times were part of a campaign of 'misinformation' against Cyberbunker, which he says is not currently carrying out DDoS attacks against Spamhaus."
Kamphuis suggested that "if they are still under attack which I think they are because I get news feeds that they are still under attack then it's now other people attacking them." This is quite possible since there are reports that five separate national cyber-police forces are currently investigating the attacks. The identity of those police forces has not been disclosed for fear that they themselves might become targets; but one inference is that multiple botnets are now attacking Spamhaus.
In reality, neither the cause nor the target of these attacks is the most worrying aspect – it is the sheer size of the attack and its effect on the internet as a whole. A DNS reflection attack uses the internet's network of over 21.7 million DNS servers that "are misconfigured," says Chester Wisniewski of security firm Sophos, "to allow anyone to query them for name services without any filtering or rate-throttling." Attackers send queries with a forged source address so that these DNS servers reflect and magnify the traffic, making it seem as if Spamhaus is attacking itself.
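The misconfiguration Wisniewski describes is a resolver that answers anyone and never throttles. The script below is an added example, not code from the article, Sophos or Spamhaus, showing what the operator of such a resolver could do with their own query logs: parse BIND-style query-log lines (the sample lines, addresses and names are constructed for the example), flag clients that burst ANY queries (the query type favoured for reflection because its responses are large), and list clients outside the operator's own networks that asked for recursion. The function names, thresholds and network ranges are assumptions made for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in BIND query-log style; addresses and names are made up
# for this example and do not come from the article.
SAMPLE_LOG = """\
26-Mar-2013 14:02:01.101 client 203.0.113.5#5353: query: target.example IN ANY +E (192.0.2.10)
26-Mar-2013 14:02:01.102 client 203.0.113.5#5353: query: target.example IN ANY +E (192.0.2.10)
26-Mar-2013 14:02:01.104 client 203.0.113.5#5353: query: target.example IN ANY +E (192.0.2.10)
26-Mar-2013 14:02:01.110 client 203.0.113.5#5353: query: target.example IN ANY +E (192.0.2.10)
26-Mar-2013 14:02:01.112 client 203.0.113.5#5353: query: target.example IN ANY +E (192.0.2.10)
26-Mar-2013 14:02:03.500 client 10.0.0.23#41234: query: www.example.org IN A + (192.0.2.10)
26-Mar-2013 14:02:04.700 client 198.51.100.7#6000: query: mail.example.net IN MX - (192.0.2.10)
26-Mar-2013 14:02:09.200 client 10.0.0.40#41235: query: example.com IN ANY + (192.0.2.10)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Turn BIND query-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "client": m["client"],
            "qname": m["qname"],
            "qtype": m["qtype"],
            # BIND prints '+' when the client set the recursion-desired bit, '-' otherwise
            "recursion_desired": m["flags"].startswith("+"),
        })
    return records


def flag_amplification_sources(records, window_seconds=10.0, threshold=5):
    """Return {client: peak_count} for clients that sent at least `threshold`
    ANY queries inside any sliding window of `window_seconds`.

    A burst of ANY queries for one name from one 'client' is the signature of a
    reflector being used: the source address is the victim's, not a real user's.
    """
    recent = defaultdict(deque)
    peaks = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["qtype"] != "ANY":
            continue
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["client"]] = max(peaks.get(rec["client"], 0), len(q))
    return peaks


def recursion_from_outside(records, allowed_networks):
    """Sorted list of clients that asked for recursion from outside the networks
    the resolver is meant to serve; any entry means the resolver is open."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    outsiders = set()
    for rec in records:
        if not rec["recursion_desired"]:
            continue
        addr = ipaddress.ip_address(rec["client"])
        if not any(addr in net for net in nets):
            outsiders.add(rec["client"])
    return sorted(outsiders)


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print("ANY-query bursts:", flag_amplification_sources(recs))
    print("recursion from outside 10.0.0.0/8:", recursion_from_outside(recs, ["10.0.0.0/8"]))
```

On the sample data the burst detector flags 203.0.113.5 (five ANY queries in a few milliseconds) and the same address is the only one requesting recursion from outside the operator's 10.0.0.0/8. The configuration-level counterparts of these two checks in BIND 9 are restricting `allow-recursion` to the networks you serve and enabling response rate limiting (the `rate-limit` block in `options`, available from BIND 9.9.4), which is the "filtering" and "rate-throttling" the quote above says the misconfigured servers lack.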
The huge volumes of traffic that have been generated have overwhelmed the pipes between the DNS servers and Spamhaus, causing collateral damage to other parts of the internet along the way – and this is causing concern. "It illustrates the collateral damage that can be felt by individuals trying to access sites and businesses like Netflix for whom the web is the cornerstone of their business," comments Marty Meyer, president of Corero Network Security. "It also raises a worrying red flag," he adds, "that if an organization like Cyberbunker could allegedly unleash this much damage, could a cyber-terrorist or state sponsored attacker use similar tactics to disrupt the communication and business channels of its enemies that rely on the internet?"
The problem is that you cannot just shut down the DNS servers to cut off the attack – they are a necessary part of the internet. "The only way to deal with this problem is to find the people doing it and arrest them," security researcher Dan Kaminsky told the New York Times. Last year, research from Cambridge University's Ross Anderson came to a similar conclusion: the cyberworld would be a safer place if a greater proportion of security resources was spent on catching criminals rather than just defending boxes.