Spammers vs. anti-spammers: 'nuclear' botnet attack bogs down Internet

A European group tracking spammers on the Internet maintains a blacklist of bad actors. Blacklisted sites are hitting back with masses of hijacked computers blasting digital junk at the anti-spam group.


A digital firefight is bogging down the entire Internet thanks to botnets – masses of hijacked computers – employed by spammers as digital cannons to attack an anti-spam group.

So-called “distributed denial of service” or DDoS attacks are nothing new and barely raise an eyebrow among cyberwarfare experts. This is different. In this case it’s the size of the attack that’s garnering the attention – about three times larger than the largest previously recorded DDoS attack.

The target is Spamhaus, a European group that tracks spammers on the Internet. Much to the annoyance of spammers, Spamhaus maintains a blacklist of bad actors that it distributes to spam-blocking services worldwide. Blacklisted sites have hit back before – but never this hard.

Arbor Networks, a cybersecurity company monitoring DDoS attacks, says Wednesday’s attack appears to be the biggest on record – about 300 billion bits (300 gigabits) per second. That’s big enough to have an impact on data-intensive services like Netflix, which was among services reportedly slowed by the attack.

“Arbor has been monitoring DDoS for more than a dozen years and we’ve seen attack size peaking at around 100 Gbps in recent years,” says Dan Holden, director of ASERT, Arbor Networks’ Security Engineering & Response Team. “Today’s attack appears to be significantly larger than that.”

The monster attack began after Spamhaus blacklisted a Netherlands-based web-hosting group called Cyberbunker earlier this month. Soon the DDoS tide was rising from routine surge to tidal-wave proportions. One impact of the attack: The Spamhaus website is blocked, although the company is still reportedly able to send out its list.

But the other, more noticeable impact is a slowdown on the whole Internet. That’s because the attackers have used a weakness that is part of the Internet’s architecture – exploiting the Internet’s core infrastructure, a computer directory called the Domain Name System, or DNS. The bots blasted their junk data – messages that appear to be from Spamhaus – at DNS servers worldwide. That, in turn, sent a Niagara of data blasting back at Spamhaus, but bogged down the entire Internet, too, experts say.

“It is not surprising that DNS amplification was used in an attack of this size,” Mr. Holden says. “Just over one-quarter of respondents [to a company survey] experienced customer-impacting DDoS attacks on their DNS infrastructure in 2012, a 100 percent increase over the previous year.”
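An added illustration, not part of the original article: how a DNS server operator might spot the reflection pattern described above in a query log. The log format, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log: time, claimed source IP, query type, name,
# request bytes, response bytes. Addresses are documentation ranges.
SAMPLE_LOG = """\
12:00:01 198.51.100.7 A www.example.org 45 61
12:00:01 203.0.113.10 ANY example.net 40 3100
12:00:01 203.0.113.10 ANY example.net 40 3100
12:00:02 203.0.113.10 ANY example.net 40 3100
12:00:02 198.51.100.7 AAAA www.example.org 45 73
12:00:02 203.0.113.10 ANY example.net 40 3100
12:00:03 192.0.2.55 ANY example.net 40 3100
"""


def flag_reflection_victims(log_text, min_queries=3, min_ratio=10.0):
    """Return stats for sources that repeatedly draw responses far larger
    than their requests. The source address on such queries is forged, so
    a flagged address is the likely victim, not the sender: the response
    is to rate-limit answers to it, not to treat it as the attacker."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        _time, src, _qtype, _name, req, resp = fields
        entry = stats[src]
        entry["queries"] += 1
        entry["bytes_in"] += int(req)
        entry["bytes_out"] += int(resp)

    flagged = {}
    for src, entry in stats.items():
        # Amplification factor: bytes sent back per byte received.
        ratio = entry["bytes_out"] / max(entry["bytes_in"], 1)
        if entry["queries"] >= min_queries and ratio >= min_ratio:
            flagged[src] = {**entry, "ratio": round(ratio, 1)}
    return flagged


if __name__ == "__main__":
    for src, s in flag_reflection_victims(SAMPLE_LOG).items():
        print(f"{src}: {s['queries']} queries, "
              f"{s['bytes_out']} bytes sent back, x{s['ratio']}")
```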

One indicator of scale compares Wednesday’s attacks with recent enormous DDoS attacks against US banks that began last fall – and are continuing. Those bank DDoS attacks had been notable for being in the range of 65-70 gigabits per second – about 15 to 30 times larger than usual for such cyberattacks and roughly equal to data contained in 250,000 books shot at a bank website each second.

By comparison, the December 2010 hacktivist-inspired "Operation Avenge Assange" DDoS attacks conducted by the hacktivist group Anonymous now look minuscule – ranging in size from 2 gigabits per second to 4 gigabits, indicating perhaps 3,000 to 7,000 attackers at any one moment.

At 300 Gbps, there have even been hyperbolic comparisons made to nuclear detonations. Cyberbunker has not officially claimed responsibility for the attack, although some claiming to speak for the group said its members were attacking. Other cybersecurity experts concurred with that.

“These guys [Cyberbunker] are just mad,” Patrick Gilmore, chief architect at Akamai Networks, a digital content provider, told The New York Times. “To be frank, they got caught. They think they should be allowed to spam.”
