Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at email@example.com.
What started as a spat between a computer spam-fighting company and an Internet service provider has escalated into what apparently is the largest cyber attack in history – so large that it slowed down the entire Internet.
The attack apparently began on the evening of March 15 and appears to have ended March 26, but may still be ongoing. Internet police forces from five different countries are investigating the incident.
Spamhaus, a non-profit organization based in London and Geneva, is dedicated to helping e-mail service providers filter out spam messages with the use of what is called a “blacklist.”
A blacklist is a computer control program that looks at the origin of e-mail messages and websites (URLs) and blocks anything that comes from a site that has been reported as a malicious Internet server. The opposite of a blacklist is, naturally, a whitelist. The items on this list are let through whatever path is used. There is a third list, called a greylist, that contains sites that are temporarily blocked until they can be verified as safe.
A filtering company such as Spamhaus may be used to check e-mail messages coming into a company, to keep a list of software from running remotely, or to keep a website from accessing a computer.
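Spamhaus publishes its blacklists over DNS (the article notes this later): a mail server reverses the octets of the sending IP, appends the list's zone name, and reads the answer. The following is an added illustration, not Spamhaus's own code; the zone name and return-code meanings are my recollection of Spamhaus's ZEN documentation and should be verified, and the resolver is a constructed stand-in using TEST-NET addresses.

```python
import ipaddress
from typing import Callable, Optional

# Zone and return codes for Spamhaus ZEN as recalled from its documentation;
# assumption for this example, verify against current Spamhaus docs before use.
ZEN_ZONE = "zen.spamhaus.org"
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (botnet, open proxy)",
    "127.0.0.10": "PBL: end-user address space, should not send mail directly",
    "127.0.0.11": "PBL: ISP-maintained entry",
}

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_listing(ip: str, resolve: Callable[[str], Optional[str]],
                  zone: str = ZEN_ZONE) -> dict:
    """Look the address up and interpret the answer. A hit is an A record in
    127.0.0.0/8; NXDOMAIN (None) means not listed; any other answer is treated
    as a lookup error so a hijacked or wildcarded reply never blocks mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"ip": ip, "listed": False, "code": None, "reason": "not listed"}
    try:
        is_hit = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        is_hit = False
    if not is_hit:
        return {"ip": ip, "listed": False, "code": answer,
                "reason": "unexpected answer, treat as lookup error"}
    return {"ip": ip, "listed": True, "code": answer,
            "reason": ZEN_CODES.get(answer, "listed, unrecognised return code")}

# Constructed stand-in for a real resolver, keyed by query name (TEST-NET ranges).
# 127.0.0.2 is the conventional always-listed test entry for DNSBLs (RFC 5782).
FAKE_ZONE = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.2",
    dnsbl_query_name("198.51.100.23"): "127.0.0.10",
    dnsbl_query_name("127.0.0.2"): "127.0.0.2",
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)
```

In production the `resolve` callable would issue a real A query; keeping it injectable is what lets the decision logic be tested offline.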
Using a listing service has proven to be very effective in preventing viruses from attacking computers and unclogging a user’s inbox. In e-mail housekeeping alone, a listing service has proven its worth time after time.
In one company, for example, a listing service marked over 10.2 million incoming e-mail messages as spam in a single month. This represented 92 percent of the 11 million messages received. Without a listing service, one’s mailbox would have 10 times as many messages in it as it does now.
Listing services wield a lot of power in the Internet service community and to be inadvertently placed on its blacklist can mean a potential loss of hundreds of thousands of dollars in revenue. The website is essentially taken off the Internet.
Black or greylisting also means that a website is not reachable for days (7-10 days on average) until the offending malware is removed and a request is sent to the listing service for blacklist removal. The reputation to a business is also damaged. Customers do not want to visit an e-commerce site that infected their computer.
A blacklisting can also result in the loss of search engine rankings, known as the SEO or Search Engine Optimization. It can take weeks or even months to regain the lost search engine rankings.
So list services are playing in a high stakes game and blacklistings are not taken lightly.
Spammers, of course, hate the practice of blacklisting so it is not a surprise that listing services, such as Spamhaus are threatened on a regular basis. Those affected by what they regard as incorrect listings also object to Spamhaus’ alleged vigilante tactics.
While not taking credit for the attacks, Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said, in a message, that Spamhaus was abusing its position, and that, “They think they’re the boss on the Internet, but we are the boss.”
Spamhaus has alleged that Cyberbunker, in cooperation with “criminal gangs” from Eastern Europe and Russia, is behind the attack.
Steve Linford, chief executive for Spamhaus, told the BBC that the scale of the attack was unprecedented. “We’ve been under this cyber-attack for well over a week,” he said.
The attackers used a tactic known as a Distributed Denial of Service (DDoS), which floods the target with large numbers of requests for information, so many that the site becomes unavailable to legitimate requests.
Rather than aiming floods of traffic directly at Spamhaus’s servers – a well-known tactic that has become easy to defend against – the hackers went after the Internet’s domain name system (DNS) servers, which are like the Internet’s phone books that join a domain name, such as www.wnd.com, to its Internet Protocol or IP address (22.214.171.124).
The “inter” in Internet refers to the fact that it is actually a collection of networks connected to each other through what is called a “peering relationship.” When the Internet was just coming online, these networks communicated with each other through IP addresses. As more “civilians” came to use the Internet, a more user-friendly way of contacting other computers was needed. That is where the DNS servers come in.
These servers contain lists, called routing tables, that take a domain name, such as WND.com, and associate it with a corresponding IP address along with a path to that computer. A command called a “tracert” will “trace the route” of a packet from the user’s computer to the destination. When a website is typed into a web browser, it goes to a DNS server to find the IP addresses of all the computers it needs to contact to get to its destination. The tracert command will reveal the route and addresses of the computers that need to be contacted to reach their destination.
The hackers “spoofed” requests for these IP addresses from the DNS servers so they seemed to come from Spamhaus; the servers responded with huge floods of responses, all aimed back at any of the over 80 Spamhaus server sites.
The switchboxes that control IP requests are called routers. The largest routers that you can buy can handle, at most, 100 billion bits per second of traffic through their data ports. (With some programming, ports can be joined together to increase traffic, but there is a physical limit to how much data these ports can handle.) If that limit is exceeded then the network becomes overloaded and network performance suffers.
If the DNS servers are flooded with random requests, legitimate requests for directions to a server cannot get through. It is like trying to get a thimble full of information out of a deluge of random bits the size of Niagara Falls. (Recent cyberattacks – like the ones that caused persistent outages at U.S. banking sites in 2012 – tend to peak at 50 billion bits per second. The attack on Spamhaus clocked in at 300 billion bits every second.)
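Seen from the victim’s edge, the reflection attack described above has a distinctive shape: large DNS responses arrive from many resolvers that the victim never queried, because the queries were sent by the attacker with the victim’s address forged as the source. The detector below is an added example, not code from the article or from Spamhaus or CloudFlare; the flow records are constructed (TEST-NET addresses) and the 64-byte query size used to estimate amplification is an assumption.

```python
from collections import defaultdict

# Constructed DNS flow records for this example (not data from the article).
# Fields: src_ip src_port dst_ip dst_port bytes qr   (qr: Q = query, R = response)
SAMPLE_FLOWS = """
192.0.2.40 41122 198.51.100.7 53 70 Q
198.51.100.7 53 192.0.2.40 41122 210 R
198.51.100.7 53 203.0.113.5 33201 3842 R
198.51.100.8 53 203.0.113.5 33201 3911 R
198.51.100.9 53 203.0.113.5 33201 3790 R
198.51.100.10 53 203.0.113.5 33201 3905 R
198.51.100.11 53 203.0.113.5 33201 3877 R
"""
ASSUMED_QUERY_BYTES = 64  # typical size of the small query the attacker sends

def parse_flows(text):
    records = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, size, qr = line.split()
        records.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "bytes": int(size), "qr": qr})
    return records

def find_reflection_victims(records, min_resolvers=3, min_bytes=4096):
    """Flag hosts receiving DNS responses (from port 53) that no query of theirs
    explains, from at least min_resolvers distinct resolvers. A response is
    'solicited' only if the same client, client port and resolver appear in a query."""
    queried = {(r["src"], r["sport"], r["dst"]) for r in records if r["qr"] == "Q"}
    stats = defaultdict(lambda: {"reflectors": set(), "unsolicited": []})
    for r in records:
        if r["qr"] != "R" or r["sport"] != 53:
            continue
        if (r["dst"], r["dport"], r["src"]) in queried:
            continue  # normal client traffic, leave it alone
        stats[r["dst"]]["reflectors"].add(r["src"])
        stats[r["dst"]]["unsolicited"].append(r["bytes"])
    alerts = {}
    for host, s in stats.items():
        total = sum(s["unsolicited"])
        if len(s["reflectors"]) >= min_resolvers and total >= min_bytes:
            avg = total / len(s["unsolicited"])
            alerts[host] = {"reflectors": len(s["reflectors"]),
                            "unsolicited_bytes": total,
                            "est_amplification": round(avg / ASSUMED_QUERY_BYTES, 1)}
    return alerts
```

The estimated amplification (response bytes per query byte) is what makes reflection attractive to an attacker, and a high value together with many distinct reflectors is the signal a network operator should alert on.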
The latest series of attacks began on 18 March with a relatively small (10 gigabit per second) data flood that overwhelmed Spamhaus’ connection to the rest of the Internet and brought their servers down. Spamhaus’ blacklists are distributed via the DNS system and with the “mother” website down, the blacklists were not getting updated.
The recent attacks reported by Spamhaus seemed to be concentrated on the DNS servers located primarily in Europe and have affected hundreds of millions of people as they surfed sites that were unrelated to Spamhaus or CloudFlare. The result was a certain sluggishness in the response users were getting when they would type in a web address or send out a command for their mail.
The Internet security company, CloudFlare, estimates 30,000 DNS servers have been involved in the attack against Spamhaus.
An attack of this magnitude is powerful enough to take down an entire country’s Internet infrastructure.
“Normally when there are attacks against major banks, we’re talking about 50 billion bits per second.”
Prof Alan Woodward, a cybersecurity expert at the University of Surrey, likened the attacks to an electronic traffic jam. “If you imagine it (the Internet) as a motorway, attackers try to put enough traffic on there to clog up the on and off ramps,” he told the BBC.
“With this attack, there’s so much traffic it’s clogging up the motorway itself.”
In terms of the Internet itself, there is so much traffic hitting the DNS servers that the backlog is clogging the Internet itself.
So far, Spamhaus is weathering the electronic data storm, and several Internet service companies, such as Google, have made their resources available as needed to help “absorb all of this traffic”. (The attacks are not coming in a steady stream, which would make detection of the source easier, but are coming intermittently in massive amounts.)
The list of suspects that may have reason to attack Spamhaus is a long one of which Cyberbunker is only one. Spamhaus has “made plenty of enemies”, according to one expert, and the cyber-attack appeared to be retaliatory in nature.
“Spamhaus has made plenty of enemies over the years. Spammers aren’t always the most lovable of individuals, and Spamhaus has been threatened, sued and [attacked] regularly,” noted Matthew Prince of Cloudflare, a hosting company that helped the London business survive the attack by diverting the traffic.
The botnets that the spammers used in the attacks were not the usual home computers that are turned into “zombie units” and ordered to join in the DNS attack; these were large servers with a much greater capacity. It was the equivalent of using an AK-47 for an attack instead of a pellet gun.
The use of these large scale DNS attacks has experts worried. “The No 1 rule of the Internet is that it has to work,” said Dan Kaminsky, a security researcher who pointed out the inherent vulnerabilities of the DNS years ago.
“You can’t stop a DNS flood by shutting down those [DNS] servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and stop them.”
The collateral damage from the attack is varied. Mainly, those Internet users who have grown accustomed to high-speed connections may have seen response times slow down. For example, some people accessing the online streaming site Netflix have reported a slowdown.
The bigger concern now is the question, “Are the attacks over?” Once the genie is let out of the bottle, it can be difficult to put it back in. Security analysts are concerned that these attacks are not over and while today Netflix may be affected, tomorrow it could be a nation’s banking system.