
Lessons to learn from the Spamhaus-Cyberbunker battle

If you believe some media sources, yesterday saw the entire Internet grind to a crawl because of a spectacular cyberfight. The story has been overhyped, but the incident does highlight a technical flaw that’s very open to abuse.

The story involved a sustained attack on Spamhaus, an organization that maintains a blacklist of servers believed to be used for spam and supplies this list to companies to use to filter mail. Spamhaus fell out with Cyberbunker, a Dutch web hosting firm.

Cyberbunker in turn is believed to be on good terms with Stophaus, a group that objects in principle to the activities of Spamhaus and its effective power to block websites from communicating.

The dispute looks to be the cause of a series of DDoS attacks on Spamhaus, followed today by similar attacks on Cyberbunker. No party has admitted responsibility for any of the attacks at the time of writing.

Yesterday several mainstream media outlets described this as the biggest ever attack on the Internet and blamed it for a global slowdown in connection speeds. With little evidence that the attacks on Spamhaus had any significant widespread effects, it appears the story has been overhyped with the eager assistance of CloudFlare, a company hired by Spamhaus to protect against DDoS attacks.

The reports have an element of truth but also a degree of misunderstanding. It appears that at one stage the bogus requests to Spamhaus involved a combined 300Mbps of data. That’s about six times the level you’d expect on a “normal” major attack and three times the highest figure previously seen by CloudFlare. That’s the source of the “biggest attack ever” element of the story.

However, as others have pointed out, the sheer scale and design of the Internet itself means that although the attacks caused some serious local difficulties, the net is perfectly able to cope with 300MBps of traffic unexpectedly going to a single location. There also seems to have been a degree of confirmation bias: many people who saw or reported the story had experienced a slow connection at some point in the past few days, for one reason or another, and wrongly assumed the attack was the logical explanation.

The real story however is the nature of the DDoS attacks. They didn’t consist of attackers directly connecting to the Spamhaus website itself, but rather involved exploiting DNS servers, which are effectively the phone directory of the web and translate web addresses into IP addresses.

As ComputerWorld’s Jaikumar Vijayan explains, DNS servers are supposed to only respond to requests from their virtual neighbourhood, a bit like a library only letting locals in to check the phone directory. However, an estimated 27 million DNS servers are set up incorrectly and will accept requests from anywhere.

In this situation, it appears the attackers made bogus requests and spoofed their details to make it appear as if the requests came from Spamhaus. The DNS servers then sent the requested details to Spamhaus in high enough quantities to knock it offline.

There’s a large cry of “I told you so” from people who’ve been warning that this flaw is wide open to such abuse for many years. Hopefully this incident will encourage DNS server operators to sort their systems out and limit the chances of such attacks in future.
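For operators checking their own resolver, the following added example (not part of the original post) audits a resolver's query log for the two symptoms described above: answers given to clients outside the local networks, and one claimed source receiving many large responses. The log format, the address ranges and the thresholds are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the networks this resolver is meant to serve (documentation range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: (claimed source IP, query bytes, response bytes).
SAMPLE_LOG = [
    ("192.0.2.10", 40, 120),     # local client, normal lookup
    ("192.0.2.11", 38, 96),      # local client, normal lookup
    ("203.0.113.7", 44, 3100),   # outside client, small query, large answer
    ("203.0.113.7", 44, 3100),
    ("203.0.113.7", 44, 3050),
    ("198.51.100.5", 40, 100),   # outside client, single ordinary lookup
]


def is_local(ip):
    """True if the claimed source is inside a network the resolver should serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def audit(log, min_ratio=10.0, min_queries=3):
    """Summarise answered queries whose claimed source is not local.

    Any entry in the result means the resolver answers requests from anywhere.
    An entry is flagged as a likely reflection target when the same claimed
    source got at least min_queries answers that were, in total, at least
    min_ratio times larger than the queries (thresholds are assumptions).
    """
    stats = defaultdict(lambda: [0, 0, 0])  # queries, bytes in, bytes out
    for src, query_len, response_len in log:
        if is_local(src):
            continue
        entry = stats[src]
        entry[0] += 1
        entry[1] += query_len
        entry[2] += response_len

    findings = {}
    for src, (count, bytes_in, bytes_out) in stats.items():
        ratio = bytes_out / bytes_in
        findings[src] = {
            "queries": count,
            "amplification": round(ratio, 1),
            "likely_reflection_target": count >= min_queries and ratio >= min_ratio,
        }
    return findings
```

A non-empty result is itself the finding: a resolver restricted to its own networks would have refused every one of those queries.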

JLister
