The Spamhaus Project

news

Answers about recent DDoS attack on Spamhaus

by The Spamhaus TeamMarch 28, 20134 minutes reading time

At this time The Spamhaus Project is getting more press enquiries than we can personally respond to. Below is a list with the most frequently asked questions, along with our answers. If you are in need of any additional information please do not hesitate to contact us but we cannot guarantee a quick response. Our staff are almost all investigators and engineers who focus on dealing with spam and malware issues.

Is this the biggest attack ever?

It certainly is the biggest attack ever directed at Spamhaus. Many organizations are not open about the fact that they are attacked at all, let alone about techniques or traffic volumes used in the attack. Spamhaus understands their business and security concerns. However, we feel it is in the best interest of the Internet as a whole to openly discuss the DDoS cyberthreat and ways to resolve it. For that reason, when our DDoS mitigation service provider CloudFlare asked for our permission to discuss the attacks, we consented.

Cloudflare wrote two very interesting blog articles about the attacks:

http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

The first is a few days old. As explained in the second blog, attack volumes increased in later attacks. The first blog provides an accurate and detailed explanation about this type of DNS amplification attack.

Can big attacks cause issues for other parties?

Certainly. Core internet infrastructure may be overwhelmed by the amount of traffic involved in an attack. When that happens, all traffic that passes through that part of the Internet is impacted. Compare it to a big highway: If a traffic jam gets big enough, the on-ramps will slow down and fill up, and then the roads to the on-ramps will fill up too. Attacks can be directed at core infrastructure precisely to inflict such collateral damage. With this attack, some collateral damage may have been seen locally, all depending on where you connect to the internet and when you look.

Is the attack still ongoing?

Like almost every piece of infrastructure on the internet, we are constantly under attacks of various scales. At this time, the attacks against our servers have subsided and the sizes are smaller. However, attacks do not just come and go. They also change in nature all the time. We try to be ready for the next attack so that we can ensure that our users will be protected and the networks that rely on our service will be kept safe.

How can attacks like these be prevented?

Preventing attacks like these depends on two key technical measures. First, all networks should ensure that they do not allow traffic to leave their network that has "spoofed" (forged) sending addresses. Without the ability to spoof traffic there would be no reflection attacks possible. Secondly, open DNS resolvers (or for that matter, any other open and abusable internet resource) should be locked down and secured.

These attacks should be a call-to-action for the Internet community as a whole to address and fix those problems.

Do you know who is attacking you?

A number of people have claimed to be involved in these attacks. At this moment it is not possible for us to say whether they are really involved.

How and to whom is Spamhaus accountable?

Some people have claimed that Spamhaus is not accountable and can just censor anything we want. That is not the case. Not only do we have to operate within the boundaries of the law, we are also accountable to our users. If we started advising our users not to accept email from senders whose email they actually want to receive, they would quickly stop using our data because it would not meet their needs. We take pride in the quality of our data, and the fact that the biggest ISPs and networks all over the world use our data is a testament to its quality. The Spamhaus Project has been providing anti-spam advisory data for over 12 years without interruption.

Media requests (only!) are handled at media-intl-ext@spamhaus.org


Additional technical reading: