BIGGEST DDoS in history FAILS to slash interweb arteries

Bombardment without collateral damage - amazing


'A minor amount of collateral congestion'

Spamhaus compiles lists of IP addresses of servers and other computers accused of distributing spam or promoted using junk mail. These blacklists are used by ISPs, businesses and spam-filtering firms to block the worst sources of unsolicited marketing mail before applying more computational intensive filtering techniques, such as analysing the actual content of messages.

Junk-mail distributors and the like regularly threaten, sue or DDoS Spamhaus. Some businesses also object to Spamhaus's alleged vigilante approach to tackling spam.

Spamhaus's blocklists are distributed via DNS and are widely mirrored in order to ensure the overall system is resilient to attacks. The blacklists were never affected and were even updated, with none of its core infrastructure going titsup, according to Spamhaus.

"Only the website and our email server were affected," Steve Linford, chief executive for Spamhaus, told the El Reg. "All Spamhaus DNSBL [DNS Block List] services continued to run unaffected throughout the attack. In fact Spamhaus DNSBLs have never once been down since we started them in 2001."

Linford praised the support of engineers at CloudFlare and Amazon, which supplied load balancing of DNS services, for ensuring its service remained available during the packet carpet bombing. He claimed the attack caused Netflix to slow down and caused congestion elsewhere on the web.

Netflix itself said that the attack had no impact on its service, while internet traffic exchanges in both London and Amsterdam - two of the top three peering hubs in Europe, the arteries of the internet - both played down the impact of the attack beyond CloudFlare and its customers.

Malcolm Hutty, head of public affairs at LINX, the London Internet Exchange, said: "Apart from CloudFlare we saw a minor amount of collateral congestion in a small portion of our network which may, or may not have, have affected some members. This would have been accommodated through their normal procedures."

Ordinary internet users would not have been affected because the DNS flood "only have affected CloudFlare and its customers", he added.

CloudFlare uses Anycast technology which spreads the load of a distributed attack across all 23 of its data centres. Even so it was left reeling from the weight of the assault, which prompted it to suspend its peering in London.

Overblown reports that the internet slowed down or ground to halt appear to be well wide of the mark. This is not to dismiss the significance of the attack, or take anything away from CloudFlare for helping Spamhaus to weather the storm. The simple fact is the attack amounted to nothing more severe than minor congestion, an assessment backed up by AMX-IX, the Amsterdam internet exchange as well as its counterpart in London.

"We have not experienced any disruptions related to our platform," a spokeswoman for AMX-IX told El Reg. "When we look at the amount of traffic some of our members and customers exchange we see some increases here and there, but they could easily manage it."

The New York Times claimed that the attacks against Spamhaus appear to be tied to a dispute with CyberBunker, a website hosting provider in the Netherlands. CyberBunker is accused by Spamhaus of being the world's most toxic haven of phishing and malware.

CyberBunker is quite open in running a bullet-proof anonymous hosting facility out of a Cold War bunker in the Netherlands where anything goes except child-abuse material and terror-related websites. "Customers are allowed to host any content they like, except child porn and anything related to terrorism," its online policy states.

The hosting provider told El Reg it denies any involvement in spamming. It declined to respond directly to the accusation in the NYT article that CyberBunker was retaliating against Spamhaus for “abusing its influence” and using vigilante tactics in the fight against spam:

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

®

Similar topics

Broader topics


Other stories you might like

  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Cloudflare menaces virtual desktops with isolated browser access to internal networks
    Gives cloudy email a kicking, too – but VDI should be safe in its bastions

    Cloudflare has added the ability to access private networks to its browser isolation service, and suggests the combo represents an alternative to virtual desktop infrastructure.

    Browser isolation requires organizations to have a Cloudflare Zero Trust account, and to install a client on users' devices. Cloudflare runs a browser in its cloud and users browse as usual – but Cloudflare intervenes so that users don't make it to whichever web server they intend to visit.

    Cloudflare browses to the server and then redraws the web page on the client browser. The user's device therefore never touches the web server, so anything nasty on a page is snuffed out by Cloudflare in its cloud instead of poisoning a local PC.

    Continue reading
  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after Israel.tv's creators failed to show up to their hearings, and the judge ordered Israel-tv.com, Israel.tv and Sdarot.tv each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding Israel.tv in its piracy.

    Continue reading
  • Cloudflare explains how it managed to break the internet
    'Network engineers walked over each other's changes'

    A large chunk of the web (including your own Vulture Central) fell off the internet this morning as content delivery network Cloudflare suffered a self-inflicted outage.

    The incident began at 0627 UTC (2327 Pacific Time) and it took until 0742 UTC (0042 Pacific) before the company managed to bring all its datacenters back online and verify they were working correctly. During this time a variety of sites and services relying on Cloudflare went dark while engineers frantically worked to undo the damage they had wrought short hours previously.

    "The outage," explained Cloudflare, "was caused by a change that was part of a long-running project to increase resilience in our busiest locations."

    Continue reading
  • Cloudflare's outage was human error. There's a way to make tech divinely forgive
    Don't push me 'cos I'm close to the edge. And the edge is safer if you can take a step back

    Opinion Edge is terribly trendy. Move cloudy workloads as close to the user as possible, the thinking goes, and latency goes down, as do core network and data center pressures. It's true  – until the routing sleight-of-hand breaks that diverts user requests from the site they think they're getting to the copies in the edge server. 

    If that happens, everything goes dark – as it did last week at Cloudflare, edge lords of large chunks of web content. It deployed a Border Gateway Protocol policy update, which promptly took against a new fancy-pants matrix routing system designed to improve reliability. Yeah. They know. 

    It took some time to fix, too, because in the words of those in the know, engineers "walked over each other's changes" as fresh frantic patches overwrote slightly staler frantic patches, taking out the good they'd done. You'd have thought Cloudflare of all people would be able to handle concepts of dirty data and cache consistency, but hey. They know that too. 

    Continue reading
  • Malaysia-linked DragonForce hacktivists attack Indian targets
    Just what we needed: a threat to rival Anonymous

    A Malaysia-linked hacktivist group has attacked targets in India, seemingly in reprisal for a representative of the ruling Bharatiya Janata Party (BJP) making remarks felt to be insulting to the prophet Muhammad.

    The BJP has ties to the Hindu Nationalist movement that promotes the idea India should be an exclusively Hindu nation. During a late May debate about the status of a mosque in the Indian city of Varanasi – a holy city and pilgrimage site – BJP rep Nupur Sharma made inflammatory remarks about Islam that sparked controversy and violence in India.

    Continue reading
  • Cloudflare stomps huge DDoS attack on crypto platform
    At 15.3 million requests per second, the assault was the largest HTTPS blitz on record lasting 15 seconds

    Cloudflare this month halted a massive distributed denial-of-service (DDoS) attack on a cryptocurrency platform that not only was unusual in its sheer size but also because it was launched over HTTPS and primarily originated from cloud datacenters rather than residential internet service providers (ISPs).

    At 15.3 million requests-per-second (rps), the DDoS bombardment was one of the largest that the internet infrastructure company has seen, and the largest HTTPS attack on record.

    It lasted less than 15 seconds and targeted a crypto launchpad, which Cloudflare analysts in a blog post said are "used to surface Decentralized Finance projects to potential investors."

    Continue reading
  • Let's play everyone's favorite game: REvil? Or Not REvil?
    Another day, another DDoS attack that tries to scare the victim into paying up with mention of dreaded gang

    Akamai has spoken of a distributed denial of service (DDoS) assault against one of its customers during which the attackers astonishingly claimed to be associated with REvil, the notorious ransomware-as-a-service gang.

    REvil was behind the JBS and Kaseya malware infections last year. In January, Russia reportedly dismantled REvil's networks and arrested 14 of its alleged members, theoretically putting an end to the criminal operation. 

    Beginning in late April, however, the same group of miscreants — or some copycats  — appeared to resume their regularly scheduled ransomware activities with a new website for leaking data stolen from victims, and fresh malicious code.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading

Biting the hand that feeds IT © 1998–2022