Spammers vs. anti-spammers: 'nuclear' botnet attack bogs down Internet

A digital firefight is bogging down the entire Internet thanks to botnets – masses of hijacked computers – employed by spammers as digital cannons to attack an anti-spam group.

So-called “distributed denial of service” or DDoS attacks are nothing new and barely raise an eyebrow among cyberwarfare experts. This is different. In this case it’s the size of the attack that’s garnering the attention – about three times larger than the largest previously recorded DDoS attack.

The target is Spamhaus, a European group that tracks spammers on the Internet. Much to the annoyance of spammers, Spamhaus maintains a blacklist of bad actors that it distributes to spam-blocking services worldwide. Blacklisted sites have hit back before – but never this hard.

Arbor Networks, a cybersecurity company monitoring DDoS attacks, says Wednesday’s attack appears to be the biggest on record – about 300 billion bits (300 gigabits) per second. That’s big enough to have an impact on data intensive services like Netflix, which was among services reportedly slowed by the attack.

“Arbor has been monitoring DDoS for more than a dozen years and we’ve seen attack size peaking at around 100 Gbps in recent years,” says Dan Holden, director of ASERT, Arbor Network’s Security Engineering & Response Team. “Today’s attack appears to be significantly larger than that.”

The monster attack began after Spamhaus blacklisted a Netherlands based web-hosting group called Cyberbunker earlier this month. Soon the DDoS tide was rising from routine surge to tidal wave proportions. One impact of the attack: Spamhaus website is blocked, although the company is still reportedly able to send out its list.

But the other more noticeable impact is a slowdown on the whole Internet. That’s because the attackers have used a weakness that is part of the Internet’s architecture – exploiting the Internet’s core infrastructure, a computer directory called the Domain Name System, or DNS. The bots blasted their junk data – messages that appear to be from Spamhaus – at the DNS servers worldwide. That, in turn, sent a Niagara of data blasting back at Spamhaus, but bogged down the entire Internet, too, experts say.

“It is not surprising that DNS amplification was used in an attack of this size,” Mr. Holden says. “Just over one-quarter of respondents [to a company survey] experienced customer-impacting DDoS attacks on their DNS infrastructure in 2012, a 100 percent increase over the previous year.”

One indicator of scale compares Wednesday’s attacks with recent enormous DDoS attacks against US banks that began last fall – and are continuing. Those bank DDoS attacks had been notable for being in the range of 65-70 gigabits per second – about 15 to 30 times larger than usual for such cyberattacks and roughly equal to data contained in 250,000 books shot at a bank website each second.

By comparison, the December 2010 hacktivist-inspired "Operation Avenge Assange," DDoS attacks conducted by the hacktivist group Anonymous, now look miniscule – ranging in size from 2 gigabits per second to 4 gigabits, indicating perhaps 3,000 to 7,000 attackers at any one moment.

At 300 Gbps, there have even been hyperbolic comparisons made to nuclear detonations. Cyberbunker has not officially claimed responsibility for the attack, although some claiming to speak for the group said its members were attacking. Other cybersecurity experts concurred with that.

“These guys [Cyberbunker] are just mad,” Patrick Gilmore, chief architect at Aramaic Networks, a digital content provider, told The New York Times. “To be frank, they got caught. They think they should be allowed to spam.”