Members
  • Total Members: 12818
  • Latest: martin
Stats
  • Total Posts: 28535
  • Total Topics: 8240
  • Online Today: 980
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Largest DDoS attack ever recorded vs. Spamhaus ?!  (Read 1452 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Largest DDoS attack ever recorded vs. Spamhaus ?!
« on: 27. March 2013., 20:41:33 »


Anti-spam organisation Spamhaus has recovered from possibly the largest ‪DDoS‬ attack in history.

A massive 300Gbps was thrown against Spamhaus' website but the anti-spam organisation was able to recover from the attack and get its core services back up and running. CloudFlare, the content delivery firm hired by Spamhaus last week to guard against an earlier run of DDoS attacks, was also hit, forcing it into taking the highly unusual step of dropping London as a hub in its network - as a Twitter update by CloudFlare on Monday explained: https://twitter.com/CloudFlareSys/status/316284579247960064

    "Our peering in London has been dropped due to a large attack. Modifying routes to avoid degradation. Affecting location: London, GB"

Spamhaus supplies lists of IP addresses for servers and computers on the net linked to the distribution of spam. The blacklists supplied by the not-for-profit organisation are used by ISPs, large corporations and spam filtering vendors to block the worst sources of junk mail before other spam filtering measures are brought into play.

Spammers, of course, hate this practice so it's no big surprise that Spamhaus gets threatened, sued, and DDoSed regularly. Those affected by what they regard as incorrect listings also object about Spamhaus' alleged vigilante tactics.

The latest run of attacks began on 18 March with a 10Gbps packet flood that saturated Spamhaus' connection to the rest of the Internet and knocked its site offline: http://www.spamhaus.org/news/article/694/ddos-update-20-march-2013
Spamhaus's blocklists are distributed via DNS and widely mirrored in order to ensure that it is resilient to attacks. The website, however, was unreachable and the blacklists weren't getting updated.

The largest source of attack traffic against Spamhaus came from DNS reflection, launched through Open DNS resolvers rather than directly via compromised networks. Spamhaus turned to CloudFlare for help and the content delivery firm was able to mitigate attacks that reached a peak of 75Gbps, as explained in a blog post here: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

Things remained calm for a few days before kicking off again with even greater intensity - to the extent that collateral damage was seen against services such as Netflix, the New York Times reports: http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all

Spamhaus' site remains available at the time of writing on Wednesday. Steve Linford, chief executive for Spamhaus, told the BBC that the scale of the attack was unprecedented: http://www.bbc.co.uk/news/technology-21954636

"We've been under this cyber-attack for well over a week.But we're up - they haven't been able to knock us down. Our engineers are doing an immense job in keeping it up - this sort of attack would take down pretty much anything else," he said.

Turning up the volume of DDoS attacks

A blog post by CloudFlare, written last week before the latest run of attacks, explains the mechanism of the attack against Spamhaus and how it can be usde to amplify packet floods.

    "The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.

    In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor."


CloudFlare reckons 30,000 unique DNS resolvers have been involved in the attack against Spamhaus.

"Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750Mbps - which is possible with a small sized botnet or a handful of AWS instances," it explains.

(ElReg)

Samker's Computer Forum - SCforum.info

Largest DDoS attack ever recorded vs. Spamhaus ?!
« on: 27. March 2013., 20:41:33 »




devnullius

  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
    • SCForum.info
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #1 on: 28. March 2013., 19:48:45 »
smart :(
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Fintech

  • SCF Advanced Member
  • ***
  • Posts: 329
  • KARMA: 41
  • Gender: Male
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #2 on: 30. March 2013., 09:20:16 »
This hasn't been however so bad as it initially was held! fortunately  :)
I'm old man but still alive as well :)

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #3 on: 31. March 2013., 09:20:14 »
Provocateur Comes Into View After Cyberattack

Sven Olaf Kamphuis calls himself the “minister of telecommunications and foreign affairs for the Republic of CyberBunker”: http://cyberbunker.com/web/index.php Others see him as the Prince of Spam.

Mr. Kamphuis, who is actually Dutch, is at the heart of an international investigation into one of the biggest cyberattacks identified by authorities. He has not been charged with any crime and he denies direct involvement. But because of his outspoken position in a loose federation of hackers, authorities in the Netherlands and several other countries are examining what role he or the Internet companies he runs played in snarling traffic on the Web this week.

More: http://www.nytimes.com/2013/03/30/business/global/after-cyberattack-sven-olaf-kamphuis-is-at-heart-of-investigation.html?pagewanted=all&_r=1&

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
    • SCForum.info
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #4 on: 01. April 2013., 19:00:01 »
FROM: http://www.newscientist.com/article/dn23334-huge-online-attack-exposes-internets-vulnerability.html

Copy Paste:

Huge online attack exposes internet's vulnerability

22:35 29 March 2013 by Hal Hodson
It was the largest online attack ever reported. Over the course of the past week, servers belonging to an international non-profit company called The Spamhaus Project, which fights email spammers, were inundated with up to 38 gigabytes of traffic each second. That's about 10 DVDs' worth of data. The company ground to a halt, and another firm that tried to come to Spamhaus's online aid was also drawn into the battle. News reports suggested the onslaught was so big that the internet itself slowed down during the worst of it. Such accounts may have been overblown, but in the aftermath it has become clear that the attackers can exploit vulnerabilities in just about anything – from software to the infrastructure of the internet itself – to devastating effect.

In the case of the Spamhaus ambush, the attackers exploited open domain name server (DNS) resolvers, the address books of the internet. The majority of internet users only ever ask these internet address books to handle simple requests like, "Take me to www.google.com". But a lot of DNS software comes with default settings that call for it to answer many other questions, like making sure that a website is what it says it is. Such requests can massively boost the amount of traffic that the DNS resolver returns. "If you make a request for DNS security labels or extensions, the response is very large," says Jared Mauch of NTT America, who is based in Ann Arbor, Michigan .

The attackers query DNS resolvers en masse. In the process, they fake their own IP addresses, replacing them with the address of the target. This technique, called IP spoofing, results in a torrent of the DNS responses all flooding into the target at once.

Next big thing

There are fixes, but networks have been slow to adopt them. One initiative, the Open DNS Resolver Project is set up to encourage people to make the adjustments: simply changing the settings on software and equipment is enough. But even if operators do shore up DNS resolvers, there are signs that attackers are already moving on to the next big exploit.

Mike Smith, director of the customer security internet response team at Akamai in Cambridge, Massachusetts, says he has been dealing with a hole in web-based content-management systems like Wordpress and Joomla which lets attackers use other companies' hosting platforms to launch their attacks.

"These content-management systems are basically not managed," Smith says. "People often have Wordpress and Joomla installed on their servers, and they don't even know that they have it. Attackers are taking over these applications."

Because company servers have faster internet connections than home computers, the infected software – which forms a network known as the BroBot – can be taken over and made to launch highly powerful attacks. "Those servers have 100 megabits of internet capacity each. They can send a lot of traffic very quickly," he says.

Karma!

devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #5 on: 02. April 2013., 09:08:52 »
I use Spamhaus as one of my spam filter server. But offcaus I use other site also so make this effect me they need to attack more of the spam filter sites. Ther are 100 of site thay need to attack simulanusly tha make this kind of attack to work or that need to know witch site I use to filter my e-mail in. So a good way is to always use multiple site to protect your mailservers from spam and have a service avable if some one attack a spamfilter site. Offcause you should not configure (if possible) to tell a spamer that you do not allow mail due to it is blocket from a spam site and what site it is.

Her is some list of useble spam list sites:
http://spamlinks.net/filter-bl.htm


and other spam tools:
http://www.rahul.net/falk/
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
    • SCForum.info
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #6 on: 02. April 2013., 20:48:49 »
I do not like opendns or anything that blocks access - unless in very very very urgent cases.

I read a Dutch article explaining this well, but you don't read Dutch? Couldn't find a real good English article, but I did find this (SOURCE: http://www.techrepublic.com/blog/security/ddos-strike-on-spamhaus-highlights-need-to-close-dns-open-resolvers/9296)

"However, it also has a lot of enemies, and is the center of many controversies. The reason is that they have final say on which sites appear in their database. If they decide one particular business is sending spam, and they add their server to the blacklist, that will greatly affect the company’s ability to do business. The site does offer ways to get a case reviewed and potentially get removed from the list, but many still feel that Spamhaus is acting as judge, jury and executioner. So as a result, Spamhaus is often the victim of attacks."

devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Re: Largest DDoS attack ever recorded vs. Spamhaus ?!
« Reply #7 on: 03. April 2013., 10:26:38 »
As I say in my singature.
"Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex."

I feal that good DNSBL is good but it need som work and maintenace to mak a secure site realy secure. If you find some importent costumer blocked thay probebly have some securety problem in ther site or IP range and thay need to know it to take care of the problem. Under the time that fix ther problem and get ther site whitelistad you can always whitlist ther site and IP in your own server!
So this is only regular maintenace if you want to secure a mailserver/site. If you want to have a more less secure site and more risk to get spam then it is just that you don't implement the DNSBL. The chois is always a company policy and security. Good securety always have a cost but it can be a higer cost for the company to not have a secure enviroment.
Think of the cost for every user in a company with about 2000 employees that handel let us tell 10 spam a day in average. Every spam for unexperanse user can take 1 minutes and you probebly have 10% unexperanse users. That give you 200 minutes/day (3 houer/day and in a year about 900 houer that give you a halfe time employ in work for noting) in lost work time.
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising