
Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack. The DDoS attacks have also had less severe but measurable consequences for the Composite Block List (CBL) as well as Project Honey Pot.

The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and subsequently used a Domain Name System (DNS) server at the IP to return a positive result for every SpamHaus Domain Name System-based Block List (DNSBL) query. This caused all SpamHaus customers querying the rogue nameserver to erroneously drop good connections.
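One defensive check the hijack described above motivates, written here as an added example (not code from the original post, from Cisco, or from SpamHaus): a DNSBL client that verifies the RFC 5782 test points before trusting any answer, so a nameserver that lists everything is detected as untrusted rather than obeyed. The zone name, the resolver callables and the listed addresses are constructed stand-ins, no network is used.

```python
# Added example: DNSBL lookups guarded by the RFC 5782 sanity test points.
# 127.0.0.2 MUST be listed and 127.0.0.1 MUST NOT be. A resolver that says
# "listed" for 127.0.0.1 is answering positively for every query, which is
# the failure mode a rogue nameserver behind a hijacked route produces.

def reverse_octets(ip):
    """192.0.2.10 -> 10.2.0.192 (DNSBL query names reverse the octets)."""
    return ".".join(reversed(ip.split(".")))

def dnsbl_name(ip, zone):
    return f"{reverse_octets(ip)}.{zone}"

def zone_is_sane(lookup, zone):
    """`lookup(name)` returns the A record as a string, or None for NXDOMAIN."""
    must_list = lookup(dnsbl_name("127.0.0.2", zone)) is not None
    must_not_list = lookup(dnsbl_name("127.0.0.1", zone)) is None
    return must_list and must_not_list

def check_ip(lookup, zone, ip):
    """Return 'listed', 'clean' or 'untrusted'. A zone failing its sanity
    checks is untrusted, so no connection is dropped on its answers."""
    if not zone_is_sane(lookup, zone):
        return "untrusted"
    return "listed" if lookup(dnsbl_name(ip, zone)) is not None else "clean"

# Constructed stand-ins for a real resolver (placeholder zone, sample data).
ZONE = "dnsbl.example"
LISTED = {dnsbl_name("127.0.0.2", ZONE), dnsbl_name("198.51.100.7", ZONE)}

def healthy_lookup(name):
    return "127.0.0.2" if name in LISTED else None

def hijacked_lookup(name):
    # Simulates the rogue server: every query "is listed".
    return "127.0.0.2"

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, check_ip(healthy_lookup, ZONE, ip),
              check_ip(hijacked_lookup, ZONE, ip))
```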

According to the New York Times, Sven Olaf Kamphuis is acting as a “spokesman for the attackers.” Kamphuis is allegedly associated with hosting provider “the CyberBunker,” which is housed in an old, five-story NATO bunker located in the Netherlands. CyberBunker has a reputation for “bulletproof hosting,” not only because of the physically fortified infrastructure, but also for their permissive terms of use, stating “Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine.” Kamphuis is also allegedly affiliated with the StopHaus group, which publicly claimed responsibility for the BGP hijack attack via Twitter. 

Attacks on networks at the London Internet Exchange (LINX), German Internet Exchange (DE-CIX), Amsterdam Internet Exchange (AMS-IX), and most recently, the Hong Kong Internet Exchange (HKIX) are reportedly causing Internet delays across the world. The DDoS is perpetrated via open DNS resolvers using a DNS reflection attack. The current volume of the DDoS is reported to be quite large, topping 140Gbps in some instances, while other reports suggest it may have been as high as 300+ Gbps. The DDoS appears largely directed at SpamHaus’ website, e-mail servers, and DNS IPs, or other connectivity. Reliable sources from within SpamHaus inform Cisco that the blacklist data and infrastructure where it is stored has not come under significant attack.

Other anti-spam organizations have been targeted, though none as heavily as SpamHaus. Both CBL and Project Honey Pot were affected by these same DDoS attacks, but their services appear to be operating normally once again.

DNS Reflection

DNS reflection attacks use open DNS resolvers. In a DNS reflection or amplification attack, the attacker issues a request to an open DNS resolver for some large set of data and spoofs the source IP of the victim. The DNS server responds by sending a large amount of data back to the victim’s IP. These types of DDoS attacks will only get worse until the open DNS resolvers around the Internet are closed. Cisco has some resources on how to protect against DDoS attacks, mitigate them with anycast, and secure DNS infrastructure, as well as on protecting BGP and anti-spoofing countermeasures. Enabling IPS signatures for DNS flooding can also help prevent an organization from becoming an unwitting participant in the flood of traffic bound for the target.
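To make the reflection pattern concrete from the resolver operator's side, here is an added example (not code from the original post or from Cisco) that flags likely reflection traffic in resolver logs. Each constructed log line records one query/response pair as source IP, query type, query bytes and response bytes; a reflection attack shows up as many large, highly amplified answers flowing to one "source", which is really the spoofed victim. The log format and the thresholds are assumptions.

```python
# Added example: spot DNS reflection in resolver logs by the per-source
# amplification ratio (response bytes / query bytes). Log format is assumed:
#   <src ip> <qtype> <query bytes> <response bytes>
from collections import defaultdict

SAMPLE_LOG = """\
198.51.100.20 A 45 120
198.51.100.20 A 47 130
203.0.113.5 ANY 64 3100
203.0.113.5 ANY 64 3100
203.0.113.5 ANY 64 3100
203.0.113.5 TXT 58 2800
192.0.2.77 MX 50 400
"""  # constructed sample; 203.0.113.5 is the spoofed victim

def parse(log):
    """Yield (src, qtype, qbytes, rbytes), skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, qtype, qb, rb = parts
        yield src, qtype, int(qb), int(rb)

def amplification_by_source(log):
    """Return {src: (query count, total response bytes, amplification)}."""
    q_bytes, r_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _qtype, qb, rb in parse(log):
        q_bytes[src] += qb
        r_bytes[src] += rb
        count[src] += 1
    return {s: (count[s], r_bytes[s], r_bytes[s] / q_bytes[s]) for s in count}

def suspected_victims(log, min_amp=10.0, min_queries=3):
    """Sources receiving a burst of highly amplified answers are likely spoofed
    victims: this resolver is being used as a reflector against them."""
    stats = amplification_by_source(log)
    return sorted(s for s, (n, _b, amp) in stats.items()
                  if amp >= min_amp and n >= min_queries)

if __name__ == "__main__":
    for src, (n, b, amp) in amplification_by_source(SAMPLE_LOG).items():
        print(f"{src:15} queries={n} resp_bytes={b} amp={amp:.1f}x")
    print("suspected reflection targets:", suspected_victims(SAMPLE_LOG))
```

Closing recursion to outside clients removes the resolver as a reflector entirely; this check is for spotting abuse while that is being done.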

The StopHaus group has set up a website and Twitter account where they have publicly expressed their dislike for SpamHaus and have claimed a role in the attacks.


A post from the StopHaus Twitter account on March 24 reads, “@cloudfare if you truely wanna stop DDoS attacks, routers all need to evenly spread cap on out interface. takes a few tb of ram for stats.” That tweet sounds strikingly similar to an e-mail sent by Kamphuis to the North American Network Operators Group (NANOG) mailing list in February 2012 discussing DDoS attacks where Kamphuis states, in part, “there is a fix for it, it’s called ‘putting a f***ton of ram in -most- routers on the internet’ and keeping statistics for each destination… keyword here, is terabytes of ram.” That same post made to the NANOG mailing list links the cb3rob moniker with Sven Olaf Kamphuis. This link is further strengthened by a public Facebook page which also reflects the linkage with the CyberBunker. This moniker correlates with a StopHaus website page that seems to have a transcript of the interview with the New York Times.


No Cisco customers should be directly affected by the DDoS attack; however, network slowdowns or blockages may occur over some links as a result of competing with the DDoS traffic for limited bandwidth. Additionally, at no time were Cisco security devices affected by the BGP injection attack.

Timeline
March 27, 2013 09:30 – DDoS attacks continue, SpamHaus weathers storm
March 22, 2013 18:00 – DDoS at SpamHaus goes from 30Gbps to over 140Gbps
March 21, 2013 00:00 – CBL site recovers
March 20, 2013 13:00 – DDoS attacks take down the CBL
March 18, 2013 23:00 – SpamHaus site recovers
March 16, 2013 12:00 – DDoS attacks take down SpamHaus website and MX IP