17/4/2014 Chronology of a DDoS: SpamHaus


Seth Hanford | March 28, 2013 at 2:27 pm PST (0 Comments)

Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack. The DDoS attacks have also had less severe but measurable consequences for the Composite Block List (CBL) as well as Project Honey Pot.

The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and subsequently used a Domain Name System (DNS) server at the IP to return a positive result for every SpamHaus Domain Name System-based Block List (DNSBL) query. This caused all SpamHaus customers querying the rogue nameserver to erroneously drop good connections.
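A mail operator querying the hijacked nameserver would have seen every address come back "listed". The following is an added example, not code from the Cisco post or from SpamHaus, showing the sanity check a DNSBL client can run before trusting any answer: RFC 5782 requires every IPv4 DNSBL zone to list the test address 127.0.0.2 and to not list 127.0.0.1, so a resolver that returns a listing for 127.0.0.1 is either misconfigured or rogue. The zone name `dnsbl.example` and the three resolver callables are constructed placeholders; a real deployment would plug in an actual DNS lookup.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# RFC 5782 test points: a sane IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1.
TEST_LISTED = "127.0.0.2"
TEST_UNLISTED = "127.0.0.1"

# A resolver takes a query name and returns the A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL query name, e.g. 10.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def check_dnsbl(resolve: Resolver, zone: str) -> dict:
    """Probe the RFC 5782 test points and decide whether the zone's answers are trustworthy."""
    listed = resolve(dnsbl_name(TEST_LISTED, zone))
    unlisted = resolve(dnsbl_name(TEST_UNLISTED, zone))
    if listed is None:
        reason = "127.0.0.2 not listed: zone unreachable, dead, or withdrawn"
    elif unlisted is not None:
        # Exactly the failure mode of the rogue nameserver: it lists everything.
        reason = "127.0.0.1 is listed: nameserver returns a positive result for every query"
    else:
        reason = "ok"
    return {"healthy": reason == "ok", "reason": reason}


def should_reject(resolve: Resolver, zone: str, client_ip: str) -> Tuple[bool, str]:
    """Reject a connection only when the zone passes the sanity check AND lists the client.

    Failing open on a broken zone is deliberate: failing closed would reproduce the
    outage the hijack caused, dropping every good connection.
    """
    health = check_dnsbl(resolve, zone)
    if not health["healthy"]:
        return False, "dnsbl zone failed sanity check: " + health["reason"]
    if resolve(dnsbl_name(client_ip, zone)) is not None:
        return True, "listed"
    return False, "not listed"


# --- constructed resolvers standing in for real DNS lookups (placeholders) ---

def healthy_resolver(name: str) -> Optional[str]:
    # Lists the RFC 5782 test point and one constructed bad host, 192.0.2.10.
    if name.startswith("2.0.0.127.") or name.startswith("10.2.0.192."):
        return "127.0.0.2"
    return None


def rogue_resolver(name: str) -> Optional[str]:
    # Hijacked nameserver behaviour described in the post: everything is listed.
    return "127.0.0.2"


def dead_resolver(name: str) -> Optional[str]:
    # Zone gone (NXDOMAIN for everything), as during an outage.
    return None


if __name__ == "__main__":
    for label, r in [("healthy", healthy_resolver), ("rogue", rogue_resolver), ("dead", dead_resolver)]:
        print(label, check_dnsbl(r, "dnsbl.example"), should_reject(r, "dnsbl.example", "198.51.100.5"))
```

Run the probe periodically (and on every cache miss burst) rather than once at startup; the hijack in this incident lasted long enough that a one-time check would have passed before the route was announced.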

According to the New York Times, Sven Olaf Kamphuis is acting as a “spokesman for the attackers.” Kamphuis is allegedly associated with hosting provider “the CyberBunker,” which is housed in an old, five-story NATO bunker located in the . CyberBunker has a reputation for “bulletproof hosting,” not only because of the physically fortified infrastructure, but also for their permissive terms of use, stating “Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine.” Kamphuis is also allegedly affiliated with the StopHaus group, which publicly claimed responsibility for the BGP hijack attack via Twitter.

Attacks on networks at the London Internet Exchange (LINX), German Internet Exchange (DE-CIX), Amsterdam Internet Exchange (AMS-IX), and most recently, the Hong Kong Internet Exchange (HKIX) are reportedly causing Internet delays across the world. The DDoS is perpetrated via open DNS resolvers using a DNS reflection attack. The current volume of the DDoS is reported to be quite large, topping 140 Gbps in some instances, while other reports suggest it may have been as high as 300+ Gbps. The DDoS appears largely directed at SpamHaus’ website, e-mail servers, DNS IPs, and other connectivity. Reliable sources from within SpamHaus inform Cisco that the blacklist data and the infrastructure where it is stored have not come under significant attack.

Other anti-spam organizations have been targeted, though none as heavily as SpamHaus. Both CBL and Project Honey Pot were affected by these same DDoS attacks, but their services appear to be operating normally once again.

DNS Reflection

DNS reflection attacks use open DNS resolvers. In a DNS reflection or amplification attack, the attacker issues a request to an open DNS resolver for some large set of data and spoofs the source IP of the victim. The DNS server responds by sending a large amount of data back to the victim’s IP. These types of DDoS attacks will only get worse until the open DNS resolvers around the Internet are closed. Cisco has some resources for how to protect against DDoS attacks, mitigate them with anycast, and secure DNS infrastructure, as well as those on protecting BGP and anti-spoofing countermeasures. Enabling IPS signatures for DNS flooding can also help prevent an organization from becoming an unwitting participant in the flood of traffic bound for the target.
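An operator who wants to know whether their own resolver is being used as a reflector can look for two things in the query log: recursion requested from addresses outside the networks the resolver is meant to serve, and repeated high-amplification queries (ANY, TXT, DNSKEY, RRSIG) from a single "source", which in a reflection attack is the spoofed victim. The following is an added example, not code from the Cisco post, that runs that detection over a handful of constructed query-log lines in a BIND-style format (`client IP#port ... query: NAME IN TYPE FLAGS`, where a leading `+` in FLAGS means recursion desired). The log lines, the addresses and the threshold are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# BIND-style querylog line (format approximated for this example).
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Record types whose responses are large relative to the query, i.e. attractive for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_query(line: str) -> Optional[Dict[str, object]]:
    """Extract source address, query name, type and the recursion-desired flag from one log line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
        "rd": m.group("flags").startswith("+"),  # BIND logs '+' when RD is set, '-' otherwise
    }


def find_reflection_abuse(lines: List[str], allowed_clients: List[str], threshold: int = 5) -> List[dict]:
    """Flag external recursion requests and per-source bursts of amplifying query types."""
    nets = [ipaddress.ip_network(n) for n in allowed_clients]
    external_rd: Counter = Counter()
    amplifying: Counter = Counter()
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        src = ipaddress.ip_address(str(q["src"]))
        internal = any(src in n for n in nets)
        if q["rd"] and not internal:
            # The resolver is answering recursive queries for the whole Internet: it is "open".
            external_rd[str(q["src"])] += 1
        if q["qtype"] in AMPLIFYING_QTYPES:
            amplifying[str(q["src"])] += 1
    findings = []
    for src, n in sorted(external_rd.items()):
        findings.append({"src": src, "kind": "recursion-from-outside", "count": n})
    for src, n in sorted(amplifying.items()):
        if n >= threshold:
            # Many ANY/TXT queries "from" one address: that address is the probable spoofed victim.
            findings.append({"src": src, "kind": "amplification-pattern", "count": n})
    return findings


# Constructed sample log: three legitimate internal lookups, one non-recursive external
# query, and a burst of recursive ANY queries "from" 203.0.113.9 (the spoofed victim).
SAMPLE_LOG = [
    "16-Mar-2013 12:00:01.101 client 10.0.0.21#51234: query: www.example.com IN A +E (10.0.0.53)",
    "16-Mar-2013 12:00:01.205 client 10.0.0.22#51235: query: mail.example.com IN MX + (10.0.0.53)",
    "16-Mar-2013 12:00:01.310 client 10.0.0.23#51236: query: example.com IN AAAA +E (10.0.0.53)",
    "16-Mar-2013 12:00:01.400 client 198.51.100.4#3053: query: example.com IN A - (10.0.0.53)",
] + [
    f"16-Mar-2013 12:00:02.{i:03d} client 203.0.113.9#{40000 + i}: query: example.net IN ANY +E (10.0.0.53)"
    for i in range(6)
]

ALLOWED_CLIENTS = ["10.0.0.0/8"]  # constructed: the networks this resolver is supposed to serve


def analyze_sample() -> List[dict]:
    return find_reflection_abuse(SAMPLE_LOG, ALLOWED_CLIENTS, threshold=5)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f)
```

A "recursion-from-outside" finding is the configuration problem to fix (restrict recursion to the allowed client networks); an "amplification-pattern" finding is the operational signal that the fix is already overdue and that response-rate limiting should be enabled in the meantime.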

The StopHaus group has set up a website and Twitter account where they have publicly expressed their dislike for SpamHaus and have claimed a role in the attacks.

A post from the StopHaus Twitter account on March 24 reads, “@cloudfare if you truely wanna stop DDoS attacks, routers all need to evenly spread cap on out interface. takes a few tb of ram for stats.” That tweet sounds strikingly similar to an e-mail sent by Kamphuis to the North American Network Operators Group (NANOG) mailing list in February 2012 discussing DDoS attacks where Kamphuis states, in part, “there is a fix for it, it’s called ‘putting a f***ton of ram in -most- routers on the internet’ and keeping statistics for each destination… keyword here, is terabytes of ram.” That same post made to the NANOG mailing list links the cb3rob moniker with Sven Olaf Kamphuis. This link is further strengthened by a public Facebook page which also reflects the linkage with the CyberBunker. This moniker correlates with a StopHaus website page that seems to have a transcript of the interview with the New York Times.

No Cisco customers should be directly affected by the DDoS attack; however, network slowdowns or blockages may occur over some links as a result of competing with the DDoS traffic for limited bandwidth. Additionally, at no time were Cisco security devices affected by the BGP injection attack.

Timeline

March 27, 2013 09:30 – DDoS attacks continue, SpamHaus weathers storm
March 22, 2013 18:00 – DDoS at SpamHaus goes from 30 Gbps to over 140 Gbps
March 21, 2013 00:00 – CBL site recovers
March 20, 2013 13:00 – DDoS attacks take down the CBL
March 18, 2013 23:00 – SpamHaus site recovers
March 16, 2013 12:00 – DDoS attacks take down SpamHaus website and MX IP

Tags: Cisco Security, cisco sio, DDoS, distributed denial of service, dns, DNS reflection attack, spamhaus, TRAC
