The website of non-profit spam fighter Spamhaus is online again after a huge DDoS attack knocked it offline on Sunday, but attackers are continue to target another anti-spam sites that help ISPs combat spam from infected IP addresses.
Spamhaus, which provides several anti-spam DNS-based blocklists and maintains the “register of known spam operations”, came under a huge DDoS attack on Sunday, which knocked its web server and mail server offline until Wednesday.
Spamhaus spokesperson Luc Rossini on Monday denied a report that Anonymous was behind the attack and pointed to a “Russian criminal malware gang” as the source.
On Tuesday Spamhaus sought cover from the attack with DDoS protection provider CloudFlare, which today reported the attack on Spamhaus reached a peak of about 75 gigabits per second.
The attackers used a cocktail of DDoS attack methods, but the primary one that helped generate that volume of traffic was a “reflection attack”, according to Matthew Prince, CloudFlare’s CEO.
“The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers,” Prince explained, noting that 30,000 open DNS resolvers were recorded in the attack, which used spoofed IP addresses CloudFlare had issued to Spamhaus.
“The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”
The attack reached a peak of about 75 gigabits per second.
Image credit: Cloudfare
The DDoS appears to be one component of a multi-pronged attack on blocklist tools the anti-spam community uses to stop botnets sending spam.
The “CBL” or composite blocklist webserver at http://cbl.abuseat.org, which hosts a list of infected IP address used for spam, was responding slowly on Sunday, according to Laura Atkins of anti-spam consultancy Word to the Wise.
Several commenters who use Spamhaus lists also reported their websites suddenly being listed on CBL and Spamhaus’ Exploit Blocklist (XBL).
In a Wednesday update, Atkins said the CBL website was still down and under attack, which meant there were “no public channels for delisting from the CBL”.
Spamhaus spokesperson Quentin Jenkins on Wednesday announced the organisation’s website was up again, but not all its other public systems, such as sites on its DNS-based blocklists can lodge requests to have IPs and domains removed from the list.
“Due to the unpredictable nature of DDOS attacks, we can't provide an estimate of that progress, but we want those systems up as much as you do,” said Jenkins.
The attack on the sites appears to have prevented a key component of Spamhaus’ remediation processes.
“What we can tell you is that we are aware of the many people who have fixed their infected systems, and ISPs which have solved spam problems, and need to have IPs and domains removed from our lists (SBL, XBL/CBL, PBL and DBL),” said Jenkins.
“Those removal systems are being fixed as this is typed, and we will continue to provide updates as they come back online, in this blog article or in a newer one. Our best advice to you is to follow normal removal procedures, to re-try as needed (every hour or so) and to watch this blog for updates. Thanks for your cooperation as we ride out this attack.
Spamhaus had not responded to CSO’s request for comment at the time of publishing.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.