In mid-March, a loosely connected group of disgruntled European Internet users called Stophaus allegedly took revenge against Spamhaus, a European anti-spam group which had blacklisted a group called Cyberbunker. They effectively released an army of zombie computers, using them to unleash a distributed denial-of-service (DDoS) attack that reached 300GB per second at its peak.
When Spamhaus enlisted the help of a security company called CloudFlare, Stophaus turned its attack against the world’s largest Internet exchanges in places like London, Amsterdam, Frankfurt and Hong Kong. By its end, the operation had taken its place as the world’s largest cyber attack. If an attack of an even larger scale was directed at a country’s infrastructure, the consequences could be disastrous.
Many organizations have heard of worms and Trojan horses, but more private and public sector entities need to expand their antivirus education so they can understand zombie viruses and other ways that hackers take over unprotected machines. The attackers wouldn’t have achieved such a large-scale assault if so many people around the world hadn’t left their computer systems vulnerable.
What Happened During the Spamhaus Attack
The Spamhaus attack was a distributed denial-of-service (DDoS) attack of enormous scale. Stophaus began by sending commands just a few bytes in size to approximately 1,000 computers under their control. These computers, using spoofed source addresses disguised as Spamhaus, sent requests for information to open resolvers, which are types of Internet servers that provide recursive name recognition to hosts outside of their domains.
Then, the open resolvers sent replies to the faux Spamhauses that were probably hundreds of bytes in size. These replies sucked up bandwidth as they traveled back to their origin computers. Because Spamhaus couldn’t handle the fake traffic, it stopped responding to legitimate traffic. After a few days, Spamhaus called CloudFlare. CloudFlare expanded Spamhaus’s ability to receive traffic by taking some of the fake traffic on its servers.
When the attackers couldn’t make Spamhaus go offline, they started to target regional exchanges in Europe and Asia utilized by CloudFlare and large ISPs. The attacks caused isolated outages in Europe and then appeared to stop. However, they started up again two days later. This created more major disruptions for European Internet users.
Many unprotected computers became involved in the massive traffic jam, effectively functioning as “zombies” because their owners were unaware of their involvement in the sending and receiving of fake messages. Some sources speculate even unprotected set-top cable boxes were sucked into the Spamhaus attack.
The “Doomsday” Scenario
In many developed countries, all kinds of supply chains, from national power grids to money exchanges, are dependent on digital models. A massive DDoS attack against a municipality, a state or even a country could potentially cut power, halt food distribution, disable banks and gas stations, shut down broadcasts and ground air traffic.
Companies can use Source Address Validation technology to filter forged traffic, like the messages with spoofed Spamhaus addresses, from legitimate traffic. Unfortunately, the technology isn’t yet widespread. Additionally, researchers are working to develop response rate-limiting technology that would keep open resolvers from amplifying the original requests. However, the current technology slows down Internet speeds.
Another defense is to designate dedicated servers to handle HTTP, DNS and FTP traffic. A huge weakness of the open resolver is that it passes these kinds of traffic without significant filtering. Separating these areas from more critical network functions can ensure resources are deployed where they need to be during an attack.
Open resolvers, in a sense, are just amplifiers for unprotected computers. When users fail to download regular updates for their operating systems, they leave their computers susceptible to threats like zombie computer viruses. Protect your desktop computer with antivirus software and make sure that you download regular software updates for your computer. You can also check the Open DSN Resolver Project to see if your ISP is on the list of 27 million providers.