Cybercriminals used open DNS resolvers to amplify the attack

Mar 21, 2013 12:56 GMT

A few days ago, we learned that the website and email server of Spamhaus, the anti-spam organization, were disrupted by a massive distributed denial-of-service (DDoS) attack.

Because they couldn’t mitigate it, they called in CloudFlare, a company that’s known for its ability to stop large attacks.

“Spamhaus's blocklists are distributed via DNS and there is a long list of volunteer organizations that mirror their DNS infrastructure in order to ensure it is resilient to attacks. The website, however, was unreachable,” Matt Prince, CEO and co-founder of CloudFlare, explained in a blog post.

It turns out that this Layer 3 attack relied on open DNS resolvers: name servers that answer recursive queries from anyone on the Internet. The attacker sends small queries with the source address forged to be the victim's, and each resolver sends its much larger response to the victim. A modest amount of attack bandwidth is therefore multiplied many times over before it reaches the target.

CloudFlare reported a few weeks ago that the number of open DNS resolvers had dropped by 30%. However, there are still enough left to allow cybercriminals to launch attacks that sometimes exceed 100 Gbps.

In this particular case, CloudFlare identified over 30,000 unique DNS resolvers taking part in the attack.

To dilute the attack by spreading it across its facilities, the company relied on Anycast, a network addressing and routing technique in which the same address is announced from many locations and datagrams from a given sender are routed to the topologically nearest node in that group. Attack traffic arriving from resolvers all over the world is thus split among many data centers, so no single site has to absorb all of it.

In addition to the DNS reflection traffic, ACK reflection was also used: the attacker sends SYN packets to ordinary TCP servers with the source IP address spoofed to that of the intended victim, and each server replies to the victim with a SYN-ACK, typically retransmitting it several times when no ACK comes back. Unlike DNS reflection, this gives little amplification, but it adds another stream of traffic from legitimate servers that the victim did not contact.
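The two reflection techniques described above, DNS amplification through open resolvers and SYN-ACK reflection, as an added example that is not part of the article or of CloudFlare's own tooling. The first function builds the wire-format DNS query an attacker would send (with an EDNS0 OPT record advertising a 4096-byte buffer, which is what coaxes a large single-datagram answer out of a resolver) so the size asymmetry can be measured; the second scans flow records for the two patterns, many resolvers sending port-53 responses to one host, and many servers sending SYN-ACKs to a host that never sent them a SYN. The flow-record format, the thresholds, the 3,000-byte response size used for the amplification figure and all IP addresses are constructed for this illustration.

```python
"""Added example: measure DNS amplification and detect reflection traffic.
Not from the article or from CloudFlare; flow format and data are constructed."""
import struct
from collections import defaultdict

QTYPE_ANY = 255
DNS_PORT = 53
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_dns_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_udp_size=4096):
    """Return a wire-format DNS query with an EDNS0 OPT record.

    Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1.
    The OPT pseudo-record advertises a large UDP buffer so the resolver
    answers with one big datagram instead of truncating; that is what makes
    the reflected response so much larger than this request.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # root name, TYPE=OPT
    return header + question + opt


def amplification_factor(query, response_len):
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_len / len(query)


def detect_reflection(flows, min_sources=50):
    """Flag hosts receiving reflected traffic from at least min_sources peers.

    flows: dicts with keys src, dst, proto ('udp'|'tcp'), sport, dport,
    bytes, pkts and, for TCP, a 'flags' bitmask (constructed format).
    Returns {victim: {"dns_reflectors", "dns_bytes", "synack_reflectors",
    "synack_bytes"}} with only the patterns that crossed the threshold.
    """
    # Connections the local hosts genuinely opened: a SYN-ACK answering one is legitimate.
    outbound_syn = {(f["src"], f["dst"]) for f in flows
                    if f["proto"] == "tcp"
                    and f.get("flags", 0) & TCP_SYN and not f.get("flags", 0) & TCP_ACK}
    dns_src, dns_bytes = defaultdict(set), defaultdict(int)
    sa_src, sa_bytes = defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == DNS_PORT:
            dns_src[f["dst"]].add(f["src"])
            dns_bytes[f["dst"]] += f["bytes"]
        elif f["proto"] == "tcp" and f.get("flags", 0) & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK):
            if (f["dst"], f["src"]) not in outbound_syn:   # SYN-ACK for a SYN we never sent
                sa_src[f["dst"]].add(f["src"])
                sa_bytes[f["dst"]] += f["bytes"]
    result = {}
    for victim in set(dns_src) | set(sa_src):
        entry = {}
        if len(dns_src[victim]) >= min_sources:
            entry.update(dns_reflectors=len(dns_src[victim]), dns_bytes=dns_bytes[victim])
        if len(sa_src[victim]) >= min_sources:
            entry.update(synack_reflectors=len(sa_src[victim]), synack_bytes=sa_bytes[victim])
        if entry:
            result[victim] = entry
    return result


def sample_flows():
    """Constructed flow records (not real traffic) exercising both patterns."""
    victim = "192.0.2.10"
    flows = []
    for i in range(1, 201):   # 200 open resolvers, 50 large responses each
        flows.append(dict(src=f"198.51.100.{i}", dst=victim, proto="udp",
                          sport=53, dport=40000 + i, bytes=50 * 3000, pkts=50))
    for i in range(1, 101):   # 100 TCP servers answering spoofed SYNs
        flows.append(dict(src=f"203.0.113.{i}", dst=victim, proto="tcp", sport=80,
                          dport=50000 + i, bytes=100 * 60, pkts=100, flags=TCP_SYN | TCP_ACK))
    # Benign host: one real DNS lookup and one real TCP handshake.
    flows += [
        dict(src="192.0.2.20", dst="198.51.100.1", proto="udp", sport=51000, dport=53, bytes=40, pkts=1),
        dict(src="198.51.100.1", dst="192.0.2.20", proto="udp", sport=53, dport=51000, bytes=120, pkts=1),
        dict(src="192.0.2.20", dst="203.0.113.5", proto="tcp", sport=52000, dport=80, bytes=60, pkts=1, flags=TCP_SYN),
        dict(src="203.0.113.5", dst="192.0.2.20", proto="tcp", sport=80, dport=52000, bytes=60, pkts=1, flags=TCP_SYN | TCP_ACK),
    ]
    return flows


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"query is {len(q)} bytes; a 3000-byte ANY response gives "
          f"{amplification_factor(q, 3000):.0f}x amplification")
    for victim, info in detect_reflection(sample_flows()).items():
        print(victim, info)
```

Only the benign host 192.0.2.20 escapes the report: it talked to one resolver and opened its own TCP connection, so the SYN-ACK it received is matched against its outbound SYN. In real use the flows would come from NetFlow/sFlow or a packet capture, and the source-count threshold should be tuned to the site; a dual-stack recursive resolver of your own will legitimately receive port-53 responses from many authoritative servers, so exclude it or key on response size as well.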

Shortly after the attack had started, hackers claiming to be part of Anonymous came forward with a statement saying that they were behind the campaign. Spamhaus refuted their claims, arguing that, in reality, Russian cybercriminals were responsible.

On the other hand, Prince says the source of the attack could not be determined.

Whatever the truth, there is clearly a concerted campaign against Spamhaus at the moment, run by a group operating under the name STOPhaus.

Additional technical details on how CloudFlare mitigated the attack are available in the company's blog post.