Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Q&A: Just how bad were the Spamhaus DDoS attacks?

Karine de Ponteves | April 3, 2013
Possibly the biggest DDoS attack of all time, says Karine de Ponteves, antivirus analyst, FortiGuard Labs, Fortinet.

Incident Background

The massive DDoS (distributed denial of service) attack launched on 19 March started with a conflict between Spamhaus, an anti-spam organisation, and CyberBunker, a hosting company. When Spamhaus blacklisted CyberBunker for hosting spammers, botnets acting on behalf of the hosting company launched DDoS attacks against the anti-spam organisation, and tried to crash their servers over several days.

Q: Is it, as some media reported, the biggest DDoS attack of all time?

It could be. The original attack against Spamhaus peaked at 90Gbps. However, when the attackers saw that website acceleration company CloudFlare was mitigating their attack, they decided to take it a notch up and target CloudFlare's ISPs. One Tier-1 provider reported traffic peaks of 300Gbps related to the attack. Given this number, this would be the largest publicly recorded DDoS attack.

Q: Is the attack really impacting the whole Internet?

No. Although the bandwidth consumed is indeed the biggest publicly recorded for a DDoS attack, the traffic was mainly noise and caused, at worst, minor congestions. Both the Amsterdam Internet Exchange (AMS-IX) and the London Internet Exchange (LINX) back up this assessment1. For comparison, AMS-IX had peak annual traffic of about 2.2Tbps in the past year.

Steve Linford, chief executive for Spamhaus, said himself: "All Spamhaus DNSBL (DNS Block List) services continued to run unaffected throughout the attack. In fact, Spamhaus DNSBLs have never once been down since we started them in 2001."

Q: How could Spamhaus have protected itself against such an attack?

The attack used DNS reflection, a technique leveraging brute force volumetric methods in an attempt to disable the DNS servers. The only two ways to mitigate against a volumetric attack are:

  • Increase bandwidth
  • Split the attack power with the Anycast network methodology, in which packets from a single sender are routed to the topologically nearest node of a group of receivers all identified by the same destination address. This is how DNS root servers - the phone book of the Internet (which convert IP addresses to names such as - protect themselves from DDoS attacks.

Indeed this was what happened - the attacks were mitigated within the service provider networks (using Anycast).

That said, if the attack had been more sophisticated, like the technique used by the Izz ad-Din al Qassam Cyber Fighters against US banks2 with much smaller 50Gbps attacks (layer 7 attacks hidden within the traffic), it would have been impossible for the service provider to give the level of granularity and protection required.

The only way to truly mitigate such an attack would have been with a combination of bandwidth service provider and granular layer 7 protection at the edge of the network.




Sign up for MIS Asia eNewsletters.