Topic: Firm Is Accused of Sending Spam, and Fight Jams Internet

Johnnie F. (Administrator)
Firm Is Accused of Sending Spam, and Fight Jams Internet
« on: March 27, 2013, 09:21:57 PM »
A squabble between a group fighting spam and a Dutch company that hosts Web sites said to be sending spam has escalated into one of the largest computer attacks on the Internet, causing widespread congestion and jamming crucial infrastructure around the world.

Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time.

However, for the Internet engineers who run the global network the problem is more worrisome. The attacks are becoming increasingly powerful, and computer security experts worry that if they continue to escalate people may not be able to reach basic Internet services, like e-mail and online banking.

The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Cyberbunker, named for its headquarters, a five-story former NATO bunker, offers hosting services to any Web site “except child porn and anything related to terrorism,” according to its Web site.

A spokesman for Spamhaus, which is based in Europe, said the attacks began on March 19, but had not stopped the group from distributing its blacklist.

Patrick Gilmore, chief architect at Akamai Networks, a digital content provider, said Spamhaus’s role was to generate a list of Internet spammers.

Of Cyberbunker, he added: “These guys are just mad. To be frank, they got caught. They think they should be allowed to spam.”

Mr. Gilmore said that the attacks, which are generated by swarms of computers called botnets, concentrate data streams that are larger than the Internet connections of entire countries. He likened the technique, which uses a long-known flaw in the Internet’s basic plumbing, to using a machine gun to spray an entire crowd when the intent is to kill one person.

The attacks were first mentioned publicly last week by CloudFlare, an Internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target.

“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of CloudFlare. “It’s so easy to cause so much damage.”

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group.

In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS.

That system functions like a telephone switchboard for the Internet. It translates the names of Web sites like or into a string of numbers that the Internet’s underlying technology can understand. Millions of computer servers around the world perform the actual translation.

In the latest incident, attackers sent messages, masquerading as ones coming from Spamhaus, to those machines, which were then amplified drastically by the servers, causing torrents of data to be aimed back at the Spamhaus computers.

When Spamhaus requested aid from CloudFlare, the attackers began to focus their digital ire on the companies that provide data connections for both Spamhaus and CloudFlare.

Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

 “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”

A typical denial-of-service attack tends to affect only a small number of networks. But in the case of a Domain Name System flood attack, data packets are aimed at the victim from servers all over the world. Such attacks cannot easily be stopped, experts say, because those servers cannot be shut off without halting the Internet.

“The No. 1 rule of the Internet is that it has to work,” said Dan Kaminsky, a security researcher who years ago pointed out the inherent vulnerabilities of the Domain Name System. “You can’t stop a DNS flood by shutting down those servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.”

The heart of the problem, according to several Internet engineers, is that many large Internet service providers have not set up their networks to make sure that traffic leaving their networks is actually coming from their own users. The potential security flaw has long been known by Internet security specialists, but it has only recently been exploited in a way that threatens the Internet infrastructure.

An engineer at one of the largest Internet communications firms said the attacks in recent days have been as many as five times larger than what was seen recently in attacks against major American banks. He said the attacks were not large enough to saturate the company’s largest routers, but they had overwhelmed important equipment.

Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.

“Dutch authorities and the police have made several attempts to enter the bunker by force,” the site said. “None of these attempts were successful.”

New York Times
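The article's "heart of the problem" paragraph describes what is usually called BCP38 or ingress/egress filtering: a provider forwards a customer packet only if its source address belongs to a prefix the provider actually assigned. The following is an added illustration, not code from the article or from any of the companies it names. It models a customer network, an egress filter that can be switched on or off, and open resolvers that answer to whatever source address a query carries, and counts how many reflected bytes reach a spoofed victim in each case. All addresses, packet sizes and the 30x amplification ratio are constructed constants for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written by the sender (may be forged)
    dst: str
    dport: int
    size: int   # bytes on the wire


# Assumed response/request size ratio for a large DNS answer (illustrative).
AMPLIFICATION = 30


class Bcp38EgressFilter:
    """Forward a customer packet only if its source address lies inside a
    prefix assigned to that customer network (BCP38 ingress filtering)."""

    def __init__(self, assigned_prefixes, enabled=True):
        self.prefixes = [ipaddress.ip_network(p) for p in assigned_prefixes]
        self.enabled = enabled

    def allows(self, pkt):
        if not self.enabled:          # an ISP that never deployed the filter
            return True
        addr = ipaddress.ip_address(pkt.src)
        return any(addr in p for p in self.prefixes)


def reflect(pkt, open_resolvers, amplification=AMPLIFICATION):
    """Model an open resolver: it replies to the source address the query
    carried, with a response `amplification` times the query size."""
    if pkt.dport != 53 or pkt.dst not in open_resolvers:
        return None
    return Packet(src=pkt.dst, dst=pkt.src, dport=0, size=pkt.size * amplification)


def simulate(packets, egress, open_resolvers):
    """Return reflected bytes delivered per destination, plus the number of
    packets the egress filter dropped before they reached any resolver."""
    delivered = {}
    dropped = 0
    for pkt in packets:
        if not egress.allows(pkt):
            dropped += 1
            continue
        reply = reflect(pkt, open_resolvers)
        if reply is not None:
            delivered[reply.dst] = delivered.get(reply.dst, 0) + reply.size
    return {"delivered": delivered, "dropped_at_egress": dropped}


# Constructed scenario: the ISP assigned 203.0.113.0/24 to its customers,
# a compromised host 203.0.113.50 sends two queries forged as the victim
# 198.51.100.1 plus one honest query, and 192.0.2.10/11 are open resolvers.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
OPEN_RESOLVERS = {"192.0.2.10", "192.0.2.11"}
SCENARIO = [
    Packet(src="198.51.100.1", dst="192.0.2.10", dport=53, size=60),   # spoofed
    Packet(src="198.51.100.1", dst="192.0.2.11", dport=53, size=60),   # spoofed
    Packet(src="203.0.113.50", dst="192.0.2.10", dport=53, size=60),   # honest
]


def run(filter_enabled):
    egress = Bcp38EgressFilter(CUSTOMER_PREFIXES, enabled=filter_enabled)
    return simulate(SCENARIO, egress, OPEN_RESOLVERS)


if __name__ == "__main__":
    print("without BCP38:", run(False))   # victim receives 3600 reflected bytes
    print("with BCP38:   ", run(True))    # spoofed queries never leave the ISP
```

The point the simulation makes is the one the engineers in the article make: the reflectors are not the fixable part, since they must stay open, but the spoofed packets have to cross some provider's edge first, and a source-address check there stops them before any amplification happens.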

Johnnie F. (Administrator)
Re: Firm Is Accused of Sending Spam, and Fight Jams Internet
« Reply #1 on: March 28, 2013, 11:26:00 AM »
phpbb3, the forum software KORAT-INFO uses, does have a security function that checks on the Spamhaus DNS blacklist, when turned on:

Check IP against DNS Blackhole List:
If enabled the user’s IP address is checked against the following DNSBL services on registration and posting: and This lookup may take a while, depending on the server’s configuration. If slowdowns are experienced or too many false positives reported it is recommended to disable this check.

That function turned out useful to keep people from using proxy servers, as they're usually blacklisted.

For smf2, the software this forum uses, there are probably mods that integrate that check.

thaiga
Re: The largest DDoS attack didn't break the internet, but it did try
« Reply #2 on: March 28, 2013, 02:20:10 PM »
CloudFlare has claimed to have mitigated the biggest distributed denial-of-service (DDoS) attack in the history of the internet.

Spamhaus, a not-for-profit anti-spam organisation, came to CloudFlare last week for assistance against a large DDoS attack it was experiencing. Switching over to CloudFlare's network on March 19, the attack began with a 10Gbps flood of traffic, ramping up in excess of 100Gbps later that night. It initially took Spamhaus' website down, with the outage independently observed by the Internet Storm Center at the time.

According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.

The issue with this system is that the source address of such requests can easily be forged, and in the absence of any checking or authentication, the DNS resolver simply replies to the source IP address. While this is a simple way of "bouncing" a request off a different server, it also has the added benefit of amplifying the damage that an attacker can do, as the response sent from the DNS resolver is often many times larger than the request.

Restricting DNS resolver responses to known IP addresses is one way to control who can or cannot be a potential target, but many DNS resolvers simply aren't configured in this manner — or, as with Google's Public DNS service, are meant to be open to the public.

To mitigate against abuse, a generally accepted practice is to throttle responses, which is what Google currently does. But, according to CloudFlare, the attackers used multiple DNS resolvers to spread the load across many targets, stop any throttling from occurring, and fly under the radar of any security measures. According to the company, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack.

CloudFlare's strategy to respond to such distributed attacks is similar. DDoS attacks are typically successful, as a single target is unable to cope with the combined effects of multiple incoming traffic streams, so CloudFlare's response is to create more "targets", each capable of handling a smaller chunk of the traffic. It took the traffic and spread it across 23 of its own datacentres, while also dumping any requests it knew to be bogus.
Moving upstream

Realising their attack wasn't working, the attackers changed tactics, circumventing CloudFlare entirely by moving the attack upstream to CloudFlare's suppliers, which in turn pushed the traffic further up to even larger networks — in simplistic terms, those that service the connections to and from major ISPs that allow countries to talk to each other.

According to CloudFlare, the attack on these networks was in excess of 300Gbps, and further attacks "risk overwhelming the systems that link together the internet itself", referring to the internet exchanges (IXs) that many high-tier ISPs use to talk to each other.

"The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded, then the network becomes congested and slows down," the company wrote.

Despite admitting that it doesn't have "direct visibility into the traffic loads" that Tier 1 networks are seeing, CloudFlare said, "we've seen congestion across several major tier ones, primarily in Europe, where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

Sophos Asia-Pacific director Rob Forsyth agreed with CloudFlare's assessment of the impact on the European network, telling ZDNet that Europe is experiencing quite a lot of interruption to its usual flow of traffic, depending on what users are doing. However, he disagreed with any notion that the global internet as a whole was affected.

"People might notice streaming might be disrupted in Europe, but things like delivery of email and traffic of data files and so on is not the sort of thing that's going to be interrupted to any large extent," he said.

"The issue, for the time being, is confined to Europe."

As for Australia, Forsyth said there is "no noticeable reduction of internet capacity", indicating that the attack is not one that "almost broke the internet".

"The internet has been designed to be resilient, and I think internet traffic will be routed around any type of disruption."

As for CloudFlare's claims that the largest routers won't be able to scale to support the amount of traffic, some of Cisco's own products appear to more than exceed the capacity required. The multi-shelf version of Cisco's CRS-1 (carrier routing system) router, for example, is able to scale to 92Tbps. Cisco did not return ZDNet's queries as to whether these would be suitable for this application, but it appears that many IXs can handle the 300Gbps of traffic with their existing or minimal upgrades to their infrastructure.

To highlight a few IXs for comparison, Amsterdam IX AMS-IX had peak annual traffic of about 2.2Tbps in the past year, Sweden IX Netnod had peak annual traffic of about 340Gbps, and Moscow IX MSK-IX had peak annual traffic of about 1Tbps.

Although a security initiative aimed at making DNS more secure exists — DNSSEC — it does not necessarily address the issue of spoofed source addresses. DNS requests and responses typically use the UDP protocol, rather than the TCP protocol. The latter requires a three-way handshake to establish a channel and confirm with the machine it is talking to that it did, in fact, initiate a connection. The former, however, does not.

Instead of being an issue that DNSSEC might solve, it is actually a transport protocol problem that has little to do with the additional security measures that DNSSEC might offer. However, as Cloudflare and others have pointed out in the past, DNSSEC can make the issue worse, as the additional keys required to authenticate records further increases the magnitude of amplification that an attacker has access to.

Yet, Forsyth said that such attacks may have a silver lining, raising awareness of the flaws in DNS and DNSSEC's importance.

"DNSSEC tightens up the rules around the way which the domain name service behaves and provides an additional layer of security, so, as you increase the security on any component, perhaps the cybercriminals will focus on a weaker link somewhere else," he said.

"This might be the catalyst to review all aspects of security, including DNSSEC."
Anyone who goes to a psychiatrist should have his head examined.
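The ZDNet piece above explains DNS reflection from the attacker's side; what a network operator on the receiving end wants is a way to spot it in their own traffic. This is an added example, not code from the article, CloudFlare or Spamhaus. It parses a constructed flow-record format, pairs each inbound UDP reply from port 53 with a recent outbound query from the same host to that resolver, and counts replies that have no matching query as reflected traffic, attributing them to the reflectors that sent them and the victims that received them. The monitored prefix, addresses, timestamps and sizes are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow-record format: <ts> <proto> <src>:<sport> > <dst>:<dport> <bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: 203.0.113.0/24 is the monitored network, 198.51.100.10 is a
# resolver it really uses, and 192.0.2.77/78 are open resolvers being bounced off.
SAMPLE_FLOWS = """\
1.0 udp 203.0.113.5:41000 > 198.51.100.10:53 64
1.1 udp 198.51.100.10:53 > 203.0.113.5:41000 180
2.0 udp 192.0.2.77:53 > 203.0.113.9:80 3000
2.0 udp 192.0.2.78:53 > 203.0.113.9:80 3100
2.1 udp 192.0.2.77:53 > 203.0.113.9:80 3000
3.0 tcp 203.0.113.9:44000 > 192.0.2.1:443 500
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        d = m.groupdict()
        flows.append({"ts": float(d["ts"]), "proto": d["proto"],
                      "src": d["src"], "sport": int(d["sport"]),
                      "dst": d["dst"], "dport": int(d["dport"]),
                      "bytes": int(d["bytes"])})
    return flows


def analyse_dns_reflection(flows, monitored_prefix, window=2.0):
    """Classify inbound DNS replies as solicited (a query from that host to that
    resolver was seen within `window` seconds before) or unsolicited."""
    net = ipaddress.ip_network(monitored_prefix)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    # Outbound queries, keyed by (client, resolver) -> timestamps.
    queries = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53 and inside(f["src"]) and not inside(f["dst"]):
            queries[(f["src"], f["dst"])].append(f["ts"])

    report = {"solicited_bytes": 0, "unsolicited_bytes": 0,
              "reflectors": defaultdict(int), "victims": defaultdict(int)}
    for f in flows:
        if not (f["proto"] == "udp" and f["sport"] == 53
                and inside(f["dst"]) and not inside(f["src"])):
            continue
        recent = [t for t in queries.get((f["dst"], f["src"]), [])
                  if 0 <= f["ts"] - t <= window]
        if recent:
            report["solicited_bytes"] += f["bytes"]
        else:                                  # reply nobody here asked for
            report["unsolicited_bytes"] += f["bytes"]
            report["reflectors"][f["src"]] += f["bytes"]
            report["victims"][f["dst"]] += f["bytes"]

    total = report["solicited_bytes"] + report["unsolicited_bytes"]
    report["unsolicited_ratio"] = report["unsolicited_bytes"] / total if total else 0.0
    report["reflectors"] = dict(report["reflectors"])
    report["victims"] = dict(report["victims"])
    return report


def top_reflectors(report, n=5):
    """Reflector addresses by reflected bytes, largest first."""
    return sorted(report["reflectors"].items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    rep = analyse_dns_reflection(parse_flows(SAMPLE_FLOWS), "203.0.113.0/24")
    print(rep)
    print("top reflectors:", top_reflectors(rep))
```

Two caveats a practitioner would add: UDP replies can legitimately arrive slightly after the window if a resolver is slow, so the threshold for alerting should be a sustained unsolicited ratio, not a single stray reply; and the reflector list is only useful for reaching out to those operators or for upstream filtering, since, as the article notes, the reflectors themselves are victims of spoofing rather than the origin of the attack.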

thaiga
Re: The Cyberbunker headquarters in Kloetinge
« Reply #3 on: March 28, 2013, 05:03:36 PM »

Has world's biggest cyber-attack hit internet banking? Thousands of RBS and NatWest customers suffer mobile phone app crash after hackers launch 'nuke' at web

• SpamHaus group under attack from cyber-vandals in Geneva
• But other unconnected sites across the world have been caught in attack
• Now, emails have slowed down as a result, expert claims

The ‘biggest cyber attack in history’, which has been slowing down internet services for millions across the world, may have affected thousands of mobile banking customers.

Business and personal mobile banking customers for Natwest, RBS, and Ulster Bank are today experiencing problems accessing online accounts - although it has not yet been confirmed whether this is linked to the attack.

It comes after a bitter feud between two online companies - a group which aims to block unwanted emails known as ‘spam’ and a firm accused of sending them - erupted.

Spam-fighting organization Spamhaus says it's being subjected to a massive cyber-attack, apparently from groups angry at being blacklisted by the Geneva-based group.

Cyberbunker, based at an ex-Nato bunker, is what is known as a hosting company, meaning it allows organisations to make their websites accessible on the internet by providing space on a server.

The Cyberbunker headquarters in Kloetinge, Netherlands, from which the 'biggest cyber attack in history' has been launched


thaiga
Re: Was 'the biggest cyberattack in history' all just a PR stunt?
« Reply #4 on: March 29, 2013, 03:39:51 PM »
It has been called one of the biggest ever cyberattacks in history, one that nearly broke the internet. But did you even notice? If not, you're not alone …

The headlines have been apocalyptic: "Global internet slows after biggest attack in history"; "Biggest ever cyberattack slows internet for millions"; "The attack that nearly broke the internet"; "Cyber attack jams crucial infrastructure around the world".

According to a company called CloudFlare, which specialises in helping websites minimise the impact of online junk data attacks by effectively creating more targets and thus spreading the burden between them, this particular assault – by a Dutch hosting company, Cyberbunker, on a not-for-profit anti-spam organisation called Spamhaus – eventually escalated to cause "congestion across several major [top-level, backbone internet networks], primarily in Europe, that would have affected hundreds of millions of people ... "

Hence, presumably, the armageddon headlines. Except, as the tech website Gizmodo points out, not many people seem to have noticed: few have complained that the internet was more than usually sluggish; movie-streaming services such as Netflix did not go down; mega net-enterprises such as Amazon reported nothing unusual; organisations that monitor the health of the web "showed zero evidence of this Dutch conflict spilling over into our online backyards". Specialists contacted by the site reported that the attack, major as it was, had "a severe impact" on the websites it was directed at, but it certainly did not shake the internet to its core.

Gizmodo concludes the whole story was essentially a cynical bid by CloudFlare to drum up more business. James Blessing of the UK Internet Service Providers Association council won't go quite that far, saying the attack "did have an impact. Some sites will be affected." But while the global internet, or parts of it, may potentially be vulnerable to a truly massive attack using the kind of DDoS (Distributed Denial of Service) techniques Cyberbunker has allegedly deployed, this one is probably not it. Yet. If you really want to slow down the internet, the best way may still be the simplest: cut a cable.

So how was it for you?


thaiga
Re: Dutch Man Said to Be Held in Powerful Internet Attack
« Reply #5 on: April 27, 2013, 04:21:14 PM »
Dutch authorities say police officials in Spain have arrested a man believed to be connected to an online attack on a spam-fighting site that snarled the Internet last month.

While the authorities did not give the full name of the man in a statement published on a Dutch government Web site, they identified him as “S.K.” A source close to the investigation, who was not authorized to speak publicly, confirmed that the arrested man was Sven Olaf Kamphuis, a 35-year-old Dutch man who has been the spokesman of a group that was protesting a European antispam group’s tactics.

Spanish police arrested the man on Thursday at his home in Barcelona, at the request of the Dutch police, and seized his computers and mobile phones. He is expected to be sent to the Netherlands. Wim de Bruin, a spokesman for Dutch national prosecutor’s office, said “S.K.” was suspected of playing a role in a wave of attacks last month.

His arrest came after an investigation by authorities in the Netherlands and other European countries into Mr. Kamphuis’s involvement in one of the largest attacks on the Internet. Mr. Kamphuis has been suspected of starting a distributed denial of service, or DDoS, attack against Spamhaus, the antispam group. Such attacks are a criminal offense under Dutch law.

Mr. Kamphuis calls himself the “minister of telecommunications and foreign affairs for the Republic of CyberBunker.” But many consider him to be the Prince of Spam. He runs CB3ROB, an Internet service provider, and CyberBunker, a Web hosting company that in the past has hosted sites like WikiLeaks and the Pirate Bay, a site accused of abetting digital content piracy.

Antispam groups say they believe CyberBunker acts as a conduit for vast amounts of spam. Last month, Spamhaus, an antispam group based in Geneva, added CyberBunker to its blacklist, which is used by major e-mail providers to block spam.

In the days and weeks after the blacklisting, Spamhaus was targeted with a DDoS attack, which flooded the site with traffic until it fell offline.

After Spamhaus hired a Silicon Valley Internet security firm, CloudFlare, to defend against the attack, the attackers turned their ire on CloudFlare. When efforts to bring down CloudFlare were unsuccessful, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or D.N.S.

Their attack quickly reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second, which resulted in slowing Internet traffic for millions of Internet users around the world.

Mr. Kamphuis has denied his role in the attack and said he was only a spokesman for Stophaus, a loose organization set up to take down Spamhaus. Asked about his involvement in the attacks last month, Mr. Kamphuis told The New York Times, “We are aware that this is one of the largest DDoS attacks the world has seen so far, yes.”

But through his Facebook page, Mr. Kamphuis has actively called on hackers to take Spamhaus offline.

“Yo anons, we could use a little help in shutting down illegal slander and blackmail censorship project ‘,’ which thinks it can dictate its views on what should and should not be on the Internet,” he said on Facebook on March 23.

Dutch prosecutors singled out Mr. Kamphuis because of his vocal role. Greenhost, a Dutch Internet hosting service, said in a blog post that it had found CB3ROB’s digital fingerprints while studying the attack traffic directed at Spamhaus.

Mr. Kamphuis’s arrest in Barcelona was made through the European Union’s judicial collaboration unit, Eurojust.

An anonymous statement was posted to Pastebin, a Web forum for hackers, on Friday, proclaiming Mr. Kamphuis’s innocence and threatening another round of attacks if he is not released. “We demand u to release Sven or we will indeed start the biggest attack u humans have ever experienced toward The Internet, and yourself,” the hacker wrote.
