INTERNET SECURITY SERVICE Cloudflare has revealed more details about the recent internet attack on Spamhaus that stressed the internet nearly to the breaking point.
In a post on its company blog, Cloudflare related the sequence of events, which began on 18 March when Spamhaus engaged it to defend its spam blocking service against an attack allegedly carried out by "criminal gangs" in Eastern Europe and Russia at the behest of Dutch hosting site Cyberbunker.
The attack apparently began as an assault via open Domain Name System (DNS) recursors against Spamhaus' servers on 15 March, and Spamhaus engaged Cloudflare to mitigate the problem on 18 March. Initially the attack ramped up from 10Gbit/s to 90Gbit/s, then reached 120Gbit/s on 22 March.
Cloudflare explained, "On Monday, March 18, 2013 Spamhaus contacted Cloudflare regarding an attack they were seeing against their website spamhaus.org. They signed up for Cloudflare and we quickly mitigated the attack. The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on March 21."
After Cloudflare got involved, the attackers switched tactics and started attacking its internet peers, among them Tier 1 internet providers and major internet exchanges (IXs), including the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX) and the Hong Kong Internet Exchange (HKIX).
Cloudflare provided an overview in its blog post of the technical details of the attack and the steps that were required to counter it, but it's clear that the incident amounted to a major assault on the core internet infrastructure.
It concluded that open DNS recursors remain a serious internet vulnerability and recommended that all internet service providers work to resolve the problem as a matter of some urgency to protect the internet. µ