Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet

from the the-hidden-war dept

Update: Gizmodo is calling bullshit on these claims. They're likely correct that this attack was not a "threat" to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.

We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the better-known providers of blacklists of spam-sending IP addresses. For what it's worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers, and, to some extent because of that, some who use the Spamhaus list seem to rely on it a bit too heavily. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes those whom it pisses off aren't particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spam list. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, which was able to mitigate the worst of the attack.

But... that just led to round two, in which whoever was behind the DDoS went much, much bigger, attacking several of the providers that supply Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet, and it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to "breaking" the internet should get you to wake up:
Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.

The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
The attackers say they're protesting Spamhaus acting as the internet's police:
Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."
Of course, all of this has clearly exposed a big vulnerability in the setup of the internet, and suggests that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there that can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many as possible of the approximately 21.7 million open resolvers out there:
While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.

We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.
Basically, over the last week or so, there's been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.


Reader Comments

    • Anonymous Coward, Mar 27th, 2013 @ 8:32pm

      Re:

      Gizmodo is a bunch of horseshit.
      Regardless of whether or not they're right about this.

    • Nigel (profile), Mar 27th, 2013 @ 8:48pm

      Re:

      I read one in the Telegraph that was, quite simply, wrong.
      Bunker=everyone loses their mind.

      N.

    • G Thompson (profile), Mar 27th, 2013 @ 9:39pm

      Re:

      Gizmodo, and I really hate to say this, is absolutely correct in this matter.

      Also, 300Gbps is a drop in the ocean to T1 systems.

      As for the open DNS resolvers out there, well yes it CAN be a problem but it's not as bad as anyone thinks it is and upstream systems are in place to mitigate any problems.

      Another way to remove these 21.7 million 'open' resolvers (my bullshit detector just exploded at that figure) is to actually update, and there's a notion, BIND to the latest version. Something that should be done anyway.

      Also, giving it the 'recursion no' option is a good thing no matter what!

      The rest of the article about Spamhaus and Cloudflare is FUD made to let them moan and market their services and complain how someone didn't like them. Oh, and make people think things like CISPA are needed even more so. [Look at who benefits from CISPA and who controls both orgs]

      Yes, Spamhaus is OK, but it's not the only spam blacklister, and anyone who has looked at the way Spamhaus actually manages and authenticates (rarely) their lists knows that they have a huge false flag problem.

      • Anonymous Coward, Mar 28th, 2013 @ 6:26am

        Re: Re:

        We can't blame open DNS resolvers only. Another big problem is that most ISPs don't apply anti-spoofing filters for subscribers. So it's easy to fake the source address and use open resolvers as traffic amplifiers to attack some site.

      • Anonymous Coward, Mar 28th, 2013 @ 7:22am

        Re: Re:

        300Gbps is a drop to an IX, but considering that even at Tier 1 providers most are only running 100Gbps links or bonding multiple 10Gbps links at peering points, 300Gbps could easily saturate a link. Cloudflare uses anycast to mitigate the DDoS by distributing it across multiple sites, and they don't tell you if that 300 is aggregate traffic or at a single site/switch. Definitely has some marketing aspects in the article. Check out the actual email received from Gizmodo by the ISP: http://cluepon.net/ras/gizmodo

        21 million seems high, but not impossible. I ran nmap with the dns_recursion script against my VPS provider and found quite a few within the same C class that I'm assigned.

        Updating BIND wouldn't help; it's in the configuration about open recursion: allow-recursion { network/cidr };
        For authoritative DNS servers, use RRL: http://www.redbarn.org/dns/ratelimits

        Best option is to stop spoofing with BCP38 so the traffic isn't faked in the first place. This is DNS currently, but it could easily be any UDP traffic such as a game server, which of course I see a lot.

      • Anonymous Coward, Mar 28th, 2013 @ 8:34am

        Re: Re:

        I think my previous comment was a bit long, or delayed by work...

        300Gbps isn't much for an IX, but significant to a switch, as most links are either 100Gbps or bonded 10Gbps from my experience at various DCs in the US.
        Updating BIND doesn't stop recursive attacks or spoofing; using valid configs and RRL will.

        The article is a lot of FUD and marketing for CloudFlare and Spamhaus, but it does show that action needs to be taken in regards to private companies not implementing basic security. BCP38, RRL, ACLs on services, etc...

    • Josh in CharlotteNC (profile), Mar 28th, 2013 @ 5:38am

      Re:

      Yep, Giz has this one right. It's really a shame that Cloudflare is trying to hype this up; they've got a good track record, provide a useful service, and this really hurts their credibility.

      CF is not all wrong. The exchange IPs accepting external traffic issue they mention could have ramifications, but the guys running exchanges know their stuff and are rapidly fixing it.

  • Jay (profile), Mar 27th, 2013 @ 6:21pm

    Hmmm...

    Call me skeptical but I'm thinking this is a way to try to pass CISPA in the chaos.

    It won't help solve the problem but politicians would use the "cyberwar" to begin a real war.

    • Zakida Paul (profile), Mar 28th, 2013 @ 2:49am

      Re: Hmmm...

      Nail on the head. That is exactly what this event will be used for. Governments will use it to scare people into supporting every draconian piece of legislation it thinks of that erodes our freedoms in the name of security.

      Politicians are so predictable.

  • silverscarcat (profile), Mar 27th, 2013 @ 6:54pm

    OH!

    So THAT'S why all the porn sites suddenly stopped working.

  • Ninja (profile), Mar 27th, 2013 @ 7:23pm

    Interesting. There could be ways to tackle this problem without having to wait patiently for some clueless people to close such resolvers. I wonder what it'll be.

    I also believe the attackers aren't interested in 'breaking' the internet. But the US could use this to do some major damage and then put in place the cyber-Patriot Act. Regardless of people calling it horseshit or whatever, it's a matter to keep an eye on. If it's fairytales then nice, we are near April 1st, but if not..

    In any case, even if some bored kids do break the internet this way there's no reason for anything like CISPA. But it will be used as an example of why it's needed...

  • Anonymous Coward, Mar 27th, 2013 @ 8:10pm

    Oh, is this an example of the cybersecurity FUD you were talking about? Members will be running down the corridors tomorrow to co-sponsor and "enhance" CISPA reform.

  • Anonymous Coward, Mar 27th, 2013 @ 8:54pm

    My god! Don't you all see what's going on! It's a goddamn diversion for a fire sale! The end is near! The end is near!

    /MOTHER FUCKING S!

  • Watchit (profile), Mar 27th, 2013 @ 9:08pm

    Yeah, it's starting to look like a bunch of hyperbole on Cloudflare's part. But that's silly, they wouldn't gain anything from scare mongering... oh wait! They do!

  • Manabi (profile), Mar 27th, 2013 @ 9:34pm

    Not sure the OpenResolver list is useful

    I manage a couple of servers. I just checked that site for the IPs of them all, and it has one server listed. But... It's configured to not allow recursion except to a limited set of IP addresses that are other servers specifically allowed to access it for DNS lookup. I just tested it and it is NOT allowing recursion to other addresses, so it's working properly.

    Apparently BIND reports that recursion is enabled, even if it's not available for the IP address doing the check. So how many of those servers are like mine, allowing recursive lookups for only specific IPs and not doing recursion to the Internet at large? Those servers aren't part of the problem.

    The site seems to recognize this but not explicitly, only saying that of the 27 million servers they list, only roughly 25 million pose a threat. If they want the owners of servers to fix things, they need to provide more information than they have available. Hopefully this is just a hurried attempt to get the site up and they'll be adding more info. Otherwise I suspect it's going to be useless in the goal of reducing the number of open resolvers.

    • Anonymouse, Mar 28th, 2013 @ 1:00am

      Re: Not sure the OpenResolver list is useful

      The problem is, even if you don't recurse for everyone, you probably respond to recursion queries for those you don't recurse for with a "que? authoritative server is" which of course still generates traffic. This is a minor issue compared to correct egress filtering on the border gateways of every ISP that *should* be in place, but in most cases is not.
      The reason this kind of attack works is because UDP (simple DNS query) does not handshake, so you can get some machines under your control to send falsified UDP query packets with the falsified source address of your target to even legit DNS servers, those that will always be around, and they will respond to your target, not you, obviously. But if the target address does not fall within the scope of the ISP where your remote machine is sitting and this ISP has proper egress filtering, this would fail, since the packet would get silently dropped, so no issue.

  • Miff (profile), Mar 27th, 2013 @ 9:37pm

    At the very least, say goodbye to open dns resolvers after this...

  • G Thompson (profile), Mar 27th, 2013 @ 10:03pm

    For those interested, this article at RT [ http://rt.com/news/spamhaus-threat-cyberbunker-ddos-attack-956/ ] shows a lot more about what Spamhaus actually is and the reasons why Cyberbunker thinks it was attacked.

    Personally I can't stand Spamhaus and how they try to place themselves above actual laws and due process. And neither can a lot of other people. Cloudflare also have a lot of explaining to do as to why they tried to push the attack onto their upstream provider LINX and why they didn't remove the Spamhaus site (as per industry standard practice) instead of allowing their other 1000+ customers to suffer losses due to one specific attack on a SINGLE customer. And let's not get into the fact that the attack was NOT on the IX infrastructure but instead purely directed at Cloudflare/Spamhaus only, and Cloudflare then used their IX IPs to bear traffic instead, which is WRONG and a cause for any customer of Cloudflare to re-assess their contract!

    As for Cloudflare's blog post.. Total marketing hype, and a cause for concern is their usage of the top graphic of the two faces, which in reality is actually the photo used by the English band Massive Attack [ http://www.audiodrums.com/2010/01/18/new-massive-attack-paradise-circus-ft-hope-sandoval-of-mazzy-star/ ]. The hype and FUD and bullshit is strong in this whole story.

    • Anonymous Coward, Mar 28th, 2013 @ 4:26am

      Re:

      The way to weed out Spamhaus is to stop using them. More people are doing it. Remember SORBS? That blacklist that *everyone* used that "broke email" for some hours because their site died a year or two ago? Yeah, no one's using them anymore...

    • Anonymous Coward, Mar 28th, 2013 @ 6:51am

      Re:

      I'm also no fan of Spamhaus. They make some dumb-ass mistakes from time to time and won't take the responsibility for those. I understand that Spamhaus needs a literal firewall to protect itself against the hate of SPAMmers, but they should allow victims of the mistakes they made to contact them easily and fix the problem ASAP.

      Another problem is that a lot of MTAs rely on Spamhaus only. That's a bad design decision and helps Spamhaus to maintain their power! There are many more methods to fight SPAM without using RBLs. They are even more effective! Don't rely on a single third party! It's a massive SPOF!

    • Anonymous Coward, Mar 28th, 2013 @ 9:19am

      Re:

      Honestly, using a BotNet to attack a company that you don't like? It's not like anyone is forcing people to use Spamhaus or Cyberbunker, so why should they be using third parties' internet connections to play out their little shouting match.

      I.e., don't defend DDoS attacks, especially if you are in security...

      Now I do hold some of these third parties responsible to some extent, but there is definitely blame on Cyberbunker if they admit to DDoSing. Did it take out the internet? No... Did it take out CloudFlare a bit? Sure, but that's their marketing pitch and they tried to swing their outage in a positive light.

    • Mason Wheeler (profile), Mar 28th, 2013 @ 10:33am

      Re:

      Why is anyone even using blacklists--Spamhaus or otherwise--in this day and age? Wasn't it proven years ago that Bayesian filtering is both more reliable and less abusable?

  • Pixelation, Mar 27th, 2013 @ 10:17pm

    There outta be a law

    Oh my God! It's Cyber-Warfare. Congress, please save us!

  • horse with no name, Mar 27th, 2013 @ 10:30pm

    Almost broke the internet is like almost pregnant. It didn't happen, so no biggie.

    Even if it did "break" the internet, what would really happen? For a while, some sites might not be reachable. The world would not end, people would not starve, the planet would not stop spinning. If it happens, it happens; move along and go watch TV for a while instead.

    • nasch (profile), Mar 28th, 2013 @ 8:06am

      Re:

      Almost broke the internet is like almost pregnant. It didn't happen, so no biggie.

      If you're having unprotected sex, just because your partner (or you) hasn't gotten pregnant doesn't mean there's no cause for concern.

  • The Old Man in The Sea, Mar 27th, 2013 @ 10:34pm

    Effects of attack on Spamhaus and Cloudflare for us

    About the only effect I've seen so far has been a slowdown of video downloading from YouTube (woodworking videos). I thought it was because I had reached my limit on downloads. But my downloads were still far too fast for that.

    Yawn, yawn to attack.

    A note though: a town in the west of the state had a fire in the local exchange which did knock out communications, and the last to get back up was the internet (apparently took weeks to fix). So in my book, actual physical destruction stops access rather than software related problems.

  • lfroen (profile), Mar 27th, 2013 @ 10:57pm

    Load of crap

    First of all: it's technically impossible to "overwhelm" a T1 network. It's not your crappy $50 home router; it's designed to remain functional under near 100% utilization.
    Second, 100G is not that much (in such a network). There're routers where _every_ _single_ _port_ is 100G.
    Yes, you read this correctly: while your home router port is usually 1G, and typically utilized at 30%, in T1 networks routers are designed to be "wire-speed", and can utilize all of the 100G ports at almost 100% at once without hanging/stacking/etc.
    So no, the Internet was not close to being "broken", whatever that means; and yes, Techdirt again publishes rubbish about technical subjects. Please stay on patents/copyrights topics next time.

  • Anonymous Coward, Mar 27th, 2013 @ 11:20pm

    Has the time come yet to utilize a few of them Bunker Buster bombs that we have?

  • Anonymous Coward, Mar 28th, 2013 @ 12:18am

    Dvorak also thinks the real target was Wikileaks:

    http://www.pcmag.com/article2/0,2817,2417142,00.asp

  • Anonymouse, Mar 28th, 2013 @ 12:43am

    The resolvers arem

  • Anonymouse, Mar 28th, 2013 @ 12:43am

    The resolvers aren't the issue, the ISP

  • Anonymouse, Mar 28th, 2013 @ 12:51am

    The resolvers aren't the issue, the ISPs are

    Don't know why it submitted before I pressed submit. The issue here is that the various ISPs should put ingress and egress filters on their gateways: if the source address trying to leave my network isn't on my network, it goes to /dev/null; the same for incoming traffic: if the destination trying to enter my network isn't on my network or routed by me to another network, again it goes nowhere. The main problem is solved this way. Even if all the DNS servers out there reachable are only the ones that are authoritative for a few zones, this can still cause problems; the network needs to be cleaned up from a routing perspective, but I guess too many lazy ISPs and their techies couldn't care less about what traffic traverses their pipes.

    • Anonymous Coward, Mar 28th, 2013 @ 3:54am

      Re: The resolvers aren't the issue, the ISPs are

      The problem with that is that people will move their business where there's no filtering in place to allow them the freedom they want.

      Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they're doing, and to what extent they're spying on me.

      Now think about web hosting. How can you deny people running their own nameservers? Sure, block all the traffic, but then back to square one. So what then? Force them to take a test? Scan their servers for problems? Ok sure, but not for free, and people don't want to pay... etc.

      White labelled ISPs pride themselves on the lack of filtering and the ability for anyone to resell without branding. This gives their customers ultimate freedom but at a cost of security.

      The solution, as bad as it is, is to wait for attacks to be reported (or noticed) then act to make it stop or bring the server offline. You can only prevent so much while trying to keep freedom and quality.

      • nasch (profile), Mar 28th, 2013 @ 8:11am

        Re: Re: The resolvers aren't the issue, the ISPs are

        Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they're doing, and to what extent they're spying on me.

        I'm not a networking expert, but what is the problem with the kind of filtering he's describing? What legitimate reason is there to spoof packets' source address? What reason does an ISP have to accept a packet that is addressed to somewhere it isn't going to be able to send it?

        • Anonymous Coward, Mar 28th, 2013 @ 9:21am

          Re: Re: Re: The resolvers aren't the issue, the ISPs are

          By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?

          So then you have to establish deep packet inspection to learn more about the packets, thus more monitoring and very high costs, especially if you have lots of traffic.

          The problem is that if you assume the end user will take care of it, you'll have a network with lots of security issues. But if you force security on your users, you'll lose your users.

          DNS is a very basic system required by every business with an online presence. Sure, you can host using DNS hosters, but then you put your DNS in the hands of someone else.

          If distributions concentrated on security instead of user-friendliness, this wouldn't be happening. But when you apt-get install bind/powerdns/etc, it has to work with minimal comprehension and reading of the manual, because, you know, otherwise people will stay with Windows.

          • nasch (profile), Mar 28th, 2013 @ 9:43am

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?

            If it originates from within your network but says it comes from somewhere else, no? Likewise if it's coming into your network but not going anywhere your network can handle. Am I missing something here (genuine question, because maybe it's not as simple as it sounds)?

          • Mason Wheeler (profile), Mar 28th, 2013 @ 11:42am

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?

            You make it sound like such a difficult question.

            If it's spoofed, you don't judge it, you don't inspect it, you kill it immediately. If its IP addresses are bad, then it's either corrupt or malicious, so shut it down.

            • Anonymous Coward, Mar 28th, 2013 @ 1:25pm

              Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

              Again, how do you identify it as spoofed without DPI?

              • nasch (profile), Mar 28th, 2013 @ 3:02pm

                Re: Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

                Again, how do you identify it as spoofed without DPI?

                Anonymouse's comment below addresses that (sounds reasonable, though I'm not that knowledgeable about it). What would DPI tell you about address spoofing that inspecting the headers wouldn't?

          • Anonymouse, Mar 28th, 2013 @ 2:16pm

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            You seem to have a lack of networking experience. No packet inspection is necessary *ever*: if the source IP address of a packet trying to leave your network is not part of your network, it gets dropped, since packets originating from your network should have source IP addresses that are part of your network. Simple. Since the source and destination addresses need to be "looked" at by your router anyway (strictly only the destination), you are not doing any "packet inspection" other than verifying the address validity.
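The border rule Anonymouse describes above, and the ingress/egress pairing from the "the ISPs are" comment earlier in this thread, as an added example (not code from the article, Cloudflare, or any commenter): a BCP38-style filter that looks only at the source and destination addresses in the IP header, with constructed prefixes and sample packets, including a DNS query whose source is forged to a victim's address. It assumes a stub ISP whose border sees only its own customers' traffic; the prefixes, addresses, and `Packet`/`verdict` names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical: the address space this (stub) ISP assigns to its own
# customers. Documentation ranges, constructed for the example.
OUR_PREFIXES = tuple(ip_network(p) for p in (
    "203.0.113.0/24",
    "198.51.100.0/24",
    "2001:db8::/32",
))


@dataclass(frozen=True)
class Packet:
    """Only the two header fields the filter needs; the payload is never read."""
    src: str
    dst: str
    direction: str  # "egress" = leaving our network, "ingress" = entering it


def in_prefixes(addr, prefixes=OUR_PREFIXES):
    """True if addr falls inside one of our prefixes (same IP version)."""
    a = ip_address(addr)
    return any(a in n for n in prefixes if n.version == a.version)


def verdict(pkt, prefixes=OUR_PREFIXES):
    """Decide 'forward' or 'drop:<reason>' for one packet at the border."""
    if pkt.direction == "egress":
        # Anything leaving us must carry one of our own addresses as source.
        # A foreign source is spoofed (or misrouted); dropping it here is what
        # keeps a reflector elsewhere from answering to the forged victim.
        if not in_prefixes(pkt.src, prefixes):
            return "drop:spoofed-source"
        return "forward"
    if pkt.direction == "ingress":
        # Traffic arriving from outside cannot legitimately claim one of our
        # own addresses as its source ...
        if in_prefixes(pkt.src, prefixes):
            return "drop:spoofed-source"
        # ... and traffic for an address we do not hold has nowhere to go.
        if not in_prefixes(pkt.dst, prefixes):
            return "drop:undeliverable-destination"
        return "forward"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_filter(packets, prefixes=OUR_PREFIXES):
    """Return (forwarded, dropped) lists of (packet, verdict) pairs."""
    forwarded, dropped = [], []
    for p in packets:
        v = verdict(p, prefixes)
        (forwarded if v == "forward" else dropped).append((p, v))
    return forwarded, dropped


# Constructed sample traffic at the border (not captured data).
SAMPLE = [
    # Honest customer querying a resolver somewhere else.
    Packet("203.0.113.10", "192.0.2.53", "egress"),
    # Customer host emitting a DNS query whose source is forged to the
    # victim's address (192.0.2.80 is not ours); the resolver's answers would
    # go to the victim, so this is the packet egress filtering exists to drop.
    Packet("192.0.2.80", "192.0.2.53", "egress"),
    # Reply coming back to the honest customer.
    Packet("192.0.2.53", "203.0.113.10", "ingress"),
    # Outside packet claiming to come from inside our own space.
    Packet("203.0.113.99", "203.0.113.10", "ingress"),
    # Outside packet addressed to space we do not hold.
    Packet("192.0.2.7", "192.0.2.9", "ingress"),
    # IPv6 customer, legitimate.
    Packet("2001:db8:1::5", "2001:db8:9::1", "egress"),
]


def summary(packets=SAMPLE, prefixes=OUR_PREFIXES):
    """Counts and drop reasons for a batch, for a quick sanity check."""
    fwd, drp = apply_filter(packets, prefixes)
    return {"forwarded": len(fwd), "dropped": len(drp),
            "reasons": sorted(v for _, v in drp)}


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.direction:7} {p.src:>16} -> {p.dst:<16} {verdict(p)}")
    print(summary())
```

A transit provider with downstream customers would extend OUR_PREFIXES with the prefixes it routes for them; the decision itself stays a header-only address check, which is the point the thread makes against needing DPI.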

    • Anonymous Coward, Mar 28th, 2013 @ 6:44am

      Re: The resolvers aren't the issue, the ISPs are

      This is ABSOLUTELY correct. There is a long and serious discussion on this very point happening on the NANOG mailing list this week: see http://mailman.nanog.org/pipermail/nanog/ if you want to follow along.

      As to Spamhaus: those of you slamming it are (a) spam-supporting parasites or (b) clueless. Spamhaus performs a function precisely equivalent to Consumer Reports: they express an opinion, one which you are free to heed or ignore. This is no different from hundreds of other DNSBLs, RHSBLs, static lists, etc. ALL of them express opinions, NONE of them enforce them on anyone.

      • Anonymous Coward, Mar 28th, 2013 @ 9:26am

        Re: Re: The resolvers aren't the issue, the ISPs are

        Wrong. They enforce it indirectly on *everyone*.

        I'm trying to send Bob an email. Bob is using Spamhaus. I can't send Bob an email from home because my ISP is blacklisted for having "dynamic DNS" (let's not get into THAT).

        So I email Alice and ask her to email Bob, which she does. She asks Bob to remove Spamhaus from his blocklists, but Bob also uses his ISP email and cannot do anything.

        Spamhaus are one of the worst out there. They almost always refuse to remove blacklists even when the issue is resolved and you have evidence, if you get an answer at all, and they often refuse to provide the reasons as to why you were blocked in the first place.

        If only they charged for removal we could officially label them a scam.

        •  
          identicon
          Anonymous Coward, Mar 28th, 2013 @ 9:50am

          Re: Re: Re: The resolvers are't the issue the ISPs are

          You're full of shit.

          If someone's ISP is refusing email as a consequence of a Spamhaus listing, then it's because that ISP chose to use Spamhaus. Nobody makes them do it.

          Second, sending mail direct-to-MX from dynamic IPs is very, very stupid. It's a worst practice. So no whining that you can't do it, you shouldn't even be trying.

          Third, Spamhaus is very prompt about removing listings once the reason for them has been resolved. In fact, they're TOO prompt, TOO nice about it, and occasionally they get scammed because the reason resurfaces shortly after they pull the listing.

          Fourth, you have to really, REALLY work hard to earn a Spamhaus listing. Either (a) you have to be a prolific spammer or (b) you have to be an utterly incompetent, hopelessly lazy, thoroughly stupid network/system admin to get onto their list. Spamhaus is VERY lenient and VERY tolerant, often to my annoyance.

          Fifth, it's trivially easy to see why something is listed by Spamhaus: they have a web interface that you can query and thus access a wealth of information. So when you say that "they often refuse to provide the reasons", you are -- once again -- lying.

          Sixth, Spamhaus listings rarely happen in isolation. If you check numerous other DNSBLs/RHSBLs, you will see that the same IP addresses/network blocks/domains that show up on one, tend to show up on many. Given that they're all independently run by people with very different criteria -- people who often argue with each other -- then it should be obvious that when this happens, it's not because they all woke up and decided arbitrarily to make it happen. It's because there's a real problem.

          I'm sure none of this will stop you from continuing to lie about Spamhaus, of course. Which spammer did you say you were?


          •  
            Anonymous Coward, Mar 28th, 2013 @ 10:03am

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            While I understand the reasons behind not being able to send mail direct-to-MX, it's breaking the end-to-end principle as well. So blocking direct-to-MX is bad, but a necessary evil.
            Getting listed on an RBL is rather trivial, but a good RBL will respect valid operators that research the reason for the listing and stop the offending emails. I've never had a problem with Spamhaus, so I don't know how easy it is to contact them. Like you stated though, everyone can choose their own hosting provider and use any RBLs or nothing if that is what they wish.


          •  
            nasch (profile), Mar 28th, 2013 @ 10:12am

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            If someone's ISP is refusing email as a consequence of a Spamhaus listing, then it's because that ISP chose to use Spamhaus.

            This would only affect people using their ISP's email address, right? So just one more reason not to do that.


          •  
            Mason Wheeler (profile), Mar 28th, 2013 @ 11:46am

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            Again, why is anyone still using blacklists in 2013, when it was proven years ago that Bayesian filtering is far more effective and less prone to abuse?


            •  
              Anonymouse, Mar 29th, 2013 @ 12:17am

              Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

              This is quite easy, quite a few ISPs pay per bandwidth, quite heftily, in fact, so traffic not carried (blacklist) is bandwidth not wasted, as opposed to accepting the traffic, then running a Bayesian filter over it and possibly still determining it to be spam, when they could have avoided the traffic and CPU cycles in the first place.


          •  
            Anonymous Coward, Mar 28th, 2013 @ 1:31pm

            Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

            First, it's very difficult to take you seriously when you start off by "You're full of shit".

            Second, *tons* of ISPs allow direct-to-MX from dynamic IPs. Tons. Did I say tons? Tons.

            Third, SpamHouse are known to be the nazis of blacklists and refuse to remove a single listing if other IPs in the same /24 are listed. I've been dealing with them for over 6 years, and it's mostly only problems.

            Fourth, you don't have to work hard. You only need to run a hosting company and let the users take care of it for you.

            Fifth, the interface is useless because you still have to apply to get delisted and the idiot human behind the scenes always refuses, because "you have other networks listed".

            Sixth, Spamhouse block tons of people that no other blocklist does. As I said above, in the web hosting world, they're known as the Nazis. Simple as that. Talk to some people that have inside knowledge of spam management.

            I'm not sure if this will confirm you're a spamhaus employee or just someone without knowledge of spam. Which scammer err.. spamhauser did you say you were?

            I work for a reputable company that fights with those idiots day after day. What scammers do you work for again? Hitler is that you?! Sorry I couldn't resist.


            •  
              Anonymouse, Mar 29th, 2013 @ 1:41am

              Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

              1st - you did take him seriously, else you wouldn't have responded :-)

              2nd - strange you're measuring the ISPs by weight, I guess it's because they're sinking due to all the SPAM

              3rd Maybe SpamHouse are a bit overzealous, but it works... to have a little story, assume everyone on your block uses the loo, like most civilized humans do, but you crap in the hand basin; not wanting to talk to anyone on your block may cause peer pressure to make you change your behaviour and use the loo instead. Until you do, don't expect me to accept your mail.

              4th there's the rub, not working and letting users loose on the infrastructure who are not educated enough about correct internet procedures gets you listed...

              5th oh yes, refer to 3rd above

              6th oh yes, again refer to 3rd above, and there's the second problem: if you're doing *WEB* hosting, why would DNS blacklisting, which only impacts *MAIL*, have anything to do with you?

              I doubt he's a SpamHouse employee, neither am I, but I was happily using their services from '98? '99? onwards.

              Yup a *reputable* company, like the tons referred to in 2nd above...

              There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up.


              •  
                Anonymous Coward, Apr 1st, 2013 @ 12:51pm

                Re: Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are

                1st - I said it was hard.

                2nd - Strange you say that. I never measured anything. I pointed out the obvious, obviously.

                3rd No. The correct analogy would be that you prevent everyone from using the hand basin until that one person stops… thus punishing everyone because of something 1 person did.

                4th Enjoy running your company without clients. I guess you never worked in web hosting - or know much about it for that matter.

                5th oh yes, refer to 3rd above - yes exactly

                6th Web hosting includes email. Again, you should learn the lingo before trying to use it without understanding it.

                Yup a *reputable* company, like the tons referred to in 2nd above... said the guy who can't understand basics of web hosting.

                "There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up."

                Exactly, so leave it up to the nazis to decide what is dynamic and what is not, which was exactly the problem in the first place.


  •  
    Anonymous Coward, Mar 28th, 2013 @ 2:15am

    Hey, what's with "open resolvers" somehow being bad all of a sudden?! Has everyone forgotten that the likes of OpenDNS are the main thing standing between us and widespread censorship? No one should trust their ISP's own DNS servers after the whole "six strikes" thing.


  •  
    infirit, Mar 28th, 2013 @ 3:33am

    I did not notice a thing

    I am in the Netherlands and I have not noticed anything. Only after reading about it online I was made aware of it.


  •  
    Anonymous Coward, Mar 28th, 2013 @ 3:47am

    I believe whoever wrote that blog post on cloudflare doesn't understand much about routing and tier1 providers.

    From experience, any major traffic peak that *can* (not necessarily does) affect their customers will be nullrouted at the first ingress (or egress) router, thus traffic goes nowhere. Then they'll contact you with the reason for the nullroute and the target.

    Also, they assume that at any point there is a single 100gbps router handing the traffic, which couldn't be further from the truth unless you use known low-quality tier1's. Routers are stacked for redundancy and to share cpu power.

    It's not the first laugh we have about some non-tech person claiming the possibility to break the internet, remember the root nameserver one?


    •  
      Anonymous Coward, Mar 28th, 2013 @ 7:04am

      Re:

      Yeah! It's complete BS that 300Gbit/s is able to almost break the internet. 300Gbit/s is a nice piece of traffic but not enough to cause major trouble. Just checked the statistics for DE-CIX (public peering point in Germany). Peak traffic is about 2.5Tbit/s for the last weeks as usual, no spikes for the DDoS. Let's call that marketing hype!


  •  
    anonymouse, Mar 28th, 2013 @ 3:52am

    wow

    OK, I don't understand the technology or the problem with this massive attack, but if someone could explain it to me like I am five I would really appreciate it.

    From what I have read, 300gb of traffic has been directed at Spamhaus, which is a site that creates blocklists of potential spammers. They have then been attacked by someone they listed as a spam generating entity.

    Is there now a chance that developers will spend some time preventing these types of attacks from happening again? Surely it would be simple enough to prevent DDoS attacks by having a system where, after a certain amount of attempts to DoS attack an entity, the servers would automatically restrict any future connection attempts, thereby completely nullifying the attack close to where it is being generated from. Simply block every attempt to attack a specific IP range.
    Maybe I am simplifying this too much and don't understand the problem, but surely the main structure of the internet should be able to identify this type of attack and prevent it from spreading.


    •  
      Anonymous Coward, Mar 28th, 2013 @ 4:22am

      Re: wow

      Yes simple. Tell every nameserver distributing software/distribution to disable open resolvers by default instead of enabling them. Problem solved.

      If you force the user to read up on a feature before being able to use it, then the user will learn about that feature and make the conscious decision of enabling it or not. I believe RedHat and all its derivatives ship with it enabled by default. Possibly other distros as well.

      Theo de Raadt made a presentation about DNSSEC and how it could be used to amplify these sorts of attacks. The video's on youtube. Basically with misconfigured DNSSEC the attack could have been 10x, maybe even 100x worse.


      •  
        Anonymouse, Mar 29th, 2013 @ 2:33am

        Re: Re: wow

        To that other anonymouse, the DNS resolvers are not so much the issue as proper routing procedures not being implemented by ISPs.

        Assume you sit behind an ADSL connection, which assigns you one IP address. The router port on the ISP's end of the circuit should, once assigning you the IP address, add 2 restrictions on their end:
        1. allow traffic into the network from you, coming from your assigned IP address
        2. drop/block everything else
        To panic about open resolvers ignores ICMP problems and any other services that utilize UDP and that don't require handshaking and are thus prone to being used in spoof attacks.
        The same goes for a leased line connection with a block of IP Addresses
        1. allow traffic into the network from you, coming from your assigned network range, for example 196.15.195.128/27
        2. drop/block everything else
        Then for good measure, on the routers to the rest of the world, allow outgoing traffic from the IP addresses that are local to the ISP and drop/block everything else. No impact on the users, no packet inspection, no developers needing to do anything.

        To identicon, you are missing the big picture, *think of the children*... DNS is a minor and non-issue, the issue is that ISPs knew about the spoofing issues back in the last century and have had the tools/option to setup the rules on their gateways since then, but it is a bit of work and these lazy so and so's should be kicked in the nuts for not implementing this lot ages ago already. Implementing the best practices rules on the gateways would take care of any and all ICMP and UDP spoof attacks, I am sure others may arise, they can then be dealt with in a way appropriate for those attacks, yelling DNS and open resolver does not solve the actual problem. The network as a whole should be cleanly set up, which includes every ISP from tier 1 on down to your local one man shop with half a class C assigned to him.

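        The two rule pairs in the comment above (a per-port ingress filter, then a border egress filter), as an added example written for this page rather than taken from the commenter or any vendor: a small Python model of an ISP edge applying both rules to constructed packets. The 196.15.195.128/27 block is the range the comment uses; the single ADSL address, the ISP aggregate 196.15.195.0/24, the port names and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (not a real ISP's addressing).
# The /27 is the leased-line range from the comment; everything else is made up.
ISP_AGGREGATES = [ip_network("196.15.195.0/24")]
CUSTOMER_PORTS = {
    "adsl-port-7": [ip_network("196.15.195.10/32")],     # ADSL user, one address
    "leased-port-2": [ip_network("196.15.195.128/27")],  # leased line, a /27 block
    "legacy-port-9": None,  # no ingress filter configured: the lazy case the comment objects to
}


@dataclass
class Packet:
    port: str   # ISP-side port the packet arrived on
    src: str    # claimed source address
    dst: str
    proto: str  # "udp", "icmp", "tcp": the rules are protocol-agnostic


def ingress_allowed(pkt: Packet) -> bool:
    """Customer-port rule: allow only sources inside that port's assigned range."""
    if pkt.port not in CUSTOMER_PORTS:
        return False  # unknown port: nothing assigned, so nothing is valid
    ranges = CUSTOMER_PORTS[pkt.port]
    if ranges is None:
        return True   # unfiltered port lets any source address through
    src = ip_address(pkt.src)
    return any(src in r for r in ranges)


def egress_allowed(pkt: Packet) -> bool:
    """Border rule: only traffic sourced from the ISP's own prefixes may leave."""
    src = ip_address(pkt.src)
    return any(src in agg for agg in ISP_AGGREGATES)


def filter_packets(packets):
    """Return (forwarded, dropped_at_ingress, dropped_at_egress) as lists of packets."""
    forwarded, at_ingress, at_egress = [], [], []
    for pkt in packets:
        if not ingress_allowed(pkt):
            at_ingress.append(pkt)
        elif not egress_allowed(pkt):
            at_egress.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, at_ingress, at_egress


# Constructed sample traffic: genuine queries plus spoofed-source packets.
SAMPLE = [
    Packet("adsl-port-7", "196.15.195.10", "203.0.113.53", "udp"),    # genuine
    Packet("leased-port-2", "196.15.195.140", "203.0.113.53", "udp"), # genuine, inside the /27
    Packet("adsl-port-7", "198.51.100.9", "203.0.113.53", "udp"),     # spoofed foreign source
    Packet("adsl-port-7", "196.15.195.140", "203.0.113.53", "udp"),   # spoofed as a neighbour
    Packet("leased-port-2", "196.15.195.160", "203.0.113.53", "icmp"), # .160 is just past the /27
    Packet("legacy-port-9", "198.51.100.9", "203.0.113.53", "udp"),   # caught only at the border
    Packet("legacy-port-9", "196.15.195.140", "203.0.113.53", "udp"), # neighbour spoof leaks out
]

if __name__ == "__main__":
    fwd, ing, egr = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped_ingress={len(ing)} dropped_egress={len(egr)}")
```

        The unfiltered legacy port shows why the border rule alone is not enough: a packet spoofing a neighbouring customer's address passes it, while the per-port ingress rule catches the same packet on a filtered port.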

  •  
    Gunntherd (profile), Mar 28th, 2013 @ 4:09am

    Totally agree, they (Government) need to "cause" issues, which keep getting bigger and bigger, which the liberal media will just go along with the claims until the minority beg the powers that be to do something, which in the end will be the backdoor to taking control of the internet so the children and unknowledgeable internet users will be safe from terrorism by means of a cyber attack. I call bullshit on this too!! Nothing but a power grab to invoke another knee-jerk reaction to do nothing but take control of more of our freedoms.


  •  
    Anonymous Coward, Mar 28th, 2013 @ 4:12am

    It's true my internet is running like shit :( oh wait never mind it was a porn torrent lagging me.

    I'm still getting over 11,000 kbs download speeds but I wish I had Google with that GFG 1gbps u/d :(


  •  
    Lurker Keith, Mar 28th, 2013 @ 7:10am

    Popehat

    Yesterday, & only yesterday, I had problems getting to Popehat, & only Popehat. I didn't notice anything else.

    No clue if this was related or not. It's the first time I had difficulty navigating to Popehat since I started visiting it around the time The Oatmeal train wreck got underway.

    Granted, I'm in the US.


    •  
      G Thompson (profile), Mar 28th, 2013 @ 7:28am

      Re: Popehat

      Well your problem there in not being able to access Popehat was 1: they had an interesting article all about SEX.. Yes SEX *gasp horror eyeswideopen*
      and 2: it seems you need to supply more Pony's to Ken! ;)


  •  
    Anonymous Coward, Mar 28th, 2013 @ 8:47am

    I hope they can shutdown Spamhaus for good

    This company is as bad as any spammer. If you get put on their list, they charge you $500 to get off of it, or you can wait one month.


  •  
    Jesse (profile), Mar 28th, 2013 @ 11:01am

    We need CISPA!!!!


