DDoS attack cripples HSBC online banking

No customer records compromised, bank says, after second outage of 2016

A cyber attack that has crippled HSBC’s website has left customers locked out of online banking services today.

A DDoS (distributed-denial-of-service) attack knocked out HSBC’s online functions at around 8.30am this morning, and customers have struggled to access their accounts online since, with HSBC warning at 4.45pm that the assault on its servers is ongoing, though a normal service is returning.

While no customer records or transactions have been compromised, the attack left customers unable to log into online banking facilities via web browsers or mobile apps.

A spokeswoman for HSBC initially told IT Pro that the bank “has successfully defended against the attack” at around 11.20am.

But a statement from COO John Hackett at 4.45pm read: “We are continuing to experience attempted denial of service attacks and we are closely monitoring the situation with the authorities.

“HSBC’s internet and mobile services have partially recovered, and we continue to work to restore a full service. We apologise for the disruption and inconvenience this may have caused.”

Today’s DDoS attack comes on the final Friday of January, when many people will still be getting paid, and follows two days of outages at the beginning of this month affecting 17 million customers.

Security firm ESET’s security specialist, Mark James, said HSBC’s reputation will suffer as a result.

“DDoS attacks, regardless of motive, are never good for any organisation,” he said. “Its users may vote with their feet rather than be understanding and stay with them.”

Tripwire security researcher, Craig Young, speculated that the DDoS assault could be the work of hacktivists – hackers with a moral axe to grind – or cybercriminals looking to force HSBC to cough up in order to put an end to the issue.

“This is a common type of attack used by so-called hacktivists looking to make a political statement as well as extortionists requesting a ransom in exchange for stopping the attack,” he said. “Often times the flood of requests are coming from computers and routers which have been hacked and unwillingly enlisted for attack.”

HSBC said it is working with police to identify the culprits.

A spokeswoman said: “HSBC is working closely with law enforcement authorities to pursue the criminals responsible for today’s attack on our internet banking. We apologise for any inconvenience this incident may have caused.”

In addition to the outage at the beginning of January, the bank also angered customers last August by stopping BACS payments from leaving their accounts. HSBC revealed this week in a letter to a committee of MPs that the error was caused by a mega-payment rejected by its system, according to the BBC.

Source: http://www.itpro.co.uk/security/25962/ddos-attack-cripples-hsbc-online-banking#ixzz3yf6ziVYI

Police Around the World Join Forces to Target DDoS Gang

Law enforcers across Europe and beyond have started the year as they mean to go on with a closely co-ordinated operation resulting in the arrest of a key target in connection with infamous DDoS Bitcoin extortion group DD4BC.

Europol revealed in a statement on Tuesday that Operation Pleiades had been a success, resulting in one arrest, the detention of another suspect, and the seizure of an “extensive amount of evidence” resulting from property searches.

The operation was carried out on 15 and 16 December by law enforcers from Austria, Bosnia and Herzegovina, Germany and the UK along with Europol. It was the UK’s Metropolitan Police Cyber Crime Unit (MPCCU) that apparently identified key members of the group in Bosnia.

Police in Australia, France, Japan, Romania, Switzerland and the US (FBI and Secret Service) were also involved, alongside Interpol, the statement continued.

DD4BC is well known for extorting money from online gambling, financial services, entertainment and other firms—threatening them with DDoS attacks unless they pay up in Bitcoins.

“These [cybercrime] groups employ aggressive measures to silence the victims with the threat of public exposure and reputation damage. Without enhanced reporting mechanisms law enforcement is missing vital means to protect companies and users from recurring cyber-attacks,” argued Europol deputy director of operations, Wil van Gemert.

“Police actions such as Operation Pleiades highlight the importance of incident reporting and information sharing between law enforcement agencies and the targets of DDoS and extortion attacks.”

Brian Honan, founder of BH Consulting and special adviser to Europol, welcomed the news as another example of law enforcers working well together across jurisdictional boundaries, and as a good lesson for victimized firms on why working with police should always be the preferred option.

“In the past, companies have been reluctant to share details of a security incident with law enforcement as they think there is little chance the criminals behind the attack will be brought to justice,” he told Infosecurity.

“But by working with law enforcement the information gathered, analysed, and shared can provide an overall picture of who the criminals are. So even if the attack your company is victim to does not yield immediate results, the information you share with law enforcement could be a vital clue in unraveling the overall puzzle as to who the criminals are and eventually lead to their arrest.”

Honan added that the arrest also showed cybercriminals can’t always hide behind anonymization tools and digital currencies.

Others warned this is unlikely to be the last of DDoS-based ransom demands.

“Distributed denial of service attacks are easier to pull off than ever, which is why we are seeing them increasingly used as a means of gaining leverage over businesses that are highly reliant on the internet,” argued A10 Networks product marketing director, Paul Nicholson.

“For organizations such as banks, financial institutions and even gambling websites, network downtime is equated with an immediate loss of revenue, which can lead them to give in to demands. Fortifying defenses must be these organizations’ top priority.”

Source: http://www.infosecurity-magazine.com/news/police-around-world-join-forces/

400Gbps NTP-based DDoS attack – largest DDoS attack in history

Until a week ago, it was believed that the distributed denial-of-service (DDoS) attack against Spamhaus was the largest in history. Now an even bigger DDoS attack has been recorded by the content delivery network CloudFlare.

Matthew Prince, CloudFlare CEO, said on Twitter that a very big NTP reflection attack was hitting them and appeared to be bigger than the Spamhaus attack from last year.

According to Matthew, the attack reached 400Gbps, which is 100Gbps higher than the DDoS attack targeting Spamhaus.

CloudFlare said all websites have returned to production.

The founder of the French hosting firm OVH also said its network received more than 350Gbps of traffic, but it is not clear whether this is related.

Last month, CloudFlare also wrote an article detailing the Network Time Protocol (NTP) based DDoS attacks that caused trouble for some gaming websites and service providers.

NTP is a UDP-based protocol running on port 123 that Internet-connected computers use to set their clocks accurately. A system synchronizes with a server and receives the current time.

Experts say the protocol is prone to amplification attacks because it will respond to packets with a spoofed source IP address “and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool.”

Lists of open NTP servers on the Internet allow attackers to launch denial-of-service attacks against any target network.

Source: http://www.ehackingnews.com/2014/02/400gbps-ntp-based-ddos-attack-hits.html

DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney

Paying a site to DDoS other sites is perfectly legal, the proprietor behind one such outfit told security journalist Brian Krebs.

Besides which, he says, his service, called RageBooter, even features a nifty backdoor that lets the FBI monitor customer activity.

The conversation took place recently between Krebs and Justin Poland, the US man from Memphis, Tennessee whom Krebs sniffed out via WHOIS lookup and Facebook.

According to Poland, DDoSing the beejezus out of sites is perfectly legal/justifiable/morally kosher because:

  1. It’s “a public service on a public connection to other public servers”;
  2. His service merely takes advantage of default settings of some DNS servers; and
  3. Spoofing a sender address is legal and OK because if a root user of the server doesn’t like it they just have to disable recursive DNS.

Regarding item No. 3, recursion is the act of querying additional DNS servers to resolve queries a DNS server can’t resolve from its own database.

Microsoft, for its part, confirms that yes, attackers can use recursion to deny the DNS Server service and has this TechNet article on how to disable it.

In short, Poland told Krebs, RageBooter is just a “legal testing service”:

How individuals use it is at there [sic] own risk and responsibilitys [sic]. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product.

How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.

About that ready accommodation of “any legal law enforcement”: when Krebs asked Poland whether police or other authorities had ever asked for information about his customers, Poland told him that well, actually, he works for the FBI.

From Krebs’ account of the Facebook chat he had with Poland:

I also work for the FBI on Tuesdays at 1pm in memphis, tn. They allow me to continue this business and have full access.

The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.

When Krebs called the number Poland gave him to check with the FBI, the man on the other end got peeved and referred him to the FBI’s press office, which in turn wouldn’t confirm or deny any of this.

Poland, for his part, stopped talking with Krebs, saying he’d been instructed to block him. His Facebook page disappeared within moments of Krebs receiving this message:

I have been asked to block you. Have a nice day.

Regarding the legality of hiring a DDoS service, Krebs checked with Mark Rasch, a security expert and former attorney for the US Department of Justice.

Rasch told Krebs that while companies regularly hire network stress-testing services, it’s generally part of a more inclusive penetration testing engagement in which those conducting the tests insist on first getting a “get out of jail free card” – e.g., a notarized letter from the customer stating that the testing firm was hired to break into and probe the security and stability of a targeted site.

Krebs quotes Rasch:

This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you...

The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.

I checked with Sophos’ IT security manager, Ross McKerchar, who regularly fends off DDoS attacks, to see what he thought of DDoS legality. Unsurprisingly, he says DDoS should “clearly” be illegal, and the fact that it’s not illegal everywhere is just evidence of the law lagging:

To use an analogy, even if I have a very poor lock and no alarm system it’s still illegal to break in to my property.

The argument regarding reflected DNS attacks is “even weaker”, McKerchar says:

You are at risk to these attacks regardless of your own DNS servers: the problem is that any misconfigured DNS server can be used to attack someone else.

To say that it’s legit to attack company A, because unrelated companies B, C & D have poor security doesn’t really hold water.

None of this is meant to excuse poor security, of course.

To extend the lock analogy even further, McKerchar says:

If a bank had a rubbish lock and no alarm system, I think most people would agree that they bore some responsibility for a break-in. Larger companies should recognize and plan for the risk of DDoS attacks, given they are so easy to execute.

I think it would be fair to say that any company that doesn’t, and depends on their internet-facing systems for revenue is running a major risk, bordering on negligence.

Krebs’ sleuthing on this issue is far more extensive than this write-up. It’s definitely worth a read to check his original article, which provides more on the booter market, the nature of the backdoor which the FBI may or may not have into RageBooter, and how booters’ biggest threats are attacks from each other.

One interesting aspect of these services is how they use PayPal to fund their activities.

When Krebs checked with PayPal about this, the company told him that the use of its service for DDoS-for-hire sites would violate its terms of use agreement.

From its statement to Krebs:

While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly.

We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.

PayPal will work with law enforcement to take down something that the FBI might well have its hand in? Up to the elbow and beyond?

Sure. OK. Right.

Eyebrow arched.

Source: http://nakedsecurity.sophos.com/2013/05/21/ddos-for-hire-service-is-legal-and-even-lets-fbi-peek-in-says-a-guy-with-an-attorney/


Tips for validating DDoS defenses

Prolexic has issued a number of recommendations that organizations can use to validate their DDoS defenses, as well as protection services they receive from mitigation providers.

Organizations should work closely with their DDoS mitigation providers to complete a professional, planned provisioning and service validation.

The only way to be sure that DDoS protection will be effective is through proactive validation against different types of attack scenarios.

Best practices:

  • With the DDoS mitigation service active, verify that all applications are performing properly.
  • Verify that all routing and DNS is working.
  • In partnership with your mitigation service provider, generate a few gigabits of controlled traffic to validate the alerting, activation and mitigation features of the service.
  • Test small levels of traffic without scrubbing and without any DDoS protection to validate that your on-premise monitoring systems are functioning correctly. This action will also help you identify the stress points on your network.
  • Conduct baseline testing and calibrate systems to remediate any network vulnerabilities.
  • Schedule validation tests on a regular basis (yearly or quarterly) with your DDoS mitigation service provider to validate that the service configuration is still working correctly – and eliminate the risk of network element failures due to DDoS. If network issues arise during testing, your service provider may need to make modifications based on recent changes to your network, such as modified firewall rules, firmware updates and router reconfiguration.

Source: http://www.net-security.org/secworld.php?id=14911

May 7th 2013: OpUSA Banks Face Uncertain Threat DDoS Attack

Banks may be about to endure yet another cyberattack by hacktivist groups.

The hacker collective Anonymous has joined with groups throughout the Middle East and North Africa to vow a series of so-called denial of service attacks this Tuesday against financial institutions, other U.S. firms and government agencies.

The campaign, which hacktivists have dubbed OpUSA, comes in retaliation for what backers say are U.S. war crimes in Iraq, Afghanistan and Pakistan.

“Anonymous will make sure that this May 7th will be a day to remember,” the group wrote in a message posted April 24 on Pastebin, a website used by programmers.

The threat follows a similar campaign against commercial and government targets in Israel by Anonymous, which has claimed responsibility for a series of attacks on financial networks and online sites in that country.

The attacks are expected to consist mostly of “nuisance-level attacks against publicly accessible webpages and possibly data exploitation,” the U.S. Department of Homeland Security warned on May 1 in a bulletin obtained by Krebs on Security. “The criminal hackers behind the OpUSA campaign most likely will rely on commercial tools to exploit known vulnerabilities, rather than developing indigenous tools or exploits.”

“Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-U.S. message,” DHS added.

No major online sites had been adversely affected as of Monday afternoon, according to Radware, a digital security firm that is monitoring the threat.

Experts say publicly announced attacks can vary in credibility and are sometimes just a bid for attracting attention. “If the attackers follow the same patterns as previously witnessed during the [Operation Israel] attacks, then targets can expect a mixture of attacks,” including “denial of service attacks and web application exploits,” Mike Schiffman, a security researcher at Cisco, wrote recently. “Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens.”

Source: http://www.americanbanker.com/issues/178_87/banks-face-uncertain-threat-from-cyberattack-planned-tuesday-1058881-1.html

WordPress Sites Attacked; May Be Prep for DDoS Barrage

If you haven’t used WordPress to publish a blog, you surely have at least visited a WordPress-powered site to read a blog or other content. It’s so easy to use that it has become one of the most popular blogging and Web publishing platforms in the world.

Now, it’s under attack by hackers. And that could put you under attack.

“The attacker is brute-force attacking the WordPress administrative portals, using the username ‘admin’ and trying thousands of passwords,” said CloudFlare, a Web site optimization firm, in its blog. “It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.”

A Rare Target

According to CloudFlare, one of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack.

“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” the company said. “This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the fall of 2012, was behind the large attacks on U.S. financial institutions.”

Graham Cluley, a senior security analyst at Sophos, said WordPress was a target because it powers many millions of Web sites around the world.

“If the owners of those Web sites haven’t locked down their sites properly, they could be hijacked by cybercriminals for their own purposes. Sadly, many people do still choose poor username/password combinations,” Cluley said. “Botnets continue to be a major problem. But it’s rare for us to see an attack targeting WordPress sites in this way on this scale.”

Dictionary Attacks

Cluley’s colleague, Sophos security analyst Paul Ducklin, said that since it would take too long to try every possible username and password on every known WordPress or Joomla server, this onslaught is using what is known as a dictionary attack. The strategy is to automate the password guessing, speed up the attack, and not spend too long on any individual site.

“Not being the low-hanging fruit isn’t a generic solution to this problem, as it’s a bit like outrunning your buddy when you are chased by a hungry lion: It saves you, but leaves someone else to take the hit,” Ducklin wrote in a blog post. “But that is no reason not to move your fruit to higher branches. Remember that if someone breaks into your server, that’s bad for you, but it is also bad for everyone else.”

Ducklin warned that not setting strong passwords gives the crooks a free ride for hosting malware, launching further attacks, publishing phishing pages, disseminating fake updates or bogus information, and much more.

“All with your imprimatur, and, in the end, with your services blacklisted by anyone who’s security conscious. Remember, password-guessing attacks of this sort happen all the time,” he said. “The attack volume in this case has been sufficient to attract global attention, which is a good thing, but it’s currently thought to be only about three times the usual level.

“In other words, even when ‘normal service’ is resumed, we’ll all still be firmly in the sights of the cybercriminals, so take this as a spur to action!”
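The brute-force pattern described above has two signatures a site operator can look for in ordinary web server access logs: one source hammering wp-login.php, and a botnet where each bot sends only a couple of guesses so that only the aggregate rate stands out. This added example (not code from CloudFlare, Sophos or WordPress) runs both checks over constructed log lines; IP addresses, timestamps and thresholds are made up, and it assumes the usual WordPress behaviour of answering a failed login with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect.

```python
"""Detect WordPress admin brute-force attempts in access logs (constructed sample)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


_T0 = datetime(2013, 4, 12, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # A real administrator: renders the form, then logs in (302 on success).
    _line("203.0.113.5", _T0, "GET", "/wp-login.php", 200),
    _line("203.0.113.5", _T0 + timedelta(seconds=20), "POST", "/wp-login.php", 302),
]
# Signature 1: one loud source, seven guesses in half a minute.
SAMPLE_LOG += [_line("198.51.100.7", _T0 + timedelta(seconds=5 * i), "POST", "/wp-login.php", 200)
               for i in range(7)]
# Signature 2: thirty bots, two guesses each, spread over two minutes.
SAMPLE_LOG += [_line(f"192.0.2.{b}", _T0 + timedelta(seconds=4 * b + g), "POST", "/wp-login.php", 200)
               for b in range(1, 31) for g in range(2)]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def failed_logins(lines):
    """Only POSTs to wp-login.php are password guesses; a 200 means the form came back (failure)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") \
                and rec["status"] == 200:
            out.append(rec)
    return out


def noisy_sources(fails, max_per_ip=5):
    """Signature 1: any single IP with more than max_per_ip failed guesses."""
    counts = Counter(f["ip"] for f in fails)
    return {ip: n for ip, n in counts.items() if n > max_per_ip}


def distributed_bursts(fails, window_minutes=5, max_failures=20, min_ips=10):
    """Signature 2: fixed time windows where many distinct IPs together exceed the failure rate.

    Per-IP thresholds miss a botnet that keeps each bot under the limit; the
    aggregate failure count against wp-login.php across all sources does not.
    """
    buckets = defaultdict(list)
    for f in fails:
        ts = f["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        buckets[start].append(f["ip"])
    alerts = []
    for start, ips in sorted(buckets.items()):
        if len(ips) > max_failures and len(set(ips)) >= min_ips:
            alerts.append({"window_start": start, "failures": len(ips), "distinct_ips": len(set(ips))})
    return alerts


if __name__ == "__main__":
    fails = failed_logins(SAMPLE_LOG)
    print("loud sources:", noisy_sources(fails))
    print("distributed bursts:", distributed_bursts(fails))
```

The per-IP check alone flags only the loud source; every bot stays under its limit, which is exactly why the article's "don't spend too long on any individual site" tactic needs the aggregate check.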

Source: http://www.cio-today.com/news/WordPress-Web-Sites-Under-Attack/story.xhtml?story_id=033003176VMR&full_skip=1

Top Bitcoin exchange Mt. Gox blames outage on massive DDoS attack

After an outage yesterday that helped cause Bitcoin prices to plummet, No. 1 Bitcoin market Mt. Gox said it is experiencing a major Distributed Denial of Service (DDoS) attack by people aiming to destabilize the currency or profit from it.

Bitcoin is a virtual currency that isn’t regulated by any government, which people can use to make international monetary transfers that are free, easy, instantaneous, and hard to trace. The single largest exchange to buy and sell Bitcoins is Mt. Gox, which handles more than 70 percent of Bitcoin trades in the world and facilitates more than 420,000 trades per month.

But yesterday, Mt. Gox went offline, helping drive Bitcoin prices down about $30. Additionally, Bitcoin wallet service Instawallet shut down “indefinitely” due to a hacking incident, and that could have also played a role in the price of Bitcoins dropping.

Mt. Gox writes in a lengthy post on Facebook (emphasis ours):

It’s been an epic few days on Bitcoin, with prices going up as high as $142 per BTC. We all hope that this is just the beginning!

However, there are many who will try to take advantage of the system. The past few days were a reminder of this sad truth.

Mt. Gox has been suffering from its worst trading lag ever, 502 errors, and at one point some users were not able to log in to their account. The culprit is a major DDoS attack against Mt.Gox.

Since yesterday, we are continuing to experience a DDoS attack like we have never seen. While we are being protected by companies like Prolexic, the sheer volume of this DDoS left us scrambling to fine-tune the system every few hours to make sure that things don’t go beyond a few 502 error pages and trading lag.

Why has Mt.Gox become the target of a DDoS attack?

It is not yet clear who is behind this DDoS and we may never know, but these actions seem to have two major purposes:

1. Destabilize Bitcoin in general.

It is not a secret Mt.Gox is the largest Bitcoin exchange with more than 80% of all USD trades and more than 70% of all currencies. Mt.Gox is an easy target for anyone that wants to hurt Bitcoin in general.

2. Abuse the system for profit.

Attackers wait until the price of Bitcoins reaches a certain value, sell, destabilize the exchange, wait for everybody to panic-sell their Bitcoins, wait for the price to drop to a certain amount, then stop the attack and start buying as much as they can. Repeat this two or three times like we saw over the past few days and they profit.

Mt. Gox said there isn’t much it can actually do about the DDoS attacks and that all sorts of companies are frequently victims of these sorts of attacks. It did say there was one thing it could do to help protect itself from further attacks.

“There are a few things that we can implement to help fight the attacks, such as disconnecting the trade engine backend from the Internet,” the company said. “By separating the data center from the Mt. Gox website, we will continue to be able to trade.”

Bitcoin prices are sitting at about $135 per Bitcoin as of this writing. That’s not quite the high of $142 from yesterday, but it is not far off, considering the outage and large drop in prices yesterday.


Source: http://venturebeat.com/2013/04/04/mt-gox-outage-ddos-attack/

Internet creaks following DDoS attack on Spamhaus

Spamhaus accuses Cyberbunker of the attack

UK and Switzerland-based nonprofit organisation Spamhaus, which operates a filtering service, has been hit by a distributed denial of service (DDoS) attack, which several security companies claim is the largest DDoS to date.

Spamhaus chief executive Steve Linford said that the company has been under this cyber-attack for more than a week.

“They are targeting every part of the internet infrastructure that they feel can be brought down,” Linford added.

Security firm Kaspersky Lab confirmed the attack and claimed it was the largest DDoS cyber attack. Kaspersky Lab said: “Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date. There may be further disruptions on a larger scale as the attack escalates.”

The cyberattacks on Spamhaus started when it added the Netherlands-based web hosting firm, Cyberbunker, to its global blacklist.

According to a CloudFlare blogpost, the attack was initially approximately 10Gbps generated largely from open DNS recursors on 18th March, while on March 19, the attack increased in size, peaking at approximately 90Gbps.

The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC of March 22.

A DDoS attack is an attempt to make a machine or network resource unavailable to its intended users, most commonly by saturating the target machine with external communications requests.

Earlier this year, Gartner predicted that the number of sophisticated attacks on e-commerce and financial industries will increase in 2013. The research firm expects that high-bandwidth DDoS attacks will become the new norm and be particularly damaging to unprepared enterprises.

Source: http://security.cbronline.com/news/internet-slows-down-following-ddos-attack-on-spamhaus-280313

BIGGEST DDoS attack in history FAILS to slash interweb arteries

The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn’t actually break the internet’s backbone, contrary to many early reports.

The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz hired by the spammer-tracking outfit to keep its systems online, at 90Gbps. After failing to knock the organisation offline, the attackers targeted CloudFlare’s upstream ISPs as well as portions of the networks at internet traffic exchanges in London and Amsterdam.

The volume of this second-wave attack, which began on 22 March, hit 300Gbps, an unnamed tier-1 service provider apparently told CloudFlare.

By far the largest source of attack traffic against Spamhaus came from DNS reflection, which exploits well-meaning, public-facing DNS servers to flood a selected target with network traffic – this is opposed to the usual tactic of using a huge botnet army of compromised computers.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server; the request is crafted to appear as though it originated from the IP addresses of the victim. The server then responds to the request but sends the wad of data to the victim. The attackers’ requests are only a fraction of the size of the responses, meaning the attacker can effectively amplify his or her attack by a factor of 100 from the volume of bandwidth they control.

CloudFlare reckons there were 30,000 DNS servers involved in the attack against Spamhaus, which might have been launched from only a small botnet or cluster of virtual servers. The attack against Spamhaus and CloudFlare proved there is a serious design flaw in the underpinnings of the internet, one that security experts such as Team Cymru and others have been warning about for years – although the use of DNS servers in DDoS attacks is rare, Rob Horton from NCC Group told El Reg.

The open DNS server problem is both a huge and under-reported issue involving 21.7 MILLION DNS resolvers that can be abused to launch equally ferocious attacks in future.

But the good news is that fixing the problem only requires small changes in configuration files that take only minutes. Everybody El Reg has spoken to agrees there’s a problem with open DNS servers with some even suggesting the easily abused resource may replace botnets as a launchpad for DDoS attacks.
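The NTP reflection described in the 400Gbps story and the DNS reflection described here leave the same footprint at the victim's edge: many distinct servers all answering from a service port (53 or 123) to one host that never queried them. This added example (not code from CloudFlare, Spamhaus or any of the articles above) applies that check to constructed NetFlow-style records; the addresses, byte counts and thresholds are made up, and it assumes the collector sees both directions of traffic so that a genuine reply can be matched to the query that caused it.

```python
"""Flag UDP reflection/amplification floods (DNS on 53, NTP on 123) in flow records."""
from collections import defaultdict

# Service ports whose replies are abused as reflection traffic in the articles.
REFLECTION_PORTS = {53: "DNS", 123: "NTP"}


def _flow(src, sport, dst, dport, nbytes, packets):
    """One NetFlow-style record: (src_ip, src_port, dst_ip, dst_port, bytes, packets)."""
    return (src, sport, dst, dport, nbytes, packets)


# Constructed sample flows (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_FLOWS = [
    # Legitimate: 203.0.113.10 asks its resolver and gets a small answer back.
    _flow("203.0.113.10", 51000, "198.51.100.1", 53, 60, 1),
    _flow("198.51.100.1", 53, "203.0.113.10", 51000, 180, 1),
    # Legitimate: 203.0.113.20 syncs its clock with an NTP server (48-byte packets each way).
    _flow("203.0.113.20", 123, "192.0.2.100", 123, 48, 1),
    _flow("192.0.2.100", 123, "203.0.113.20", 123, 48, 1),
    # One stray DNS reply with no matching outbound flow: too small to matter on its own.
    _flow("192.0.2.200", 53, "203.0.113.20", 40000, 120, 1),
]
# DNS reflection: five open resolvers each deliver 1000 large answers to 203.0.113.10,
# which never queried them (the queries carried its spoofed address).
SAMPLE_FLOWS += [_flow(f"192.0.2.{n}", 53, "203.0.113.10", 33000, 3_000_000, 1000)
                 for n in range(1, 6)]
# NTP reflection: three servers answering a short request with 480-byte replies.
SAMPLE_FLOWS += [_flow(f"192.0.2.{n}", 123, "203.0.113.10", 123, 960_000, 2000)
                 for n in range(50, 53)]


def outbound_requests(flows):
    """Set of (client, server, service_port) for queries the client itself sent."""
    return {(src, dst, dport) for src, _sport, dst, dport, _b, _p in flows
            if dport in REFLECTION_PORTS}


def detect_reflection(flows, min_reflectors=3, min_bytes=1_000_000):
    """Return alerts for hosts receiving unsolicited service-port replies from many sources.

    A reply is treated as legitimate only if the same collector saw the matching
    outbound query; with asymmetric routing that query may be missing, so the
    reflector-count and byte thresholds keep a few unmatched replies from alerting.
    """
    asked = outbound_requests(flows)
    inbound = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, nbytes, packets in flows:
        if sport not in REFLECTION_PORTS or (dst, src, sport) in asked:
            continue
        entry = inbound[(dst, sport)]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["packets"] += packets
    alerts = []
    for (victim, port), e in inbound.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts.append({
                "victim": victim,
                "service": REFLECTION_PORTS[port],
                "reflectors": len(e["reflectors"]),
                "bytes": e["bytes"],
                "avg_reply_bytes": e["bytes"] // e["packets"],
            })
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


def amplification_factor(avg_reply_bytes, request_bytes):
    """How many bytes the victim receives per byte the attacker had to send."""
    return round(avg_reply_bytes / request_bytes, 1)


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```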

Joakim Sundberg, security solutions architect at security appliance maker F5, commented:

The Spamhaus attack is a demonstration of the kind of DDoS attack I have been expecting for some time: DNS Reflection. DNS Reflection attacks will play a more prominent role in DDoS attacks in the future. The major driver for this kind of attack is the decreasing number of bots available for rent, with the authorities more effectively cracking down on major botnets. With a lower number of bots now available, hacktivists and other cyber criminals are finding new ways in which to amplify their attacks.

However there’s deep disagreement about to what extent, if any, the DNS reflection attack thrown against Spamhaus and CloudFlare affected the internet more generally.

CloudFlare’s take, The DDoS That Almost Broke the Internet, can be found in a blog post that states the attacks against it and Spamhaus eventually spilled over to knacker internet connections across Europe:

Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Even the websites of large corporations or hosting providers would be swept away by an attack of this intensity, judging by CloudFlare’s rhetoric. However, this 300Gbps of traffic amounts to heavy congestion on a slip road that didn’t hold up the main flow of traffic across the interwebs.

We understand a massive dip in a graph of traffic flowing through the London Internet Exchange (LINX) on 23 March, a graphic included in CloudFlare’s blog post, is due to a data-plotting glitch and NOT due to the effects of the attack.

Spamhaus compiles lists of IP addresses of servers and other computers accused of distributing spam or promoted using junk mail. These blacklists are used by ISPs, businesses and spam-filtering firms to block the worst sources of unsolicited marketing mail before applying more computationally intensive filtering techniques, such as analysing the actual content of messages.

Junk-mail distributors and the like regularly threaten, sue or DDoS Spamhaus. Some businesses also object to Spamhaus’s alleged vigilante approach to tackling spam.

Spamhaus’s blocklists are distributed via DNS and are widely mirrored in order to ensure the overall system is resilient to attacks. The blacklists were never affected and were even updated, with none of its core infrastructure going titsup, according to Spamhaus.

“Only the website and our email server were affected,” Steve Linford, chief executive for Spamhaus, told El Reg. “All Spamhaus DNSBL [DNS Block List] services continued to run unaffected throughout the attack. In fact Spamhaus DNSBLs have never once been down since we started them in 2001.”

Linford praised the support of engineers at CloudFlare and Amazon, which supplied load balancing of DNS services, for ensuring its service remained available during the packet carpet bombing. He claimed the attack caused Netflix to slow down and caused congestion elsewhere on the web.

However internet traffic exchanges in both London and Amsterdam – two of the top three peering hubs in Europe, the arteries of the internet – both played down the impact of the attack beyond CloudFlare and its customers.

Malcolm Hutty, head of public affairs at LINX, the London Internet Exchange, said: “Apart from CloudFlare we saw a minor amount of collateral congestion in a small portion of our network which may, or may not, have affected some members. This would have been accommodated through their normal procedures.”

Ordinary internet users would not have been affected because the DNS flood “only have affected CloudFlare and its customers”, he added.

CloudFlare uses Anycast technology which spreads the load of a distributed attack across all 23 of its data centres. Even so it was left reeling from the weight of the assault, which prompted it to suspend its peering in London.

Overblown reports that the internet slowed down or ground to a halt appear to be well wide of the mark. This is not to dismiss the significance of the attack, or take anything away from CloudFlare for helping Spamhaus to weather the storm. The simple fact is the attack amounted to nothing more severe than minor congestion, an assessment backed up by AMS-IX, the Amsterdam internet exchange, as well as its counterpart in London.

“We have not experienced any disruptions related to our platform,” a spokeswoman for AMS-IX told El Reg. “When we look at the amount of traffic some of our members and customers exchange we see some increases here and there, but they could easily manage it.”

The New York Times claimed that the attacks against Spamhaus appear to be tied to a dispute with CyberBunker, a website hosting provider in the Netherlands. CyberBunker is accused by Spamhaus of being the world’s most toxic haven of phishing and malware.

CyberBunker is quite open in running a bullet-proof anonymous hosting facility out of a Cold War bunker in the Netherlands where anything goes except child-abuse material and terror-related websites. “Customers are allowed to host any content they like, except child porn and anything related to terrorism,” its online policy states.

The hosting provider told El Reg it denies any involvement in spamming. It declined to respond directly to the accusation in the NYT article that CyberBunker was retaliating against Spamhaus for “abusing its influence” and using vigilante tactics in the fight against spam:

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

Source: http://www.theregister.co.uk/2013/03/28/spamhaus_mega_ddos_little_collateral_damage/page2.html