MS Risk Blog

Largest Cyber Attack in History Slows Internet Worldwide

Posted on in Cyber title_rule

Internet around the world has been slowed down in what security experts are calling the biggest Distributed Denial of Service (DDoS) attacks in Internet history. Five national cyber-police-forces are investigating the attacks.


The attacks originally targeted Spamhaus, a European, non-profit anti-spam organisation. Spamhaus blacklists what it considers sources of email spam, and sells those blacklists to Internet Service Providers (ISPs). Last week, Spamhaus blacklisted controversial Dutch web hosting company, Cyberbunker, which claims willingness to host website with the exception of child pornography or terrorism-related material.

Following the blacklisting, the attacks began as waves of large but typical DDoS assaults. Spamhaus has alleged that Cyberbunker is behind the attack. Cyberbunker has not directly taken responsibility for the attacks; however Sven Olaf Kamphuis, spokesman for Cyberbunker, said that Spamhaus was abusing its position, and should not be allowed to decide “what goes and does not go on the internet”.

How the Attacks Happened:

The attackers used Distributed Denial of Service (DDoS), which floods the target with large amounts of traffic, rendering it unreachable. Picture a door with thousands of people standing on outside of it. Everyone is trying to enter, and no one can get out. This is the equivalent of a DDoS attack.

In most common DDoS attacks, hackers use thousands of “zombie” computers to send traffic to a particular site, with the intention of overloading it. These computers have often been infected with malware (most often received through spam email), which gives a hacker control of the machine, unbeknownst to its owner. Hackers can amass large networks of these infected computers, called “botnets”, and use them to conduct attacks.

Once the attacks began, Spamhaus immediately hired a security firm, CloudFlare, which enacted systems to prevent the DDoS from making a large impact. The attackers then changed tactics and targeted network providers of CloudFlare. To do this, they exploited a fault in the Domain Name System (DNS). The DNS converts a web address into a numeric IP address. A DNS resolver finds the connection from the IP address to the server, which then delivers content to a user’s computer. If a network is set up incorrectly, an open resolver can become an easily exploited vulnerability.

In this case, the hackers identified 25 million vulnerable DNS servers worldwide which could be used for attack, and instructed those vulnerable servers to forward an initial attack. Thus the attack, which was initiated at a single location, was amplified millions of times by exploited DNS servers around the world.

Global Impact and Prevention

Because the Internet relies on DNS to work, a large scale, DNS amplified DDoS attack can have consequences beyond the scope of the attack. Part of the internet infrastructure which connects all the servers on the internet was getting overloaded. This would result in delays or unresponsiveness to completely unrelated websites that share the same lines that Spamhaus is using.

Some Internet Service Providers have been working to implement technologies which prevent hackers from spoofing victims’ IP addresses. But the process is slow. Network administrators need to close all open DNS resolvers running on their network.

If a company operates a network, they should visit, and type in the IP addresses of their network. This will show if there is an open resolver on their network. If there is, it is more than likely to be used by criminals to launch attacks such as these.



Tagged as: , , , , , ,