Mother of all Cyber attacks used DNS reflection



If you experienced slow web browsing in the past week, there is a good chance that it was because of the DDoS attack that CyberBunker was carrying out on The SpamHaus Project.


CyberBunker is a Dutch hosting company that, according to its website, hosts “services to a web site ‘except child porn and anything related to terrorism’”. It is well known for hosting spam sites and denial-of-service attacks. The company is located in the Netherlands and is housed in a bunker that can withstand even a nuclear attack, which is also the reason behind the company's name.

The SpamHaus Project, on the other hand, is an international organization based in both London and Geneva. It tracks e-mail spammers and other spam-related activities and blocks billions of spam emails per day globally on the Internet. So, by the kind of work they do, CyberBunker and SpamHaus should be rivals, and indeed they are.


It all started in October 2011, when SpamHaus identified CyberBunker as providing hosting for spammers and contacted its upstream service provider, A2B, asking that service be cancelled. A2B initially blocked only a single IP address that was linked to spamming. SpamHaus then blacklisted all of A2B’s address space, which forced A2B to drop CyberBunker.


In March 2013, SpamHaus added CyberBunker to its blacklist. This re-ignited the old bitterness. SpamHaus experienced a distributed denial-of-service (DDoS) attack launched against its Domain Name System (DNS) servers, with traffic rates as high as 300 Gbps, exploiting a known vulnerability of DNS. Measured by the amount of traffic, this was the largest attack ever; the largest previous public attack had traffic rates of 100 Gbps. The attack lasted for over a week.


According to CloudFlare, the attackers were using a technique called DNS reflection to generate overwhelming amounts of traffic to SpamHaus’s servers. In DNS reflection, the attacker sends many insecure DNS resolvers a small DNS request that generates a large response, spoofing the return address to that of the victim, so the resolvers deliver the large responses to the victim instead of to the attacker. Almost 30,000 DNS resolvers were used for this. Each 36-byte request generated around 3000 bytes of response.
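A defender-side view of the mechanism described above, as an added example that is not from the original article: because the victim never sent the queries, reflected traffic appears as DNS responses with no matching outbound request. The flow records, documentation-range IP addresses, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (src_ip, dst_ip, kind, dns_txid, size_bytes). 192.0.2.10 is the monitored
# server; the other documentation-range addresses stand in for resolvers.
FLOWS = [
    ("192.0.2.10", "198.51.100.1", "query", 0x1A2B, 36),      # genuine lookup
    ("198.51.100.1", "192.0.2.10", "response", 0x1A2B, 120),  # its answer
    ("198.51.100.7", "192.0.2.10", "response", 0x4001, 3000),
    ("203.0.113.5", "192.0.2.10", "response", 0x4002, 3000),
    ("203.0.113.9", "192.0.2.10", "response", 0x4003, 2950),
]

def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte of spoofed request."""
    return response_bytes / request_bytes

def find_unsolicited(flows, local_ip):
    """Per-resolver totals for DNS responses that local_ip never asked for."""
    pending = set()  # (resolver_ip, txid) of queries local_ip really sent
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for src, dst, kind, txid, size in flows:
        if kind == "query" and src == local_ip:
            pending.add((dst, txid))
        elif kind == "response" and dst == local_ip:
            if (src, txid) in pending:
                pending.discard((src, txid))  # answer to our own query
            else:
                stats[src]["count"] += 1
                stats[src]["bytes"] += size
    return dict(stats)

def reflection_suspected(stats, min_resolvers=3, min_avg_bytes=1024):
    """Heuristic (thresholds are assumptions): many resolvers, large answers."""
    total = sum(s["count"] for s in stats.values())
    if total == 0:
        return False
    avg = sum(s["bytes"] for s in stats.values()) / total
    return len(stats) >= min_resolvers and avg >= min_avg_bytes

if __name__ == "__main__":
    print(f"factor for the article's figures: {amplification_factor(36, 3000):.1f}x")
    unsolicited = find_unsolicited(FLOWS, "192.0.2.10")
    for resolver, s in sorted(unsolicited.items()):
        print(resolver, s)
    print("reflection suspected:", reflection_suspected(unsolicited))
```

With the article's figures, the factor works out to roughly 83 bytes received by the victim for every byte of request.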


SpamHaus and CyberBunker did not immediately respond to a request for comment.
