Q&A: Behind ‘biggest’ cyber-attack in history

Vulnerable servers around the world used to launch massive denial-of-service attack against anti-spam group Spamhaus.

Spam emails are estimated to cost society about $20bn a year [AFP/Getty Images]

Got mail? Chances are good it’s spam: an estimated 90 percent of all email traffic is junk, according to nonprofit anti-spam group Spamhaus.

A study published last year, co-written by researchers at Microsoft and Google, found the spam industry makes about $200m in revenue a year. But the amount spam costs society was estimated to be almost 100 times higher: $20bn.

Given the negative effects, organisations like Spamhaus try to identify spammers and block the mail from being sent.

But the group has raised the ire of attackers, who in recent weeks launched what may have been the biggest cyber-attack ever. Spamhaus blames Dutch hosting company Cyberbunker for the assault. Cyberbunker denies the charge, but its spokesman has accused Spamhaus of using “mafia tactics” against internet users it doesn’t like.

Al Jazeera’s Sam Bollier spoke with Dreas van Donselaar, the chief technology officer of SpamExperts, a Netherlands-based email security firm, about the attack.

Al Jazeera: How do denial-of-service attacks work?

Dreas van Donselaar: What happens is that you try and flood a system with data, and at some point the system gets so much data that it just doesn’t know anymore what to do, and crashes.

You can compare it to a door … people want to go in and out, and you just send a mass of people to the door. Everybody tries to get in, then there’s nobody that can get out anymore.

Basically, the denial of service attack is flooding a system with packets so it doesn’t know anymore what should go in and out.

AJ: How was such a massive attack possible?


DD: If you want to flood a system with packets … you normally have one system and you start flooding another system. It’s very easy to block that one system.

What they did in this specific case is they didn’t originate the attack from one single source. They managed to use millions of different servers around the globe to initiate the attack. Although probably the attack itself was started from a single location, they set it up in such a way that millions of servers around the world started to amplify that attack from their own location.

[The attack targeted] systems that are basically set up incorrectly. So they track down all these servers that are set up incorrectly worldwide and instructed all those servers … to start forwarding this attack back to Spamhaus. … That’s how it became so massive.

AJ: How can these types of attacks be prevented in the future?

DD: It’s very hard. The internet is a complex network with different types of servers and services all around the globe. The biggest problem is that a lot of these computers are just not well-protected. Many computers get infected by a virus, for example, and as soon as your computer is infected by a virus, your computer can be used in these types of attacks.

In this attack specifically, they identified 25 million DNS servers worldwide that can be abused for an attack, to basically enhance the attack that has been initiated. That’s a very, very large number.

What they’re trying to do now is to have all the different internet providers warn the people operating vulnerable servers in their network so they can get repaired or shut down.

But it’s an endless fight, because there’s always new issues found in new systems. And it’s very hard for the internet as a whole to stay secure in that sense, because there’s just so many different devices connected to it.
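The two points made in this answer and the previous ones, that the attack was built from misconfigured DNS servers amplifying traffic toward a single target and that the fix is to find and repair those servers, can be illustrated from the defender's side. The Python script below is an added example and is not part of the Al Jazeera interview nor code from SpamExperts or Spamhaus; the flow records, their field names, the BIND configuration snippets and the detection thresholds are all constructed assumptions for illustration.

```python
"""Defender-side checks for DNS amplification: spot reflected traffic in flow
records and flag a resolver configuration that would let it be abused.

Added example, not from the interview. Flow records, field names and the
BIND snippets are constructed for illustration; thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsFlow:
    """One DNS answer seen on the wire (constructed record layout)."""
    src: str             # resolver that sent the answer (a potential reflector)
    dst: str             # address the answer was delivered to
    qtype: str
    request_bytes: int   # size of the query that provoked the answer
    response_bytes: int  # size of the answer


# Constructed sample: five unrelated resolvers all answer "ANY" queries toward
# one address, alongside ordinary lookups served to real clients.
SAMPLE_FLOWS = [
    DnsFlow("198.51.100.11", "203.0.113.7", "ANY", 64, 3264),
    DnsFlow("198.51.100.12", "203.0.113.7", "ANY", 64, 3301),
    DnsFlow("198.51.100.13", "203.0.113.7", "ANY", 64, 3198),
    DnsFlow("198.51.100.14", "203.0.113.7", "ANY", 64, 3264),
    DnsFlow("198.51.100.15", "203.0.113.7", "ANY", 64, 3310),
    DnsFlow("192.0.2.53", "192.0.2.10", "A", 58, 118),
    DnsFlow("192.0.2.53", "192.0.2.11", "AAAA", 60, 132),
    DnsFlow("192.0.2.53", "192.0.2.12", "MX", 57, 205),
    # a single large answer to one client is not reflection on its own
    DnsFlow("192.0.2.53", "192.0.2.20", "TXT", 60, 1900),
]


def amplification_factor(flow: DnsFlow) -> float:
    """Bytes delivered to the destination per byte of query."""
    return flow.response_bytes / flow.request_bytes


def find_reflection_targets(flows, min_factor=10.0, min_reflectors=3):
    """Group amplified answers by destination; a destination that receives
    them from many distinct resolvers is the likely victim of reflection.
    Returns {destination: {"reflectors": n, "bytes": total, "avg_factor": f}}."""
    amplified = defaultdict(list)
    for flow in flows:
        if amplification_factor(flow) >= min_factor:
            amplified[flow.dst].append(flow)

    victims = {}
    for dst, group in amplified.items():
        reflectors = {f.src for f in group}
        if len(reflectors) >= min_reflectors:
            victims[dst] = {
                "reflectors": len(reflectors),
                "bytes": sum(f.response_bytes for f in group),
                "avg_factor": round(sum(amplification_factor(f) for f in group) / len(group), 1),
            }
    return victims


def allows_open_recursion(named_conf: str) -> bool:
    """Rough check of a BIND options block: does it answer recursive queries
    for anyone?  BIND defaults to recursion enabled, so the absence of
    "recursion no;" counts as on; an allow-recursion list limits it unless
    that list contains "any"."""
    recursion_off = re.search(r"(?<![-\w])recursion\s+no\s*;", named_conf) is not None
    if recursion_off:
        return False
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", named_conf)
    if acl is None:
        return True
    entries = {e.strip() for e in acl.group(1).split(";") if e.strip()}
    return "any" in entries


# Constructed BIND snippets: the first is the "set up incorrectly" case.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
"""

CLOSED_CONF = """
options {
    recursion yes;
    allow-recursion { localnets; localhost; };
};
"""

if __name__ == "__main__":
    for dst, info in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['reflectors']} reflectors, {info['bytes']} bytes, "
              f"x{info['avg_factor']} amplification")
    print("open resolver:", allows_open_recursion(OPEN_CONF))
    print("open resolver:", allows_open_recursion(CLOSED_CONF))
```

The detection keys on the combination the interview describes: a high answer-to-query byte ratio and many distinct resolvers converging on one destination. A single large reply to one client (the TXT record in the sample) clears the ratio threshold but not the reflector count, so it is left alone. The configuration check is deliberately coarse; it only inspects the options block of a BIND-style file and is meant for an operator auditing their own resolver, not as a substitute for a proper review of `allow-recursion` and `allow-query-cache` settings.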

AJ: Has this attack had any effects on ordinary users of the internet?

DD: We’ve never seen an attack that is of such scale … Spamhaus is using a distributed setup, which means they have servers in all kinds of countries and locations.

Because the attack is so massive, part of the internet infrastructure that is connecting all the different servers on the internet was getting overloaded. That would’ve caused delays or unresponsiveness to completely unrelated websites that are sharing the same lines that Spamhaus is also using.

AJ: Some people have accused Spamhaus of arbitrarily blocking websites that are not spammers. Is there any truth to those accusations?

DD: I’m absolutely convinced that the vast majority of Spamhaus blocks are correct. They can make a mistake, because for example internet addresses may be shared between organisations. If you have an IP address that is causing abuse or sending out spam, and it also provides services for a legitimate company … the legitimate company on that same IP address is also affected.

What Spamhaus says, and I think that’s correct, is that the legitimate company has to work it out with their provider to make sure that there’s no more spam sent out, so they are not affected by confirmed abusive clients in the network. This situation is very rare, though, and Spamhaus is always very responsive in resolving any such complex situations.

Source: Al Jazeera