Just over two years ago, we wrote about a massive DDoS attack against Spamhaus.
To explain, Spamhaus is a project that “tracks the internet’s spam senders” for the purpose of publishing blocklists of known spammers, and assisting law enforcement “to identify and pursue spammers worldwide.”
And a DDoS is a Distributed Denial of Service attack, where you abuse lots of computers at the same time to flood someone’s server with purposeless traffic so it can’t keep up.
It’s a bit like getting all your friends to call up a takeaway joint at the same time, sit in the voicemail queue until they get answered, then to dilly-dally over what they want to order…
…before hanging up without buying anything.
The enquiries seem legitimate at first, but generate no business while at the same time keeping genuine callers at the back of a long queue.
Stophaus vs. Spamhaus
Apparently, the attacks against Spamhaus were stirred up in a controversy called Stophaus, in which a countercultural posse of internet users discussed taking out Spamhaus.
The Stophaus schemers, it seems, wanted to teach Spamhaus some kind of lesson for daring to take a stance against spam.
And so they attacked.
The trick they used is called DNS amplification, and it works like this.
DNS is the system that converts (amongst other things) internet names such as www.example.com into internet numbers such as 18.104.22.168.
DNS servers fall into three loose categories:
- Ones that run on your router at home to service your home network, which simply relay your queries unaltered onwards to your ISP, or some other public server like Google’s well-known 22.214.171.124.
- Ones that organisations run as their own official DNS servers to give so-called authoritative answers to queries for the domains they own.
- Ones that will accept your queries, reply immediately if they have the answer cached already, or else recursively (a fancy word for “in their turn”) ask the authoritative servers on your behalf, cache the result for everyone else, and reply to you.
Most recursive servers aren’t public, unlike Google’s 126.96.36.199, because they end up doing a lot of work and carrying a lot of traffic.
So recursive servers are usually restricted to customers of a specific ISP, or to computers inside your company, or some other handily circumscribed set of users.
Or, if they’re open to the public, they are carefully managed to prevent abuse.
One sort of abuse is to make multiple small requests to a recursive server such that each request provokes a much bigger request-and-reply from the authoritative server belonging to your victim.
Small requests turning into large ones is where the name amplification comes in.
In theory, amplification attacks should be hard to do, because the majority of DNS servers aren’t supposed to be recursive – in other words, they shouldn’t pass on requests willy-nilly to other people’s servers at all.
The problem was, at least when the Stophaus attack was carried out, that lots and lots of home routers – perhaps 20 million or more – were misconfigured to act as full-blown recursive servers for the whole world, as well as plain-old relay servers for the owner’s home network.
So the Spamhaus attackers had millions of misconfigured DNS servers at their disposal that they could use to turn millions of modest and innocent-looking outbound DNS requests from their attack zombies into much larger amounts of DNS request-and-reply traffic, all of it aimed at Spamhaus.
Effects of the attack
According to reports, Spamhaus’s DNS servers were subjected to traffic peaks of 300Gbit/sec, the sort of attack that quickly gets not only disruptive but expensive.
Within a month or so, a 16-year-old was arrested for allegedly taking part in the Stophaus attack scene.
He couldn’t be named, being under 18, but he did put his hand up and plead guilty the following year to a bunch of offences.
At the time, those offences were reported as including money laundering and child abuse, with sentencing deferred until 2015.
Sentenced and named
The guilty party, having now turned 18, has recently been sentenced in Southwark crown court, and named as Seth Nolan Mcdonagh.
It sounds as though he wasn’t just a piracy-loving activist-leaning youngster who fell in with older hacker/cracker types and went along for the ride.
The BBC’s report suggests that Mcdonagh, who went by “narko” online, would take money to attack named websites, making him a sort of DDos gun-for-hire.
In fact, “narko” apparently had £72,000 (then about $105,000) in the bank at the time of the attacks – not a bad nest-egg for a 16-year-old – plus 1000 stolen credit card numbers on his computer.
Nevertheless, the court has given him a chance to reform without going to prison: he’s been sentenced to 240 hours of community service.
Let’s hope Mcdonagh, now legally an adult, takes this as an opportunity, not a lucky escape.