Real Mafia War Online; Could Crash the Global Internet

Last week econoTwist’s reported on what most likely was tha largest cyber attack on US banks, ever. Now, it turns out, that it was only the beginning of something much larger – and even more scarier – the largest computer attack in the history of the Internet. The biggest DDoS attack ever recorded is said to be  jamming crucial infrastructure all over the world and causing widespread congestion. But this has nothing to do with the Anonymous or other online activists – this is in fact the first full-blown real mafia war online we’ve ever seen. I’m afraid it won’t be the last.

“These guys are just mad.”

Patrick Gilmore


According to BBC, five national cyber-police-forces are investigating the attacks. The attackers have used a well-known  tactic called “Distributed Denial of Service (DDoS),” which floods the intended target with large amounts of traffic in an attempt to render it unreachable. But they have also found a way to amplify the effect, creating a data-tsunami of 300 gigabyte per second – three times larger than any DDoS attack we’ve seen before.

The intended main target appears to be Spamhaus, a European organization that maintains a blacklist of ISPs that supposedly host “spam gangs” and who refuse to stop serving them as customers.

Spammers are – plain and simple – the marketeers of organized crime, making it possible for counterfeit products, medicine and illegal (child) pornography to reach potential customers worldwide. They are the “street pushers” of internet dope.

And the competition seems to have reached  a whole new level.

wp7As you can imagine, Spamhaus has no shortage of enemies, given its line of business. But most rumors point to the Dutch spammer CyberBunker who that prides in hosting anything –  except terrorist material and child pornography. Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company also claims that at one point it fended off a Dutch SWAT team“Dutch authorities and the police have made several attempts to enter the bunker by force,” the site says. “None of these attempts were successful.”

However, up until now these cyber cowboys have fought their internal battles mostly by blocking each others traffic. But this time the Dutch were really, really angry.

Sven Olaf Kamphuis, an Internet activist who claims he is a spokesman for the attackers, says in an online message to The New York Times that  Cyberbunker was retaliating against Spamhaus for “abusing their influence.” 

according to the NYT, they got help from Eastern European and Russian gangs.

“Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet. They worked themselves into that position by pretending to fight spam,” Mr. Kamphuis says.

Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18. A spokesman for Spamhaus says the attacks began on March 19, but have so far not stopped the group from distributing its blacklist.

Patrick Gilmore, chief architect at Akamai Technologies, confirms Spamhaus’s role as generator of Internet spammer lists.

Commenting on Cyberbunker, he says: “These guys are just mad. To be frank, they got caught. They think they should be allowed to spam.”

Mr. Gilmore also explains that the attacks consists of concentrate data streams that are larger than the Internet connections of entire countries.

He compares the technique to using a machine gun to spray an entire crowd when the intent is to kill one single person.

If you want to read what the involved parties have to say for themselves – here are some links:

Amplified Attack

What makes this case specially interesting (and disturbing) is that the cyber criminals seems to have found a way to amplify the attacks.

Professor Alan Woodward of the University of Surrey, one of the UK’s premier computer security experts, says that the attack “seems to be orders of magnitude larger than anything seen before,” and highlights the technique that’s been used.

“The thing that got people talking is that it’s a DNS amplification attack. The point is, if you’re targeting something and  the target has a 10 Gbps switch, you only have to throw 11 Gbps at it and you’ve pole-axed the system. If it is at 300 Gbps, then potentially some of the main infrastructure is being affected, though I’m not sure how much it’s really affecting it.”

The company that Spamhouse called for help, (Cloudflare), provides an even more detailed explanation:

“The largest source of attack traffic against Spamhaus came from DNS reflection… This method has become the source of the largest Layer 3 DDoS attacks we see (sometimes well exceeding 100Gbps). Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them…”

“The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.”

Exactly, How Dangerous?

Steve Linford, chief executive for Spamhaus, says that this kind of attack power would be strong enough to take down government internet infrastructure.

“If you aimed this at Downing Street they would be down instantly, They would be completely off the internet.”

“They are targeting every part of the internet infrastructure that they feel can be brought down,” Mr Linford says.

“There’s certainly possibility for some collateral damage to other services along the way, depending on what that infrastructure looks like,” says Dan Holden,  director of security research at Arbor Networks.

“If it was done really seriously in a wider attack, then it could affect many users. Trying to take down the whole internet is impractical, but you could start to decapitate sections of it,” Professor Alan Woodward says, according to

medium_complicated_censoredSo, just to summarize:

  • We now have local police trawling Facebook in search of gang activity.
  • The FBI is busy chasing trolls who mocks them by hacking their computers.
  • Governments are making laws to forbid people from speaking their mind on their personal blogs.
  • Meanwhile, the really dangerous cyber criminals are experimenting with new cyber weapons with unimaginable destruction power. 


Filed under Laws and Regulations, Technology