Attacks on Spamhaus Used Internet Against Itself

An escalating cyberattack involving an antispam group and a shadowy group of attackers has now affected millions of people across the Internet, raising the question: How can such attacks be stopped?

Gerry Shih/Reuters

Matthew Prince, chief executive of CloudFlare. The attacks first centered on his company’s client Spamhaus and spiraled outward.

More Tech Coverage

News from the technology industry, including start-ups, the Internet, enterprise and gadgets.On Twitter: @nytimesbits.

The short answer is: Not easily. The digital “fire hose” being wielded by the attackers to jam traffic on the Internet in recent weeks was made possible by both the best and worst aspects of the sprawling global computer network. The Internet is, by default, an open, loosely regulated platform for communication, but many of the servers that make its communication possible have been configured in such a way that they can be easily fooled.

The latest attacks, which appeared to have subsided by Wednesday, have demonstrated just how big a problem that can be.

On Tuesday, security engineers said that an anonymous group unhappy with Spamhaus, a volunteer organization that distributes a blacklist of spammers to e-mail providers, had retaliated with a cyberattack of vast proportions.

In what is called a distributed denial of service, or DDoS, attack, the assailants harnessed a powerful botnet — a network of thousands of infected computers being controlled remotely — to send attack traffic first to Spamhaus’s Web site and later to the Internet servers used by CloudFlare, a Silicon Valley company that Spamhaus hired to deflect its onslaught.

This kind of attack works because the botnet exploits Internet routing software and fools Internet servers into responding to requests for information sent simultaneously by a large group of computers. The Internet servers that answer the requests are tricked into sending blocks of data to the victims, in this case Spamhaus and CloudFlare.

The attack was amplified because each of the servers in this case was asked to send a relatively large block of information. The data stream grew from 10 billion bits per second last week to as much as 300 billion bits per second this week, the largest such attack ever reported, causing what CloudFlare estimated to be hundreds of millions of people to experience delays and error messages across the Web.

On Wednesday, CloudFlare described the highly technical game of cat-and-mouse between itself and Spamhaus’s opponents that has played out over the course of the last nine days. After the attackers discovered that they could not disable CloudFlare, which had been hired by Spamhaus to absorb its attack traffic, they changed their strategy.

They took aim at the networks that CloudFlare connected to and began to attack the computer servers that serve as the network’s foundation. These are specialized “peering” points at which Internet networks exchange traffic. The attackers took aim at organizations like the London, Amsterdam, Frankfurt and Hong Kong Internet exchanges, which route regional Internet traffic and are also used by sites like Google, Facebook and Yahoo to pass traffic efficiently among one another.

Here, too, they were unable to stall the Internet completely, but they did slow it, particularly by focusing on the London exchange, known as LINX.

“From our perspective, the attacks had the largest effect on LINX,” said Matthew Prince, CloudFlare’s chief executive, in a description posted on the company’s Web site on Wednesday. For a little over an hour on Saturday, he said, the traffic passing through the LINX infrastructure dropped significantly.

The attacks were episodic, stopping and starting and shifting targets over nine days through Tuesday morning. On Wednesday, Mr. Prince said that there some indications that the attackers were planning further actions, although he said he did not know if they would include DDoS attacks.

Veteran Internet engineers said the attack was made possible by a combination of defects, loopholes and sloppy configuration of Internet routing equipment. Indeed, a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets. Unfortunately, a relatively small number of Internet companies actually perform this kind of check.