A squabble between a spam-fighting group and a website hosting company has led to the biggest internet attack in history, caused widespread congestion and threatens critical infrastructure.


The largest known distributed-denial-of-service (DDoS) attack in the history of the internet is currently being waged against a company attempting to stop the spread of spam emails, and is causing widespread congestion to critical infrastructure around the world.

The squabble between Spamhaus, a spam-fighting group based in London and Geneva, and hosting service CyberBunker is causing a global slowdown of internet speeds and leading to frustration for those unable to access websites as quickly as normal or stream TV shows online.


Up to five separate international police forces are investigating the incident.

It is the sheer scale of the attack which will be most worrying for those charged with protecting the underlying structure of the internet.

The attack is larger than anything ever seen before, with the attackers flooding Spamhaus servers with up to 300 billion bits per second (300Gbps) of data. Darren Anstee from Arbor Networks told IBTimes UK that attacks of 100Gbps are the largest recorded before now, and if this attack is 300Gbps, it is "substantially larger" than anything ever seen before.


Speaking to the BBC, Steve Linford, chief executive for Spamhaus, said the scale of the attack was unprecedented: "We've been under this cyber-attack for well over a week. The attack not only knocked Spamhaus' website and mail systems offline, such was the volume of traffic that it affected a much wider pool of internet users."

He added that if a similar attack was aimed at critical government infrastructure, then it would be instantly knocked offline:

"If you aimed this at Downing Street they would be down instantly. They would be completely off the internet. These attacks are peaking at 300Gbps. Normally when there are attacks against major banks, we're talking about 50Gbps."

Spamhaus is a network which works to create a real-time blacklist of servers they believe are used to send out spam email. Such is its importance to how the internet works that in 2011 when a lawsuit threatened to shut it down, industry experts testified that doing so risked breaking the email infrastructure as we know it.

The Spamhaus blacklist is used by email system administrators to weed out unwanted messages getting through to users.


So pervasive is the system, it is estimated that Spamhaus is directly or indirectly responsible for filtering out as much as 80 percent of daily spam messages.

One of the companies the service blacklisted was CyberBunker, a website hosting service based in a five-storey former NATO bunker in Holland. CyberBunker, on its website, claims to host "services to any Web site 'except child porn and anything related to terrorism'."

However, the service has also acquired notoriety for hosting spam sites and denial-of-service attacks.

In an apparent reprisal for being placed on the blacklist, last week CyberBunker launched a cyber-attack on Spamhaus' system. The attack knocked the website and email system offline, and Spamhaus got in touch with CloudFlare, a company which specialises in mitigating these types of attacks.

The mitigation techniques used by CloudFlare - explained here in detail by CEO Matthew Prince - were successful and the site returned to normal. However, at that time the attacks were in the 75Gbps range; they have since escalated in size.


According to the New York Times, when questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said: "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said CyberBunker was retaliating against Spamhaus for "abusing their influence."

"Nobody ever deputised Spamhaus to determine what goes and does not go on the Internet. They worked themselves into that position by pretending to fight spam."

These so-called distributed-denial-of-service (DDoS) attacks are used to knock websites offline by attacking the servers which host them. Those carrying out the attacks use networks of infected computers called botnets to drive huge amounts of traffic to the target server.

Graham Cluley, senior technology consultant at the computer security firm Sophos, once eloquently described such an attack as "15 fat men trying to fit through a revolving door all at once - nothing moves."

However, the size of this attack indicated that it used a technique becoming increasingly popular called DNS amplification.

DNS Amplification

Domain Name Service (DNS) is commonly referred to as the internet's phone book. It is the system which converts web addresses you type into a browser (www.ibtimes.co.uk) into IP addresses which are used by the internet's infrastructure (which look like this

The basic structure of the internet is underpinned by just 13 DNS servers which are located all around the globe, running on different software and protected by different organisations.

Should one or more of these servers be successfully targeted by a DDoS attack and knocked offline, it would have severe repercussions for the internet as a whole.

DNS amplification is a method which allows attackers to leverage the critical internet infrastructure to magnify the size of the attacks they can generate.

The attackers' computers query a DNS server using the spoofed IP address of their intended target. The DNS server then responds with a much larger volume of traffic, which it directs towards the intended target, in this case Spamhaus.

"What they are doing is that certain people haven't followed certain best practices," Anstee says. Some internet service providers allow open DNS servers to run on the networks they operate and these can be used by attackers to carry out DNS amplification.

Anstee says Internet Service Providers should be filtering incoming traffic from their customers "because really your customers should only be sending traffic from the addresses you have given them. You shouldn't be accepting traffic with somebody else's spoofed IP address."
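The two practices Anstee describes, sketched as an added example that is not part of the original article: an ISP edge check that accepts a packet only if its source address belongs to the customer it arrived from, and a resolver rule that answers only the operator's own clients. The port names, prefixes and packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation prefixes, not real networks).
# Each customer-facing port is mapped to the addresses the ISP assigned to it.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("192.0.2.0/25")],
    "port-2": [ipaddress.ip_network("192.0.2.128/25")],
}
# Networks whose clients the ISP's resolver is meant to serve.
RESOLVER_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]

# (ingress port, source IP claimed in the packet, destination IP, UDP port)
PACKETS = [
    ("port-1", "192.0.2.10", "198.51.100.53", 53),   # customer's own address
    ("port-1", "203.0.113.7", "198.51.100.53", 53),  # claims a third party's address
    ("port-2", "192.0.2.200", "198.51.100.53", 53),  # customer's own address
    ("port-2", "203.0.113.7", "198.51.100.53", 53),  # claims a third party's address
    ("port-2", "192.0.2.10", "198.51.100.53", 53),   # claims port-1's address
]

def source_is_valid(port, src):
    """True if src lies inside a prefix assigned to the ingress port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))

def filter_ingress(packets):
    """Split packets into forwarded and dropped; count drops per port."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped, Counter(p[0] for p in dropped)

def resolver_should_answer(src):
    """A resolver that is not open answers only its operator's clients."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RESOLVER_CLIENTS)

if __name__ == "__main__":
    fwd, drop, per_port = filter_ingress(PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} per_port={dict(per_port)}")
    print("resolver answers 203.0.113.7:", resolver_should_answer("203.0.113.7"))
```

The per-port drop counter is what an operator would alert on: a customer port that keeps sending packets with sources outside its assigned prefix is either misconfigured or hosting a compromised machine.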