Hundreds of thousands of Britons are unsuspecting participants in one of the internet's biggest cyber-attacks ever – because their broadband router has been subverted.
Spamhaus, which operates a filtering service used to weed out spam emails, has been under attack since 18 March after adding a Dutch hosting organisation called Cyberbunker to its list of unwelcome internet sites. The service has “made plenty of enemies”, said one expert, and the cyber-attack appeared to be retaliation.
A collateral effect of the attack is that internet users accustomed to high-speed connections may have seen those slow down, said James Blessing, a member of the UK Internet Service Providers’ Association (ISPA) council.
“It varies depending on where you are and what site you’re trying to get to,” he said. “Those who are used to it being really quick will notice.” Some people accessing the online streaming site Netflix reported a slowdown.
Spamhaus offers a checking service for companies and organisations, listing internet addresses it thinks generate spam, or which host content linked to spam, such as sites selling pills touted in junk email. Use of the service is optional, but thousands of organisations use it millions of times a day in deciding whether to accept incoming email from the internet.
Cyberbunker says it offers hosting for any sort of content as long as it is not child pornography or linked to terrorism. But in mid-March Spamhaus added its internet addresses to its blacklist.
In retaliation, the hosting company and a number of eastern European gangs apparently enlisted hackers who have in turn put together huge “botnets” of computers, and also exploited home and business broadband routers, to try to knock out the Spamhaus system.
“Spamhaus has made plenty of enemies over the years. Spammers aren’t always the most lovable of individuals, and Spamhaus has been threatened, sued and [attacked] regularly,” noted Matthew Prince of Cloudflare, a hosting company that helped the London business survive the attack by diverting the traffic.
Rather than aiming floods of traffic directly at Spamhaus’s servers – a familiar tactic that is easily averted – the hackers exploited the internet’s domain name system (DNS) servers, which accept a human-readable address for a website (such as guardian.co.uk) and spit back a machine-readable one (126.96.36.199). The hackers “spoofed” requests for lookups to the DNS servers so they seemed to come from Spamhaus; the servers responded with huge floods of responses, all aimed back at Spamhaus.
Some of those requests will have been coming from UK users without their knowledge, said Blessing. “If somebody has a badly configured broadband modem or router, anybody in the outside world can use it to redirect traffic and attack the target – in this case, Spamhaus.”
Many routers in the UK provided by ISPs have settings enabled which let them be controlled remotely for servicing. That, together with so-called “open DNS” systems online, which are known to be insecure, helped the hackers to create a flood of traffic.
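The reflection pattern described above, seen from the resolver operator's side, as an added example that is not part of the original article or of any Spamhaus or Cloudflare tooling: a short Python script over constructed resolver log lines that flags addresses receiving many answers far larger than the queries attributed to them, which is what a spoofed target looks like in an open resolver's logs. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the article): apparent client address,
# query name/type, and query/response sizes in bytes. 203.0.113.7 stands in for
# a spoofed source: it never asked for anything but keeps receiving big answers.
SAMPLE_LOG = """\
2013-03-20T10:00:01 client=203.0.113.7 qname=example.org type=ANY qlen=36 rlen=3200
2013-03-20T10:00:01 client=198.51.100.2 qname=www.example.net type=A qlen=28 rlen=44
2013-03-20T10:00:02 client=203.0.113.7 qname=example.org type=ANY qlen=36 rlen=3200
2013-03-20T10:00:02 client=192.0.2.9 qname=example.com type=MX qlen=30 rlen=120
2013-03-20T10:00:03 client=203.0.113.7 qname=example.org type=ANY qlen=36 rlen=3200
2013-03-20T10:00:03 client=203.0.113.7 qname=example.org type=ANY qlen=36 rlen=3200
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) type=(\S+) qlen=(\d+) rlen=(\d+)")


def parse_log(text):
    """Parse log lines into (client, qname, qtype, qlen, rlen); skip junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, qname, qtype, qlen, rlen = m.groups()
            records.append((client, qname, qtype, int(qlen), int(rlen)))
    return records


def reflection_suspects(records, min_queries=3, min_amp=10.0):
    """Return (client, answer_count, amplification) for addresses that received
    many answers far larger than the queries attributed to them. Because the
    source is spoofed, such an address is the flood's target, not its origin."""
    stats = defaultdict(lambda: [0, 0, 0])  # answers, query bytes, response bytes
    for client, _qname, _qtype, qlen, rlen in records:
        s = stats[client]
        s[0] += 1
        s[1] += qlen
        s[2] += rlen
    suspects = []
    for client, (n, qb, rb) in stats.items():
        amp = rb / qb  # bytes sent back per byte apparently received
        if n >= min_queries and amp >= min_amp:
            suspects.append((client, n, round(amp, 1)))
    # Mitigation on the resolver side is to refuse recursion for outside clients
    # or rate-limit responses; at the network edge, BCP38 ingress filtering
    # stops packets with spoofed source addresses leaving the originating network.
    return sorted(suspects, key=lambda s: s[1], reverse=True)
```

Running `reflection_suspects(parse_log(SAMPLE_LOG))` on the constructed log reports only 203.0.113.7, with roughly 89 bytes returned for every byte it supposedly sent.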
“British modems are certainly being used for this,” said Blessing, who said that the London Internet Exchange — which routes traffic in and out of the UK — had been helping to block nuisance traffic aimed at Spamhaus.
The use of the DNS attacks has experts worried. “The No 1 rule of the internet is that it has to work,” Dan Kaminsky, a security researcher who pointed out the inherent vulnerabilities of the DNS years ago, told AP.
“You can’t stop a DNS flood by shutting down those [DNS] servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.”