
DDOS of anti spam sites


jack smith

Nov 26, 2003, 8:07:33 PM
THE OPERATORS of the Monkeys.com and Blackhole.compu.net "block lists"
- used by Internet service providers and businesses to filter out
incoming spam before it reaches end users - both announced this week
that they are abandoning the services in the face of distributed
denial of service attacks (DDOS) that have targeted anti-spam sites
offering the lists this summer.
"It just wasn't feasible to run this (list) and make ourselves
a large target anymore," said Bill Larson, network administrator for
the Tennessee-based Internet Service Provider Compu-net Enterprises.
In withdrawing from the field of battle, they join
Osirusoft.com, which announced earlier this month that it would no
longer host the Spam Prevention Early Warning System, also known as
SPEWS.
Other block list providers, including SpamCop.net, Spamhaus.org
and the Spam & Open Relay Blocking System (SORBS) also have reported
being subjected to increasingly intense DDOS attacks from thousands of
compromised computers known as "zombies."

MYSTERIOUS FORCES BEHIND ATTACKS
The "zombie army" is being marshaled by mysterious opponents of
anti-spam forces who use virus-infected e-mail and hacking techniques
to take control of machines from unknowing users, most of whom haven't
taken the precaution of installing firewalls or anti-virus software to
protect them from intruders.

Ron Guilmette, who operated the Monkeys.com block list for
more than a year and a half before shutting it down Monday night, said
in a news group posting announcing the list's demise that he had
"underestimated both the enemy's level of sophistication, and also the
enemy's level of brute malevolence."
Guilmette, of Roseville, Calif., told MSNBC.com on Wednesday
that his mail, web and DNS servers were bombarded by data packets
directed at Monkeys.com from "more than 10,000 machines" in DDOS
attacks that lasted for 10 days beginning on Aug. 19 and then resumed
again late last week.
He said that while his "small fry" operation was more
susceptible than some of the bigger lists like SPEWS and Spamhaus,
none of the anti-spam services are impervious.
"All of these services are now under criminal attack, which is
premeditated and financially driven," he said. "It's all-out warfare
and the bad guys have broken out the nuclear weapons."
In the case of Compu-Net, Larson said he made the decision to
cease operating the list not because of a DDOS attack, but because of
an escalating case in which someone was forging company e-mail
addresses on spam, causing many thousands of messages to "bounce" back
and threatening to overwhelm the company's e-mail servers.

THREATS TO SERVERS, SELVES
In addition to the bounced e-mail, Larson and other members of
Compu-Net staff were forced to handle a flood of abuse complaints from
people who wrongly believed the company was spamming them and deal
with "threats against ourselves, our servers and our Internet
connection," he wrote in a posting to the news.admin.net-abuse.email
(NANAE) news group.
And he feared that the DDOS attacks that have targeted other
block list operators would be next.
"As an ISP, if we got hit by a denial of service attack that
lasted a week or 10 days, we would be out of business," Larson said,
explaining the decision to cut and run.
Earlier this month, the cyberattacks forced Joe Jared, who had
been hosting the Spam Prevention Early Warning System, also known as
SPEWS, at his Osirusoft.com Web site, to suddenly pull the plug on the
popular but controversial block list.

Jared's action blocked access to the SPEWS.org Web site,
though mirror sites with the list continued to operate, enabling
network administrators to reconfigure their systems to query the
alternate sites.
Other block lists, which are used by Internet service providers
and businesses to filter out the majority of incoming spam before it
reaches the end users, have come under siege from distributed denial
of service (DDOS) attacks this summer. The bombardment of massive
amounts of data has intermittently prevented subscribers or users from
gaining access to lists at Web sites of SpamCop.net, Spamhaus.org,
Monkeys.com and the Spam & Open Relay Blocking System.

ATTACKS MORE SYSTEMATIC, INTENSE
DDOS attacks have been used against anti-spam sites before, but
this summer's onslaught appears to be more systematic and intense than
anything seen before.
"There's not much doubt in my mind that the various attacks are
the work of the same person or organization," Julian Haight, president
of Seattle-based SpamCop.net, which has been under attack
intermittently since mid-July, told MSNBC.com earlier this month.
While it's not clear who is behind the campaign, suspicion has
focused on renegade spammers, who have an obvious motive.
"These block lists have become more and more effective as
they've become focused, so they've started to hit home," said Jesse
Dougherty, director of development with software solution provider
ActiveState.
The block lists have alienated some in the Internet community
by blocking users who have nothing to do with spam, either
accidentally or, in the case of SPEWS, as a deliberate tactic aimed at
pressuring Internet service providers to crack down on spammers on
their networks. But because the attacks are targeting multiple sites
rather than just one or two, most experts say spammers are more likely
culprits.
"It has been suggested to me that the person (behind the
attacks) could be a site that I've erroneously blamed for spam, but
given the amount of resources being put into it I'd certainly vote for
the spammer," said Haight.

AN EXTRA $30,000 ON BILL
Haight, who said that SpamCop was knocked offline periodically
in the early days of the attack in mid-July, said it will cost about
$30,000 this year to pay for a content distribution network capable of
withstanding such assaults.
Britain's Spamhaus.org also has been able to withstand steady
attacks that began more than 2½ months ago, chief executive Steve
Linford told the Boston Globe earlier this month.
"We're usually under attack from 5,000 to 10,000 servers at
once," Linford was quoted as saying. "They're extremely large attacks
that would bring down just about anything."
Some security experts, and many in the anti-spam community,
believe that spammers have been behind recent viruses that have placed
malicious "Trojan horse" programs on vulnerable computers, creating
the network of "zombies" that can be remotely ordered to launch such
attacks.
And while there is no hard evidence, some believe that the
"sobig" family of viruses may be recruiting for the zombie army.
Guilmette, the former provider of the Monkeys.com block list,
said the electronic bombardment of his site began "at 11:27 p.m.
Pacific Time on Aug. 19, which coincidentally or not was the same day
that sobig.f started to make the rounds."

BIG ISPS SEEN AS CULPRITS
While the escalating attacks have the anti-spam community up in
arms, there is no indication that law enforcement yet considers them
to be serious.
"I went to my local police and I had to twist their arms just
to get them to take a report," said Guilmette, adding that he called
his local FBI office and left a message but was never called back.
But the longtime spam fighter said he bears more of a grudge
against big ISPs like AT&T and UUNet, because they are in a better
position to halt the attacks.
"If www.whitehouse.gov had been under attack for 10 days, you
can bet your ass that the big providers would have gone to the lower
level ISPs and asked them to shut off the machines that were part
of the zombie army that was doing the attacking," he said. "In my case
they told me all I could do was try to ride it out and hope for the
best."