This story doesn't mention that Spamhaus is protected by CloudFlare and we took a beating from this attack. At some point I'm hoping the full technical story about how the attack morphed from our infrastructure to Internet infrastructure can be told.
See poorly configured DNS servers and ISPs failing to configure their networks properly - so traffic with a source address which is not part of your allocated IP block is not allowed to leave your network. It is not that hard!
The Internet Infrastructure is working as designed.
If you run a DNS server - it is your responsibility to maintain and protect it so that it cannot be used to attack others, and by doing that you are helping the 'Internet infrastructure' remain intact as designed. By not doing this you are helping the 'attackers'.
BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network,
> See poorly configured DNS servers and ISPs failing to configure their networks properly - so traffic with a source address which is not part of your allocated IP block is not allowed to leave your network. It is not that hard!
It may not be that hard to set things up this way, but very few ISPs configure their network with this restriction.
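Added example (not part of any comment in this thread): the source-address check that BCP 38 asks an ISP to apply at its customer edge, run over constructed flow records. The interface names, prefixes and flows are assumptions taken from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: prefixes the ISP has assigned to each customer-facing interface.
# Names and prefixes are constructed (RFC 5737 / RFC 3849 documentation ranges).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "2001:db8:b::/48"],
}

# Constructed flow records: (ingress interface, source IP, destination IP, dst UDP port)
FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.53", 53),    # source inside cust-a's block
    ("cust-a", "198.51.100.7", "203.0.113.53", 53),  # source outside cust-a's block
    ("cust-b", "192.0.2.10", "203.0.113.53", 53),    # cust-a's address seen on cust-b
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::53", 53),
    ("cust-b", "not-an-ip", "203.0.113.53", 53),     # malformed record
    ("cust-c", "192.0.2.200", "203.0.113.53", 53),   # interface with no assignment
]

def build_table(assigned):
    """Parse the prefix strings once into network objects."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in assigned.items()}

def permitted(table, interface, src):
    """True only if src parses and lies inside a prefix assigned to interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: fail closed
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in table.get(interface, []))

def apply_filter(flows, assigned=ASSIGNED):
    """Return (forwarded flows, dropped-flow count per interface)."""
    table = build_table(assigned)
    forwarded, dropped = [], Counter()
    for flow in flows:
        if permitted(table, flow[0], flow[1]):
            forwarded.append(flow)
        else:
            dropped[flow[0]] += 1
    return forwarded, dropped

if __name__ == "__main__":
    forwarded, dropped = apply_filter(FLOWS)
    for flow in forwarded:
        print("forward", flow)
    for ifc, count in sorted(dropped.items()):
        print("drop", ifc, count)
```

The per-interface drop counts are what an operator would watch: a port that keeps emitting out-of-block sources points at a compromised or misconfigured customer.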
"But we're up - they haven't been able to knock us down. Our engineers are doing an immense job in keeping it up - this sort of attack would take down pretty much anything else." --Steve Linford from the BBC article.
If Spamhaus' Linford is quoted accurately, he's kind of full of it. The NYT article gives more detail about CloudFlare's involvement.
CloudFlare protects the website, which has no bearing on Spamhaus' actual services, which are run on their DNSBL servers in various networks around the world.
Can you also describe exactly what the connection between CyberBunker and the attack is? Is there any indication that the hosting company is actually involved? It seems dubious but of course there are defunct hosting companies that have done such things (Russian Business Network comes to mind). However, this host does not seem shady in comparison to RBN.
It has an actual location. The name of the owner is known. It has evidently been involved in legal disputes so it is on record with the government.
Much more likely is someone using the hosting system for something nefarious is retaliating against Spamhaus. I don't think the hosting company should go down for that.
Thanks. It was totally unclear from the original article that it was in any way actually a bad actor. It seems like these types of hosts are double-edged swords.
It's not censorship; it's simple property rights and basic freedom. I don't consent to someone else using bandwidth that I have paid for, space on my hard disk, or my attention and time, for advertising. Hosting is cheap enough; they can get their own damn website and opt-in mailing list. And spamhaus subscriptions are completely voluntary and optional.
That being said, the problem with many BLs is that they are run by incompetents or extremists. They usually either end up blocking things that are not spam by accident (see lists of supposedly dynamic IPs), or block whole subnets (sometimes entire ISPs) to try and "teach them a lesson" or blackmail them into fixing the problem.
> That being said, the problem with many BLs is that they are run by incompetents or extremists.
Unfortunately, that includes Spamhaus.
It's a bit sad to see how many companies will blindly support such entities because they've "heard" that they somehow help fight spam. As someone who's had issues with them because of their badly configured hosts and shady practices (e.g. using domains previously used by mail providers as "spam honeypots", meaning anyone who emails someone with an old address can be banned [all content mailed there is considered spam, regardless of what it actually is]), I am disappointed (yes, looking at you CloudFlare).
AIUI, as mhurron says, what Spamhaus does is publish a list.
The nominal purpose of that list is to identify spammers, so that people who wish to filter out spam can be assisted by that. People do, in fact, use that list, to filter email. The email recipient wants to be protected from spam, so the recipient's ISP attempts to perform that service, and Spamhaus contributes an opinion that the ISP takes seriously.
So, in practice, if Spamhaus adds you to their list, many many users will stop seeing email from you. Spamhaus has a great deal of power to mostly-silence domains.
I have no reason to believe that Spamhaus uses their power for anything other than good. But it's not quite as simple as "do they censor? no".
I think, basically, Spamhaus should be thought of as the Internet's equivalent to a Credit Ratings Agency (S&P, Moody's, Fitch, et al.)
In CRAs' own opinions, they are practicing "free speech" and giving what amounts to "numeric editorials on the quality of companies." In critics' opinions, large corporations and sometimes governments are relying on these "editorials", so CRAs' abilities to say whatever-the-heck-they-want should be regulated.
From what I understand, Spamhaus basically provides lists that identify known spammers, or known spam hosts. These lists are used for things like filtering out spam emails. So Spamhaus is basically saying that Cyberbunker is a host to spammers, and therefore email coming from the Cyberbunker's IP addresses should be treated as spam.
Some of my sites have had short periods of slow response times for the past few days but I assumed it's the crappy host they're on. One of my clients on CF hasn't had any issues.
I and some friends noticed 4chan being inaccessible (DNS failure) for parts of yesterday evening. Don't know who else is a CloudFlare client. (I'm in the UK like the sibling comment).
Also, http://openresolverproject.org
PS Technical details: http://blog.cloudflare.com/the-ddos-that-almost-broke-the-in...