The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Monday, May 08, 2006

Details of Blue Security attack

Last week, spam-fighting service Blue Security was the target of a massive denial-of-service attack. Today, they've posted a detailed timeline of the attack.

Here are the highlights:
  • The attacks are blamed on a Russian spammer known as PharmaMaster.
  • Starting May 1st, extortion emails were sent to as many Blue Frog subscriber emails as the spamming community could find, demanding that subscribers drop Blue Frog. It's not known if PharmaMaster was behind the emails.
  • The next stage of the attack was a technique known as "Blackhole Filtering". Blackhole filtering works by programming routers to deliver traffic to the non-existent "Null0" device, causing that traffic to be sent to the proverbial bit bucket. Normally, blackhole filtering is used to defend against a DoS attack, sacrificing traffic to one network block in order to save the rest of the network. In this case, the attacker managed to maliciously reprogram the routers of a major backbone service provider (Blue Security isn't saying which one). This would have required that PharmaMaster have an inside contact at that provider, or have managed to hack in.
  • Blue Security redirected the DNS entry for their home page to their blog page so that customers could get information about what had happened. Forty minutes later, a massive DDoS attack began against the blog, which was hosted by Six Apart. All Six Apart customers were affected by the attack.
  • Blue Security's DNS provider, Tucows, was attacked next with another DDoS attack. Tucows caved in and terminated Blue Security's account.
Service was finally restored on May 4th.
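Since the damaging step above was a router being reprogrammed with a blackhole route nobody authorised, the defender's check is to audit static routes pointing at Null0 and to diff them against a known-good snapshot. The following is an added example, not code from Blue Security or any provider named in the post; the config lines, the allowlist and the route syntax (Cisco IOS-style `ip route ... Null0`) are all constructed or assumed.

```python
import ipaddress
import re

# Constructed Cisco IOS-style static routes. The 198.51.100.0/24 Null0 entry
# is an assumed, deliberately authorised blackhole (a block the operator chose
# to sacrifice); the 192.0.2.0/24 entry is an unexpected one of the kind that
# silently drops a victim's traffic.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.0 255.255.255.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 10.20.0.0 255.255.0.0 203.0.113.2
"""

# Assumed known-good snapshot taken before the change: same config minus the
# unexpected blackhole line.
BASELINE_CONFIG = SAMPLE_CONFIG.replace("ip route 192.0.2.0 255.255.255.0 Null0\n", "")

# Hypothetical list of prefixes the operator has deliberately blackholed.
AUTHORISED_BLACKHOLES = {ipaddress.ip_network("198.51.100.0/24")}

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def null0_routes(config_text):
    """Return every prefix that a config sends to the Null0 device."""
    found = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(3).lower() == "null0":
            # ipaddress accepts "network/netmask" as well as "network/len".
            found.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return found


def unauthorised_blackholes(config_text, allowlist=AUTHORISED_BLACKHOLES):
    """Null0 routes that are neither an approved prefix nor inside one."""
    return [p for p in null0_routes(config_text)
            if not any(p == a or p.subnet_of(a) for a in allowlist)]


def new_blackholes(baseline_config, current_config):
    """Null0 routes present now but absent from the known-good snapshot:
    the signal that router configuration has been changed under you."""
    added = set(null0_routes(current_config)) - set(null0_routes(baseline_config))
    return sorted(added, key=str)
```

Run both checks from routine config backups: the allowlist catches blackholes that were never approved, and the baseline diff catches ones that appeared since the last audit even if they happen to sit inside an approved range.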

The $64 question here is: which Tier 1 ISP was compromised in the attack, and how was it done? My money is on UUNet, mainly because of this InfoWorld article. Of course, the possibility exists that blackhole filtering isn't involved at all, and that this was an ordinary DDoS attack.

There is a Slashdot discussion which covers the attack in some detail.

Update: seems to think that Missouri spammer Christopher J. Brown is involved in the attack.

