Anatomy of a Breach: Spamhaus — The 300 Gbps DDoS That Nearly Broke the Internet

> series: anatomy_of_a_breach —— part: 051 —— target: spamhaus —— peak_traffic: 300_gbps —— method: dns_amplification

Hedgehog Security 31 March 2013 13 min read

300 gigabits per second. The attack that shook the internet.

In March 2013, Spamhaus — the London and Geneva-headquartered organisation that maintains DNS-based blocklists used by email providers worldwide to filter spam — was targeted by a DDoS attack that peaked at approximately 300 Gbps. The attack was so large that CloudFlare, which was providing DDoS mitigation for Spamhaus, reported that the traffic volume caused measurable congestion at internet exchange points across Europe, affecting internet performance for users who had no connection to either Spamhaus or the attackers.

The attack used DNS amplification — a technique that exploits open DNS resolvers to multiply the volume of attack traffic. The attacker sends small DNS queries to open resolvers with the source IP address spoofed to appear as the victim's address. The resolvers respond with much larger DNS replies directed at the victim, amplifying the traffic by a factor of 50x or more. The Spamhaus attack demonstrated that DNS amplification could generate traffic volumes sufficient to overwhelm not just a single target but the internet infrastructure that connects it.
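A defender-side view of the amplifier role described above, and of the check that the "DNS Amplification at Scale" section below says a DNS infrastructure assessment should cover: an added Python example, not code from the article, Spamhaus or CloudFlare. The log format, the internal networks and the thresholds are assumptions, and the log lines are constructed.

```python
"""Spot a recursive resolver being abused as a DNS amplifier (added example).
Assumes a constructed log format: time, client IP, qname, qtype, query bytes,
response bytes. Adapt the parser to your resolver's query/response logs."""
from collections import defaultdict
import ipaddress

# Networks this resolver is supposed to answer for (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines. Repeated ANY queries from 203.0.113.7 with ~4 KB answers
# are the amplifier signature: that address is the spoofed victim, not the sender.
SAMPLE_LOG = """\
2013-03-18T10:00:01 10.0.5.12 mail.example.net A 60 76
2013-03-18T10:00:01 203.0.113.7 example.org ANY 64 3961
2013-03-18T10:00:01 203.0.113.7 example.org ANY 64 3961
2013-03-18T10:00:02 203.0.113.7 example.org ANY 64 3961
2013-03-18T10:00:02 203.0.113.7 example.org ANY 64 3961
2013-03-18T10:00:02 198.51.100.9 example.com TXT 58 120
2013-03-18T10:00:03 192.168.1.20 example.com AAAA 59 87
"""

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def amplification_factor(query_bytes, response_bytes):
    """Bytes sent to the (possibly spoofed) client per byte of query received."""
    return response_bytes / query_bytes

def detect_amplification(log_text, min_factor=20.0, min_queries=3):
    """{(client, qname, qtype): (count, factor)} for external clients repeatedly served answers >= min_factor x query size."""
    totals = defaultdict(lambda: [0, 0, 0])  # count, query bytes, reply bytes
    for line in log_text.splitlines():
        _, client, qname, qtype, qlen, rlen = line.split()
        if not is_external(client):
            continue  # answering our own networks is the resolver's job
        t = totals[(client, qname, qtype)]
        t[0] += 1
        t[1] += int(qlen)
        t[2] += int(rlen)
    flagged = {}
    for key, (count, qbytes, rbytes) in totals.items():
        factor = amplification_factor(qbytes, rbytes)
        if count >= min_queries and factor >= min_factor:
            flagged[key] = (count, round(factor, 1))
    return flagged
```

A resolver that answers recursive queries from addresses outside INTERNAL_NETS at all is the root cause; the rate and size pattern only tells you it is being used.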


Spamhaus: a London-headquartered internet guardian.

Spamhaus, founded by Steve Linford in 1998, is headquartered in London with operations in Geneva. Its blocklists are used by email providers, corporations, and governments worldwide to filter spam and malware distribution. An attack on Spamhaus is effectively an attack on global email infrastructure — and the UK's role as host to this critical internet organisation made the attack a matter of national concern.

DNS Amplification at Scale

The attackers exploited tens of thousands of open DNS resolvers worldwide to amplify their traffic. A 1 Mbps query stream could generate 50+ Mbps of response traffic directed at Spamhaus. At 300 Gbps, the aggregate attack traffic exceeded the capacity of most internet exchange points. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses DDoS resilience and identifies whether your organisation's DNS infrastructure could be exploited as an amplifier.

Collateral Damage Across the Internet

The Spamhaus attack demonstrated that sufficiently large DDoS attacks cause collateral damage — degrading internet performance for users and services that have no connection to the target. This 'blast radius' effect means that DDoS attacks are not just a problem for the target but for the internet ecosystem. For UK businesses depending on internet connectivity, DDoS resilience is a business continuity concern.

CyberBunker and the Hosting Dispute

The attack was linked to <a href="https://en.wikipedia.org/wiki/CyberBunker">CyberBunker</a>, a controversial Dutch hosting provider that advertised its willingness to host any content except child exploitation material. Spamhaus had added CyberBunker to its blocklists, and the attack was apparently retaliation. The operator, Sven Olaf Kamphuis, was later arrested in Spain.

CloudFlare's Mitigation

Spamhaus was protected by CloudFlare, which used its global Anycast network to absorb and distribute the attack traffic. Without enterprise-grade DDoS mitigation, a 300 Gbps attack would overwhelm any single-site infrastructure. Our <a href="/penetration-testing/infrastructure">infrastructure assessments</a> evaluate DDoS preparedness and mitigation strategy.

Preparing for attacks measured in hundreds of gigabits.

The Spamhaus attack established that DDoS traffic volumes can reach hundreds of gigabits per second — far beyond the capacity of any single organisation to absorb on its own. Defence requires upstream mitigation (CDN-based or ISP-based traffic scrubbing), architectural resilience (Anycast distribution, geographic redundancy), and incident response planning that includes communication with upstream providers, customers, and stakeholders during an attack.

Our infrastructure penetration testing assesses DDoS preparedness — including your organisation's ability to survive volumetric, protocol, and application-layer attacks. Cyber Essentials establishes baseline infrastructure security. SOC in a Box monitors for the reconnaissance and early-stage traffic patterns that precede DDoS attacks. And UK Cyber Defence provides incident response during active DDoS events.


300 Gbps hit a London-based organisation. Could your infrastructure survive it?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses your DDoS resilience. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for attack precursors. Because when the traffic reaches hundreds of gigabits, only prepared organisations survive.
