[ISN] Antispam firm says it was victim of sophisticated attack

From: InfoSec News (isn@private)
Date: Tue May 09 2006 - 00:18:51 PDT


By Jaikumar Vijayan
May 05, 2006

The CEO of an antispam firm whose service was knocked off-line by a
spammer earlier this week claimed that his company was the victim of a
sophisticated attack carried out, in part, with the help of someone at
a top-tier Internet service provider (ISP).

But some security experts expressed doubts abut the company's claims
and said they appear to be an attempt to deflect attention from the
criticism it has recived for the way in which it handled the attacks.

Eran Reshef, CEO of Blue Security Inc., an Israeli antispam firm, said
his company was attacked by a major spammer named PharmaMaster who
used a combination of methods to knock out the company's Web site and
the servers hosting its services.

Blue Security, which has its U.S. headquarters in Menlo Park, Calif.,
operates an antispam service designed to deter junk-mailers by
spamming them back. Blue Security's Do Not Intrude program allows
individuals to register their e-mail addresses with the company and
essentially flood spammers who send them e-mail with automated opt-out

The attacks that crippled Blue Service were preceded by PharmaMaster
sending out threatening e-mails to subscribers of the Do Not Intrude
Registry, warning them of even more spam if they did not withdraw
their subscriptions.

PharmaMaster then appears to have gotten someone at a major ISP to
block Blue Security's IP address on the Internet's backbone routers,
most probably via a process called black-holing, Reshef claimed. With
black-holing, an ISP essentially removes the advertised path to a
particular Web site or IP address -- making it completely inaccessible
to the outside world. According to Reshef, PharmaMaster informed Blue
Security that he had gotten an ISP to agree to black-hole the company
before the attacks started.

"Immediately, we started seeing our IP address getting blacklisted by
other ISPs," Reshef said. As a result, traffic to the company's main
Web site dropped from the usual 100 hits per minute to about two per
minute in less than an hour -- and nothing at all from outside of
Israel. At almost the same time, massive distributed denial-of-service
(DDoS) attacks were launched against the dedicated servers that
provide Blue Security's antispam service. The servers, located at five
separate hosting provider sites, were bombarded with up to 2GB of
traffic per second, rendering them inaccessible.

In what Reshef said was a bid to tell subscribers what was happening,
Blue Security pointed the company's corporate Web server URL to its
blog, which is hosted by Six Apart Ltd. in San Francisco. PharmaMaster
then launched a DDoS attack against the server hosting Blue Security's
blog. That caused thousands of other blogs hosted by Six Apart to be
knocked off-line.

The DDoS attacks against the company's dedicated servers meanwhile
resulted in service disruptions to five hosting providers as well as
major Domain Name System service provider Tucows Inc., he said.

Pointing the company's main URL to the Blue Security blog site on Six
Apart when it was under attack may not have been the best idea, Reshef
said. But at the time, the company had little idea that the attacker
would launch a separate DoS attack on the blog site as well.

But Todd Underwood, chief operations and security officer at Renesys
Inc., a Manchester, N.H.-based Internet monitoring company, said that
based on traffic analysis, Blue Security's main Web site appears to
have been under a DDoS attack for at least two days before it
redirected its URL to the blog.

"I do think if you are under attack, it is your duty not to redirect
it against someone else," Underwood said. "It is not a fair or an
ethical decision," he said, adding that it is hard to imagine that
Blue Security didn't know it was being hit with a DDoS attack when it
pointed its URL to the blog site.

Underwood also said that it was unlikely that a spammer would have
been able to get an individual at a major ISP to install a "no route"  
to Blue Security, as Reshef claimed. "These are not the kind of
networks where people can sneak in and make routing configuration
changes" without logging that change or discussing it with others, he
said. "The suggestion that some Russian spammer could bribe someone to
install a no-route" is hard to believe, he said.

John Levine, chairman of the Internet Anti-Spam Research Group, said
that other antispam efforts have been similarly targeted as well. But
they did not involve an ISP. And neither did those who were attacked
respond like Blue Security did, he said. "If you know you are under a
DoS attack, pointing your DNS at other parties is irresponsible," he

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue May 09 2006 - 00:45:40 PDT