Spamhaus and Cloudflare’s Juvenile Cyber-Attacker Pleads Guilty

A denial of service attack on SpamHaus and CloudFlare, dubbed the largest DDoS in history, was masterminded by a 17-year-old teenager from London, experts revealed. Such a disastrous attack can only be prevented in future if companies take steps to implement the BCP 38 principles and eliminate misconfigured routers.

A teenager from London was behind the largest known DDoS attack, which almost broke the internet in April last year. Sean Nolan McDonough, alias Narko, pleaded guilty to carrying out a denial of service attack against SpamHaus, a volunteer organization that works to combat internet spamming.

The attack on SpamHaus came into the limelight in March 2013, when an anonymous group of hackers opposed to SpamHaus's anti-spam strategies launched DDoS assaults on the organization, causing a massive outage for days. SpamHaus is a volunteer organization that distributes a blacklist of spammers to email and network providers.

Following the initial attack, SpamHaus contracted CloudFlare, a Silicon Valley tech giant that specializes in mitigating cyberattacks. When the attackers could not take down CloudFlare, they changed tack and employed larger botnets, comprising thousands of compromised computers, to amplify the attacks on both CloudFlare and SpamHaus servers. The New York Times termed the combined attack the largest DDoS attack in history, while CloudFlare termed it “the attack that almost broke the Internet.”

“The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on March 21,” reported CloudFlare in a 2013 blog post.

Narko was arrested in April 2013 and charged with a slew of computer fraud offences, including money laundering, in connection with the assault on SpamHaus and CloudFlare. The case remained out of the media glare until recently, when KrebsOnSecurity revealed that Narko had actually pleaded guilty to the charges.

Details of the case are still very scant, partly because Narko is still a minor, but a UK National Crime Agency spokesman confirmed that Narko entered the guilty plea on December 10, adding that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

Further investigation into the hack reveals that Narko was working with an assorted group of hacktivists, spammers and online fraudsters under a movement known as StopHaus, which opposed SpamHaus's anti-spam activities.

Narko was allegedly the mastermind of the movement, but sources privy to the matter say that the 17-year-old Londoner was working for Andrew J. Stephens, a self-proclaimed “media mercenary”. “It is likely that McDonough/Narko was hired by someone else to conduct the attack,” reported KrebsOnSecurity. “All signs point to Andrew J. Stephens, an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.”

Meanwhile, security experts believe huge DDoS attacks are made possible by the existence of millions of misconfigured routers that allow attackers to carry out IP address spoofing. The blame for huge attacks like the one on SpamHaus lies squarely with ISPs that fail to verify whether outgoing data packets are sent from legitimate customers or from botnets.

An attempt to address the problem of misconfigured routers was initiated back in 2000 by a volunteer group of internet and telecommunication engineers known as the Network Working Group of the Internet Engineering Task Force. The group developed several “Best Current Practices” to help organizations prevent IP address spoofing, a technique attackers use to hide the true origin of their traffic behind a forged source address, a crucial step in a DDoS attack.

Unfortunately, very few internet companies took steps to implement the Task Force's recommendations, outlined in a document known as BCP 38. A majority of companies continue to run open DNS resolvers, which are highly vulnerable to DDoS attacks. In such a case, the next DDoS attack might actually break the Internet if players fail to reconsider implementing the BCP 38 recommendations.
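As an added illustration (not code from the article or from any organization it names), the following toy Python model shows what a BCP 38 ingress filter at an ISP edge does: a customer packet is forwarded only when its source address lies within a prefix assigned to the port it arrived on, so a packet carrying a forged victim address is dropped before it can reach an open resolver. Interface names, prefixes and the sample packets are constructed; a real router would enforce this with an ACL or unicast RPF check rather than Python.

```python
# Added example (not the article's code): toy BCP 38 ingress filter; interface names, prefixes and packets are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed allocation table: prefixes each customer port may legitimately source from.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/26")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

@dataclass(frozen=True)
class Packet:
    ingress_if: str  # port the packet arrived on
    src: str         # source address as written in the packet header
    dst: str         # destination address

def bcp38_allowed(pkt: Packet) -> bool:
    """True only if src falls inside a prefix assigned to the ingress port.
    Unparsable sources and unknown ports fail closed (the BCP 38 / RFC 2827 rule)."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_if)
    return prefixes is not None and any(src in p for p in prefixes)

def filter_packets(pkts):
    """Split a batch into (forwarded, dropped) plus a per-port drop count,
    the counter an operator would watch to spot a customer emitting spoofed traffic."""
    forwarded, dropped, drops_by_if = [], [], {}
    for p in pkts:
        if bcp38_allowed(p):
            forwarded.append(p)
        else:
            dropped.append(p)
            drops_by_if[p.ingress_if] = drops_by_if.get(p.ingress_if, 0) + 1
    return forwarded, dropped, drops_by_if

# Constructed sample: normal traffic plus DNS queries whose source address is
# forged to the intended victim, the reflection pattern described above.
SAMPLE = [
    Packet("cust-a", "203.0.113.10", "192.0.2.53"),      # legitimate IPv4 customer
    Packet("cust-b", "2001:db8:b::1", "2001:db8::53"),   # legitimate IPv6 customer
    Packet("cust-a", "192.0.2.200", "192.0.2.53"),       # forged victim source
    Packet("cust-a", "192.0.2.200", "198.51.100.53"),    # forged victim source
    Packet("cust-b", "203.0.113.10", "192.0.2.53"),      # cust-a address on cust-b port
    Packet("cust-a", "not-an-ip", "192.0.2.53"),         # malformed source
]
```

Running `filter_packets(SAMPLE)` forwards the two legitimate packets and drops the other four, attributing three drops to cust-a and one to cust-b.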

“We spend too much time discussing cyberwar and not enough time discussing what a peaceful Internet looks like — and that is one in which people implement BCP 38 and care about their neighbors,” concludes Rick Wesson, the chief executive of Support Intelligence, a San Francisco-based cyber security company.

Ali Qamar Ali is an Internet security research enthusiast who enjoys "deep" research to dig out modern discoveries in the security industry. To be frank and honest, Ali started working online as a freelancer and still shares his knowledge for a living. He is passionate about sharing knowledge with people, and always tries to give only the best.