Media accounts claim that the latest non-government cyber-Armageddon — a Distributed Denial of Service attack on anti-spam service SpamHaus by unidentified attackers alleged by some to be acting on behalf of “pretty much anything goes” web host CyberBunker — reached such proportions that it may have actually slowed down the Internet in general. As I write this article, the attack on SpamHaus appears to have ended in failure, but CyberBunker itself has been taken down in (direct or indirect, who knows) retribution.
As US Vice President Joe Biden might put it, this was a big —-in’ deal. The attackers deployed DDOS resources nearly an order of magnitude more powerful than those typically seen in large-scale cyber attacks, and so far as we know they didn’t have the resources of a state at their disposal. Lots of juicy implications there with regard to governments’ ability to attack Internet freedom versus users’ ability to aggressively respond. But that’s not what really caught my attention.
Maybe I live under a rock or something, but I had never heard of SpamHaus before this incident. I knew there were non-user-level “anti-spam services” available, but I hadn’t ever considered how they might work or what impact they might have on the essential openness of the Internet.
According to its web site, Spamhaus “is an international nonprofit organization whose mission is to track the Internet’s spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spam gangs worldwide, and to lobby governments for effective anti-spam legislation.” It “maintains a number of realtime spam-blocking databases” which “are today used by the majority of the Internet’s Email Service Providers, Corporations, Universities, Governments and Military networks.”
Now, I don’t like spam any more than most people like spam. But what I like even less than spam is the idea of some centralized organization deciding what is and is not spam FOR me, without me ever seeing it, and deleting the things its operators don’t think I SHOULD see. Especially if that organization associates itself with “Governments and Military networks.”
Call me old-fashioned, but I’m comfortable handling my own spam policing duties. Yes, my preferred email client (Gmail) does tentatively class a lot of mail as spam, but it doesn’t just delete that mail. It sticks it in a different folder than the usual stuff, and I’m free to peruse that folder, decide that some of the things in it aren’t spam, and arrange for them not to be treated as spam in the future.
Spamhaus looks, well, dangerous to a free and open Internet. And as we dig into the details of its dust-up with Cyberbunker, even more so. The kerfuffle didn’t start this week. The attack on Spamhaus wasn’t preemptive, it was retaliatory. And while the attack on SpamHaus was along the lines of a “surgical strike,” albeit with some alleged “collateral damage,” its previous actions were more like dropping a nuclear weapon on a city full of innocent civilians.
In 2011, Spamhaus identified Cyberbunker as the host from which a spammer was operating. Instead of simply adding that specific spammer to its blacklist, SpamHaus attempted to intimidate CyberBunker’s upstream provider, A2B, into shutting down the entire hosting service. When A2B declined (while shutting down the specific spammer in question), SpamHaus cleared its Enola Gay for takeoff and dropped a Little Boy, adding all of A2B’s IP addresses to its global blacklist. A2B filed an extortion complaint with police; it’s unclear whether the matter has since been litigated.
If SpamHaus only worked with private sector service providers, I’d probably just write them off as a bad idea and ask my own ISP and/or email provider not to use them. But their publicly disclosed (nay, promoted!) associations with “Government and Military networks” make them more than just a bad idea. SpaumHaus is effectively a transnational Internet secret police force, in the service of various governments, acting with an arrogance, impunity and absence of accountability which poses a clear and present danger to the Internet itself. Here’s hoping that the recent DDOS attack is followed up with more effective countermeasures.