The method of attack used in this case is known as DNS reflection. It involves sending spoofed requests, which appear to originate from the intended victim's IP address, to so-called open DNS (Domain Name System) resolvers -- DNS servers that can be queried by anyone on the Internet. The attackers usually craft their requests so that the responses the queried servers return to the victim are very large.
DNS reflection attacks are not new and there are millions of open DNS resolvers on the Internet that can be abused in this way.
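From a resolver operator's side, the abuse described above shows up as one claimed source address receiving far more bytes than it sent. The following Python code is an added example, not part of the original article; the record layout, the thresholds and the sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed resolver log records (not real traffic):
# (claimed source IP, query size in bytes, response size in bytes)
SAMPLE_LOG = [
    ("192.0.2.10", 40, 56),
    ("192.0.2.10", 40, 68),
    ("198.51.100.7", 36, 3100),
    ("198.51.100.7", 36, 3100),
    ("198.51.100.7", 36, 3100),
    ("198.51.100.7", 36, 3100),
    ("203.0.113.5", 36, 3100),
]


def reflection_suspects(records, min_ratio=10.0, min_response_bytes=10_000):
    """Return {claimed_source: stats} for sources that look like reflection victims.

    A source is flagged when the resolver sent it at least `min_response_bytes`
    and the response/query byte ratio is at least `min_ratio`. Both thresholds
    are assumed values to tune against the resolver's normal traffic.
    """
    totals = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for src, query_bytes, response_bytes in records:
        stats = totals[src]
        stats["queries"] += 1
        stats["query_bytes"] += query_bytes
        stats["response_bytes"] += response_bytes

    suspects = {}
    for src, stats in totals.items():
        if stats["query_bytes"] == 0:
            continue  # malformed record; no ratio can be computed
        ratio = stats["response_bytes"] / stats["query_bytes"]
        # Require volume as well as ratio: a single large answer is normal DNS.
        if ratio >= min_ratio and stats["response_bytes"] >= min_response_bytes:
            suspects[src] = {**stats, "ratio": round(ratio, 1)}
    return suspects


if __name__ == "__main__":
    for src, stats in reflection_suspects(SAMPLE_LOG).items():
        print(f"{src}: {stats['queries']} queries, "
              f"{stats['response_bytes']} bytes out, ratio {stats['ratio']}x")
```

A flagged address is the likely victim rather than the sender, so the useful response is to rate-limit or restrict recursion on the resolver, not to block that address as a client.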
This type of attack can be mitigated by the victim or the provider that is defending against the attack, but in this particular case, because of its size, the attack also stressed the rest of the Internet along the way, Holden said. "It was essentially stressful to the fabric of the Internet."
Holden hopes that the size of the attack and the attention it received will help speed up efforts to rid the Internet of open DNS resolvers. However, he agreed that in the short term it might actually encourage other attackers to use the same attack method because of its success.
A group called the Stophaus Movement has taken responsibility for the unprecedented attack. The group claims that Spamhaus is abusing its position of power to force hosting companies to end their business relationships with certain customers that are flagged as spammers without any court order or legal oversight.
The members of the Stophaus Movement are hosting companies and other parties that have been flagged by Spamhaus as spammers themselves because they refused to comply with Spamhaus' requests, said Sven Kamphuis, who claims to be a spokesman for the group, on Wednesday.
Kamphuis runs a network provider called CB3ROB that has been blacklisted by Spamhaus for hosting spam botnets and extortion scams. CB3ROB is a provider for a Dutch hosting company called CyberBunker.com that allows its customers to "host any content they like, except child porn and anything related to terrorism."
"I'm not a spammer and none of the Stophaus members are," Kamphuis said. If a company gets blacklisted by Spamhaus, its bandwidth providers get blacklisted too, he said. This means that if CB3ROB gets blacklisted and this company has KPN as a bandwidth supplier, KPN's mail servers get blacklisted too, he said. Those suppliers then often decide to terminate the contract to keep themselves off the blacklist, he added.
Because of this and because so many providers use Spamhaus' blacklist, the organization "acts like they are the de facto Internet police," Kamphuis said. "Everyone in the business has had more than enough of Spamhaus."
Kamphuis said that he didn't attack Spamhaus himself. The attacks came mainly from China and Russia, he said. "We have quite a few people in the group [Stophaus] that are in areas where it isn't such a problem to launch these kind of attacks."
CB3ROB and Cyberbunker did a "test" together to intercept traffic to Spamhaus' network, but that isn't a DDoS attack, Kamphuis said.
When CloudFlare was attacked, other websites went down too, but CloudFlare can't blame Stophaus for that, Kamphuis said. "They decided that it was a good idea to start hosting a company that is attacked by the biggest DDoS ever," he said.
"They can claim that we are destroying the Internet but we, the hosters, built the Internet," he said, adding that it is Spamhaus that is a "nuisance" for the Internet, not the other way around.