Spamhaus attacks highlight security threats posed by poorly configured DNS servers

The substantial security threats which millions of poorly configured Internet Domain Name System (DNS) servers pose for organisations came into the limelight this week, following massive distributed denial-of-service (DDoS) attacks on Spamhaus, the volunteer organisation based in Geneva, Switzerland.

The attacks on Spamhaus started on March 19 and were probably launched by a group opposed to the antispam work carried out by the organisation. According to a number of security companies, they were the biggest publicly disclosed DDoS attacks to date.

The magnitude of the Spamhaus attacks can be gauged from the fact that, while most large DDoS attacks involve between 4 and 10 gigabits per second (Gbps) of traffic, the traffic directed at Spamhaus reportedly peaked at an astounding 300Gbps, at least three times the largest DDoS attack witnessed until now.

The perpetrators behind the Spamhaus attacks apparently made use of the well-known but relatively rarely used DNS reflection (amplification) technique to generate the mammoth stream of DDoS traffic directed against the organisation. In a reflection attack the attacker sends DNS queries whose source address is forged to be the victim's, so that the servers' responses, which are far larger than the queries, are delivered to the victim rather than to the attacker. The "poorly configured" servers in question are open resolvers: DNS servers that answer recursive queries from any address on the Internet instead of only from their own users.

According to Matthew Prince, CEO of CloudFlare, which has been assisting Spamhaus in dealing with the recent attacks, the attackers crafted their lookup queries to magnify the volume of traffic, so that each query caused an open DNS server to respond with bigger-than-normal volumes of data.
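As an added, runnable illustration of the mechanism described above (example code written for this page, not CloudFlare's, Spamhaus's or any attacker's tooling), the script below builds a DNS ANY query with an EDNS0 buffer advertisement in wire format, constructs a sample response of the kind an open resolver might return, and computes the amplification factor, i.e. how many bytes reach the victim per byte of spoofed traffic the attacker sends. It also shows the defender's side: a small check over BIND-style resolver query log lines that flags source addresses repeatedly sending such queries (in a reflection attack that "client" address is the spoofed victim). The domain names, record contents, IP addresses and log lines are all made-up sample data, and the log format is assumed to be the classic BIND query log.

```python
"""Added example: DNS reflection/amplification measured on the wire, plus a log check.
All names, records, addresses and log lines below are constructed sample data."""
import re
import struct
from collections import Counter

QTYPE_ANY = 255
QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_MX, QTYPE_TXT, QTYPE_AAAA, QTYPE_OPT = 1, 2, 6, 15, 16, 28, 41


def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, edns_udp_size=4096, txid=0x1234):
    """A recursive query, optionally with an EDNS0 OPT record.

    The OPT record advertises the largest UDP reply the client accepts. A ~40-byte
    ANY query advertising 4096 bytes, sent with the victim's address as UDP source,
    invites an open resolver to send the victim a multi-kilobyte reply."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/flags, RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def _rr(rtype, rdata, ttl=3600):
    """Resource record whose owner name is a compression pointer to the question name (offset 12)."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_sample_response(query):
    """Constructed reply an open resolver might give to an ANY query (sample data, not real records)."""
    txid = query[:2]
    qsection = query[12:]
    qname_end = qsection.index(b"\x00") + 1      # first zero byte terminates the qname
    question = qsection[:qname_end + 4]           # qname + qtype + qclass, OPT dropped
    answers = [
        _rr(QTYPE_A, bytes([192, 0, 2, 10])),
        _rr(QTYPE_AAAA, bytes.fromhex("20010db8" + "00" * 11 + "10")),
        _rr(QTYPE_NS, encode_name("ns1.example.net")),
        _rr(QTYPE_NS, encode_name("ns2.example.net")),
        _rr(QTYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.net")),
        _rr(QTYPE_SOA, encode_name("ns1.example.net") + encode_name("hostmaster.example.net")
            + struct.pack("!IIIII", 2013032001, 7200, 900, 1209600, 300)),
    ]
    # Long TXT records (SPF / DKIM-style) are a big part of what makes ANY answers so fat.
    for txt in ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                "v=DKIM1; k=rsa; p=" + "A" * 200,
                "site-verification=" + "0123456789abcdef" * 4):
        answers.append(_rr(QTYPE_TXT, bytes([len(txt)]) + txt.encode("ascii")))
    header = txid + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 1)  # QR=1, RD, RA
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return header + question + b"".join(answers) + opt


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker has to send (UDP payload only)."""
    return len(response) / len(query)


def attacker_bandwidth_needed(target_gbps, factor):
    """Upstream capacity (Gbps) the attacker needs to push target_gbps onto the victim."""
    return target_gbps / factor


# Assumed classic BIND query-log shape:
#   client 192.0.2.1#12345 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
LOG_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#\d+(?: \(\S+\))?: "
                    r"query: (\S+) IN (\S+) (\S+)")

SAMPLE_LOG = """\
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
client 203.0.113.9#40211 (www.example.org): query: www.example.org IN A + (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
""".splitlines()


def suspicious_sources(log_lines, threshold=3):
    """Client addresses sending repeated ANY+EDNS queries; on an open resolver under
    abuse, that address is the spoofed victim, and the resolver is the reflector."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "ANY" and m.group(4).startswith("+E"):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_sample_response(q)
    f = amplification_factor(q, r)
    print(f"query {len(q)} B, response {len(r)} B, amplification x{f:.1f}")
    print(f"300 Gbps at the victim needs ~{attacker_bandwidth_needed(300, f):.1f} Gbps of spoofed queries")
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
```

The ratio this produces is modest compared with what a real resolver returns for a zone carrying DNSSEC signatures, since RRSIG and DNSKEY records add kilobytes to an ANY answer; the point is that the factor is set entirely by the server's configuration and the zone, not by anything the attacker has to transmit. The fix on the server side is to refuse recursion to addresses outside your own networks (and, ideally, to rate-limit responses), which removes the server from the pool of reflectors.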