Suspect in massive Spamhaus DDoS attack arrested in Spain

Filed Under: Featured, Law & order

About a month ago, veteran anti-spam campaigners Spamhaus became embroiled in a massive DDoS attack.

A DoS, or denial of service, is where you deliberately waste the resources of a legitimate online service, for example by sending lots of pointless emails or purposely uploading files that you know cause processing problems for someone's server.

(It's a bit like phoning someone you don't like over and over throughout the night, even though you have nothing to say, just so they keep waking up.)

A DDoS is a distributed DoS, where you persuade or trick a raft of other people to join in the attack, each one starting what amounts to a DoS in its own right.

(Your victim's phone, in our old-school analogy above, just never stops ringing. Indeed, it rings so much he can't make outgoing calls of his own, or get to sleep at all, or do anything purposeful.)

The nature of the attacks

The attacks against Spamhaus used what techies call "DNS amplification".

This relied on your home firewall, or your router at work, being wrongly configured.

The attackers could then exchange tiny packets of data with you, asking you to get DNS information from Spamhaus; you'd then convert that into a much larger exchange of data packets with Spamhaus itself.

By dispersing a few hundred bytes each to a few hundred misconfigured routers, the attackers could produce tens of megabytes of network traffic focused back onto Spamhaus's servers.

And data from the OpenDNS project suggests that there are not merely a few hundred misconfigured routers worldwide, but tens of millions.

So, whoever attacked Spamhaus was able to muster a lot of bogus traffic, with some estimates putting the peak malevolent bandwidth at 300Gbit/sec.

The background to the attacks

According to reports back in March 2013, the attack boiled down to a dispute between Spamhaus, which fights spam, and countercultural ISP Cyberbunker, which caters to customers who are unwanted by, or afraid to use, traditional web hosts because of the activities they are involved in.

Cyberbunker, amongst others, despises Spamhaus for operating an email blocklist service.

This aims to maintain lists of suspected dodgy email senders so that Spamhaus customers can jettison email that they almost certainly aren't going to want.

Spamhaus doesn't actually prevent anyone sending email, or deny anyone the right to receive lawful email of their choice.

But it does provide an online assessment service - what's known as a realtime blocklist - that you can query before you accept an email.

Cyberbunker, it seems, doesn't like that at all. (So much for freedom of choice.)

The arrest

Anyway, a 35-year-old man identified only as S.K. has been arrested in Barcelona, Spain, in connection with the March attacks:

A 35-year-old Dutch national, S.K., was arrested in Spain on Thursday in an investigation into large-scale cyberattacks. A European arrest warrant was issued by the Dutch National Prosecutor.

K. is accused of serious attacks against the non-profit organisation Spamhaus, which maintains anti-spam databases. These so-called DDoS attacks, carried out last month, also took place against Spamhaus partners in the USA, the Netherlands and the UK.

The suspect

Who is S.K.?

The Dutch prosecutors and the Spanish cops know for sure; the rest of us can only guess.

But I can tell you that one of Cyberbunker's leading personalities is a Dutchman by the name of Sven Olaf Kamphuis.

Kamphuis, as it happens, gave an online interview late last month to online "urban lifestyle" video site Heavy.com.

Entitled "Meet the Man Behind the Biggest Cyberattack in History," the interview quotes Kamphuis claiming to be the spokesperson for Stophaus, a group of anti-Spamhaus hacktivists.

He also states that "a few people from the Stophaus group...decided it was a very good idea to take down Spamhaus. And they did," but denies that anyone from Cyberbunker was involved.

Kamphuis even claims, in the interview, that Cyberbunker itself, a NATO military bunker left over from the Cold War, isn't Dutch territory at all - his implication seems to be that it is a sovereign independent state of its own.

But if S.K. really is Sven Olaf Kamphuis, you have to wonder why he didn't hole up in the Republic of Cyberbunker in the aftermath of the attack, in order to spare himself the inconvenient attention of EU law enforcement officials.

An intriguing saga, I'm sure you'll agree.

We'll tell you more as the facts emerge...


2 Responses to Suspect in massive Spamhaus DDoS attack arrested in Spain

  1. Joe · 509 days ago

    Now that you have our attention, why not tell us how to tell if our routers are misconfigured, and how to fix the configuration?

    • Paul Ducklin · 508 days ago

      The problem is DNS recursion.

      That's a fancy way of saying "my DNS server is willing to pass queries on to other people's domains, as well as giving information about my own."

      Even on a SoHo router, you probably have a DNS server that *does* answer questions about the whole internet, so your internal users can find their way round the internet. That server should *not* be listening on the external (WAN) interface, where outsiders could abuse it to "bounce" queries from you onto a third-party victim.

      If you have your own domain name, then you (or someone for you) probably have a DNS server that accepts queries from outsiders, in order to give authoritative answers about your own internet properties. That server should *not* answer questions about the whole internet, i.e. should not support recursion.

      If you have Unixy skills, or a friend who does, test your home router by issuing a command like this from outside your network:

      $ dig @your.ip.number.here example.com

      You should get no reply at all.

      Test your authoritative DNS server (or servers, since you should have at least two) with the same command.

      You should get a "recursion not supported" message, because "example.com" is someone else's domain.

      Hope that helps, and isn't too techie.

      Bottom line for a SoHo router is that, unless you really intend it that way, it probably shouldn't be providing *any* services on its external interface, DNS included...
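As an added example (not code from the article, the comment, or any of the organisations named), the recursion check described in the reply above together with the "bytes back per byte sent" ratio that makes the amplification attack in the article body work: a small Python probe that sends the same kind of query as the dig command, classifies the reply (silent, refused/non-recursive, or open recursive), and reports the size ratio. Function names are mine; the sample replies are constructed, with a documentation address (192.0.2.1) as the answer.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Minimal DNS query (RFC 1035 wire format); qtype 1 = A, rd asks for recursion."""
    flags = 0x0100 if rd else 0x0000                      # QR=0, opcode=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def classify(query, resp):
    """Judge a reply to a recursive query for a domain the server does not own."""
    if resp is None:                                      # timeout: nothing listening
        return {"verdict": "silent", "ra": False, "rcode": None, "answers": 0, "ratio": 0.0}
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra, rcode = bool(flags & 0x0080), flags & 0x000F      # RA flag, response code
    if rcode == 5 or (not ra and an == 0):
        verdict = "refused-or-non-recursive"              # authoritative-only: fine
    elif ra and an > 0:
        verdict = "open-recursive"                        # answers for anyone: abusable
    else:
        verdict = "other"
    return {"verdict": verdict, "ra": ra, "rcode": rcode, "answers": an,
            "ratio": len(resp) / len(query)}              # bytes back per byte sent

def probe(server_ip, name="example.com", timeout=3.0):
    """Send one UDP query (what the dig command above does) and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(q, resp)

# Constructed sample replies (no network needed) to the same 29-byte query:
# REFUSED (rcode 5, RA clear) from an authoritative-only server, and a full answer
# (RA set, one A record) from an open recursive resolver.
SAMPLE_QUERY = build_query("example.com")
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_QUERY, OPEN_REPLY))
```

Run it with your own external IP address as the argument from outside your network; a real open resolver asked for a large record type (an ANY or DNSKEY query rather than the small A record used here) returns a far bigger ratio, which is exactly the multiplication the article describes.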


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog