Suspect in massive Spamhaus DDoS attack arrested in Spain

About a month ago, veteran anti-spam campaigners Spamhaus became embroiled in a massive DDoS attack.

A DoS, or denial of service, is where you deliberately waste the resources of a legitimate online service, for example by sending lots of pointless emails or purposely uploading files that you know cause processing problems for someone’s server.

(It’s a bit like phoning someone you don’t like over and over throughout the night, even though you have nothing to say, just so they keep waking up.)

A DDoS is a distributed DoS, where you persuade or trick a raft of other people to join in the attack, each one starting what amounts to a DoS in its own right.

(Your victim’s phone, in our old-school analogy above, just never stops ringing. Indeed, it rings so much he can’t make outgoing calls of his own, or get to sleep at all, or do anything purposeful.)

The nature of the attacks

The attacks against Spamhaus used what techies call “DNS amplification”.

This relied on your home firewall, or your router at work, being wrongly configured.

The attackers could then exchange tiny packets of data with you, asking you to get DNS information from Spamhaus; you’d then convert that into a much larger exchange of data packets with Spamhaus itself.

By dispersing a few hundred bytes each to a few hundred misconfigured routers, the attackers could produce tens of megabytes of network traffic focused back onto Spamhaus’s servers.

And data from the OpenDNS project suggests that there are not merely a few hundred misconfigured routers worldwide, but tens of millions.

So, whoever attacked Spamhaus was able to muster a lot of bogus traffic, with some estimates putting the peak malevolent bandwidth at 300Gbit/sec.
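Seen from the victim's side, reflected traffic has a tell-tale shape: DNS answers arrive from port 53 at addresses and ports that never sent a query to that server. Here is an added example (not code from the article, Spamhaus or any of the parties named) of a small detector that walks constructed border flow records and groups such unsolicited answers by victim, using documentation address ranges throughout:

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the article). Each tuple is
# one UDP datagram seen at a network border: (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 40000, "198.51.100.5", 53, 64),    # our host asks a resolver
    ("198.51.100.5", 53, "192.0.2.10", 40000, 180),   # the matching answer (solicited)
    ("203.0.113.7", 53, "192.0.2.10", 4444, 3100),    # answers nobody here asked for
    ("203.0.113.8", 53, "192.0.2.10", 4444, 3100),
    ("203.0.113.9", 53, "192.0.2.10", 4444, 3100),
    ("203.0.113.7", 53, "192.0.2.10", 4445, 3100),
    ("192.0.2.11", 52000, "198.51.100.5", 443, 900),   # unrelated HTTPS traffic
]


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker spent on the reflector."""
    return response_bytes / query_bytes


def detect_unsolicited_dns(flows, min_bytes=1024):
    """Group DNS answers that arrive without a matching outbound query.

    Spoofed-source amplification shows up at the victim as answers from UDP port 53
    to (ip, port) pairs that never queried that server. Returns a dict keyed by
    victim address with answer count, total bytes and number of distinct reflectors,
    keeping only victims that received at least min_bytes of unsolicited data.
    """
    seen_queries = set()
    for src_ip, src_port, dst_ip, dst_port, _ in flows:
        if dst_port == 53:
            seen_queries.add((src_ip, src_port, dst_ip))
    report = defaultdict(lambda: {"answers": 0, "bytes": 0, "reflectors": set()})
    for src_ip, src_port, dst_ip, dst_port, size in flows:
        if src_port != 53 or (dst_ip, dst_port, src_ip) in seen_queries:
            continue  # not a DNS answer, or an answer we legitimately asked for
        entry = report[dst_ip]
        entry["answers"] += 1
        entry["bytes"] += size
        entry["reflectors"].add(src_ip)
    return {
        victim: {"answers": e["answers"], "bytes": e["bytes"], "reflectors": len(e["reflectors"])}
        for victim, e in report.items()
        if e["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    print(detect_unsolicited_dns(SAMPLE_FLOWS))
    print("amplification:", amplification_factor(64, 3100))
```

On real flow or packet-capture data the same grouping highlights which reflectors are being abused, which is the list you would hand to their operators or upstream providers.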

The background to the attacks

According to reports back in March 2013, the attack boiled down to a dispute between Spamhaus, which fights spam, and countercultural ISP Cyberbunker, which caters to customers who are unwanted by, or afraid to use, traditional web hosts because of the activities they are involved in.

Cyberbunker, amongst others, despises Spamhaus for operating an email blocklist service.

This aims to maintain lists of suspected dodgy email senders so that Spamhaus customers can jettison email that they almost certainly aren’t going to want.

Spamhaus doesn’t actually prevent anyone sending email, or deny anyone the right to receive lawful email of their choice.

But it does provide an online assessment service – what’s known as a realtime blocklist – that you can query before you accept an email.

Cyberbunker, it seems, doesn’t like that at all. (So much for freedom of choice.)

The arrest

Anyway, a 35-year-old man identified only as S.K. has been arrested in Barcelona, Spain, in connection with the March attacks:

A 35-year-old Dutch national, S.K., was arrested in Spain on Thursday in an investigation into large-scale cyberattacks. A European arrest warrant was issued by the Dutch National Prosecutor.

K. is accused of serious attacks against the non-profit organisation Spamhaus, which maintains anti-spam databases. These so-called DDoS attacks, carried out last month, also took place against Spamhaus partners in the USA, the Netherlands and the UK.

The suspect

Who is S.K.?

The Dutch prosecutors and the Spanish cops know for sure; the rest of us can only guess.

But I can tell you that one of Cyberbunker’s leading personalities is a Dutchman by the name of Sven Olaf Kamphuis.

Kamphuis, as it happens, gave an online interview late last month to online “urban lifestyle” video site

Entitled “Meet the Man Behind the Biggest Cyberattack in History,” the interview quotes Kamphuis claiming to be the spokesperson for Stophaus, a group of anti-Spamhaus hacktivists.

He also states that “a few people from the Stophaus group…decided it was a very good idea to take down Spamhaus. And they did,” but denies that anyone from Cyberbunker was involved.

Kamphuis even claims, in the interview, that Cyberbunker itself, a NATO military bunker left over from the Cold War, isn’t Dutch territory at all – his implication seems to be that it is a sovereign independent state of its own.

But if S.K. really is Sven Olaf Kamphuis, you have to wonder why he didn’t hole up in the Republic of Cyberbunker in the aftermath of the attack, in order to spare himself the inconvenient attention of EU law enforcement officials.

An intriguing saga, I’m sure you’ll agree.

We’ll tell you more as the facts emerge…

Image of orange bloke with megaphone courtesy of Shutterstock.