Spamhaus vs. Cyberbunker

There’s a real, genuine cyber-war going on over the Internet between Spamhaus and a Dutch company called Cyberbunker, and their connectivity provider A2B Internet. Spamhaus is a not-for-profit organisation that blacklists internet service providers that allow spammers to use their facilities, and Cyberbunker is an ISP which, according to their own web site, provides services to anyone for any purpose “except child porn and anything related to terrorism. Everything else is fine.” Spamming is okay by them; they’ve never denied it and basically take the view that all ISPs dealing with spammers: it’s none of Spamhaus’ business what they do and launching a denial-of-service attack against them is some kind of natural right. They’re known for hosting outfits like Pirate Bay when no one else would touch them, to give you some idea.

Pirate Bay
One of Cyberbunkers more high-profile customers – The Pirate Bay.

The war started on 19th March when a DDOS attack was launched against the Spamhaus servers in retaliation for them adding a range of IP addresses provided to Cyberbunker by A2B Internet.

A2B Internet’s view is that they’re not responsible for what Cyberbunkers’ customers do with the IP addresses and it’s no business of Spamhaus what anyone else on the Internet does. Spamhaus, and the users of the Spamhaus block-list (SBL) think it is, and after all, no one is forced to use the SBL – they use it to identify emails coming from outfits of the type often hosted by Cyberbunker. This didn’t stop A2B Internet going to the Dutch Police in outrage, accusing Spamhaus of extortion by blacklisting some of its IP addresses. Quite how this amounts to extortion isn’t clear. It pressures A2B  on who it sells connectivity to Cyberbunker, to stop doing so, but Spamhaus would argue that it was listing IP addresses used to send spam, and that’s all there is to it.

Although the SBL isn’t easy to disable by such methods, it was nonetheless annoying and Spamhaus called on the services of Californian-based CloudFlare to mitigate the attacks, which promptly got attacked themselves for their trouble. The attackers are using a feature of DNS to send gigabits of traffic towards the Spamhaus servers. Using a botnet, they’re sending zone transfer requests to poorly configured DNS servers claiming that Spamhaus has requested data on a zone (domain). The request is short, but the data returned can be very large and is sent directly to Spamhaus. People running a DNS should configure it such that it won’t accept zone transfer requests from “just anyone”, but many fail to do this – especially Microsoft installations, in my experience. By using a botnet to send the initial request the attackers have been generating traffic said to be in excess of 300Gbps.

But these attacks don’t just affect Spamhaus. The DNS servers hijacked for the purpose are consequently over-loaded when legitimate requests get through, and the traffic heading to Spamhaus is going to squeeze other legitimate traffic en route. There are stories about concerning disruption to Netflix and other high-bandwidth Internet services. Whether this is any great loss is a matter of opinion.

But is it fair to blame Cyberbunker for these attacks? Circumstantially they’re implicated. The New York Times quoted “Internet Activist” Sven Olaf Kamphuis, who claims to speak for the attackers, as saying that Cyberbunker was retaliating against Spamhaus for “abusing their influence using  one of the largest DDoS attacks the world had publicly seen.” However, it’s my understanding that Mr Kamphuis is the actually the Managing Director, and possibly owner, of Cyberbunker – so if the comments in the NYT are correct, it’s clearly them.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Kamphuis continued, “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet, they worked themselves into that position by pretending to fight spam.”

He has a point, but possibly not a very good one. About 75% of the spam filters in the world use the SBL to drop mail from dodgy sources. They don’t have to; they choose to. If the SBL was no good, they wouldn’t use it. It’s not really a case of Spamhaus determining what goes on the Internet, it’s a case of the majority of the Internet trusting Spamhaus more than they do Cyberbunker when it comes to deciding what’s spam and what isn’t.

But it means that the maintainers of the SBL have a lot of power, because incorrectly listing an IP address has a seriously negative effect on its owner. It depends on your point of view as to whether a listing is deserved or not. Spammers say they’re within the law (or their moral rights); the recipients of their marketing messages may disagree.

Cyberbunker
Cyberbunker is what its name suggests: a data centre in a disused NATO bomb-proof bunker

This disagreement has been going on for years, but A2B Internet’s complaint to the police and the subsequent DDoS attack are probably a game changer. They’ve crossed a line and “the authorities” can no longer ignore Cyberbunker’s activities. Subsequent action could be interesting as Cyberbunker’s own web site boasts of them already having defeated a raid by a Dutch “SWOT team” – a bunch of heavily armed police with battering rams at least. As they’re holed up in an old NATO nuclear bunker with blast doors able to withstand a 20 Megaton atomic bomb, a bunch of coppers with a sledge hammer aren’t going to have much effect.

Turning off the up-stream link might, however, have the desired effect. They may have buried themselves with enough food, water and diesel for their generators to withstand a long siege, but there’d be no point once they’d been disconnected. I understand that A2B Internet have decided to turn off the tap already. According to Spamhaus, Cyberbunker is getting feeds from elsewhere, but on checking they’re not terribly good feeds – or someone is currently attacking Cyberbunker.

As to the collateral damage, I suspect it’s being somewhat over-blown. Operators of a DNS server should configure it properly to prevent this nonsense, and ISPs really ought to take the initiative and check their customers are secure. But this could be a seminal event where spammers are concerned, and the world will be watching the Dutch authorities with interest.

And before condemning Cyberbunker completely, it’s worth noting they’re providing hosting for legitimate users being hounded by illegitimate governments around the world. In principle, they’re possibly as often right as they are wrong by ignoring what their customers do. There’s reputedly a lot of cyber-crime taking place on AWS, don’t forget, and the world isn’t clamouring to shut Amazon down. The difference may only be scale.

Spammer without a Motive

Anyone who knows what I’m about will have guessed that I’d take an interest in the spamming attempts on this blog site. And indeed I have. However, a couple of weeks ago I had a slew of comments for which I can’t deduce a motive.

They took the form of meaningful comments to half a dozen posts – the sort of thing you’d normally let through even they they didn’t add any useful knowledge. They were also well written, by someone who clearly spoke English. But they didn’t add up.

The author purported to be an American cleric, and the comments were written from that viewpoint. However, they didn’t smell quite right – there were a few slips that suggested they weren’t written by a west-coast American priest. Investigation revealed they were, in fact, sent from a computer in Manchester or thereabouts.

So what’s the game? Well there were no links or other nasties in any of the posts. The web site of the poster (which may well have been blocked anyway) was a religious blog in the USA, but it hadn’t seen any activity since mid-2006.

Could this person have been creating an identify for a sock-puppet? Well having waited a couple of weeks, the name hasn’t appeared anywhere else. It could be that the poster failed to convince anyone, but the Internet is a big place and most blogs aren’t posted by computer security experts.

The only explanation I can think of is someone trying to create an identity with enough rights that subsequent posts could get through unmoderated. This would have taken a great deal of further work, especially as the email address provided was an anonymised temporary one.

So, I’m still stumped!

Some of the comments were quite funny, so I might let them through anyway and see what happens.