Dutchman arrested in Spain for DDoS attacks on Spamhaus

Posted by   Virus Bulletin on   Apr 29, 2013

Suspect drove around in 'mobile bunker' to co-ordinate attacks.

Police in Spain have arrested a 35-year-old Dutchman, believed to be responsible for the DDoS attacks on Spamhaus last month.

Although the Dutch public prosecutor has only identified the suspect as 'SK', it is almost certain that he is Sven Olaf Kamphuis, spokesman for hosting provider CyberBunker. It was the blacklisting of CyberBunker's IP addresses that triggered the DDoS attacks, and Kamphuis has acted as an unofficial spokesman for the 'Stophaus' group behind the attacks - although, somewhat implausably, he denies any direct involvement.

CyberBunker is named after the disused NATO bunker from the Cold War era in the Netherlands, where it was once (and possibly still is) located. CyberBunker promises to host anything 'except child porn and anything related to terrorism', thus few will be surprised that it is a popular host for spammers, scammers and malware authors. It has also hosted a Wikileaks mirror and the website of torrent index The Pirate Bay.

For this latter reason, the provider has gained some popularity among the hacktivist community. This popularity may also have been fuelled by the spin Kamphuis has given to the story, where he tried to portray himself as an online Robin Hood, accusing Spamhaus in general and its founder Steve Linford in particular of wanting to control the Internet.

The attack on Spamhaus was said to be 'the biggest DDoS ever', and although some stories in the media about the iminent collapse of the Internet were somewhat inflated, it certainly was big. It disrupted both the website and the email infrastructure of the blacklist provider, although it didn't affect the DNS-based list itself. This led to the ironic situation where IP addresses could still be added to the blacklist, but removals could be delayed.

It is uncertain whether the arrest of Kamphuis means the DDoS attacks have now come to an end. Shortly after his arrest, some hacktivists posted an 'official' press release, in which they threaten more attacks if Kamphuis is not released. They also claim to be responsible for a series of DDoS attacks against Dutch banks and government websites in recent weeks, but this is probably to be taken with a pinch of salt.

More details at the blog of Brian Krebs here, with comments from Spamhaus's Steve Linford here. Meanwhile, the Dynamoo blog had a look at some of CyberBunker's IP space and found a significant part of it listed for spreading malware and/or spam.

Posted on 29 April 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Office bugs on the rise

At VB2018 Sophos researcher Gábor Szappanos provided a detailed overview of Office exploit builders, and looked in particular at the widely exploited CVE-2017-0199. Today we publish his paper and release the video of his presentation.

VB2018 video: The Big Bang Theory by APT-C-23

Today, we release the video of the VB2018 presentation by Check Point researcher Aseel Kayal, who connected the various dots relating to campaigns by the APT-C-23 threat group.

VB2019 London - join us for the most international threat intelligence conference!

VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

VB2018 paper: Tracking Mirai variants

Today, we publish the VB2018 paper by Qihoo 360 researchers Ya Liu and Hui Wang, on extracting data from variants of the Mirai botnet to classify and track variants.

VB2018 paper: Hide'n'Seek: an adaptive peer-to-peer IoT botnet

2018 has seen an increase in the variety of botnets living on the Internet of Things - such as Hide'N'Seek, which is notable for its use of peer-to-peer for command-and-control communication. Today, we publish the VB2018 paper by Bitdefender…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.