Police arrest suspect accused of “unprecedented” DDoS attack on Spamhaus
Courtesy Dan Goodin, Ars Technica
Spanish authorities have arrested a 35-year-old Dutchman they say is “suspected of unprecedented heavy attacks” on Spamhaus, the international group that helps network owners around the world block spam.
A press release (English translation here) issued by the Dutch Public Prosecutor Service identified the suspect only by the initials SK and said he was living in Barcelona. A variety of circumstantial evidence, mostly taken from this Facebook profile, strongly suggests the suspect is one Sven Olaf Kamphuis. He’s the man quoted in a March 26 New York Times article saying a Dutch hosting company called CyberBunker, which Kamphuis is affiliated with, was behind distributed denial-of-service attacks aimed at Spamhaus. Kamphuis later denied he or CyberBunker had anything to do with the attacks.
With peaks of 300 gigabits per second, the March attacks were among the biggest ever recorded. Besides their size, they were also notable because they attacked the London Internet Exchange, a regional hub where multiple networks from different service providers connect. As Ars writer Peter Bright explained, the size and technique threatened to clog up the Internet’s core infrastructure and make access to the rest of the Internet slow or impossible. While some critics said that assessment was overblown, Bright provided this follow-up explaining why the attacks had the potential to break key parts of the Internet.
The crippling distributed denial-of-service (DDoS) attacks began a few weeks after Spamhaus added CyberBunker to one of the real-time blacklists that ISPs use to block e-mail from networks suspected of engaging in, or at least turning a blind eye to, the sending of spam. CyberBunker has long been known as an “anything goes” hosting provider. As long as content isn’t “child porn and anything related to terrorism,” the company permits it. According to an article published Friday by KrebsOnSecurity, Spamhaus officials contacted CyberBunker after seeing botnet controllers and illegal pharmaceutical operators hosted on its service. “We got a rude reply back, and he made claims about being his own independent country in the republic of CyberBunker, and said he was not bound by any laws and whatnot,” an unnamed Spamhaus official told reporter Brian Krebs. Kamphuis’ Facebook page has also claimed he has diplomatic immunity.
It should be emphasized that so far there is no official confirmation that the SK in custody is Kamphuis. Even if it is, he should still be presumed innocent until proven otherwise. Dutch prosecutors said SK’s Barcelona residence was searched and computers, data carriers, and mobile phones were seized. They also said they expect SK to be transferred to Dutch authorities soon. We’ll be eager to learn if there’s evidence that can conclusively tie the man to one of the biggest reported DDoS attacks ever.