The hosting company behind CyberBunker, the company allegedly behind the DDoS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on the upstream providers.

Larry Seltzer, Contributor

March 28, 2013

Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be.

Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, one of the most widely used DNSBLs (DNS-based Blackhole Lists: services that publish lists of IP addresses of hosts known to send spam), called them on it, and when their direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put A2B's network on the SBL (the Spamhaus Block List). That's when things got really ugly: attackers, claiming to act on CyberBunker's behalf, conducted a major DDoS against Spamhaus and its hosts.

You might think that this is obviously a case for law enforcement or maybe we should just send in the marines, but it turns out that the authorities are largely ineffective in such cases. It's rare enough that law enforcement takes down attackers that you hear about it when it happens, and you don't hear much. And the laws are not at all universal. What CyberBunker and A2B are doing may not even be against the law in The Netherlands. The only thing that will move these companies is market and media pressure.

I was talking to Dave Rand, Technical Fellow at Trend Micro. Rand is a pioneer of many Internet technologies, DNSBLs among them. He reminded me of another situation which could be instructive for this one.

Back in late 2008, the world volume of spam dropped precipitously for a while after McColo, a dirty Web hosting provider, was cut off from the Internet by its upstream service providers (Global Crossing and Hurricane Electric). McColo was infamous in security circles, but it was after Brian Krebs of the Washington Post contacted Global Crossing and Hurricane Electric that they cut off service.

So the answer would seem to be to get CyberBunker's upstream providers to shut them off. Who are these providers? There's a bit of dispute over that, but I think it's pretty clear.

Looking at Internet routing data with the help of Dave Rand, we see that CyberBunker's IP addresses are part of ASN 51088 which, as I mentioned above, is registered to A2B Internet BV, a Dutch ISP. A2B is in the thick of this and, while their own Web page seems derelict, they do defend themselves on a web page put up by CyberBunker calling out Spamhaus for "blackmail." Interestingly, on this page Erik Bais, a director at A2B Internet, is quoted as saying: "CyberBunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses)..."

Who is DataHouse? They appear to be a Dutch colocation company. The routing information suggests that DataHouse is either a customer of A2B or a closely related organization. The IP block 217.67.224.0/19 is allocated by RIPE (the European IP registry) to DataHouse, but it is announced by A2B in the routing system. In any case, CyberBunker.com itself is currently pointing to 46.244.10.26, which is not a DataHouse address but an A2B address.
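The two questions this piece keeps coming back to, "who is the registered holder of a prefix versus who actually announces it?" and "which ASNs sit directly upstream of the announcing network?", are exactly what an analyst pulls out of a routing table dump. The script below is an added example written for this page, not code from the article, from Trend Micro or from any of the companies named. It takes the values the article cites (ASN 51088, the 217.67.224.0/19 block, the address 46.244.10.26) and surrounds them with constructed, labelled stand-ins: private-use ASNs from the RFC 6996 range play the role of the upstream and collector networks, the 46.244.0.0/16 allocation and every AS path are made up for the example, and the "holder" names are taken from the article's own attributions rather than from RIPE. It flags prefixes whose registered holder differs from the registrant of the origin AS that announces them (the DataHouse/A2B situation), collapses AS-path prepending before counting neighbours, and reports which ASNs are adjacent to the origin in the paths seen.

```python
"""Allocation-vs-announcement cross-check and upstream-neighbour report.

Added example for the article; not code from the article or any company it
names. Real values from the article: AS51088, 217.67.224.0/19, 46.244.10.26.
Everything else (AS64512-64514, the 46.244.0.0/16 allocation, the AS paths)
is a constructed placeholder, not a real provider or a real route.
"""
import ipaddress
from collections import Counter

# Constructed RIPE-style allocation records: prefix -> registered holder.
ALLOCATIONS = {
    "217.67.224.0/19": "DataHouse",        # allocation as described in the article
    "46.244.0.0/16": "A2B Internet BV",    # constructed: the block containing 46.244.10.26
}

# Constructed ASN registry: ASN -> registrant. 645xx are private-use placeholders.
ASN_OWNERS = {
    51088: "A2B Internet BV",              # per the article
    64512: "Upstream-A (placeholder)",
    64513: "Upstream-B (placeholder)",
    64514: "Route collector peer (placeholder)",
}

# Constructed route-collector dump: (prefix, AS path). Collector side first,
# origin AS last. The fourth entry includes AS-path prepending on purpose.
ROUTES = [
    ("217.67.224.0/19", [64514, 64512, 51088]),
    ("217.67.224.0/19", [64514, 64513, 51088]),
    ("46.244.0.0/16", [64514, 64512, 51088]),
    ("46.244.0.0/16", [64514, 64512, 64512, 51088]),
]


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so prepending does not inflate neighbour counts."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def covering_allocation(ip, allocations):
    """Longest-prefix match of an address against the allocation records (None if uncovered)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in allocations:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def announcing_origins(ip, routes):
    """Set of origin ASNs whose announced prefixes cover the given address."""
    addr = ipaddress.ip_address(ip)
    return {collapse_prepends(path)[-1]
            for prefix, path in routes
            if addr in ipaddress.ip_network(prefix)}


def allocation_mismatches(routes, allocations, asn_owners):
    """Prefixes whose registered holder is not the registrant of the origin AS announcing them.

    A mismatch is not wrongdoing by itself (a provider routinely announces a
    customer's own allocation), but it is precisely the relationship worth
    asking the provider about. Returns sorted unique (prefix, origin, origin
    registrant, allocation holder) tuples.
    """
    found = set()
    for prefix, path in routes:
        origin = collapse_prepends(path)[-1]
        net = ipaddress.ip_network(prefix)
        alloc = covering_allocation(str(net.network_address), allocations)
        if alloc is None:
            continue
        holder = allocations[alloc]
        owner = asn_owners.get(origin, f"AS{origin} (unregistered)")
        if holder != owner:
            found.add((prefix, origin, owner, holder))
    return sorted(found)


def upstreams_of(origin, routes):
    """Count ASNs adjacent to `origin` in the collected paths.

    From a route collector's vantage point the AS next to the origin is almost
    always the origin's transit provider, but strictly it is only a neighbour;
    the count says how many collected routes passed through each.
    """
    seen = Counter()
    for _prefix, path in routes:
        path = collapse_prepends(path)
        if len(path) >= 2 and path[-1] == origin:
            seen[path[-2]] += 1
    return seen


if __name__ == "__main__":
    for prefix, origin, owner, holder in allocation_mismatches(ROUTES, ALLOCATIONS, ASN_OWNERS):
        print(f"{prefix}: allocated to {holder!r}, announced by AS{origin} ({owner})")
    print("46.244.10.26 announced by:", announcing_origins("46.244.10.26", ROUTES))
    for asn, n in upstreams_of(51088, ROUTES).most_common():
        print(f"AS51088 neighbour AS{asn} ({ASN_OWNERS.get(asn, '?')}): {n} route(s)")
```

With real data the inputs would come from a RIPE database dump and a route collector's RIB; the point of the check is the same, and the caveat in `upstreams_of` is the one to remember: adjacency in an AS path is evidence of a provider relationship, not proof of one.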

My attempts to contact A2B and DataHouse were unsuccessful.

Who's next up the chain? Who does A2B get their bandwidth from? There are two principal providers: Tata Communications and Inteliquent. My attempts to contact Inteliquent were unsuccessful, but I got through to Tata Communications. They provided a statement:

"Tata Communications has AUP (Acceptable Use Policy) which governs the use of our services including Internet Access. We regularly monitor our Internet Backbone and make sure the traffic behaviour of our direct connected customer is in compliance with our AUP. We cannot comment on individual cases, but Tata Communications will perform necessary action to mitigate the situation which includes DDoS attack, spam and other malicious action listed in the AUP."

This isn't surprising: the implied position is "they're not our customer, they're our customer's customer." It's also not enough. It allows any ISP to evade responsibility for a customer's actions even when the intermediary between them exists only on paper. At least they say they'll follow up, but it can't end there.

It's worth noting, as I mentioned above, that CyberBunker is vaguely denying the charges and A2B is claiming that they haven't received sufficient documentation from Spamhaus to shut down CyberBunker. I don't have the data on which Spamhaus relied to blacklist A2B. I am more inclined to trust their statements than I am CyberBunker's. And there is other evidence against CyberBunker. For example, Rand says "Trend Micro has numerous listings for the address space allocated to CB3ROB/CyberBunker on our anti-spam services, as we have spam on file for these address ranges." ("CB3ROB Ltd." is given as a name in RIPE records for networks used by CyberBunker.)

If anything is to be done about companies like CyberBunker, it has to be done by companies like Tata Communications and Inteliquent. What would cause them to step up?
