
Perimeter

3/28/2013 02:34 PM
Larry Seltzer
Commentary

Who Supplies CyberBunker?

The hosting company behind CyberBunker, the company allegedly behind the DDoS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on those upstream providers.

Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be.

Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, operator of one of the most widely used DNSBLs (DNS-based Blackhole Lists: services that publish lists of IP addresses of hosts known to send spam), called them on it, and when CyberBunker's direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put A2B's network on the SBL. That's when things got really ugly: attackers, claiming to be acting on CyberBunker's behalf, conducted a major DDoS against Spamhaus and its hosts.

You might think that this is obviously a case for law enforcement, or that maybe we should just send in the marines, but it turns out that the authorities are largely ineffective in such cases. Law enforcement takes down attackers rarely enough that it makes news when it happens, and it doesn't happen much. And the laws are not at all universal: what CyberBunker and A2B are doing may not even be against the law in the Netherlands. The only thing that will move these companies is market and media pressure.

I was talking to Dave Rand, Technical Fellow at Trend Micro. Rand is a pioneer of many Internet technologies, DNSBLs among them. He reminded me of another situation which could be instructive for this one.

Back in late 2008, the world volume of spam dropped precipitously for a while after McColo, a dirty Web hosting provider, was cut off from the Internet by its upstream service providers, Global Crossing and Hurricane Electric. McColo was infamous in security circles, but it was only after Brian Krebs of the Washington Post contacted Global Crossing and Hurricane Electric that they cut off service.

So the answer would seem to be to get CyberBunker's upstream providers to shut them off. Who are these providers? There's a bit of dispute over that, but I think it's pretty clear.

Looking at Internet routing data with the help of Dave Rand, we see that CyberBunker's IP addresses are part of ASN 51088 which, as I mention above, is registered to A2B Internet BV, a Dutch ISP. A2B is in the thick of this and, while their own Web page seems derelict, they do defend themselves on a web page put up by CyberBunker calling out Spamhaus for "blackmail." Interestingly, on this page Erik Bais, a director at A2B Internet, is quoted as saying: "CyberBunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses)..."

Who is DataHouse? They appear to be a Dutch colocation company. The routing information suggests that DataHouse is either a customer of A2B or a closely related organization. The IP block 217.67.224.0/19 is allocated by RIPE (the European IP registry) to DataHouse, but it is announced by A2B in the routing system. In any case, CyberBunker.com itself is currently pointing to 46.244.10.26, which is not a DataHouse address but an A2B address.

My attempts to contact A2B and DataHouse were unsuccessful.

Who's next up the chain? Who does A2B get their bandwidth from? There are two principal providers: Tata Communications and Inteliquent. My attempts to contact Inteliquent were unsuccessful, but I got through to Tata Communications. They provided a statement:

Tata Communications has an AUP (Acceptable Use Policy) which governs the use of our services including Internet Access. We regularly monitor our Internet Backbone and make sure the traffic behaviour of our directly connected customers is in compliance with our AUP. We cannot comment on individual cases, but Tata Communications will perform necessary action to mitigate the situation, which includes DDoS attack, spam and other malicious action listed in the AUP.

This isn't surprising. The message, in effect, is: they're not our customer, they're our customer's customer. It's also not enough. It allows, for example, any ISP to evade responsibility for a customer's actions even if the intermediary between them exists only on paper. At least they say they'll follow up, but it can't end there.

It's worth noting, as I mentioned above, that CyberBunker is vaguely denying the charges and A2B is claiming that they haven't received sufficient documentation from Spamhaus to shut down CyberBunker. I don't have the data on which Spamhaus relied to blacklist A2B. I am more inclined to trust Spamhaus's statements than I am CyberBunker's. And there's other evidence against CyberBunker. For example, Rand says: "Trend Micro has numerous listings for the address space allocated to CB3ROB/CyberBunker on our anti-spam services, as we have spam on file for these address ranges." ("CB3ROB Ltd." is given as a name in RIPE records for networks used by CyberBunker.)

If anything is to be done about companies like CyberBunker, it has to be done by companies like Tata Communications and Inteliquent. What would cause them to step up?
