
3/28/2013
02:34 PM
Larry Seltzer
Commentary

Who Supplies CyberBunker?

The hosting company behind CyberBunker, the company allegedly behind the DDoS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on the upstream providers.

Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be.

Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, one of the most widely used DNSBLs (DNS-based Blackhole Lists, services that publish lists of IP addresses of hosts known to send spam), called them on it. When CyberBunker's direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put A2B's network on the SBL (Spamhaus Block List), and that's when things got really ugly: attackers, claiming to act on CyberBunker's behalf, conducted a major DDoS against Spamhaus and its hosts.

You might think that this is obviously a case for law enforcement, or maybe that we should just send in the marines, but it turns out that the authorities are largely ineffective in such cases. Law-enforcement takedowns of attackers are rare enough that each one makes news, and you don't hear about many. And the laws are far from universal: what CyberBunker and A2B are doing may not even be against the law in the Netherlands. The only thing that will move these companies is market and media pressure.

I was talking to Dave Rand, Technical Fellow at Trend Micro. Rand is a pioneer of many Internet technologies, DNSBLs among them. He reminded me of another situation which could be instructive for this one.

Back in late 2008, the world volume of spam dropped precipitously for a while after McColo, a dirty Web hosting provider, was cut off from the Internet by its upstream service providers, Global Crossing and Hurricane Electric. McColo had long been infamous in security circles, but it was only after Brian Krebs, then of the Washington Post, contacted Global Crossing and Hurricane Electric that they cut off service.

So the answer would seem to be to get CyberBunker's upstream providers to shut them off. Who are these providers? There's a bit of dispute over that, but I think it's pretty clear.

Looking at Internet routing data with the help of Dave Rand, we see that CyberBunker's IP addresses are part of ASN 51088, which is registered to A2B Internet BV, the Dutch ISP mentioned above. A2B is in the thick of this and, while their own Web page seems derelict, they do defend themselves on a web page put up by CyberBunker that accuses Spamhaus of "blackmail." Interestingly, on this page Erik Bais, a director at A2B Internet, is quoted as saying: "CyberBunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses)..."

Who is DataHouse? They appear to be a Dutch colocation company. The routing information suggests that DataHouse is either a customer of A2B or a closely related organization: the IP block 217.67.224.0/19 is allocated by RIPE NCC (the European regional Internet registry) to DataHouse, but it is announced by A2B in the global routing table. In any case, CyberBunker.com itself currently resolves to 46.244.10.26, which is an A2B address, not a DataHouse one.
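The three checks made in this paragraph and the next (which announced prefix covers an address, whether the RIR holder of that prefix is the same organization as its origin AS, and which ASes sit one hop above that origin in the AS path) can be scripted over a route-collector dump. The script below is an added illustration, not the article's analysis and not code from any of the companies named; it runs on a constructed BGP table and a constructed allocation table. AS51088, 217.67.224.0/19 and 46.244.10.26 come from the article; every other ASN (documentation ASNs from RFC 5398), prefix and organization name is a placeholder. The generalization beyond the article is that the same longest-prefix and AS-path walk applies to any address.

```python
"""Trace who announces an IP block and who carries the announcement upstream.

Added example on constructed data; not from the original article. The RIB
entries mimic what a route collector (RouteViews, RIPE RIS) exports; the
allocation table mimics what a RIPE Database whois lookup returns.
"""
import ipaddress

# Constructed RIB: (prefix, AS_PATH as seen by the collector; origin is last).
# Only AS51088 and 217.67.224.0/19 are from the article.
SAMPLE_RIB = [
    ("217.67.224.0/19", [64496, 64497, 51088]),
    ("217.67.224.0/19", [64498, 64499, 51088, 51088]),  # AS_PATH prepending
    ("46.244.8.0/22",   [64496, 64497, 51088]),          # constructed /22 covering 46.244.10.26
    ("46.244.8.0/22",   [64498, 64499, 51088]),
    ("217.67.0.0/16",   [64496, 64500, 64501]),          # less specific, unrelated origin
]

# Constructed RIR allocation table: prefix -> holder (placeholder names).
SAMPLE_ALLOCATIONS = {
    "217.67.224.0/19": "DATAHOUSE-PLACEHOLDER",
    "46.244.8.0/22":   "A2B-PLACEHOLDER",
    "217.67.0.0/16":   "OTHER-PLACEHOLDER",
}

# Constructed ASN -> organization map (placeholder names).
ASN_ORG = {
    51088: "A2B-PLACEHOLDER",
    64497: "TRANSIT-A-PLACEHOLDER",
    64499: "TRANSIT-B-PLACEHOLDER",
    64501: "OTHER-PLACEHOLDER",
}


def _collapse(path):
    """Drop consecutive duplicate ASNs so prepending does not create fake hops."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def longest_match(ip, rib=SAMPLE_RIB):
    """Most specific announced prefix that covers ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, _ in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def origin_asns(prefix, rib=SAMPLE_RIB):
    """Set of ASNs originating prefix (last ASN of each path for it)."""
    return {_collapse(path)[-1] for p, path in rib if p == prefix}


def upstreams(asn, rib=SAMPLE_RIB):
    """ASNs adjacent to asn on the collector side of any AS path.

    Adjacency shows who carried the announcement; on its own it does not
    prove a paid transit relationship rather than peering.
    """
    found = set()
    for _, path in rib:
        path = _collapse(path)
        for i in range(1, len(path)):
            if path[i] == asn:
                found.add(path[i - 1])
    return found


def allocation_mismatch(prefix, rib=SAMPLE_RIB,
                        allocations=SAMPLE_ALLOCATIONS, asn_org=ASN_ORG):
    """True when the RIR holder is not the organization behind any origin ASN.

    This is the 'allocated to one party, announced by another' pattern.
    """
    holder = allocations.get(prefix)
    origin_orgs = {asn_org.get(a) for a in origin_asns(prefix, rib)}
    return holder is not None and holder not in origin_orgs


def trace(ip):
    """Prefix, origin ASN(s), one-hop upstream ASN(s) and mismatch flag for ip."""
    prefix = longest_match(ip)
    origins = origin_asns(prefix)
    ups = set()
    for a in origins:
        ups |= upstreams(a)
    return {"prefix": prefix, "origins": origins,
            "upstreams": ups, "mismatch": allocation_mismatch(prefix)}


if __name__ == "__main__":
    for ip in ("46.244.10.26", "217.67.230.1"):
        print(ip, trace(ip))
```

Against live data the RIB rows come from a route-collector dump and the holder from a whois lookup against the RIPE Database; the script's logic is unchanged. The one caveat worth keeping in mind is the one in `upstreams`: an AS_PATH tells you who propagated a route, and a contract question (customer versus peer) needs a second source.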

My attempts to contact A2B and DataHouse were unsuccessful.

Who's next up the chain? Who does A2B get its bandwidth from? There are two principal upstream providers: Tata Communications and Inteliquent. My attempts to contact Inteliquent were unsuccessful, but I got through to Tata Communications. They provided a statement:

Tata Communications has an AUP (Acceptable Use Policy) which governs the use of our services, including Internet access. We regularly monitor our Internet backbone and make sure the traffic behaviour of our directly connected customers is in compliance with our AUP. We cannot comment on individual cases, but Tata Communications will perform the necessary action to mitigate the situation, which includes DDoS attacks, spam and other malicious actions listed in the AUP.

This isn't surprising; the position amounts to "they're not our customer, they're our customer's customer." It's also not enough. It lets any ISP evade responsibility for a customer's actions even when the intermediary between them exists only on paper. At least they say they'll follow up, but it can't end there.

It's worth noting, as I mentioned above, that CyberBunker is vaguely denying the charges and A2B is claiming that they haven't received sufficient documentation from Spamhaus to shut down CyberBunker. I don't have the data on which Spamhaus relied to blacklist A2B. I am more inclined to trust their statements than I am CyberBunker's. And there's other evidence against CyberBunker: For example, Rand says "Trend Micro has numerous listings for the address space allocated to CB3ROB/CyberBunker on our anti-spam services, as we have spam on file for these address ranges." ("CB3ROB Ltd." is given as a name in RIPE records for networks used by CyberBunker.)

If anything is to be done about companies like CyberBunker, it has to be done by companies like Tata Communications and Inteliquent. What would cause them to step up?
