
Perimeter

3/28/2013
02:34 PM
Larry Seltzer
Commentary

Who Supplies CyberBunker?

The hosting company behind CyberBunker, the company allegedly behind the DDoS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on the upstream providers.

Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be.

Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, one of the most popular DNSRBLs (DNS-based Blackhole Lists, services that publish lists of IP addresses of hosts known to send spam), called them on it, and when their direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put A2B's network on the SBL (Spamhaus Block List). That's when things got really ugly: attackers, claiming to be acting on CyberBunker's behalf, conducted a major DDoS attack against Spamhaus and its hosts.

You might think that this is obviously a case for law enforcement, or maybe that we should just send in the marines, but it turns out that the authorities are largely ineffective in such cases. It's rare enough for law enforcement to take down attackers that you hear about it when it happens, and you don't hear about it much. And the laws are not at all universal: what CyberBunker and A2B are doing may not even be against the law in the Netherlands. The only thing that will move these companies is market and media pressure.

I was talking to Dave Rand, Technical Fellow at Trend Micro. Rand is a pioneer of many Internet technologies, DNSBLs among them. He reminded me of another situation which could be instructive for this one.

Back in late 2008, the world volume of spam dropped precipitously for a while after McColo, a dirty Web hosting provider, was cut off the Internet by their upstream service providers (Global Crossing and Hurricane Electric). McColo was infamous in security circles but after Brian Krebs of the Washington Post contacted Global Crossing and Hurricane Electric, they cut off service.

So the answer would seem to be to get CyberBunker's upstream providers to shut them off. Who are these providers? There's a bit of dispute over that, but I think it's pretty clear.

Looking at Internet routing data with the help of Dave Rand, we see that CyberBunker's IP addresses are part of ASN 51088, which is registered to A2B Internet BV, the Dutch ISP mentioned above. A2B is in the thick of this and, while their own Web page seems derelict, they do defend themselves on a Web page put up by CyberBunker calling out Spamhaus for "blackmail." Interestingly, on this page Erik Bais, a director at A2B Internet, is quoted as saying: "CyberBunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses)..."

Who is DataHouse? They appear to be a Dutch colocation company. The routing information suggests that DataHouse is either a customer of A2B or a closely related organization. The IP block 217.67.224.0/19 is allocated by RIPE (the European IP registry) to DataHouse, but it is announced by A2B in the routing system. In any case, CyberBunker.com itself currently points to 46.244.10.26, which is not a DataHouse address but an A2B address.
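The allocation-versus-announcement distinction in the two paragraphs above (a block that RIPE lists under DataHouse but that A2B's ASN announces, with A2B's transit providers being the networks that can actually act) can be checked mechanically. The following is an added example, not code from the article or from any company it names; the registry and routing tables are constructed, the 46.244.0.0/16 prefix is a hypothetical stand-in for A2B's own allocation, and the upstream ASNs are RFC 5398 documentation numbers because the article gives only ASN 51088.

```python
import ipaddress

# Constructed sample data modelled on the article; not real registry or BGP output.
# RIPE-style allocations: prefix -> organisation holding the allocation.
ALLOCATIONS = {
    "217.67.224.0/19": "DataHouse",      # allocation stated in the article
    "46.244.0.0/16": "A2B Internet BV",  # hypothetical prefix covering 46.244.10.26
}
# Routing-table view: prefix -> origin ASN announcing it (51088 is from the article).
ANNOUNCEMENTS = {"217.67.224.0/19": 51088, "46.244.0.0/16": 51088}
# ASN operators and transit providers. 64496/64497 are RFC 5398 documentation
# ASNs standing in for the upstreams' real ASNs, which the article does not give.
AS_OWNER = {51088: "A2B Internet BV", 64496: "Tata Communications", 64497: "Inteliquent"}
UPSTREAMS = {51088: [64496, 64497]}


def longest_match(ip, table):
    """Return the most specific prefix in `table` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def trace_responsibility(ip):
    """Map an address to its allocation holder, announcing network and transit chain.
    'indirect' flags the article's situation: a block allocated to one organisation
    but announced under another's ASN, so abuse complaints must go to the announcer."""
    announced = longest_match(ip, ANNOUNCEMENTS)
    if announced is None:
        return None  # not routed in the constructed table
    asn = ANNOUNCEMENTS[str(announced)]
    allocated = longest_match(ip, ALLOCATIONS)
    holder = ALLOCATIONS[str(allocated)] if allocated else "unknown"
    announcer = AS_OWNER.get(asn, f"AS{asn}")
    return {
        "allocated_to": holder,
        "announced_by": announcer,
        "origin_asn": asn,
        "indirect": holder != announcer,
        "upstreams": [AS_OWNER[u] for u in UPSTREAMS.get(asn, [])],
    }
```

With real data the same logic would be fed from RIPE's whois output and a BGP looking-glass or route-collector dump; the constructed tables only stand in for those sources.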

My attempts to contact A2B and DataHouse were unsuccessful.

Who's next up the chain? Who does A2B get their bandwidth from? There are two principal providers: Tata Communications and Inteliquent. My attempts to contact Inteliquent were unsuccessful, but I got through to Tata Communications. They provided a statement:

Tata Communications has an AUP (Acceptable Use Policy) which governs the use of our services, including Internet access. We regularly monitor our Internet backbone and make sure the traffic behaviour of our directly connected customers is in compliance with our AUP. We cannot comment on individual cases, but Tata Communications will perform the necessary action to mitigate the situation, which includes DDoS attacks, spam and other malicious actions listed in the AUP.

This isn't surprising. The message is: they're not our customer, they're our customer's customer. It's also not enough. It allows, for example, any ISP to evade responsibility for a customer's actions even if the intermediary between them exists only on paper. At least they say they'll follow up, but it can't end there.

It's worth noting, as I mentioned above, that CyberBunker is vaguely denying the charges and A2B is claiming that they haven't received sufficient documentation from Spamhaus to shut down CyberBunker. I don't have the data on which Spamhaus relied to blacklist A2B. I am more inclined to trust their statements than I am CyberBunker's. And there's other evidence against CyberBunker: for example, Rand says "Trend Micro has numerous listings for the address space allocated to CB3ROB/CyberBunker on our anti-spam services, as we have spam on file for these address ranges." ("CB3ROB Ltd." is given as a name in RIPE records for networks used by CyberBunker.)

If anything is to be done about companies like CyberBunker, it has to be done by companies like Tata Communications and Inteliquent. What would cause them to step up?
