3/28/2013 02:34 PM
Larry Seltzer
Commentary

Who Supplies CyberBunker?

The hosting company behind CyberBunker, the company allegedly behind the DDoS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on the upstream providers.

Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be.

Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, one of the most popular DNSRBLs (DNS-based Blackhole Lists, services that publish lists of IP addresses of hosts known to send spam), called them on it, and when CyberBunker's direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put A2B's network on the SBL. That's when things got really ugly: attackers, claiming to act on CyberBunker's behalf, conducted a major DDoS against Spamhaus and its hosts.

You might think that this is obviously a case for law enforcement, or maybe that we should just send in the Marines, but it turns out that the authorities are largely ineffective in such cases. It's rare enough for law enforcement to take down attackers that you hear about it when it happens, and you don't hear much. And the laws are not at all universal: what CyberBunker and A2B are doing may not even be against the law in the Netherlands. The only thing that will move these companies is market and media pressure.

I was talking to Dave Rand, Technical Fellow at Trend Micro. Rand is a pioneer of many Internet technologies, DNSBLs among them. He reminded me of another situation which could be instructive for this one.

Back in late 2008, the world volume of spam dropped precipitously for a while after McColo, a dirty Web hosting provider, was cut off the Internet by their upstream service providers (Global Crossing and Hurricane Electric). McColo was infamous in security circles but after Brian Krebs of the Washington Post contacted Global Crossing and Hurricane Electric, they cut off service.

So the answer would seem to be to get CyberBunker's upstream providers to shut them off. Who are these providers? There's a bit of dispute over that, but I think it's pretty clear.

Looking at Internet routing data with the help of Dave Rand, we see that CyberBunker's IP addresses are part of ASN 51088, which is registered to A2B Internet BV, the Dutch ISP mentioned above. A2B is in the thick of this and, while their own Web page seems derelict, they do defend themselves on a web page put up by CyberBunker that calls out Spamhaus for "blackmail." Interestingly, on this page Erik Bais, a director at A2B Internet, is quoted as saying: "CyberBunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses)..."

Who is DataHouse? They appear to be a Dutch colocation company. The routing information suggests that DataHouse is either a customer of A2B or a closely related organization: the IP block 217.67.224.0/19 is allocated by RIPE (the European IP registry) to DataHouse, but it is announced by A2B in the routing system. In any case, CyberBunker.com itself currently points to 46.244.10.26, which is an A2B address, not a DataHouse one.
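The check described in the two paragraphs above (which AS originates the route covering an address, who the registry says holds the block, and whether those two disagree) is easy to reproduce once you have a routing-table snapshot and the registry's allocation records. The script below is an added example, not part of the original column and not code from Dave Rand or Trend Micro. It runs over a constructed, in-memory routing table and allocation list rather than live BGP or RIPE data: the prefix 217.67.224.0/19, the address 46.244.10.26 and ASN 51088 (A2B Internet BV) come from the column; the covering prefix 46.244.0.0/17 and the transit ASNs 64500 and 64501 (documentation ASNs from RFC 5398) are placeholders standing in for values the column does not give.

```python
import ipaddress

# ---- Constructed sample data (not real routing or registry data) ----
# ASN 51088 is A2B Internet BV, as stated in the column. 64500 and 64501
# are RFC 5398 documentation ASNs used as placeholders for unnamed transit
# providers, and 46.244.0.0/17 is a constructed covering prefix for
# 46.244.10.26. Each AS path ends with the origin AS.
ROUTING_TABLE = [
    {"prefix": "217.67.224.0/19", "as_path": [64500, 51088]},
    {"prefix": "46.244.0.0/17",   "as_path": [64501, 51088]},
]

# Constructed registry (RIR) allocation records: block -> holder name.
RIR_ALLOCATIONS = {
    "217.67.224.0/19": "DataHouse",
    "46.244.0.0/17":   "A2B Internet BV",
}

# Who each ASN is registered to (51088 from the column; the rest placeholders).
ASN_HOLDERS = {
    51088: "A2B Internet BV",
    64500: "transit-provider-1 (placeholder)",
    64501: "transit-provider-2 (placeholder)",
}


def longest_match(ip, prefixes):
    """Return the most specific prefix in `prefixes` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def attribute(ip, table=ROUTING_TABLE, allocations=RIR_ALLOCATIONS, holders=ASN_HOLDERS):
    """Combine the routing view and the registry view for one address.

    The interesting output is `announcer_differs_from_holder`: True when the
    registry says one organisation holds the block but a different organisation's
    ASN is announcing it, which is exactly the DataHouse/A2B situation above.
    """
    routes = {e["prefix"]: e for e in table}
    announced = longest_match(ip, routes)
    if announced is None:
        return None  # address is not routed in this snapshot
    path = routes[str(announced)]["as_path"]
    origin = path[-1]
    allocated = longest_match(ip, allocations)
    holder = allocations[str(allocated)] if allocated is not None else None
    return {
        "ip": ip,
        "announced_prefix": str(announced),
        "origin_asn": origin,
        "origin_holder": holders.get(origin, "unknown"),
        "allocated_prefix": str(allocated) if allocated is not None else None,
        "allocated_to": holder,
        "announcer_differs_from_holder": holder is not None and holder != holders.get(origin),
        # The AS immediately before the origin is the origin's direct transit provider.
        "immediate_upstream": path[-2] if len(path) > 1 else None,
    }


def upstreams_of(asn, table=ROUTING_TABLE):
    """Every ASN that appears directly before `asn` in any AS path, i.e. the
    transit providers through which `asn`'s prefixes reach the rest of the Internet."""
    found = set()
    for e in table:
        path = e["as_path"]
        for i in range(1, len(path)):
            if path[i] == asn:
                found.add(path[i - 1])
    return found


if __name__ == "__main__":
    for ip in ("217.67.240.5", "46.244.10.26"):
        print(attribute(ip))
    print("transit providers of AS51088:", sorted(upstreams_of(51088)))
```

With real data you would replace `ROUTING_TABLE` with a snapshot from a route collector and `RIR_ALLOCATIONS` with the registry's inetnum records; the logic stays the same. The point of the `upstreams_of` function is the "who's next up the chain" question: the ASNs it returns are the providers whose abuse desks are in a position to act when the origin AS will not.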

My attempts to contact A2B and DataHouse were unsuccessful.

Who's next up the chain? Who does A2B get their bandwidth from? There are two principal providers: Tata Communications and Inteliquent. My attempts to contact Inteliquent were unsuccessful, but I got through to Tata Communications. They provided a statement:

Tata Communications has an AUP (Acceptable Use Policy) which governs the use of our services, including Internet Access. We regularly monitor our Internet Backbone and make sure the traffic behaviour of our directly connected customers is in compliance with our AUP. We cannot comment on individual cases, but Tata Communications will perform necessary action to mitigate the situation, which includes DDoS attack, spam and other malicious action listed in the AUP.

This isn't surprising; the implicit position is "they're not our customer, they're our customer's customer." It's also not enough. It allows, for example, any ISP to evade responsibility for a customer's actions even if the intermediary between them exists only on paper. At least they say they'll follow up, but it can't end there.

It's worth noting, as I mentioned above, that CyberBunker is vaguely denying the charges and A2B is claiming that they haven't received sufficient documentation from Spamhaus to shut down CyberBunker. I don't have the data on which Spamhaus relied to blacklist A2B, but I am more inclined to trust Spamhaus's statements than CyberBunker's. And there's other evidence against CyberBunker. For example, Rand says: "Trend Micro has numerous listings for the address space allocated to CB3ROB/CyberBunker on our anti-spam services, as we have spam on file for these address ranges." ("CB3ROB Ltd." is given as a name in RIPE records for networks used by CyberBunker.)

If anything is to be done about companies like CyberBunker, it has to be done by companies like Tata Communications and Inteliquent. What would cause them to step up?
