Spamhaus DDoS Attack Investigation Results in Arrest of Dutch Man

The suspect was arrested in Spain April 25 in connection with a massive distributed denial of service attack on the Web infrastructure of the Spamhaus organization that fights spam.

A 35-year-old man was arrested last week in Spain in connection with the massive distributed denial-of-service (DDoS) attack on Spamhaus in March.

The suspect was identified by authorities only as a Dutchman with the initials "SK," though he has been identified in reports as Sven Olaf Kamphuis, who has been tied to Cyberbunker, a Web hosting company that critics say does business with spammers and other cyber-criminals.

The arrest could be a significant break in the Spamhaus incident that some have called the biggest DDoS attack on record. The attack was initially directed at the infrastructure of Spamhaus, a non-profit organization dedicated to fighting spam.

Over the course of two weeks in March, the attacks escalated from targeting just Spamhaus' Websites, mail servers and name servers to targeting Spamhaus' supporting networks and services, including various Internet exchanges. By leveraging open DNS resolvers, the attackers were able to direct massive amounts of traffic at their targets. At its height, the attack is said by some to have peaked at an estimated 300 Gbps.

"The attacks against Spamhaus used what techies call 'DNS amplification'," blogged Paul Ducklin, Sophos' head of technology for Asia-Pacific. "This relied on your home firewall, or your router at work, being wrongly configured. The attackers could then exchange tiny packets of data with you, asking you to get DNS information from Spamhaus; you'd then convert that into a much larger exchange of data packets with Spamhaus itself," Ducklin wrote.

"By dispersing a few hundred bytes each to a few hundred misconfigured routers, the attackers could produce tens of megabytes of network traffic focused back onto [Spamhaus'] servers," he added.
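For operators of the resolvers involved, the misconfiguration shows up in query logs. The following is an added example, not part of the original article: a Python audit that finds sources outside the networks a resolver is meant to serve and measures how many bytes the resolver sent back to each. The log format, addresses (documentation ranges) and ratio threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not from the article). Fields: time, source IP,
# query name, query type, query size in bytes, response size in bytes.
SAMPLE_LOG = """\
12:00:01 192.168.1.10 www.example.org A 33 49
12:00:01 203.0.113.7 example.net ANY 36 3100
12:00:01 203.0.113.7 example.net ANY 36 3100
12:00:02 203.0.113.7 example.net ANY 36 3100
12:00:02 192.168.1.22 mail.example.org MX 34 90
12:00:03 198.51.100.9 www.example.com A 33 49
"""

def audit(log_text, served_nets, min_ratio=10.0):
    """Return {source_ip: stats} for sources outside served_nets.

    Any answered source outside the served networks means the resolver is
    open. A high response/query byte ratio toward such a source marks it as
    a likely reflection target, since the source address can be spoofed.
    """
    nets = [ipaddress.ip_network(n) for n in served_nets]
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        _, src, _, _, q_bytes, r_bytes = fields
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in nets):
            continue  # client the resolver is supposed to serve
        s = stats[src]
        s["queries"] += 1
        s["bytes_in"] += int(q_bytes)
        s["bytes_out"] += int(r_bytes)
    report = {}
    for src, s in stats.items():
        ratio = s["bytes_out"] / max(s["bytes_in"], 1)  # avoid divide-by-zero
        report[src] = {**s, "ratio": round(ratio, 1),
                       "likely_reflection": ratio >= min_ratio}
    return report

if __name__ == "__main__":
    for src, r in audit(SAMPLE_LOG, ["192.168.1.0/24"]).items():
        print(src, r)
```

Any entry in the report means recursion is being offered beyond the intended networks; restricting recursion to those networks removes the resolver from this kind of attack.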

According to Arbor Networks, which specializes in DDoS protection, the average size of DDoS attacks continues to grow every year. For example, the average attack size in 2012 was 1.48 Gbps, up more than 20 percent from 2011. In the first quarter of 2013, the average attack size jumped to 1.77 Gbps.

"Although volumetric DDoS attacks have grown in size over the past few years, the Spamhaus attack was definitely an outlier; however, attacks above 10 and even 20Gb/sec now occur multiple times per day somewhere in the world," blogged Darren Anstee, lead solution architect at Arbor Networks, April 22. "Every day hundreds, or even thousands, of attacks take place utilizing different attack vectors, having different levels of complexity and different motivations and resources behind them. For enterprise network operators, it is important to have a broad view of what is going on out there," Anstee wrote.

In the case of the Spamhaus attack, the suspect's house was searched at the request of the national prosecutor in Barcelona, and computers, mobile phones and other equipment were seized. The investigation was conducted in the Netherlands by the High Tech Crime Team.

According to authorities, there is no evidence the attack on Spamhaus is related to attacks on iDeal or DigiD that happened after the incident targeting Spamhaus. Nor is there any apparent connection to a series of attacks known as Operation Ababil, which has struck financial institutions as varied as American Express, Citibank and Bank of America in waves during the past several months.