Dutch Officials Nab Suspect In Spamhaus DDoS Attacks


A 35-year-old Dutchman was arrested in Spain in connection with the Distributed Denial of Service attacks aimed at antispam blacklisting service Spamhaus.

The National Office of Public Ministry in the Netherlands announced the arrest of a man it calls "SK," indicating the man was arrested on a European arrest warrant.

"[SK] is suspected of unprecedented heavy attacks on the nonprofit organization Spamhaus, where antispam databases are managed," according to a translated release issued by Dutch law enforcement officials. "[These] so-called DDoS attacks last month were also performed on Spamhaus partners in the United States, the Netherlands and Great Britain."


The high-profile Spamhaus DDoS attacks took place March 19 and made news globally for the massive scale of the traffic directed at the antispam service. The attacks are believed to be over a dispute between Spamhaus and Dutch company Cyberbunker, which had been added to the organization's blacklist.

The man is being transferred to the Dutch Public Prosecution Service. The attackers used forged IP addresses in the attacks, the release said. Police seized computers, data carriers and mobile phones from a house in Barcelona in connection with the arrest.

The arrest in Spain was made possible through Eurojust, a collaboration between judicial authorities within the European Union, the release said.

"There is no evidence that the attack on Spamhaus related to later deployed cyberattacks, among other banks, the payment system iDeal and DigiD," the law enforcement officials said.

Law enforcement authorities believe the man played a role in exploiting domain name system servers, part of the Internet's internal infrastructure, to bolster the attack size against Spamhaus. DNS reflection attacks are a common technique that produces a higher volume of traffic than leveraging a botnet to carry out a DDoS attack. The technique has been in play for about a decade and takes advantage of poorly configured DNS servers, according to anti-DDoS appliance maker Prolexic.

The Hollywood, Fla.-based firm, which tracks DoS attacks on its customer base, said the threat is increasing, fueled in part by freely available and easy-to-use automated tools. The ongoing DDoS campaigns against many U.S.-based banks and financial services have compounded the problem, Prolexic said.

Prolexic found the average attack bandwidth increasing from 5.9 Gbps to 48.25 Gbps in the first quarter of 2013. The average attack duration also shot up more than 7 percent to 34.5 hours, the firm said.

DDoS is typically used by hacktivists in an attempt to cripple a website to make a statement. Security experts told CRN the biggest threat comes from smaller, focused attacks.

Dell-SecureWorks, which issued its 2012 Threatscape Review report last week, found DDoS attacks being used by financially motivated cybercriminals. The security firm said it tracked fraudulent money wire transfers being made to banks located in Russia, Cyprus and China in connection with DDoS attacks designed to immobilize processes in place to oversee bank transfers.

PUBLISHED APRIL 30, 2013