On Friday, March 15, one of the largest cyberattacks ever hit the website of Spamhaus, a European antispam group. That evening a massive data stream began flooding its site and those of other victims at a pace that eventually peaked at 300 billion bits per second, several times the size of the attacks against the websites of U.S. banks in late December and early January. As Spamhaus’s website crashed, reports of the hack began lighting up the Web, as did concerns that its unprecedented size would overwhelm the Internet itself. The following Monday, still offline, Spamhaus reached out to CloudFlare, a San Francisco-based security company. Spamhaus was finally up and running by the end of that day.
The attack was payback for Spamhaus blacklisting a handful of accused spammers who were clients of a firm known as CyberBunker. The website for a digital hosting company called cb3rob claims to work out of a Cold War-era nuclear bunker somewhere in the Netherlands. Sven Olaf Kamphuis, 35, a self-described Internet activist affiliated with CyberBunker, took credit for helping orchestrate the siege. In a post on his Facebook page, Kamphuis accused Spamhaus of trying “to control the Internet through underhanded extortion tactics.”
In the days following the attack, pictures of CyberBunker’s headquarters started circulating online, as did details posted on its website of an attempted raid by a Dutch SWAT team, thwarted by the bunker’s blast-resistant doors. Kamphuis portrayed himself as a cyber supervillain, a digital Lex Luthor answerable to no one. As hacks go, this one didn’t want for theatricality. And in this age of shadowy groups like Anonymous and ubiquitous Chinese, Iranian, and Russian cyberattacks, Kamphuis’s Net provocateur act seemed all too plausible.
At the end of a tree-lined driveway in the small Dutch town of Goes sits a hulking gray bunker, a communications center built by the Dutch military in 1955. Its 60 rooms are mostly bare save for a few relics, including a cinderblock-size phone and a giant board that used to record nuclear attack alert levels across Europe. There’s no sign of the high-tech nerve center depicted on the CyberBunker website: no racks of supersecure servers; no underground swimming pool. No Sven Olaf Kamphuis either.
Photograph by Raimond Wouda for Bloomberg Businessweek
“It was all Photoshop,” says Guido Blaauw, general manager of the bunker’s current tenant, a company called Bunkerinfra Datacenters, which plans to turn the site into a data facility for corporate and government clients. The building was full of junk when Bunkerinfra started renovations two years ago. “It took us three months to clean it out,” Blaauw says. Kamphuis lived there for a few years in the early 2000s, subletting a room from its owner at that time. According to Blaauw, Kamphuis seized on the image of the bunker as a marketing tool to attract Russian and Chinese clients who wanted a secure place to host their websites. “It’s time to put an end to the fairy tale,” Blaauw says.
CyberBunker is what’s known in the Internet underworld as a bulletproof hosting service. It doesn’t keep server logs, so if law enforcement presents a subpoena, there’s no record of its clients’ activities. When security companies identify websites that allow music or videos to be shared illegally, many hosting companies will take them down. Not CyberBunker. Its critics say it attracts clients involved in potentially illegal activity, including copyright violators and the spammers clogging in-boxes worldwide.
Reached on a Spanish cell phone number listed on CyberBunker’s Internet domain registration, Kamphuis says he didn’t directly start the hack but admits he did help coordinate a group of Spamhaus’s various antagonists. When one offered to launch the attack, “none of us had any objection,” says Kamphuis. He also maintains that the company still has a server at the bunker.
After the Spamhaus assault, reporters’ queries were answered by e-mailed statements from Jordan Robson, identified on CyberBunker’s website as its general manager. According to Kamphuis, however, Robson doesn’t exist. He’s a “virtual entity,” invented to prevent would-be spies from penetrating company security.
Although it’s tempting to dismiss Kamphuis as a fabulist, the type of assault he helped inspire is quite serious. Called a distributed denial of service attack, such incursions typically involve commandeering a network of computers (known as a botnet) to inundate a website’s servers with phony data requests to disrupt or shut it down. The twist in this latest incident is that the attackers exploited the underlying technology that governs how the Internet functions, making the hack far more powerful.
The invaders sent thousands of communication requests, disguised as coming from Spamhaus, to the Internet’s domain name system, or DNS. That system translates website names into the Internet protocol addresses that computers use to look up and access sites. DNS has a design flaw that can be exploited by hackers: Sending a routine data request to a DNS server from one computer, the attacker can trick the system into sending a monster file of IP addresses back to the intended target—in this case Spamhaus. Multiply that by tens of thousands of computers under the hackers’ control, and the wall of data that flooded back was enormous.
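Seen from the operator of a DNS server being used this way, the pattern described above is many small requests that all claim one source address and draw far larger replies. The following is an added example, not part of the original article: a check over a resolver's query log, where the log layout, the thresholds and the addresses (documentation ranges) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (timestamp_s, claimed_source_ip, query_bytes, response_bytes)
QUERY_LOG = (
    # One claimed source, small queries, very large answers: reflection pattern.
    [(t, "203.0.113.10", 60, 3000) for t in range(8)]
    # Ordinary client: similar query rate, but answers are small.
    + [(t, "192.0.2.20", 60, 120) for t in range(6)]
    # Occasional large answers spread far apart in time: not a flood.
    + [(1, "198.51.100.5", 60, 3000), (30, "198.51.100.5", 60, 3000)]
)

def reflection_suspects(log, min_queries=5, min_ratio=10.0, window_s=10):
    """Flag claimed sources whose traffic in one time window looks reflected.

    A source is flagged when, inside a single window, it sent at least
    min_queries requests and the server returned at least min_ratio times
    more bytes than it received. Returns {source: (queries, ratio)} for the
    busiest qualifying window of each source.
    """
    # (source, window index) -> [query count, bytes received, bytes sent]
    buckets = defaultdict(lambda: [0, 0, 0])
    for ts, src, q_bytes, r_bytes in log:
        b = buckets[(src, ts // window_s)]
        b[0] += 1
        b[1] += q_bytes
        b[2] += r_bytes

    suspects = {}
    for (src, _window), (count, bytes_in, bytes_out) in buckets.items():
        if bytes_in == 0:
            continue  # malformed record; no ratio can be computed
        ratio = bytes_out / bytes_in
        if count >= min_queries and ratio >= min_ratio:
            if src not in suspects or count > suspects[src][0]:
                suspects[src] = (count, round(ratio, 1))
    return suspects

if __name__ == "__main__":
    for src, (count, ratio) in reflection_suspects(QUERY_LOG).items():
        print(f"{src}: {count} queries in one window, {ratio}x bytes returned")
```

The flagged address is the one the requests claim to come from, which in an attack like this is the target receiving the replies, so the useful response is to rate-limit or refuse answers toward it rather than to block it as a client.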
As big as the hit was, researchers have found very little evidence that it disrupted large portions of the Internet. “We have traffic from 180 countries, a pretty good global view, and we didn’t see any disruption,” says Michael Sutton, vice president of security research at Zscaler, a San Jose-based provider of cloud security services. “It may be the claims [by security firms] were simply exaggerated.”
CyberBunker’s trumped-up public image is all part of the game that hackers play. “A lot of hacker culture revolves around practices of parody, absurdity, play, and competition,” says Molly Sauter, a research fellow at Harvard’s Berkman Center for Internet & Society, where she studies anonymity in hacker culture. It’s about “the creation of a compelling, dramatic personal narrative and brand,” she says.
Dutch law enforcement authorities say they’re investigating the Spamhaus attack but would not give details. According to Blaauw, who says he regularly Skypes with Kamphuis, the activist fled Germany a few weeks ago, a step ahead of local tax authorities. Kamphuis is now in Barcelona, Blaauw says, sleeping in a storage container. Kamphuis wouldn’t describe his living quarters.
The bottom line: A recent cyberattack with a data stream that peaked at 300 billion bits per second alarmed some cybersecurity experts.