Police in Barcelona, Spain, arrested a Dutch man on Friday at the request of Netherlands police, who say he launched "unprecedented heavy attacks on the non-profit organization Spamhaus," which tracks the Internet's worst spammers.
Dutch prosecutors identified the suspect as S.K., and some news outlets reported his name as Sven Olaf Kamphuis, 35. He is expected to be sent to the Netherlands.
Kamphuis had previously been identified as a spokesman for CyberBunker, which is accused of a massive distributed denial of service attack against Spamhaus in late March. CyberBunker was on the Spamhaus list of notorious spammers and supposedly launched the DDoS attacks in retaliation.
The attacks, which made use of legitimate Internet DNS servers to flood systems with spurious traffic, slowed large portions of the Internet, and at the time was called the biggest cyberattack in history.
Some security researchers later questioned whether CyberBunker's move was just a public-relations stunt. Others say this signals the beginning of a new wave of such attacks.
Good News, Bad News
David Britton, vice president of Industry Solutions at 41st Parameter, said there is good news and bad news with the arrest. The good news is that the authorities may have removed one perpetrator from the mix. The bad news is that there are many more out there who are acting with impunity.
"I believe that we may have been lucky in this case, but we cannot rely on reactive measures to stop these attacks," Britton said. "We must be putting layers in place to prevent them from disrupting business on the front end."
Britton also pointed to DDoS attacks being used to create a diversion within the financial services industry. He offers an example: While the sites are down, fraudsters will submit a large number of wire transfers so when the site is back up the system is overloaded with pending transactions, and they are forced to process them without running the proper fraud screening.
"With the increased volume of these types of sophisticated attacks, and the sheer size of the attacks, it is clear that organizations must use all tools at their disposal to fend off attackers," Britton told us. "This includes not just the traditional firewall systems that must be in place, but leveraging tools that can also deflect the traffic that is being routed at the application layer, designed to simulate legitimate application traffic."
ISP Involvement Needed
Alex Horan, a senior product manager at Core Security, said the levels of data sent in this DDoS attack were some of the highest ever seen. And, he added, if that is a sign of the levels that are possible in the future, organizations need to revisit how they expected to handle a DDoS attack against their servers.
"The fact is they cannot be expected to handle it alone. The key is to move attack detection and defense as close to the attacking machines as possible," Horan told us. "Ideally, the ISPs of the attacking parties, most of whom probably don't even know their compromised machines are participating in the attack, would drop the traffic before it even gets out onto the Internet proper. The further onto the Internet this traffic gets, the greater an effect it has."
As Horan sees it, ISPs should do this -- and potentially the legislative bodies of the countries they reside on, to take proactive action. They must analyze and filter this traffic in response to requests by the ISPs hosting the servers being attacked. Until there is this coordinated response, he said, DDoS attacks will keep being a threat to legitimate servers on the Internet.