Dec 20, 2010 17:58 GMT  ·  By

The Spamhaus Project, one of the world's leading anti-spam outfits, was the target of a distributed denial of service (DDoS) attack this weekend after it publicly outed a Russian hosting provider harboring cybercriminal operations.

Last Tuesday, the organization issued a warning about a WikiLeaks mirror website, wikileaks.info, which was hosted inside the IP space of Webalta (Wahome), a well known "bulletproof" hosting company used by Russian cybercriminals.

A dispute about the significance of this aspect ensued between Spamhaus and the wikileaks.info owners, with the latter explaining that they chose this provider because it is resilient to takedowns, a problem that has affected WikiLeaks lately.

On Saturday, the www.spamhaus.org website was hit by a moderate 2.1 Gbps DDoS attack and in first instance it was assumed that Anonymous, whose IRC server is also hosted at Webalta, was responsible.

However, a more detailed analysis of the rogue traffic revealed that it didn't match the type of requests sent by the Low Orbit Ion Canon (LOIC) DDoS tool normally used by the hacktivist group.

"The attack against us consists of UDP and Syn flood packets, which are not the profile of the *OIC tools. In addition, in some semi-private forums AnonOps members have denied responsibility for the DDoS," Spamhaus notes in an update posted on its website.

"They have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about," the organization adds.

The other reasonable explanation is that the attack was launched by cyber criminals who did not appreciate the media attention resulting from Spamhaus' wikileaks.info story.

"When one hosts malware, Zeus/SpyEye and other botnet command and control (C&C) servers, phish sites and 'backends', child pornography sites, and other types of abusive web sites, avoiding attention is a must," Spamhaus explains, expressing its hope that Russian authorities will now take a closer look at Webalta.