BlueSecurity Fall-Out Reveals Larger Problem 366

Posted by CowboyNeal
from the continuing-sagas dept.
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations, came under a DNS amplification attack that brought down thousands of sites. While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism, and from what has been reported so far the terrorists clearly have the upper hand."
  • Re:weakest link (Score:2, Informative)

    by rmallico (831443) on Thursday May 18, 2006 @06:37PM (#15361893) Homepage
    I think you missed the part where they mention the attackers take over poorly configured DNS servers on the internet to send bogus requests to/through...
  • by Anonymous Coward on Thursday May 18, 2006 @06:39PM (#15361902)
    BIND when used correctly can foil/hamper these DNS attacks from occurring.
    Any tool improperly used can possibly cause problems.
    This is a proper way to secure a BIND nameserver.
    An example would be in your bind named.conf adding an acl section and adding to section options.

    //add your trusted networks
    acl "trusted_queries" { 127.0.0.1; 192.168.1.0/24; some.ip.network.outthere/8; };
    acl "trusted_recursion" { 127.0.0.1; 192.168.1.0/24; some.ip.network.outthere/8; };

    options {
        //every element of an address match list, including an acl name, ends with a semicolon
        allow-query { "trusted_queries"; };
        allow-recursion { "trusted_recursion"; };
        version "no version"; //protect your nameserver version
    };
    //and for your zones just add allow-query any
    zone "some.zone.com" IN {
        type master;
        file "pri/some.zone.com.zone";
        allow-query { any; }; //allow legitimate nameservers to get host info
    };
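    An added example (my own code, not the poster's and not part of BIND) that audits the setting the comment above describes: it parses the acl and allow-recursion statements from a named.conf fragment and reports whether a given client would be served recursively. The two sample configs embedded in it are constructed; the first mirrors the one posted above.

```python
"""Added example (not from the thread or from BIND): decide whether a BIND
named.conf fragment grants recursion to a given client address.

Serving recursion to the whole Internet is what lets a resolver be used as an
amplifier for spoofed queries, so this is the setting to audit."""
import ipaddress
import re

# Constructed sample configs; the first mirrors the one posted above.
SAMPLE_CONF = """
acl "trusted_recursion" { 127.0.0.1; 192.168.1.0/24; 10.0.0.0/8; };
options {
    allow-recursion { "trusted_recursion"; };
};
"""
OPEN_CONF = 'options { allow-recursion { any; }; };'

def _elements(body):
    return [e.strip().strip('"') for e in body.split(';') if e.strip()]

def parse_acls(conf):
    """Return {acl_name: [elements]} for every acl statement in conf."""
    return {name: _elements(body) for name, body in
            re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf)}

def allow_recursion_elements(conf):
    """Elements of allow-recursion. A missing clause is treated as 'any':
    BIND versions current in 2006 recursed for everyone by default, and the
    conservative assumption is the right one for an audit."""
    m = re.search(r'allow-recursion\s*\{([^}]*)\}', conf)
    return _elements(m.group(1)) if m else ['any']

def match_list(elements, ip, acls):
    """BIND address-match-list semantics: first match wins, a '!'-prefixed
    element that matches denies, a named acl is expanded in place
    (negation inside nested acls is simplified here)."""
    for e in elements:
        negate, e = e.startswith('!'), e.lstrip('!').strip()
        if e in acls:
            hit = match_list(acls[e], ip, acls)
        elif e in ('any', 'none', 'localhost'):
            hit = e == 'any' or (e == 'localhost' and ip.is_loopback)
        else:
            hit = ip in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate
    return False

def recursion_allowed(conf, client):
    """True if `client` (an IP string) would be served recursive queries."""
    ip = ipaddress.ip_address(client)
    return match_list(allow_recursion_elements(conf), ip, parse_acls(conf))
```

    Run recursion_allowed() against your own named.conf with an address outside your networks; a True result means the server answers recursive queries for strangers and can be drafted into an amplification flood.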
  • Re:To get in front.. (Score:4, Informative)

    by PDXNerd (654900) on Thursday May 18, 2006 @06:41PM (#15361916)
    Your choice of OS is no protection. If you run malicious software, your computer is a zombie. Period.

    Really? I looked around and can find no links through google for malicious zombie downloads on linux that will run on all flavors. Please post the link to one or a link to an article that dissects one.

    I'm not making the argument that linux can't be hacked - it can and I've seen the results of root kits. How many linux zombies are there? Is it proportional to the number of linux vs. windows machines? (Assuming Linux desktops and servers total 2% of desktops, 2% of spam zombies should be Linux, right? Where are the 4% of OSX zombies?)

    It's about time to come up with a new type of server based messaging.

    For every lock, there is a new way to pick it. For every type of security, there is a new way to hack it. This is a band-aid. The real problem is the fact that there is money to be made from this.
  • by sorphin (14046) on Thursday May 18, 2006 @06:55PM (#15362002)
    I work for an unnamed backbone provider, and have currently been involved in blocking said DNS Amplification attack.. to give you a general idea of the size of the attack and the number of zombies involved.. When I left work... The attack was 14,768% of 9.8MBps... or.. over 13GBit/sec... Our infrastructure is holding up just fine, however.. Personally, I'd like to find the 'owner' of these zombies, and castrate him. I guess the guy doesn't have anything better to do with his life than trash the net...
  • reincarnation? (Score:5, Informative)

    by jefu (53450) on Thursday May 18, 2006 @06:56PM (#15362004) Homepage Journal
    According to this [castlecops.com] the blue frog model will be open sourced as a peer-to-peer model available through sourceforge.net.
  • by mpcooke3 (306161) * on Thursday May 18, 2006 @07:03PM (#15362045) Homepage
    Sadly the internet is already compromised since the bot networks are already too large for most organisations to take on.

    I hope someone does something to deal with the botnet threats. Being able to suck multiple gigabits of bandwidth means 'they' can kill any small to medium sized internet operation if they want to via a range of attacks from the simple to the rather sophisticated.

    Tier1 ISPs usually don't care other than possibly to try and filter all your traffic to prevent their other customers from suffering.

    Some medium/larger sized companies use services like Akamai siteshield that are capable of sustaining a reasonable DDOS-ing, but the botnet operators will eventually realise that the attacks are not just about knocking a site offline. Akamai will charge you for that traffic, which will send the companies bankrupt anyway (and possibly quicker than going offline). In fact I was wondering how on earth bluesecurity were going to pay their bandwidth bill.

    The defences we have against such attacks are pathetic. I was amused in an episode of 24 when they came under an online attack from terrorists and their new "CISCO FIREWALL" protects them. I mean seriously, the firewalls are the least of your problems these days. If you come under attack from one of these serious Russian dudes, you'd be looking at trying to filter the traffic well before it reaches the firewalls, since your line and network would be saturated.
  • by Original Replica (908688) on Thursday May 18, 2006 @07:37PM (#15362197) Journal
    Doesn't being a terrorist imply terrorizing people?
    Traditionally yes, this might be "economic terrorism"(tm). According to the Dept. of Defense, terrorism is "the unlawful use of -- or threatened use of -- force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives." This would seem to apply here.
  • by Architect_sasyr (938685) on Thursday May 18, 2006 @08:06PM (#15362337)
    Shouldn't we be creating and deploying self immunizing tools in our infrastructure that detect these boxes and quarantine them?

    We already do. They are referred to as Nematodes. The primary paper on them is available online: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Aitel.pdf [blackhat.com]

    I maintain some of these for my internal network. Difficult to code, but when you get it (and I haven't yet, I have just coded some well) they are awesome for security.

    Also handy to do automatic analysis of open ports, and alerting etc. The world is your oyster, and these help prevent people stealing your pearl.
  • by sconeu (64226) on Thursday May 18, 2006 @08:26PM (#15362432) Homepage Journal
    After all, it was made to endure nuclear war,

    Myth. See the entry on Paul Baran here [ibiblio.org]
  • by plenTpak (543323) on Thursday May 18, 2006 @09:10PM (#15362606) Homepage
    "...it would probably be faster, cheaper, and ultimately more satisfying if we could just assassinate spamming assholes like PharmaMaster/Eran Reshef."

    Eran Reshef is the CEO of Blue Security, according to the article: "Earlier this week, Blue Security's CEO, Eran Reshef, said a Russian spammer operating under the name PharmaMaster orchestrated a string of attacks this week that disabled its site and sent threatening messages to its users."

    PharmaMaster is not Eran Reshef.

    Just in case someone decides to harass him....
  • by X0563511 (793323) * on Thursday May 18, 2006 @09:25PM (#15362662) Homepage Journal
    http://www.opennic.unrated.net/public_servers.html [unrated.net]

    Don't rely on your ISP's DNS.

    Lots of times my ISP's DNS has gone down and opennic has saved the day. Of course, they can go down too, but usually ONE of the two works.
  • by MarkRose (820682) on Thursday May 18, 2006 @10:17PM (#15362968) Homepage

    Do we really depend so much on the internet?

    Yes! Last holiday season, over 10% of purchases made using Visa were online (Source [visa.com] - PDF). If you are familiar with trends, 10% is critical mass, the point at which a concept takes off. The Internet is very much an entrenched part of the first-world economy.

  • Re:reincarnation? (Score:3, Informative)

    by ajv (4061) on Thursday May 18, 2006 @10:33PM (#15363031) Homepage
    I blogged about this yesterday:


    We need to set up a (de-)centralized place for spammers to check the "do not intrude" list without blowing their cover or exposing e-mail addresses, and a totally anonymous decentralized categorization effort without causing any harm to innocent bystanders (such as Tucows or Typepad).


    http://www.greebo.net/?p=339 [greebo.net]
  • Re:motivation (Score:3, Informative)

    by Jah-Wren Ryel (80510) on Friday May 19, 2006 @01:07AM (#15363596)
    and what law is that? what law, specifically, has been broken?

    Title III of the Electronic Communications Privacy Act -- also known as the Pen Register Act.

    The Pen Register Act requires that law enforcement obtain a court order from a judge before using a pen register or trap and trace device for surveillance.

    The terms "pen register or trap and trace device" refer to a device which records or decodes dialing, routing, addressing or signaling information transmitted by an instrument or facility from which a a wire or electronic communication is transmitted.

  • Re:weakest link (Score:3, Informative)

    by everflow (635196) on Friday May 19, 2006 @07:22AM (#15364589) Journal
    The attack was carried out by misconfigured BIND servers.

    I didn't read that in the article, so how do you know? Besides, last time I checked UltraDNS uses non-BIND name server software.
  • by jonwithoutanh (947507) on Friday May 19, 2006 @08:53AM (#15365107)
    http://www.google.com/search?q=define%3ATerrorism [google.com]
    http://www.google.com/search?q=define%3AState+Sponsored+Terrorism [google.com]

    Terrorism is defined by the U.S. Department of Defense as "the unlawful use of -- or threatened use of -- force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives."

    The criteria of unlawfulness would generally rule out the prospect of terrorism being practiced by a government as it is the government that makes the laws. It may be practiced by individuals or groups within the government, if their actions are unlawful. Likewise you may believe that the laws enacted by your government are immoral or "evil"; however it does not fit the definition of terrorism. A government's actions may fit the definition of state terrorism or state-sponsored terrorism which as stated by the OP are separate concepts.

    Perhaps you want to define terrorism differently; in any case if you want to have a dialogue about something, you first have to clearly agree on the definitions of the words you're going to use, and use the correct words to describe what you're talking about.
  • by richlv (778496) on Friday May 19, 2006 @09:27AM (#15365333)
    Hmm. Most if not all Linux distributions come with a nameserver, usually bind.
    The functionality you describe is that of a very simple caching DNS server, so - yes :)
