BlueSecurity Fall-Out Reveals Larger Problem

Posted by CowboyNeal
from the continuing-sagas dept.
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations, came under a DNS amplification attack that brought down thousands of sites. While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism and from what has been reported so far the terrorists clearly have the upper hand."

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday May 18, 2006 @07:16PM (#15361771) Homepage Journal
    It seems like every week there's a new issue with DNS. Why can't DNS be secured? Is it just inertia? Is BIND really that pathetic, or are they just not using it correctly?
  • Question (Score:1, Interesting)

    by Anonymous Coward on Thursday May 18, 2006 @07:22PM (#15361801)
    I thought "cybersecurity" was a really big deal lately, right? Why isn't anything being done about this? Isn't this predicament the exact sort of thing that all these restrictive "cybersecurity" laws and enforcement groups are supposed to be dealing with?

    Maybe I'm just cynical but somehow, I get the feeling that if this entire situation were a warez group punitively DOSing the MPAA offline, instead of a spam group punitively DOSing an anti-spam group offline, the federal government would have "dealt with" the problem already...
  • by fbg111 (529550) on Thursday May 18, 2006 @07:26PM (#15361829)
    I think a bigger question has been raised - is the Internet really that fragile?

    No, the Internet is robust and redundant. What is fragile are the tens of thousands of pwn3d Windows PC's that are being used without their owners' knowledge to perpetrate these massive DDOS attacks. If I were a lawyer for Blue Security, Yahoo, or anyone else who has been hit recently, I would be seriously looking into the merits of a lawsuit against MS for gross negligence or something similar.
  • by Biff Stu (654099) on Thursday May 18, 2006 @07:31PM (#15361854)
    The spammers don't pay for their bandwidth, the zombie owners do. Of course, if they noticed their internet bill go up, they might do something about it. However, with a large enough network of zombies, the individual computers could be used sparingly enough that the owners would never notice.
  • by sakusha (441986) on Thursday May 18, 2006 @07:34PM (#15361875)
    One of these days, some asshole is going to take down the entire net, just to prove that it can be done.

    I keep thinking about the old saying, "what isn't prohibited, is required." Because the net doesn't prohibit these massive DDoS attacks, someone WILL do them, over and over, either because they are into extortion, or just because they're evil fucks and like creating mayhem. I almost believe that someone ought to just do it and break the net permanently so everyone will have to come to grips with this. So maybe the solution will mean that nobody with an insecure OS will be allowed back on the net. Maybe we need a catastrophic failure to force a total revamp of network protocols, and an excuse to exile all the lusers like people still using Win98. I dunno, it would probably be faster, cheaper, and ultimately more satisfying if we could just assassinate spamming assholes like PharmaMaster/Eran Reshef. [wired.com]
  • by AnotherBlackHat (265897) on Thursday May 18, 2006 @07:35PM (#15361881) Homepage
    ... the tens of thousands of pwn3d Windows PC's ...

    More like "hundreds of thousands".

    My spam traps have been hit by over 1.5 million unique IPs this year alone,
    with an additional 30,000 never before seen IPs every day.
    I estimate there are currently 3-4 million compromised machines world wide.

    -- Should you believe authority without question?
  • by burnin1965 (535071) on Thursday May 18, 2006 @07:45PM (#15361937) Homepage
    From TFA "These massive assaults harness the power of thousands of hacked PCs to swamp sites with so much bogus traffic that they can no longer accommodate legitimate visitors."

    The problem is the thousands of hacked PCs that are used in these attacks. The internet is working exactly the way it was designed and the bot nets take advantage of bottlenecks in the system.

    What is being done to take out these bot nets? I've perused a few of these bot squads on IRC and while there are many zombied Windows machines there are also many *nix boxes which succumbed to the brute force ssh password attacks because they had user accounts with stupid passwords.

    Aside from locating and neutralizing the individual boxes in the squads, shouldn't we be creating and deploying self-immunizing tools in our infrastructure that detect these boxes and quarantine them?

    Shouldn't we also be holding people accountable for having vulnerable boxes connected to the net? Perhaps a bandwidth restriction will help for repeat offenders.
  • by Anonymous Coward on Thursday May 18, 2006 @07:45PM (#15361938)
    1) someone needs to list state or federal laws that were broken.

    2) If there were laws broken, a spokesperson for the appropriate government agency (agencies) needs to explain why prompt action was not taken. ISP's whose clients were part of the attacks should have been warned to shut down their clients who are participating, or be shut down.

    If no laws were broken, smile!

    Perhaps the Federal government should have the power to permanently shut down an ISP that doesn't respond to a demand to block clients until they demonstrate their computers are clean and free of "zombie" software. This would include permanently blocking all traffic to or from an overseas ISP.
  • by Steeltoe (98226) on Thursday May 18, 2006 @07:57PM (#15362013) Homepage
    A few years back we would have laughed at someone calling this terrorism, just saying it's a few scriptkiddies having fun with DDOS and whatnot. Computers are just a fun box, nothing serious about it. Relax. Nothing of value is lost, and if you don't have a backup, you deserve it. Darwinism at work.

    It's also interesting how questions change. We question: Is the internet really that fragile?

    What happened to the baser question: Do we really depend so much on the internet?

    Of course, now that we do, maybe we should look into making the internet even more resilient than the original creators envisioned. After all, it was made to endure nuclear war, but a few scriptkiddies can still take down any site with a little DDOSing and DNS-tweaks.

    Just always remember where we came from.
  • what internet? (Score:2, Interesting)

    by cez (539085) <info@historystLI ... com minus langua> on Thursday May 18, 2006 @08:02PM (#15362037) Homepage
    dns has always had inherent weaknesses due to its universal standards and how the internet relies on it as it does. scary how the internet is only the internet that you can view through whatever controls your DNS...
  • by RedToad (972413) on Thursday May 18, 2006 @08:04PM (#15362050)
    When in doubt, blame Microsoft. Screw intelligent research. Maybe somebody somewhere has done some tracking down to see who are the most likely suspects.

    The bigger picture on people identified as suspects in the spam and DDOS attacks on Blue Security is painted by Spamhaus / ROKSO. They maintain a global Top 10 list [spamhaus.org] and a global Top 200 list [spamhaus.org] of spammers.

    A quick search on "bluesecurity" digs out

    ROK6138 - Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov - Main Info [spamhaus.org]

    ROK5514 - Christopher J. Brown / Swank AKA Dollar - Main Info [spamhaus.org]

    ROK6643 - Joshua Burch - Interactive Adult Solutions / BulkEmailSchool.com - Main Info [spamhaus.org]

    ROK4932 - Leo Kuvayev / BadCow - Main Info [spamhaus.org]

    ROK5125 - Leo Kuvayev / BadCow - Partner-In-Spam: Vladislav "Vlad" Khokholkov / Apex Systems Ltd. [spamhaus.org]

    What's the betting that Spamhaus, who dare to mount the evidence, won't be the next DDOS target? I doubt that the pharmamasters would have any success destroying that evidence. But they will be sure to try. Put your money on it.
  • by slashdot.org (321932) on Thursday May 18, 2006 @08:53PM (#15362270) Homepage Journal
    The only thing that's happened is that, because of the inherent insecurity of Windows machines and the increasing number of them with broadband connections, the bad guys now have access to orders of magnitude more bandwidth and horsepower than any single server can have.

    Tell me about it.

    rant
    So I have a catch-all email on my domain name (say 'example.com'). A couple of weeks ago, I started to receive bounced email which had a return address like 'wert@example.com' and 'nrtp@example.com'. Great, this is the second time this is happening, only now it seems to be persistent for several weeks.

    So you think, well some asshole is obviously responsible for this, let's try to find out. But everything traces back to different originators. So this spammer controlling a whole bunch of zombies is impersonating fake email addresses at my domain, and sending it from systems all over the world. (And you've got to wonder, even if he only impersonated 1 real address (say myname@example.com) it would be the same problem.)

    Now I'm starting to receive spam at random emails @ my domain as well. It's driving me nuts. Of course I can close my catch all account, and only let through legit addresses. But wtf?

    I understand the 'need' for anonymity, but impersonation is something else. Why is this accepted? Why can't we have protocols that don't allow that?

    Also why the fsck are email servers bouncing email back to an address that obviously can be easily spoofed?

    I know there's tons of excuses, but you just wait until you get bombarded with crap and there's no way telling who's responsible for it. You seriously start to wonder about the validity of the email protocols we are using today.
    ~rant
  • by 0xC2 (896799) on Thursday May 18, 2006 @09:00PM (#15362306) Homepage
    "Terrorists are interested in killing people to get their message across, not inconveniencing them." Totally wrong. Why do you think the most secure facilities in the world are the oil refineries? Terrorists absolutely love to take out pipelines, interrupt utilities, railroads, etc. Look at the attacks on the Christian stores in Baghdad selling liquor. The affected people are also much more likely to blame the government for failing to protect services taken out by these attacks. For the money we have spent so far fighting "terrorists" we could have saved tens of thousands of lives, just by building safer, more expensive cars.

    From http://www.scienceservingsociety.com/p/141.htm [scienceser...ociety.com]: "More than a million people are killed on the world's roads each year, the victims overwhelmingly young. In the United States more people die in a typical month in traffic crashes than died in the September 11 terrorist attacks. And for every fatality in a traffic crash, about 40 injuries occur, many of them severe. These traffic deaths and injuries include those among pedestrians and cyclists, as long as a motorized vehicle was involved. The number of traffic deaths worldwide continues to increase as more nations motorize. In the United States the number of traffic deaths has remained relatively constant at about 41,000 per year for the last decade."

    The economic impact of terrorism is much larger than its mortal impact.
  • by Morrigu (29432) on Thursday May 18, 2006 @09:02PM (#15362317) Homepage Journal
    Imagine the economic impact if you "broke the internet". Even just cutting off some vulnerable bits for a while could do a lot of monetary damage.

    I wouldn't be so concerned with the 'Net as a primary target of terrorism or deliberate hostile acts, but I think it could be a viable secondary target. Coupled with attacks on physical bottlenecks (Panama or Suez canal, the straits of Gibraltar, the Malacca Straits, the Bosporus, any of the top 5 major ports in the world) a small nation-state or well-funded terrorist group could have a huge economic effect.

    Or it might be part of the collateral damage from a larger attack on a specific country. Taking out telecoms, underwater cable landing sites and satellite uplinks is part and parcel of damaging a country's C4I infrastructure. Any bits traversing those links (or neighboring ones which suffered damage as well) to or from the Internet would just be civilian casualties, in a manner of speaking.
  • by Animats (122034) on Thursday May 18, 2006 @09:19PM (#15362384) Homepage
    OK, now we have to fix the DNS problem.

    The basic requirement here is that DNS servers shouldn't be accepting queries from clients outside their local organizations. This is like the old "open relay" problem with SMTP. Obviously, such DNS servers have to be fixed. To force the issue, DNS servers queried by other DNS servers should find out if the querying server incorrectly accepts queries from the outside. If it does, that server is marked as a loser, and its queries get processed only after any other queries, and maybe with a deliberate delay. That should deal with the problem in the near term.

    The stronger form of this protection is that many queries from loser servers are answered with an address that returns a page saying something like "Your DNS server at [xxx.xxx.xxx.xxx] has a problem and must be upgraded." The screaming users will get the problem fixed.
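    Added example (not from the comment above or from BIND's own documentation): a BIND named.conf fragment that shows the open-recursion setting next to the corrected one, i.e. recursion limited to the organisation's own clients, which is the "no queries from outside" rule the post asks for. The network range in the ACL is a constructed placeholder.

    ```conf
    // Constructed placeholder: the organisation's own client networks.
    acl "ours" { localhost; localnets; 198.51.100.0/24; };

    // Weak configuration: any host on the Internet can ask this server to
    // recurse, so a query carrying a forged source address gets its (much
    // larger) answer delivered to the victim at that address.
    //
    // options {
    //     recursion yes;
    // };

    // Corrected configuration: recursion and cache reads only for "ours";
    // outsiders may still query the zones this server is authoritative for.
    options {
        recursion yes;
        allow-recursion { "ours"; };
        allow-query-cache { "ours"; };
    };
    ```

    After reloading, a recursive query from an address outside the ACL should be refused (REFUSED) rather than answered; that refusal is what keeps the server from acting as an amplifier.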

  • by Anonymous Coward on Thursday May 18, 2006 @10:29PM (#15362686)
    I've long held the view that the solution to attacks is to shut off any server which supplies a packet with a spoofed originating address. Only when the downstream supplier of that packet has been identified and shut off can the parent be reinstated.

    For example, my PC connects to an ISP who connects to a wholesaler (is that the right term?) etc. If the wholesaler detects packets coming from the ISP which do not originate from that ISP's IP range, then the ISP should be shut off. In turn, the ISP would have the responsibility for ensuring that all packets exiting its network had valid IP return addresses, and if my PC did not comply it would be shut off.

    This would give us a guaranteed trace to the originators of so many attacks, and a means of removing them from the internet.

    Yes, there would be massive network outages in the short term, but it would create a great incentive to identify and remove the rogue ISPs, and finally the rogue / owned computers.
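    Added example, not from the comment above: a small model of the source-address check it proposes (what is usually called BCP 38 ingress filtering), written so it can be run over constructed sample traffic. The upstream keeps a table of which prefixes each customer link was assigned; a packet whose source lies outside its link's prefixes is a spoof, and every link that emitted one is reported. Customer names, prefixes and packets are all constructed.

    ```python
    # Added example (not the comment author's code): upstream-side check that
    # every packet leaving a customer link carries a source address inside the
    # prefixes assigned to that link. Everything below is constructed sample
    # data using documentation address ranges.
    import ipaddress
    from collections import defaultdict

    # Constructed assignments: which customer link owns which prefixes.
    CUSTOMER_PREFIXES = {
        "isp-a": [ipaddress.ip_network("198.51.100.0/24")],
        "isp-b": [ipaddress.ip_network("203.0.113.0/25"),
                  ipaddress.ip_network("203.0.113.128/26")],
    }


    def source_is_valid(link: str, src: str) -> bool:
        """True if src lies inside one of the prefixes assigned to link."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in CUSTOMER_PREFIXES.get(link, []))


    def audit(packets):
        """packets: iterable of (link, src_ip, dst_ip) tuples.

        Returns (forwarded, spoofed): the packets that pass the check and a
        dict mapping each link to the forged source addresses seen on it."""
        forwarded = []
        spoofed = defaultdict(list)
        for link, src, dst in packets:
            if source_is_valid(link, src):
                forwarded.append((link, src, dst))
            else:
                spoofed[link].append(src)
        return forwarded, dict(spoofed)


    def links_to_shut_off(packets):
        """Links that emitted any spoofed packet; the comment's proposal is to
        cut these off until the customer fixes its own egress filtering."""
        _, spoofed = audit(packets)
        return sorted(spoofed)


    # Constructed sample traffic: one legitimate packet per link, plus two
    # packets from isp-b forged with addresses in isp-a's and a third party's
    # space (the forged-source pattern behind the amplification attack).
    SAMPLE_PACKETS = [
        ("isp-a", "198.51.100.7", "192.0.2.53"),
        ("isp-b", "203.0.113.9", "192.0.2.53"),
        ("isp-b", "198.51.100.200", "192.0.2.53"),  # spoofed: isp-a's space
        ("isp-b", "192.0.2.10", "192.0.2.53"),      # spoofed: unrelated space
    ]

    if __name__ == "__main__":
        fwd, bad = audit(SAMPLE_PACKETS)
        print(f"forwarded {len(fwd)} packets; spoofed by link: {bad}")
        print("links to shut off:", links_to_shut_off(SAMPLE_PACKETS))
    ```
    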
  • by Ichijo (607641) on Thursday May 18, 2006 @10:36PM (#15362727) Homepage Journal
    > Is BIND really that pathetic, or are they just not using it correctly?

    Here's a performance comparison [www.sics.se] of the ubiquitous Apache web server with Yaws [hyber.org], an Erlang-based web server. (Erlang is a programming language and virtual machine designed for distributed processing.) To summarize, "Apache dies at about 4,000 parallel sessions. Yaws is still functioning at over 80,000 parallel connections." The author goes on to speculate that the reason Apache dies so quickly is due to limitations in the host operating system.

    If Erlang can keep a web server going under nearly infinite load, imagine what it could do for DNS.

  • by mike2R (721965) on Friday May 19, 2006 @03:10AM (#15363762)
    > The use of force (taking down servers) by a group (spammers) against people/property (blue & others) with the intention of intimidating societies (blues users) for ideological (financial too) reasons.

    I disagree that these reasons are ideological - the motive is money, even if intimidation is being used. If Al Qaeda or whoever started trying to bring down the internet, that would be terrorism, but this isn't.

    I'm not saying that a criminal can't terrorise someone, but I don't think that makes them a terrorist. Terrorists (the ones we have all these new laws to protect ourselves from) are people who believe in a cause, people who have supporters that believe they are freedom fighters. They are far more dangerous than normal criminals, because their cause is larger than them, and even if you kill one you make a martyr who helps recruiting the next.

    Maybe we need stronger laws to catch these kinds of criminals, but if so a case should be made for it on the merits. Labeling suspected criminals as terrorists and then using existing anti-terrorism legislation to go after them is a very slippery slope IMO.
  • by vandon (233276) on Friday May 19, 2006 @10:50AM (#15365500) Homepage
    > So yes the Internet is that fragile. It was designed to deal with outside threats, not inside.

    No, the problem is that the Internet was created as a trusted network between universities. IPv6 has been created as an untrusted network and many of these problems would disappear if everyone switched.