What Happened to Blue Security
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
publicity! (Score:4, Interesting)
Heck, I even signed up; shall have to wait and see if it's worth it though.
Pharma master identity (Score:1, Interesting)
Let's find him and show him some "affection".
This isn't just between PharmaMaster & Bluefro (Score:5, Interesting)
Backbone level blackholing? (Score:5, Interesting)
No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
Client List NOT Compromised!!! (Score:5, Interesting)
Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper .
The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a Java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer-to-peer protocol and cryptographically signed. Any ideas on this one?
What is? (Score:2, Interesting)
Re:DNS Vulnerabilities (Score:5, Interesting)
DDoS Extortionists (Score:5, Interesting)
Re:Backbone level blackholing? (Score:4, Interesting)
* ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
* "[tier-1 ISP name withheld] will block traffic to your websites god i love this war"
This was more clear in some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of a lot more corruption out there than I thought).
Re:DNS Vulnerabilities (Score:5, Interesting)
Um, how about "no such thing as bad publicity"?
In my journal I commented that the attack on Six Apart was the web equivalent of Pearl Harbor. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became famous worldwide: I've been searching blogs for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the URL) said that "Blue Security" became the top Technorati search during the attacks.
Re:publicity! (Score:3, Interesting)
Looks to me like this Pharma dude really shot himself in the foot.
Sad state of backbone administration (Score:2, Interesting)
Of course if the attack had occurred against a company like General Electric or Eli Lilly, the perpetrator would be in jail right now.
It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.
_Detailed_ timeline? (Score:4, Interesting)
"Some shit happened."
As a security guy, this could have been really interesting, but it's not.
Re:Backbone level blackholing? (Score:2, Interesting)
Re:Client List NOT Compromised!!! (Score:3, Interesting)
Re:For the lazy :) (Score:4, Interesting)
But!
Reading the account in TFA reveals that Blue Security was not undergoing a DDoS attack and that the DDoS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault, which, at least according to their story (it would be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything), they were not.
I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.
Not technically accurate... (Score:4, Interesting)
Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the contrary, it was routed to null for all the Internet except Israel. In summary, there were 4 different DoS attacks:
* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing Blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucows' DNS servers (lots of traffic)
So, technically, Blue Security didn't redirect the attack.
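The "no traffic" versus "lots of traffic" distinction drawn above is exactly what a defender uses to tell an upstream null route from a flood. The helper below is an added example, not code from the thread or from Blue Security; the target names follow the four bullets, but the packet rates and probe results are constructed.

```python
# Added example (not from the Slashdot thread or Blue Security): triage a
# target from two signals a defender can collect during an incident:
#   1. inbound packet rate at the target's own edge (flood = far above baseline,
#      null route = almost nothing arrives at all), and
#   2. TCP reachability from several external probe locations (a blackhole
#      applied inside one backbone often leaves some regions able to connect).
# All numbers and probe results below are constructed, not measured.

FLOOD_FACTOR = 20     # current pps this many times baseline => flooding
QUIET_FACTOR = 0.05   # current pps below this fraction of baseline => "no traffic"

def diagnose(baseline_pps, current_pps, reachable):
    """reachable maps probe location -> True if a TCP connect to the service
    succeeded from there. Returns a short diagnosis label."""
    results = list(reachable.values())
    if current_pps >= FLOOD_FACTOR * baseline_pps:
        return "packet flooding"              # link saturated, probes fail too
    if current_pps < QUIET_FACTOR * baseline_pps:
        if all(results):
            return "healthy"                  # quiet hour, nothing lost
        if any(results):
            ok = [loc for loc, r in reachable.items() if r]
            return f"null-routed upstream (reachable only from {', '.join(ok)})"
        return "null-routed or host down (unreachable everywhere)"
    return "healthy"

# Constructed telemetry for the four targets named in the comment above:
# (baseline pps, observed pps, per-region reachability).
TARGETS = {
    "operational servers":         (5_000, 400_000, {"US": False, "EU": False, "IL": False}),
    "www.bluesecurity.com":        (800,   20,      {"US": False, "EU": False, "IL": True}),
    "www redirected to Six Apart": (800,   90_000,  {"US": False, "EU": False, "IL": False}),
    "Tucows DNS":                  (2_000, 150_000, {"US": False, "EU": False, "IL": False}),
}

def triage_all(targets=TARGETS):
    return {name: diagnose(*obs) for name, obs in targets.items()}

if __name__ == "__main__":
    for name, label in triage_all().items():
        print(f"{name:28s} {label}")
```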
Re:For the lazy :) (Score:4, Interesting)
If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.
Also, I note the URL you have on your post...
?H?uh??? (Score:0, Interesting)
This was from IE 6.0.2800. As I'm at work I haven't looked in Firefox to see if it's equally retarded..
If they can't write HTML that will display properly in all browsers, particularly with the one 80% of surfers use, can they really be "good with computers?"
And if the question mark in "spammer?s" is supposed to be an apostrophe, they're not only incompetent but illiterate.
Perhaps the spammer took them on because they were an easy mark? These folks should hire a web designer who knows HTML and what it's for (hint: conveying information), and if that one question mark is supposed to be an apostrophe, a copywriter who isn't a retarded illiterate.
However, the fact that they were complicit in the spammer's taking blogs down also shows their lack of competence.
That said, who is this "PharmaMaster?" I'd like a real name and meatspace home address so I can forward all of my snail junk mail to him and encourage arsonists to burn his house down, preferably with him in it. It's time for a little bloody vigilantism, folks. Let's kill some spammers. Blue Security, who is this guy and why are you helping him stay anonymous?
Re:Tucow bad behavior? (Score:4, Interesting)
Look at it this way - are you going to forget that Tucows turned off a legitimate client? Me neither. Are you going to consider Tucows next time you need a corporate provider? Me either.
this is black hole filtering: (Score:3, Interesting)
Re:This isn't just between PharmaMaster & Blue (Score:2, Interesting)
Summary for the lazy: (Score:2, Interesting)
For those new to this whole "BlueFrog" story, unsure who is the "good guy":
Pro:
Con:
Re:"operational system" (Score:2, Interesting)
time for an apology from Typepad? (Score:1, Interesting)
How about it Todd? Ready to blame the criminal and stop blaming the victim or what?
Re:What nonsense (Score:3, Interesting)
My letter to tucows (Score:2, Interesting)
May 8th, 2006
Tucows, Inc.
96 Mowat Avenue
Toronto, ON
Canada M6K 3M1
To whom it may concern,
I just wanted to express my extreme disappointment regarding your recent actions to disable Blue Security's account in an attempt to stop the attacks of a notorious spammer. I fully understand that the attacks were a technical nightmare for your team; however, it is unbelievable that you would rather give in to a criminal and follow their demands and step on an organization that aims to protect innocent citizens from around the globe. Regardless of what your motive was, this action clearly states that you are more interested in profit than in ethics. As a result, I am recommending that all contacts I have that use Tucows' services remove their accounts and utilize a service which supports consumer protection. It is my sincere hope that should a similar situation arise, you will think of the company that is trying to protect the Internet.
Re:DNS Vulnerabilities (Score:5, Interesting)
Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.
You have a right to do it by yourself: tracking, filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is drug-related spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.
Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.
The thing is, these spammers should understand they have absolutely 0% of a chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.
I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher your sales percentage will be, and the more profits in the long run.
I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable with how their network and client work (I also thought they DDoS'd the sites until I looked into it), I have signed up. Now I'm waiting for their system to become fully functional again so I can verify my account and start kicking spammer tail!
Jeremy
Re:This isn't just between PharmaMaster & Blue (Score:3, Interesting)
LOL!
Sure we don't let our software be used by spammers!
Could be a BGP blackhole route (Score:3, Interesting)
Netvision also seems to have GlobalXing/AS3549 as a transit provider.
My suspicion (since I don't have a looking glass with a historical search), is that someone with access to the main BGP reflectors inside of either UUNET or GlobalXing managed to make an announcement that they had a local router with a route to AS1680, and then that router just blackholed any traffic to those netblocks. It was happening during the L3/Cogent wars last year, L3 was announcing Cogent netblocks, and blackholing the traffic. If one major backbone such as UUNet makes a false BGP announcement, it could effectively block much traffic from the US to Israel, but European sites would still mostly see Israel as closer.
My next best theory is that someone at LimeLight Networks(AS3549, a GLBX reseller) is sending poison BGP announcements, but I don't see any in looking glasses.
That kind of technically advanced activity, especially with the potential for huge economic losses, should trigger an FBI investigation. Of course, the FBI isn't going to admit anything or post updates on
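The theory above is a false BGP announcement covering AS1680's netblocks that wins by being accepted inside one backbone. The check below is an added example of how a defender validates announcements pulled from a looking glass or route collector against the prefixes and origin it expects; it is not code from the thread or from any of the networks named. AS1680 and AS3549 come from the comment; every other ASN, prefix and announcement is a constructed placeholder (RFC 5737 addresses, RFC 5398 documentation ASNs).

```python
# Added example (not from the Slashdot thread): flag BGP announcements that
# could divert traffic away from an expected origin, which is what an upstream
# blackhole built on a bogus route looks like from the outside. Three things
# are checked: a more-specific prefix (longest match wins, so it captures the
# traffic), a wrong origin AS, and a correct origin reached through an
# unexpected neighbour (a path-injected route). Placeholders are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # leftmost = collector's peer, rightmost = origin AS

# Constructed: a documentation prefix (RFC 5737) said to belong to AS1680,
# the Israeli provider named in the comment above.
EXPECTED = {"203.0.113.0/24": 1680}

# Upstreams allowed directly before the origin in a path. AS3549 is named in
# the comment; 64500 is an RFC 5398 documentation ASN standing in for another.
KNOWN_TRANSIT = {1680: {3549, 64500}}

def check(ann):
    """Return a list of findings for one announcement (empty = looks legitimate)."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    findings = []
    for p, owner in EXPECTED.items():
        legit = ipaddress.ip_network(p)
        if not net.subnet_of(legit):        # True also when net == legit
            continue
        if net.prefixlen > legit.prefixlen:
            findings.append(f"more-specific {net} of {legit} (wins longest match)")
        if origin != owner:
            findings.append(f"origin AS{origin}, expected AS{owner}")
        elif len(ann.as_path) > 1 and ann.as_path[-2] not in KNOWN_TRANSIT[owner]:
            findings.append(f"unexpected upstream AS{ann.as_path[-2]} next to origin")
    return findings

def audit(announcements):
    """Map 'prefix via path' -> findings for a batch of collector entries."""
    return {f"{a.prefix} via {'-'.join(map(str, a.as_path))}": check(a)
            for a in announcements}

if __name__ == "__main__":
    sample = [Announcement("203.0.113.0/24", (64510, 3549, 1680)),    # constructed, fine
              Announcement("203.0.113.0/25", (64510, 64511)),         # constructed hijack
              Announcement("203.0.113.0/24", (64510, 64501, 1680))]   # constructed injection
    for key, findings in audit(sample).items():
        print(key, "->", findings or "ok")
```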
the AC
Re:Tucows are cowards! (Score:2, Interesting)