BlueSecurity Fall-Out Reveals Larger Problem
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations, came under a DNS amplification attack that brought down thousands of sites.
While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism, and from what has been reported so far the terrorists clearly have the upper hand."
Yes, the internet is that fragile (Score:3, Interesting)
Question (Score:1, Interesting)
Maybe I'm just cynical but somehow, I get the feeling that if this entire situation were a warez group punitively DOSing the MPAA offline, instead of a spam group punitively DOSing an anti-spam group offline, the federal government would have "dealt with" the problem already...
Fragile Internet? No... (Score:5, Interesting)
No, the Internet is robust and redundant. What is fragile are the tens of thousands of pwn3d Windows PCs that are being used without their owners' knowledge to perpetrate these massive DDOS attacks. If I were a lawyer for Blue Security, Yahoo, or anyone else who has been hit recently, I would be seriously looking into the merits of a lawsuit against MS for gross negligence or something similar.
Re:Maybe they pay more for a tiered solution.... (Score:4, Interesting)
What isn't prohibited, is required. (Score:3, Interesting)
I keep thinking about the old saying, "what isn't prohibited, is required." Because the net doesn't prohibit these massive DDoS attacks, someone WILL do them, over and over, either because they are into extortion, or just because they're evil fucks and like creating mayhem. I almost believe that someone ought to just do it and break the net permanently so everyone will have to come to grips with this. So maybe the solution will mean that nobody with an insecure OS will be allowed back on the net. Maybe we need a catastrophic failure to force a total revamp of network protocols, and an excuse to exile all the lusers like people still using Win98. I dunno, it would probably be faster, cheaper, and ultimately more satisfying if we could just assassinate spamming assholes like PharmaMaster/Eran Reshef. [wired.com]
Re:Fragile Internet? No... (Score:5, Interesting)
More like "hundreds of thousands".
My spam traps have been hit by over 1.5 million unique IPs this year alone,
with an additional 30,000 never before seen IPs every day.
I estimate there are currently 3-4 million compromised machines world wide.
-- Should you believe authority without question?
The internet is not fragile, it's abused (Score:5, Interesting)
The problem is the thousands of hacked PCs that are used in these attacks. The internet is working exactly the way it was designed and the bot nets take advantage of bottlenecks in the system.
What is being done to take out these bot nets? I've perused a few of these bot squads on IRC and while there are many zombied Windows machines there are also many *nix boxes which succumbed to the brute force ssh password attacks because they had user accounts with stupid passwords.
Aside from locating and neutralizing the individual boxes in the squads shouldn't we be creating and deploying self immunizing tools in our infrastructure that detects these boxes and quarantines them?
Shouldn't we also be holding people accountable for having vulnerable boxes connected to the net? Perhaps a bandwidth restriction will help for repeat offenders.
What laws were broken, anyway? (Score:2, Interesting)
2) If there were laws broken, a spokesperson for the appropriate government agency (agencies) needs to explain why prompt action was not taken. ISPs whose clients were part of the attacks should have been warned to shut down their clients who are participating, or be shut down.
If no laws were broken, smile!
Perhaps the Federal government should have the power to permanently shut down an ISP that doesn't respond to a demand to block clients until they demonstrate their computers are clean and free of "zombie" software. This would include permanently blocking all traffic to or from an overseas ISP.
Interesting how things change (Score:5, Interesting)
It's also interesting how questions change. We question: Is the internet really that fragile?
What happened to the baser question: Do we really depend so much on the internet?
Of course, now that we do, maybe we should look into making the internet even more resilient than the original creators envisioned. After all, it was made to endure nuclear war, but a few scriptkiddies can still take down any site with a little DDOSing and DNS-tweaks.
Just always remember where we came from.
what internet? (Score:2, Interesting)
Re:Dear Homeland Security (Score:2, Interesting)
The bigger picture on people identified as suspects in the spam and DDOS attacks on Blue Security is painted by Spamhaus / ROKSO. They maintain a global Top 10 list [spamhaus.org] and a global Top 200 list [spamhaus.org] of spammers.
A quick search on "bluesecurity" digs out
ROK6138 - Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov - Main Info [spamhaus.org]
ROK5514 - Christopher J. Brown / Swank AKA Dollar - Main Info [spamhaus.org]
ROK6643 - Joshua Burch - Interactive Adult Solutions / BulkEmailSchool.com - Main Info [spamhaus.org]
ROK4932 - Leo Kuvayev / BadCow - Main Info [spamhaus.org]
ROK5125 - Leo Kuvayev / BadCow - Partner-In-Spam: Vladislav "Vlad" Khokholkov / Apex Systems Ltd. [spamhaus.org]
What's the betting that Spamhaus, who dare to mount the evidence, won't be the next DDOS target? I doubt that the pharmamasters would have any success destroying that evidence. But they will be sure to try. Put your money on it.
Re:Not fragile, just vulnerable (Score:3, Interesting)
Tell me about it.
rant
So I have a catch-all email on my domain name (say 'example.com'). A couple of weeks ago, I started to receive bounced email which had a return address like 'wert@example.com' and 'nrtp@example.com'. Great, this is the second time this is happening, only now it seems to be persistent for several weeks.
So you think, well, some asshole is obviously responsible for this, let's try to find out. But everything traces back to different originators. So this spammer controlling a whole bunch of zombies is impersonating fake email addresses at my domain, and sending it from systems all over the world. (And you've got to wonder, even if he only impersonated 1 real address (say myname@example.com) it would be the same problem.)
Now I'm starting to receive spam at random emails @ my domain as well. It's driving me nuts. Of course I can close my catch all account, and only let through legit addresses. But wtf?
I understand the 'need' for anonymity, but impersonation is something else. Why is this accepted? Why can't we have protocols that don't allow that?
Also why the fsck are email servers bouncing email back to an address that obviously can be easily spoofed?
I know there's tons of excuses, but you just wait until you get bombarded with crap and there's no way telling who's responsible for it. You seriously start to wonder about the validity of the email protocols we are using today.
~rant
Re:interesting question about fragile (Score:5, Interesting)
Re:interesting question about fragile (Score:3, Interesting)
I wouldn't be so concerned with the 'Net as a primary target of terrorism or deliberate hostile acts, but I think it could be a viable secondary target. Coupled with attacks on physical bottlenecks (Panama or Suez canal, the straits of Gibraltar, the Malacca Straits, the Bosporus, any of the top 5 major ports in the world) a small nation-state or well-funded terrorist group could have a huge economic effect.
Or it might be part of the collateral damage from a larger attack on a specific country. Taking out telecoms, underwater cable landing sites and satellite uplinks is part and parcel of damaging a country's C4I infrastructure. Any bits traversing those links (or neighboring ones which suffered damage as well) to or from the Internet would just be civilian casualties, in a manner of speaking.
Fixing the DNS problem (Score:4, Interesting)
The basic requirement here is that DNS servers shouldn't be accepting queries from clients outside their local organizations. This is like the old "open relay" problem with SMTP. Obviously, such DNS servers have to be fixed. To force the issue, DNS servers queried by other DNS servers should find out if the querying server incorrectly accepts queries from the outside. If it does, that server is marked as a loser, and its queries get processed only after any other queries, and maybe with a deliberate delay. That should deal with the problem in the near term.
The stronger form of this protection is that many queries from loser servers are answered with an address that returns a page saying something like "Your DNS server at [xxx.xxx.xxx.xxx] has a problem and must be upgraded." The screaming users will get the problem fixed.
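The check this post describes (does a resolver hand out recursive answers to clients it should refuse?) is the same one an administrator should run against their own servers before someone else finds them. The following is an added example, not code from the thread or from any product mentioned in it; it builds a minimal DNS query by hand and reads the RA bit and RCODE of the reply. The resolver address is a placeholder, and `build_query`, `parse_header`, `is_open_resolver` and `probe` are names chosen here.

```python
import socket
import struct

# Placeholder: the address of a resolver you administer (RFC 5737 test range).
RESOLVER = ("192.0.2.53", 53)


def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    # header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode()
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(resp):
    """Return the header fields an open-resolver check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }


def is_open_resolver(resp, txid=0x1234):
    """True if the server answered our recursive query instead of refusing it."""
    h = parse_header(resp)
    return h["qr"] and h["txid"] == txid and h["ra"] and h["rcode"] == 0


def probe(server, name="example.com", timeout=3.0):
    """Send one query over UDP and report whether the server acted as an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), server)
        resp, _ = s.recvfrom(4096)
    return is_open_resolver(resp)


if __name__ == "__main__":
    print("open resolver" if probe(RESOLVER) else "recursion refused")
```

A properly restricted server answers the query from an outside address with RA clear and RCODE REFUSED; a server that returns NOERROR with RA set is the kind the post wants upstream servers to deprioritize.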
Shut off the supplier (Score:1, Interesting)
For example, my PC connects to an ISP who connects to a wholesaler (is that the right term?) etc. If the wholesaler detects packets coming from the ISP which do not originate from that ISP's IP range, then the ISP should be shut off. In turn, the ISP would have the responsibility for ensuring that all packets exiting its network had valid IP return addresses, and if my PC did not comply it would be shut off.
This would give us a guaranteed trace to the originators of so many attacks, and a means of removing them from the internet.
Yes, there would be massive network outages in the short term, but it would create a great incentive to identify and remove the rogue ISPs, and finally the rogue / owned computers.
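The wholesaler-side check this post proposes is source-address validation at the customer edge: a packet arriving on a customer port may only carry a source inside the prefixes assigned to that port. As an added example that is not from the thread, the script below runs that rule over constructed flow records and reports which ports are emitting forged sources and how much. The interface names, prefixes (RFC 5737 and RFC 3849 documentation space) and flow lines are all made up here; `source_allowed`, `audit_flows` and `worst_offenders` are names chosen for this example.

```python
import ipaddress

# Constructed customer table: port -> prefixes that customer is allowed to source.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:100::/48"],
}

# Constructed flow records: "iface src dst packets"
SAMPLE_FLOWS = """\
ge-0/0/1 192.0.2.17 203.0.113.9 120
ge-0/0/1 10.99.0.5 203.0.113.9 900
ge-0/0/2 198.51.100.44 203.0.113.53 15
ge-0/0/2 198.51.100.200 203.0.113.53 4000
ge-0/0/2 2001:db8:100::1 2001:db8:beef::53 7
ge-0/0/3 192.0.2.1 203.0.113.9 3
"""


def _networks(iface):
    # An unknown port has no assigned prefixes, so nothing it sends is valid.
    return [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(iface, [])]


def source_allowed(iface, src):
    """Ingress rule: the source must lie inside a prefix assigned to the arrival port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as forged
    return any(addr in net for net in _networks(iface))


def audit_flows(text):
    """Return (iface, src, packets) for every flow that fails the ingress rule."""
    spoofed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src, _dst, pkts = line.split()
        if not source_allowed(iface, src):
            spoofed.append((iface, src, int(pkts)))
    return spoofed


def worst_offenders(text):
    """Total forged packets per port, largest first: the ports to shut off first."""
    totals = {}
    for iface, _src, pkts in audit_flows(text):
        totals[iface] = totals.get(iface, 0) + pkts
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

Note that 198.51.100.200 is flagged even though it looks like the customer's own block: the assignment is a /25, so addresses above .127 are just as forged as 10.99.0.5.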
Re:Yes, the internet is that fragile (Score:3, Interesting)
Here's a performance comparison [www.sics.se] of the ubiquitous Apache web server with Yaws [hyber.org], an Erlang-based web server. (Erlang is a programming language and virtual machine designed for distributed processing.) To summarize, "Apache dies at about 4,000 parallel sessions. Yaws is still functioning at over 80,000 parallel connections." The author goes on to speculate that the reason Apache dies so quickly is due to limitations in the host operating system.
If Erlang can keep a web server going under nearly infinite load, imagine what it could do for DNS.
Re:Terrorism too strong a word (Score:2, Interesting)
I'm not saying that a criminal can't terrorise someone, but I don't think that makes them a terrorist. Terrorists (the ones we have all these new laws to protect ourselves from) are people who believe in a cause, people who have supporters that believe they are freedom fighters. They are far more dangerous than normal criminals, because their cause is larger than them, and even if you kill one you make a martyr who helps recruiting the next.
Maybe we need stronger laws to catch these kinds of criminals, but if so a case should be made for it on the merits. Labeling suspected criminals as terrorists and then using existing anti-terrorism legislation to go after them is a very slippery slope IMO.
Re:Well that is easily explained (Score:4, Interesting)
No, the problem is that the Internet was created as a trusted network between universities. IPv6 has been created as an untrusted network and many of these problems would disappear if everyone switched.