Black Frog - the botnets keep coming
http://news.google.com/news?q=black+frog

How do we make this folly stop? Now that these kids showed up with the Blue Security business plan plus a non-working anti-ddos idea (P2P), how long until the other 10 kiddies thinking about it show up? Who decides who these botnets attack, regardless of the ddos's being harmful and regardless of them being useless against spammers?

Gadi.
* Gadi Evron:
http://news.google.com/news?q=black+frog
How do we make this folly stop?
Ignore it? It's an inactive Sourceforge project (with some Google forums attached), and news reports seem to be based on a Slashdot diary entry announcing it:

<http://slashdot.org/~Spy+der+Mann/journal/135727>

There are far more dangerous Sourceforge projects out there. 8-/
On Thu, 25 May 2006, Florian Weimer wrote:
* Gadi Evron:
http://news.google.com/news?q=black+frog
How do we make this folly stop?
Ignore it? It's an inactive Sourceforge project (with some Google forums attached), and news reports seem to be based on a Slashdot diary entry announcing it:
Ignoring is the high-road. How long are we going to cry about the Internet being a battle-ground, the wild west, or whatever else if we legitimize DDoS? Sometimes being quiet is not going to win the war. There will be other Blue Frogs.
<http://slashdot.org/~Spy+der+Mann/journal/135727>
There are far more dangerous Sourceforge projects out there. 8-/
On May 25, 2006, at 5:37 AM, Niels Bakker wrote:
* ge@linuxbox.org (Gadi Evron) [Thu 25 May 2006, 12:38 CEST]:
Sometimes being quiet is not going to win the war.
It would behoove you, however, to not cry wolf so often
Maybe it would behoove network operators to not encourage kids to build distributed botnet systems[1] in the name of vigilante justice:

http://www.legrice.net/Okopipi/OkopipiNetworkFlow.jpg
http://www.legrice.net/Okopipi/OkopipiBasicSystemOverview.jpg

Blue Security shouldn't be glorified for what they did, they should be nailed for DoS'ing SixApart.

-david

1: Granted, based on those pictures, we might not have a lot to worry about... ;)
On Thu, 25 May 2006, Niels Bakker wrote:
* ge@linuxbox.org (Gadi Evron) [Thu 25 May 2006, 12:38 CEST]:
Sometimes being quiet is not going to win the war.
It would behoove you, however, to not cry wolf so often
The fact that you believe that I cry wolf shows just how sad the situation really is. Half a million new bots a day isn't that high of a number, I suppose. How long before ecommerce becomes impractical? :) Far from relevant to NANOG. Or is it?

DNS being abused like there is no tomorrow on the operational level (not infrastructure level) and no one (almost) even noticing is obviously not operational.

The Internet is not going to die tomorrow, but I care more about it as an inter network than any one network connected to it, which is the job of most people here. We are all techs, but the decision to, for example, block ports at ISP's to stop worms isn't going to be a tech decision, much like, hypocritically, ISP's these days block streaming media or P2P for extra cash. It's a business decision that will eventually save or kill the Internet, and to be honest, I see nothing wrong with it.

I just am happy there are some people who hold back the tide of the war we already lost, before governments catch up.

Gadi.
-- Niels.
Gadi, one of the main issues that people take regarding this is that it seems as though whenever we turn around, you're starting another "OMG! THE INTERNUT IS COMING TO AN END!!!!OMGNO!"

And you get some people jumping around, and some people get all in a frenzy over whatever the perceived issue is. The rest of us just slap our heads, roll our eyes and go "Oh, great, here goes Gadi on another rant..."

Many people in the internet security world, sorry to say, now have a hard time believing what you are saying, and believing whatever you believe. The credibility is just not there any more. It's slipping away, because there are only so many times someone can cry "FIRE!" in a crowded theater before people stop believing you. Unfortunately, that _is_ starting to happen.

It really seems as though every time we turn around, you're crying Wolf again, and it's basically getting old.
Sometimes being quiet is not going to win the war.
It would behoove you, however, to not cry wolf so often
The fact that you believe that I cry wolf, shows just how sad the situation really is.

I would say this is more of a sign of what is going on. People are starting to NOT believe you. Perhaps it is you who should change what is being said, and how you are saying it.

How long before ecommerce becomes impractical? :) Far from relevant to NANOG. Or is it?

What makes you believe that e-commerce is becoming impractical? Are there that many attacks against those companies? If so, then why has the press not picked it up? The DoS against SixApart hardly made the conventional (BBC, CNN, etc) news.

DNS being abused like there is no tomorrow on the operational level (not infrastructure level) and no one (almost) even noticing is obviously not operational.

I run my own publicly accessible DNS servers, and they aren't being abused. You're making it sound like all DNS servers everywhere are being abused, and that we should all stop using DNS.

We are all techs, but the decision if for example, block ports at ISP's to stop worms isn't going to be a tech decision, much like hypocritically, ISP's these days block streaming media or P2P for extra cash. It's a business decision that will eventually save or kill the Internet, and to be honest, I see nothing wrong with it.

In other words, it seems as though you are for blocking of traffic, and making the internet just another Government-mandated and Gov't-regulated environment? It seems as though that goes against Postel's ideals.

From my perspective, you just want to create a big huge firewall, where nothing is allowed, and everything is scrutinized. That's not what the internet is all about. That's not what it was created for. It seems as though we should perhaps no longer call it the "Big Firewall of China", but perhaps, the "Big Firewall of Gadi".

I just am happy there are some people who hold back the tide of the war we already lost, before governments catch up.

Even though you are losing credibility amongst your colleagues around the world?
This isn't meant to be a personal attack against you Gadi, but a wake up call to not change your tune, but to perhaps start singing a different song...the song that actually gets things done. Stop fighting with network operators, and start working with them. That tends to get things done more quickly, and also does not burn your bridges (and credibility) in the process.

I think some of the ideas you have are very good, and others not so good. Either way, you have a good start.

Gadi, I'm not saying to stop doing what you are doing, but perhaps to change around how you go about doing what you are doing, and to stop alienating so many of your other colleagues. Instead of working against groups like nsp-sec and NANOG, start working with them. If you can't get vetted, then work towards getting vetted. Work towards repairing the bridges. Quite a bit of what people see is perception, and right now the perception is one of more of a "panic monkey", rather than a calm, logical, "We should really do this, or else bad stuff like example 1, 2, and 3, can happen, and here's the reasoning behind it." Being calm, logical, and working with other network operators tends to get things done more quickly.

NANOG mods, if I am out of line, I apologize, but I feel as though this needs to be said. I am not trying to do a character assassination, just voice my opinion on the latest network issue. If you have issue with it, please send me an email off list, and we can discuss.

Thanks,
-Eric
Personally as a manager I want to know the problem and then the workable solution. I just don't see that many bot nets happening anymore.
From my vantage point I do see students writing bot nets more for programming skills than for malicious attacks.
With several hundred million people and computers on the inter network, there will always be an aberration, caused by some social or mental or emotional defect. Workable technical solutions, not new laws or rants, will make these issues less of an issue operationally in the long run.

-Henry

--- Eric Whitehill <Eric@bot bay.net> wrote:
On Thu, 25 May 2006, Henry Linneweh wrote:
Personally as a manager I want to know the problem and then the workable solution. I just don't see that many bot nets happening anymore.
From my vantage point I do see students writing bot nets more for programming skills than for malicious attacks.
With several hundred million people and computers on the inter network, there will always be an aberration, caused by some social or mental or emotional defect.
Workable technical solutions, not new laws or rants will make these issues, less of an issue operationally in the long run.
Hello Henry, I quite agree. However, as far as I see the Internet is no longer the altruistic friendly place it was built to be, and technical solutions are either 10 years late or dependent on who implements them.

Do I want to see the government(s) meddle with the Internet? No. Is it going to happen? Yes, although I wish for it not to, as I am not sure what effect that will have. What alternative do you see?

As to botnets, the numbers, unfortunately, speak for themselves. Half a million new bots a day (give or take a few hundred thousand), which is really not a relevant number in my opinion.

I'm just happy there are communities such as NANOG out there, but when it comes down to it, the Good online is based on good faith. The Bad is based on cold Cash. Some lose as much as a million dollars a day on phishing, as an example.
-Henry
Gadi.
On Thu, 25 May 2006 10:17:56 CDT, Gadi Evron said:
I'm just happy there are communities such as NANOG out there, but when it comes down to it, the Good online is based on good faith. The Bad is based on cold Cash. Some lose as much as a million dollars a day on phishing, as an example.
Citation on the $1M/day, please? (I'm sure the *aggregate* take is well over that, but what *single entity* is seeing that magnitude losses?)
At 11:33 AM 5/25/2006, you wrote:
Citation on the $1M/day, please? (I'm sure the *aggregate* take is well over that, but what *single entity* is seeing that magnitude losses?)
Although we all see lots of attempts at phishing and it gets lots of press coverage, it is very small compared to regular credit card and bank fraud which happens all the time. According to a study which I recently read (I wish I could remember where) phishing accounts for less than 1-2% of all banking and credit card fraud in the US.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
On Thu, 25 May 2006 Valdis.Kletnieks@vt.edu wrote:
On Thu, 25 May 2006 10:17:56 CDT, Gadi Evron said:
I'm just happy there are communities such as NANOG out there, but when it comes down to it, the Good online is based on good faith. The Bad is based on cold Cash. Some lose as much as a million dollars a day on phishing, as an example.
Citation on the $1M/day, please? (I'm sure the *aggregate* take is well over that, but what *single entity* is seeing that magnitude losses?)
You can quote me. Phishing in the US is by far less sophisticated than, for example, in Europe. There the banks are a bit more sophisticated as well in defensive tech.

I hate for this to be a quote by me, but Super Worms which steal credit card, account data, login info, etc. for banks, credit card companies and ecommerce sites online number at the millions a day. Including repeat customers.

As to single banks, forget my numbers for a second, I am willing to accept yours for the sake of argument (we can argue digits over the phone). A million in losses a day is enough.

Gadi.
On Thu, 25 May 2006, Gadi Evron wrote:
I hate for this to be a quote by me, but Super Worms which steal credit card, account data, login info. etc. for banks, credit card companies and ecommerce sites online number at the millions a day. Including repeat customers.
As to signle banks, forget my numbers for a second, I am willing to accept yours for the sake of argument (we can argue digits over the phone). A million in losses a day is enough.
According to you, 500,000 bots a day and $1,000,000 in losses a day; so there is about 50 cents of potential savings per bot to pay for fixing those computers.

How much does it cost to repair the average compromised computer? For some people it's cheaper to buy a new computer than to fix the old one.

I don't believe most of the numbers published, but let's use some other people's numbers. One consulting firm estimates $2 Billion in losses a year. That results in less than $10 of savings per new bot (assuming 500,000/day) to fix the computers. If there are even more bots, the numbers just get worse.

For comparison, Cardweb's estimate of credit card fraud is about $14 Billion in 2004. Merchants are hit with about 90% of credit card fraud, and banks about 10%. CFCA's estimate for telecommunications fraud is about $55-60 Billion in 2003.

Regardless of the numbers, I think we are currently stuck in a very nasty spot:

1. Reduce the cost of fixing/protecting a computer
2. or increase the losses from compromised computers

Either way, the consumer will eventually end up paying for it.
On Thu, 25 May 2006, Sean Donelan wrote:
Regardless of the numbers, I think we are currently stuck in a very nasty spot
1. Reduce the cost of fixing/protecting a computer 2. or increase the losses from compromised computers
Either way, the consumer will eventually end up paying for it.
Systems eventually get replaced (including home ones), so to keep up the bot numbers new systems need to be able to be just as insecure and infectable as old ones. If new systems were 100% protected the number of bots should in theory start to decrease at a rate opposite to, or close to, the rate of infection. That it does not happen means that either:

1. New systems are still badly engineered as far as security, or
2. The infections are not as much a product of bad system security design as they are a result of social engineering schemes that a certain percent of users are vulnerable to.

--
William Leibzon
Elan Networks
william@elan.net
On Thu, 25 May 2006, Sean Donelan wrote:
Regardless of the numbers, I think we are currently stuck in a very nasty spot
1. Reduce the cost of fixing/protecting a computer 2. or increase the losses from compromised computers
Either way, the consumer will eventually end up paying for it.
Indeed, but even worse. The problem is moving to the user side. Regular type "fake site" phishing is going to be with us for a long time yet, but several of the organized crime groups involved are hard at work releasing Trojan horses using root kit technology daily, which basically steal your credentials to every HTTPS site you enter, and report home.

How do banks, ISP's, or whoever else defend from the problem moving to the user-side? That is a very interesting question indeed. :)

Gadi.
Gadi Evron wrote: [...]
Regular type "fake site" phishing is going to be with us for a long time yet but several of the organized crime groups involved are hard at work at released Trojan horses using root kit technology daily, which basically steals your credentials to every HTTPS site you enter, and reports home.
How do banks, ISP's, or whoever else defend from the roblem moving to the user-side? That is a very interesting question indeed. :)
Over here some banks issue customers a password token device that uses a combination of your card, a number sent by the web site and a PIN to generate a one-time password. It seems a reasonable system, and isn't really new technology.

However, while bank web site security may be on-topic for other lists I suspect it's wandering off-topic for NANOG.

Regards,

--
leo vegoda
Registration Services Manager
RIPE NCC
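The challenge-response token Leo describes, sketched as an added example (not any bank's or vendor's actual scheme): the card secret, the number sent by the site and the PIN are combined into a one-time password, and the server consumes each challenge once, so a credential-stealing trojan that captures one login gains nothing it can replay. The card secret, PIN, HMAC-SHA256 construction and 8-digit truncation are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed per-card secret; in a real deployment it lives inside the token
# hardware and never reaches the PC the trojan is running on.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def token_response(card_secret: bytes, challenge: str, pin: str, digits: int = 8) -> str:
    """Derive the one-time password from card secret, server challenge and PIN.

    HMAC-SHA256 truncated to `digits` decimal digits is an assumption of this
    example; real tokens use vendor-specific algorithms.
    """
    msg = (challenge + ":" + pin).encode()
    mac = hmac.new(card_secret, msg, hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return str(number).zfill(digits)


class BankServer:
    """Minimal server side: issue fresh challenges, verify each exactly once."""

    def __init__(self, card_secret: bytes, pin: str) -> None:
        self._secret = card_secret
        self._pin = pin
        self._outstanding: set[str] = set()

    def new_challenge(self) -> str:
        # The "number sent by the web site"; 8 hex chars shown on the login page.
        challenge = secrets.token_hex(4)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, otp: str) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired or already-consumed challenge
        # One-time: the challenge is spent whether or not the OTP is right,
        # so a captured pair cannot be retried against the same challenge.
        self._outstanding.discard(challenge)
        expected = token_response(self._secret, challenge, self._pin)
        return hmac.compare_digest(expected, otp)


def demo() -> tuple[bool, bool, bool]:
    """Legitimate login, then two replay attempts with the captured (challenge, otp)."""
    bank = BankServer(CARD_SECRET, pin="4711")

    c1 = bank.new_challenge()
    otp1 = token_response(CARD_SECRET, c1, "4711")  # computed on the token
    legit_ok = bank.verify(c1, otp1)

    # A trojan on the user's PC saw c1 and otp1 go over the wire.
    replay_same_challenge = bank.verify(c1, otp1)   # challenge already spent
    c2 = bank.new_challenge()
    replay_new_challenge = bank.verify(c2, otp1)    # HMAC input differs
    return legit_ok, replay_same_challenge, replay_new_challenge


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The stolen value is only as good as the single challenge it was computed for; what the trojan still can do is act inside the live session, which this scheme alone does not address.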
Gadi asked if I have any botnets from DA's list on SBC. Indeed, I have three suspect C&Cs on SBC and six more on ATT which I will be happy to share with you off list.

Randy
* Gadi Evron:
Ignoring is the high-road. How long are we going to cry about the Internet being a battle-ground, the wild west, or whatever else if we legitimize DDoS?
The project needs to gather supporters before they can do any real damage. Reports exposing their nefarious practices are probably the best kind of publicity they can get.
Internet IS a wild west. You should live with it. It will never be _quiet, dead American residential area, where dogs do not bark and kids do not play by themselves on streets at age of 8 (normal dogs bark, and normal kids often play by themselves when they are 8)_. It is the whole WORLD, not one country. So, we must live with it, and do not hope that it will have numerous _speed tickets_ and _police officers_ (as 90% of the people live every day, making their own decisions and protecting themselves).

It is, in fact, a very effective way to stop spammers. But it definitely became a dangerous DDOS service. So - learn how to live with it, it's the only choice. (Make sure that no single protocol or botnet can kill the whole network or deplete all resources, for example).

----- Original Message -----
From: "Gadi Evron" <ge@linuxbox.org>
To: "Florian Weimer" <fw@deneb.enyo.de>
Cc: <nanog@merit.edu>
Sent: Thursday, May 25, 2006 3:38 AM
Subject: Re: Black Frog - the botnets keep coming
participants (13): Alexei Roudnev, David Ulevitch, Eric Whitehill, Florian Weimer, Gadi Evron, Henry Linneweh, leo vegoda, Niels Bakker, RLVaughn, Robert Boyle, Sean Donelan, Valdis.Kletnieks@vt.edu, william(at)elan.net