[[ My apologies to those of you who may see this twice. I have posted the message below also to the RIPE Anti-Abuse Working Group mailing list, so any of you who are on that list also will see this twice. But I believe that it is relevant here also. ]]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Perhaps some folks here might be interested to read these two reports, the first of which is a fresh news report published just a couple of days ago, and the other one is a far more detailed investigative report that was completed some time ago now.
https://www.buzzfeednews.com/article/kenbensinger/dossier-gubarev-russian-ha...
https://www.documentcloud.org/documents/5770258-Fti.html
Please share these links widely.
The detailed technical report makes it quite abundantly clear that Webzilla, and all of its various tentacles... many of which even I didn't know about until seeing this report... most probably qualifies as, and has qualified as a "bullet proof hosting" operation for some considerable time now. As the report notes, the company has received over 400,000 complaints or reports of bad behavior, and it is not clear to me, from reading the report, if anyone at the company even bothered to read any more than a small handful of those.
I have two comments about this.
First, I am inclined to wonder aloud why anyone is even still peering with any of the several ASNs mentioned in the report. To me, the mere fact that any of these ASNs still have connectivity represents a clear and self-evident failure of "self policing" in and among the networks that comprise the Internet.
Second, it has already been a well known fact, both to me and to many others, for some years now, that Webzilla is by no means alone in the category commonly referred to as "bullet proof hosters". This fact itself raises some obvious questions.
It is clear and apparent, not only from the report linked to above, but from the continuous and years-long existence of -many- "bullet proof hosters" on the Internet that there is no shortage of a market for the services of such hosting companies. The demand for "bullet proof" services is clearly there, and it is not likely to go away any time soon. In addition to the criminal element, there are also various mischievous governments, or their agents, that will always be more than happy to pay premium prices for no-questions-asked connectivity.
So the question naturally arises: Other than de-peering by other networks, are there any other steps that can be taken to disincentivize networks from participating in this "bullet proof" market and/or to incentivize them to give a damn about their received network abuse complaints?
I have no answers for this question myself, but I felt that it was about time that someone at least posed the question.
The industry generally, and especially in the RIPE region, has a clear and evident problem that traditional "self policing" is not solving. Worse yet, it is not even discussed much, and that is allowing it to fester and worsen, over time.
It would be Good if there was some actual leadership on this issue, at least from -some- quarter. So far I have not noticed any such worth mentioning. And even looking out towards the future horizon, I don't see any arriving any time soon.
Regards, rfg
It's quite convenient to have all botnet C&Cs in several known ASNs. It would be more painful if they were spread through thousands of regular residential customers, as with fast (double) flux or peer-to-peer technologies ;) Joke. Really, there were a lot of cases where all upstreams disconnected some ASN for that type of activity. So it really works.
16.03.19 22:51, Ronald F. Guilmette wrote:
Looking at the AS adjacencies for Webzilla, what would prevent them from disconnecting all of their US/Western Euro based peers and transits, and remaining online behind a mixed selection of the largest Russian ASes? I do not think that any amount of well-researched papers and appeals to ethical ISPs on the NANOG mailing list will bring down those relationships.
The likelihood of the Russian domestic legal system implementing US/Western European court orders against bulletproof hosting companies is quite low.
On Sat, Mar 16, 2019 at 1:53 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Isn't it the case that 35415 peers with 174/3356/2914 directly, and shouldn't you just be asking those folk: "Hey, err... are you getting these complaints? Do you care about the harm?"
On Mon, Mar 18, 2019 at 12:37 AM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
Looking at the AS adjacencies for Webzilla, what would prevent them from disconnecting all of their US/Western Euro based peers and transits, and remaining online behind a mixed selection of the largest Russian ASes? I do not think that any amount of well-researched papers and appeals to ethical ISPs on the NANOG mailing list will bring down those relationships.
The likelihood of the Russian domestic legal system implementing US/Western European court orders against bulletproof hosting companies is quite low.
In message <CAB69EHiS0dAFyrUQ0ajEc3+En8+ccCVNcPaXmFvwz1CjBNQ2WA@mail.gmail.com>, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
Looking at the AS adjacencies for Webzilla, what would prevent them from disconnecting all of their US/Western Euro based peers and transits, and remaining online behind a mixed selection of the largest Russian ASes? I do not think that any amount of well-researched papers and appeals to ethical ISPs on the NANOG mailing list will bring down those relationships.
Everything you say may be correct, but I personally would feel remiss if I failed to point out the facts of this case to an audience that has it within its power to do something about the issue.
And the facts in this case could not be more plain. At best, it can only be said that Webzilla, and all of its various faces, simply doesn't care about the majority of us who just want to use the Internet in peace and security. (And that abundant lack of care seems to be the overriding message of the reports I have cited.) At worst, the company and its various nefarious customers present a clear and present danger, if not to Western democracies then perhaps just to anyone and anything that's connected to the Internet.
And all of the companies peering with the various Webzilla companies have a choice -- to support Webzilla and the harmful activities of all of its customers, many of whom have proven themselves, time and again, to be outright dangerous to the rest of us, or alternatively, to take reasonable measures, and do what they can to save themselves, their customers, and people around the world from so easily, conveniently, and inexpensively being hacked, fiddled, hoodwinked and penetrated.
So this is the question. Can Western companies really justify, to themselves, to their stockholders, and to their customers, their acts which make it easier than it has to be for the likes of Webzilla to have connectivity? Should these companies, whose profitability and mere existence rests on both the freedom and justice, such as they are, that is commonly available in Western liberal democracies... should these companies continue to support, even if only indirectly, those who would undermine that same freedom and justice on which the companies themselves depend?
And even setting aside THAT consequential question, are the long term best interests of these same Western companies best served by an Internet that is known to the public at large as a place primarily characterized by scamming, scheming, and skulduggery?
And finally, is it a persuasive argument to say that because there is crime in the world, and always has been, and likely always will be, that we, and each of us, should harbor and abet criminals simply because it is convenient for us to do so, and perhaps even profitable in the short run?
You may think me naive, but I say that the answer to each and all of these questions is a resounding "no". It shall not profit any of these companies who provide peering to Webzilla, even if they gain the whole world, if they lose their souls. Will there still be a thriving and growing market for moving bits when nobody in his or her right mind trusts the Internet anymore?
Although I am cloaking my arguments, at least to some extent, in moral and ethical terms, I do understand that such considerations are not at all likely to be persuasive when it comes to the world of commerce. That's perfectly OK, because in this instance I believe that I am also arguing in favor of enlightened self-interest. Are any of the customers of any of the companies that provide peering to Webzilla and/or its various parts and pieces better off or worse off because of that peering? I believe that sober and informed reflection on this simple question will yield the Right Answer.
In the early years of the 20th century, Vladimir Lenin, leader of the Bolshevik revolution, famously quipped to his communist colleagues that "The capitalists will sell us the rope to hang them with." His prescient words have endured even the fall of the empire he founded because they clarify a simple and fundamental truth -- in capitalist systems, short term greed often overrides both rationality and simple common sense.
My hope is that it will not be so on this occasion, and that enlightened long-term self interest will prevail, at least among those companies that are peering with any of Webzilla's ASNs.
I would be happy to see Webzilla be given no choice other than to beat a retreat, back to Russia, and to have the company seek connectivity there and only there. If the company wishes to continue either its support for, or its abject tolerance of the kind of nefarious activities documented in detail in the report I cited, then I say let them do that, let them connect only via Russia, and let the company's true allegiances be revealed for all to see. If, as now seems evident, the company wants to continue to flaunt the norms and traditions of the civilized portions of the Internet, then I don't see it as being in anyone else's best interests for Webzilla to continue to be welcomed with open arms, as they currently are, in Dallas, in Singapore, or in any other place where democracy and the rule of law still hold sway.
Regards, rfg
P.S. For those of you who missed it, I would like to suggest to you all that you google the name "Spammy Bear" and start reading. The press reports on this case arose from my determined efforts to investigate the source of a large scale set of bitcoin extortion spams, which had been sent to tens or hundreds of thousands of recipients across the United States, Canada, Australia, New Zealand, and Hong Kong on December 13th, 2018. These scam-spams informed all those who received them that there was a bomb in their building, and that the bomb would detonate if a certain bitcoin ransom wasn't paid by the end of business on that same day. In the wake of this large scale scam-spam, police, first responders, and bomb squads were called out in innumerable locations throughout all of the affected countries. Innumerable businesses, schools, hospitals, universities, and government buildings were either evacuated or put on lockdown as a reasonable precaution.
Even now, several months after the event, you can still get a sense of how widespread this event was by simply going to YouTube and searching for "bitcoin" and "bomb threat". You will then be able to see numerous local media reports from around the country describing the widespread mayhem.
I expended some considerable time and effort to try to find out who and what was the source of this massively disruptive event. Although I was not able, in the end, to find a conclusive attribution to any specific individuals, I was at least able to track down the full set of IPv4 addresses that were the likely sources of these bogus bitcoin extortion threats. And in turn, I identified the full set of ASNs that were the likely sources. (I also found out that GoDaddy had a rather serious security problem, but that is and was another story.)
Several Russian ASNs were the primary sources of these unambiguously criminal scam-spams. Also however, at least a few of the source IP addresses involved traced back to at least two different Webzilla ASNs.
I may not know for certain who the specific criminals were who sent out those bomb threat spams, but Webzilla does, or should anyway. I would be more than happy to receive that information from them, as, I'm sure, would any one of the countless law enforcement agencies that were called out, on an emergency basis, on December 13th, 2018, to investigate these bogus bomb threats. I feel sure that, like me, they too are all still hopping mad about this bogus waste of their time and resources.
That having been said, I do not anticipate that Webzilla will so easily give up their criminal customers who did this anytime soon. I invite the company to prove me wrong about this. (Not that it would make much difference to anything anyway, in the end. The actual perps who sent those scam-spams are almost certainly located in Russia, and thus, not subject to extradition, even if they were proven to be serial killers.)
P.P.S. In a simpler and less naive time, an event like the coast-to-coast wall of bomb threats that was unleashed against my country, the United States of America, on December 13th, 2018 might well have been considered an Act of War. These days, everyone just shrugs and goes back to work. It is left as an exercise for the reader to deduce which response is the more appropriate one, given the totality of present circumstances.
On 2019-03-18 23:24, Ronald F. Guilmette wrote:
In the early years of the 20th century, Vladimir Lenin, leader of the Bolshevik revolution, famously quipped to his communist colleagues that "The capitalists will sell us the rope to hang them with." His prescient words have endured even the fall of the empire he founded because they clarify a simple and fundamental truth -- in capitalist systems, short term greed often overrides both rationality and simple common sense. My hope is that it will not be so on this occasion, and that enlightened long-term self interest will prevail, at least among those companies that are peering with any of Webzilla's ASNs.
Your speech is very reminiscent of this very Lenin, who climbed on an armored car and broadcast a speech to the "worker class" and told them how bad the rich are and how to restore justice. Only instead of rich people you have "those pesky Russians", and instead of the working class, "Western democracies". But let's not get into politics too deep.
What prevents those who consider the activities of this hosting to be so harmful that they are worth blocking from filtering, and adding to their ACLs, the networks where the Webzilla AS is the origin? Or make some easy-to-use lists, an API, a BGP feed, and those who decide to participate will null-route offenders, and you will see how many people will support you. If this list is compiled carefully, then I am sure it will interest many (including me). If it turns into a political tool or a tool for extortion... then of course not.
And generally speaking, all these speeches from armored cars end with a witch hunt, and almost always entire nations or categories of people are appointed as witches, depending on the trends. Who will be next? Cloudflare? Their attempt to maintain neutrality annoys many. Amazon? They react very slowly to abuse. OVH? It seems they do not care about abuse at all. Or maybe it will come into fashion to make the guilty the legal arms sellers? Or internet stores who sell alcohol? Just create a cause for a depeering, and a lot of people with their special views will demand a depeering at every opportunity.
P.S. North Korea, as far as I know, is very limited in connectivity choice, and this does not prevent them from creating a bunch of problems. As Max Tulyev said, and they are a good example, just sprayed through countless proxies.
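The mechanical part of the suggestion above, a list of prefixes whose origin AS is on a block list that participating networks then null-route, is small enough to show end to end. The following is an added example written for this page, not code posted by any participant or published by any project: it parses a constructed, simplified routing-table dump, keeps only prefixes whose origin ASN is on a block list, refuses to touch the operator's own address space, collapses duplicate and overlapping entries, and renders IOS-style static routes to Null0. The ASNs 64496 to 64501 and the prefixes 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 10.0.0.0/8 and 2001:db8::/32 are reserved or documentation values used as placeholders; the table layout, the tag value 666 and all function names are assumptions of this example.

```python
"""Derive a null-route list from routing-table entries originated by block-listed ASNs.

Added example for this thread (not code from any participant). All inputs are
constructed: the table uses a simplified 'status prefix next-hop as-path origin'
layout, reserved ASNs (64496-64501) and documentation prefixes as placeholders.
"""
import ipaddress
import re

# Placeholder: the origin ASNs an operator has decided to drop.
BLOCKED_ORIGINS = {64496}

# Placeholder: the operator's own address space, never to be null-routed even
# if a table entry claims a blocked origin for it (a leak, hijack or typo).
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample table (simplified show-ip-bgp-like layout; the origin
# ASN is the right-most ASN before the origin code at the end of the line).
SAMPLE_TABLE = """\
*> 192.0.2.0/24        10.0.0.1  64500 64496 i
*  192.0.2.0/24        10.0.0.4  64501 64496 i
*> 198.51.100.0/24     10.0.0.2  64500 64497 64496 i
*> 198.51.100.128/25   10.0.0.1  64500 64496 i
*> 203.0.113.0/24      10.0.0.3  64500 64498 i
*> 10.9.0.0/16         10.0.0.5  64500 64496 i
*> 2001:db8::/32       fe80::1   64500 64496 i
"""

ROUTE_RE = re.compile(
    r"^\*[> ]?\s*(?P<prefix>\S+)\s+(?P<nexthop>\S+)\s+"
    r"(?P<path>(?:\d+\s+)*\d+)\s+(?P<origin>[ie?])$"
)


def parse_routes(text):
    """Return (network, as_path) tuples; lines that do not match are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        path = [int(asn) for asn in m.group("path").split()]
        routes.append((ipaddress.ip_network(m.group("prefix"), strict=False), path))
    return routes


def origin_as(path):
    """The origin ASN is the right-most ASN in the AS path."""
    return path[-1]


def is_protected(net, protected=PROTECTED):
    """True if the prefix overlaps any of the operator's own (protected) space."""
    return any(net.version == p.version and net.overlaps(p) for p in protected)


def prefixes_to_null_route(routes, blocked=BLOCKED_ORIGINS, protected=PROTECTED):
    """Prefixes originated by a blocked ASN, minus protected space, de-duplicated
    and collapsed so a /25 inside an already listed /24 does not appear twice."""
    v4, v6 = [], []
    for net, path in routes:
        if origin_as(path) not in blocked or is_protected(net, protected):
            continue
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_null_routes(prefixes, tag=666):
    """IOS-style static routes to Null0; the tag lets a route-map keep them local."""
    lines = []
    for net in prefixes:
        if net.version == 4:
            lines.append(f"ip route {net.network_address} {net.netmask} Null0 tag {tag}")
        else:
            lines.append(f"ipv6 route {net} Null0 tag {tag}")
    return lines


if __name__ == "__main__":
    for line in render_null_routes(prefixes_to_null_route(parse_routes(SAMPLE_TABLE))):
        print(line)
```

Two caveats a practitioner would want before feeding such output to a router: matching on origin AS only cannot distinguish a legitimately announced prefix from one that is hijacked or leaked with that origin, so the generated list should be reviewed, and tagged null routes must be kept out of eBGP redistribution (or the blackhole is exported to the very peers the thread is debating).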
participants (5): Christopher Morrow, Denys Fedoryshchenko, Eric Kuhnke, Max Tulyev, Ronald F. Guilmette