RE: How many backbones here are filtering the makelovenotspam screensaver site?
-----Original Message----- From: Florian Weimer [mailto:fw@deneb.enyo.de] Sent: Thursday, December 02, 2004 2:01 PM To: Brett Cc: Hannigan, Martin; nanog list Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves.
The site that is being blackholed isn't on their network, AFAICS.
Actually, I think this is an ingenious PR campaign, but it probably doesn't work the way it was conceived, though I believe that the net outcome for Lycos will be utterly positive.
Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote. -M<
On Thu, 2 Dec 2004, Hannigan, Martin wrote:
-----Original Message----- From: Florian Weimer [mailto:fw@deneb.enyo.de] Sent: Thursday, December 02, 2004 2:01 PM To: Brett Cc: Hannigan, Martin; nanog list Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves.
The site that is being blackholed isn't on their network, AFAICS.
Actually, I think this is an ingenious PR campaign, but it probably doesn't work the way it was conceived, though I believe that the net outcome for Lycos will be utterly positive.
Possibly. What will happen if the Lycos botnet gets hijacked?
to expand on this point, since it seems the screensaver pulls a list which is basically the "top newly spammed URL's" from spamcop (and possibly other places), what if the owners of the domains being 'attacked' were to point their DNS at a new ip? or set of ips? They can now control the 'bots' instead of lycos doing the controlling. I'm also concerned that lycos is claiming: "to only use 95% of the bandwidth the site has". How is that determined by lycos? Do they call each upstream and get verifiable info about the bandwidth toward the site(s) in question? Do they measure each client's output capability (and input capability) to ensure that 100 machines really equals 1.2mbps on a t1 ? There are so many holes in their 'plan', never mind the 'vigilante' parts of it which are horridly distasteful... Lycos has engineered a botnet just like any 14 year old kiddie does nightly, they just did it more publicly and under the guise of 'being helpful'. It's utterly irresponsible of them to promote this activity. -Chris
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
Possibly. What will happen if the Lycos botnet gets hijacked?
The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
Steve
[1] http://newpaper.asia1.com.sg/top/story/0,4136,67698-1,00.html "There may be millions of such PCs around and they can be rented for as little as US$100 ($176)-per-hour."
http://www.messagelabs.com/emailthreats/intelligence/reports/monthlies/Octob... "Some estimates have suggested a botnet in excess of tens of thousands of computers." [per virus outbreak]
http://www.usatoday.com/tech/news/computersecurity/2004-07-07-zombie-pimps_x... "Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money," a source in Scotland Yard's computer crime unit told Reuters.
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=6&issue=43#315 "CipherTrust recently published research claiming that all phishing attacks on the Internet are conducted with the use of one of five zombie networks, or botnets. Each botnet comprises roughly 1,000 PCs. In addition, the research shows that 70% of zombie PCs are also used to send spam."
http://news.zdnet.co.uk/internet/security/0,39020375,39167561,00.htm "Linford said that every week more than 100,000 PCs are recruited into botnets without the owner's knowledge. "A botnet is a collection of -- usually -- Windows-based PCs that have been stealthily taken over by malware. Users have no idea that their computer has been corrupted."
[2] the CBL, for example, currently lists 1.1M, and (here, anyway) only blocks around 15-25% of our incoming spam. I've seen round robin attacks of upwards of fifty bots at a time (same timeframe, sender, and target, from multiple hosts in multiple countries/ISPs/networks) whereas suspected zombies account for 35-45% of all inbound spam delivery attempts here.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
On Thu, 2 Dec 2004, Steven Champeon wrote:
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
Possibly. What will happen if the Lycos botnet gets hijacked?
The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
You mean, like the existing botnets we already know exist but are already under the control of spammers?
What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought. arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself. -Chris
on Thu, Dec 02, 2004 at 08:58:03PM +0000, Christopher L. Morrow wrote:
On Thu, 2 Dec 2004, Steven Champeon wrote:
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
Possibly. What will happen if the Lycos botnet gets hijacked?
The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
You mean, like the existing botnets we already know exist but are already under the control of spammers?
What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought.
I agree. I also think it's up to the companies providing the Internet connectivity to the non-Lycos-"owned" botnets to prevent such activity from affecting others.
arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself.
I couldn't agree more that vigilantism isn't the answer. My earlier remarks were directed to the shock and awe evident in the possibility that - via Lycos - there might be, heaven forbid, /large numbers of computers under the control of spammers, that could be used in spamming and abuse/. All I was pointing out was that, surprise, surprise, there already are. So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
On Thu 02 Dec 2004 (16:14 -0500), Steven Champeon wrote:
All I was pointing out was that, surprise, surprise, there already are. So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/.
Well, if I don't have one now, I could build my own botnet, which takes time and exposes significant risk over a lot of sites as I try to acquire them, or I could look at one site which, if I can compromise it, gives me instant access to a huge botnet. There are lots of places in the world where people/companies store dangerous waste. Some of these dumps are huge, most are small, all are dangerous. Now I read that someone who certainly ought to know better has decided to make yet another of the huge waste dumps, but that's apparently OK, because they exist anyway. -- Jim Segrave jes@nl.demon.net
On Thu 02 Dec 2004 (15:21 -0500), Steven Champeon wrote:
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
Possibly. What will happen if the Lycos botnet gets hijacked?
The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
You mean, like the existing botnets we already know exist but are already under the control of spammers?
What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
Some people regard what's being done with this system as being on exactly the same level as any other cracker's work. Look up vigilante some time and consider carefully whether or not this is applicable. -- Jim Segrave jes@nl.demon.net
participants (4)
- Christopher L. Morrow
- Hannigan, Martin
- Jim Segrave
- Steven Champeon