RE: Another DNS blacklist is taken down
-----Original Message----- From: Justin Shore [mailto:listuser@numbnuts.net] Sent: Wednesday, September 24, 2003 12:29 PM To: nanog@merit.edu Subject: Another DNS blacklist is taken down
I thought y'all might be interested to hear that yet another DNS blacklist has been taken down out of fear of the DDoS attacks that took down Osirusoft, Monkeys.com, and the OpenRBL. Blackholes.compu.net suffered a joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming, and they blocked mail from compu.net. Compu.net has also seen the effects of DDoS attacks on other DNS blacklist maintainers. They've decided that the risk to their actual business is too great and they are pulling the plug on their DNS blacklist before they come under the gun by spammers.
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com
Ron Guilmette, maintainer of the Monkeys.com blacklists, has posted a farewell from Monkeys.com to news.admin.net-abuse.email. Ron cites total lack of interest in the attacks by both big network providers and law enforcement authorities as the ultimate reason he's pulling the plug.
Great, just great. Wasn't there a post a while back that listed what providers are SPAM friendly? My fingers are getting tired trying to create ACL lists to block ranges of IPs without compromising my service. I wish the powers up above would buy the right software to try and curb the SPAM, but that is not to be according to them. So back to my ACLs I go!
----------------------------------------------
Joel Perez <jperez@ntera.net> | IP Engineer
http://www.ntera.net/ | Ntera 305.914.3412
http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4
It's truly a sad day for spam fighters everywhere.
So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:
http://www.msnbc.com/news/959094.asp?0cv=TB10
http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_blockers
Apparently it hasn't been enough. Legal remedies take too long and are cost prohibitive (unless you're the DoJ). Subpoenas and civil lawsuits take months if not years. Relief is needed in days if not hours.
Justin
On Wed, 24 Sep 2003, Joel Perez wrote:
Great, just great. Wasn't there a post a while back that listed what providers are SPAM friendly? My fingers are getting tired trying to create ACL lists to block ranges of IPs without compromising my service. I wish the powers up above would buy the right software to try and curb the SPAM, but that is not to be according to them.
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse. Mail admins will eventually start running their own RBLs or rejecting mail by other means locally. This distributed method creates hundreds and eventually thousands of separate points of contact for getting yourself off an RBL. I ran my own domain and netblock list in the past and I can say from experience that it is a very time-consuming process. At the time it was also extremely effective. I didn't list open relays/proxies/formmail.cgi IPs. I did however list spamming domains and providers. It caught a surprising amount of spam. It also left me with little time to do anything else. There's got to be a better way.
Justin
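The "run your own list locally" approach Justin describes above boils down to two pieces: the query-name convention a DNSBL uses (client IP octets reversed, then the list's zone, with a listed address answering from 127.0.0.0/8) and a local lookup over netblocks and domains. The following is an added example, not code from the thread or from any of the lists named in it; the zone name bl.example.invalid, the listed netblocks, domains and response codes are all constructed so that it runs offline without touching a real DNSBL.

```python
"""Local DNSBL-style lookup over a netblock and domain list (added example).

A real DNSBL is consulted by resolving <reversed-octets>.<zone>; a listing
returns an A record in 127.0.0.0/8 whose last octet encodes the reason.
Here the "zone" is an in-memory table so the logic can be exercised offline.
"""
import ipaddress

ZONE = "bl.example.invalid"  # hypothetical zone name, not a real list

# Constructed listings: CIDR -> response code that a DNSBL would return.
LISTED_NETBLOCKS = {
    "192.0.2.0/24": "127.0.0.2",     # constructed: "spam source" netblock
    "198.51.100.0/25": "127.0.0.3",  # constructed: "open relay" range
}
# Constructed domain listings (sender/HELO domains and their subdomains).
LISTED_DOMAINS = {"spam.example", "bulkmail.example"}
DOMAIN_CODE = "127.0.0.4"


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the name a mail server would resolve to check `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup_ip(ip: str):
    """Return the response code for a listed address, or None if not listed."""
    addr = ipaddress.ip_address(ip)
    for cidr, code in LISTED_NETBLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return code
    return None


def lookup_domain(domain: str):
    """Return DOMAIN_CODE if `domain` or any parent domain is listed."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in LISTED_DOMAINS:
            return DOMAIN_CODE
    return None


def smtp_verdict(client_ip: str, sender_domain: str) -> str:
    """SMTP-style reply a local policy check would produce for a connection."""
    code = lookup_ip(client_ip) or lookup_domain(sender_domain)
    if code:
        return f"550 5.7.1 Rejected: listed in {ZONE} ({code})"
    return "250 OK"


if __name__ == "__main__":
    for ip, dom in (("192.0.2.10", "mail.good.example"),
                    ("203.0.113.5", "mail.spam.example"),
                    ("203.0.113.5", "good.example")):
        print(dnsbl_query_name(ip), "->", smtp_verdict(ip, dom))
```

The per-list maintenance cost Justin mentions is visible even in this toy: every netblock and domain entry is a manual decision, and the only way off the list is to reach whoever edits the table.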
--On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore <listuser@numbnuts.net> wrote:
On Wed, 24 Sep 2003, Joel Perez wrote:
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse.
What evidence is there that spammers are the ones doing the DDoS? --- "The avalanche has already begun. It is too late for the pebbles to vote." -- Kosh
On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
--On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore <listuser@numbnuts.net> wrote:
On Wed, 24 Sep 2003, Joel Perez wrote:
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse.
What evidence is there that spammers are the ones doing the DDoS?
There is likely some conjecture here, but aside from the DNS RBLs that cause collateral damage (i.e. blacklisting large chunks of address space to cause behaviour change), who has something to gain from these DNSBLs going down?
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Jared Mauch wrote:
On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
--On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore <listuser@numbnuts.net> wrote:
On Wed, 24 Sep 2003, Joel Perez wrote:
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse.
What evidence is there that spammers are the ones doing the DDoS?
There is likely some conjecture here, but aside from the DNS RBLs that cause collateral damage (i.e. blacklisting large chunks of address space to cause behaviour change), who has something to gain from these DNSBLs going down?
Isn't that collateral damage issue enough to have angered hundreds of ISPs & end users to the point of not necessarily organizing a DDoS, but ignoring it? I think it is far _more_ likely that the DDoS came from the innocent victims fighting back rather than the spammers. Dan.
On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
Jared Mauch wrote:
On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
--On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore <listuser@numbnuts.net> wrote:
On Wed, 24 Sep 2003, Joel Perez wrote:
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse.
What evidence is there that spammers are the ones doing the DDoS?
There is likely some conjecture here, but aside from the DNS RBLs that cause collateral damage (i.e. blacklisting large chunks of address space to cause behaviour change), who has something to gain from these DNSBLs going down?
Isn't that collateral damage issue enough to have angered hundreds of ISPs & end users to the point of not necessarily organizing a DDoS, but ignoring it? I think it is far _more_ likely that the DDoS came from the innocent victims fighting back rather than the spammers.
Presently I beg to differ. (I do encourage you to prove me wrong :)
A lot of small-time people have created their own DNSBLs after MAPS(tm) closed down public access to their system, and there have been a lot of these smaller lists that could handle the query load of people that wanted to use them without problems, but once they were hit with medium to large sized DoS attacks they have decided that it's not worth the effort. I am waiting to see what happens if people move against those that are doing this as part of their business model, such as MAPS, spamcop, etc.
These people will be quite happy to call and get some of the law enforcement people to actually move, as it does pose a legitimate threat to their entire cash flow and business model. They will also be able to easily go to the media, unlike some small-time people that run the list on machines in their basements or shared-colo environments. Their providers just don't want to deal with the headache, similar to how some IRC networks have been fighting to stay alive as well.
The problem here is end-to-end accountability. It all relates back to the constant issue of patching your systems and being a good net.citizen with your upstreams, peers, etc. Security incidents continue to be on the rise, and unless people start to actually do something about them (which I know is difficult due to financial constraints that we face in the US currently, at least) and are responsive at all hours to them, things aren't going to get any better. We need the ability to trace back attacks over the course of an hour at most to be able to mitigate the risks that are posed, and filter out the true attacks from the "noise" generated by people who think they're being attacked because they're seeing p2p traffic to their machine.
I encourage people to start profiling their traffic, not by looking at netflow or other data, but by quite simple heuristics. Look at your typical bitrate and pps rates that you see on your internal and external (peering, upstream, exchange-point) links. Watch for any abnormal events, large bursts in either bps or pps.
Do this not only on your routers but on any layer-2 switches you may have as well, and you may be able to find attacks on your network or attacks sourced from your network/customers that would not have otherwise been noted. If you can find these and isolate the compromised machines sooner rather than later you will be helping the entire internet as a whole.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
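Jared's heuristic above (baseline the bps and pps on each link, then alert on large bursts in either) is simple enough to implement from plain interface counters. The block below is an added example, not code from the thread or from Jared; the counter samples are constructed to mimic ten steady 60-second polls followed by one interval where packet rate jumps roughly 12x while byte rate barely moves, the pattern a small-packet flood leaves. It also handles 32-bit counter wrap, which is the usual trap when polling older SNMP counters.

```python
"""Bursts in bps/pps from interface counters (added example, constructed data).

Intervals are flagged when bps or pps exceeds BOTH mean + k*stdev and
min_ratio*mean of the last `window` clean intervals. Flagged intervals are not
fed back into the baseline, so a sustained flood cannot become "normal".
"""
import statistics

# Constructed per-interval deltas (MB and thousands of packets per 60 s).
# Ten steady intervals (~50 Mbit/s, ~6.2k pps), then a pps spike with only a
# small byte increase: the signature of a flood of small packets.
_BYTE_DELTAS_MB = [375, 380, 370, 378, 372, 376, 374, 379, 371, 377, 384]
_PKT_DELTAS_K = [375, 380, 370, 378, 372, 376, 374, 379, 371, 377, 4500]


def build_samples():
    """Return constructed (timestamp_s, ifInOctets, ifInUcastPkts) polls."""
    samples = [(0, 0, 0)]
    t, octets, pkts = 0, 0, 0
    for mb, kp in zip(_BYTE_DELTAS_MB, _PKT_DELTAS_K):
        t += 60
        octets += mb * 1_000_000
        pkts += kp * 1_000
        samples.append((t, octets, pkts))
    return samples


def rates_from_counters(samples, counter_bits=32):
    """Convert monotonically increasing counters into (t, bps, pps) per interval.

    `counter_bits` is the width of the counter being polled; a negative delta
    is treated as a wrap of that width (Python's modulo handles the negative).
    """
    wrap = 1 << counter_bits
    rates = []
    for (t0, o0, p0), (t1, o1, p1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("timestamps must increase")
        d_oct = (o1 - o0) % wrap
        d_pkt = (p1 - p0) % wrap
        rates.append((t1, d_oct * 8 / dt, d_pkt / dt))
    return rates


def detect_bursts(rates, window=8, k=3.0, min_ratio=3.0):
    """Return alerts [{'t': ..., 'metrics': [(name, ratio_to_baseline), ...]}].

    Requiring both a z-score and a ratio test avoids alerting on tiny jitter
    when the baseline happens to be extremely flat (stdev near zero).
    """
    alerts = []
    clean = []  # (bps, pps) of intervals judged normal; baseline source
    for t, bps, pps in rates:
        if len(clean) >= window:
            base = clean[-window:]
            flagged = []
            for name, value, series in (
                ("bps", bps, [b for b, _ in base]),
                ("pps", pps, [p for _, p in base]),
            ):
                mean = statistics.fmean(series)
                sd = statistics.stdev(series)
                if value > mean + k * sd and value > min_ratio * mean:
                    flagged.append((name, value / mean))
            if flagged:
                alerts.append({"t": t, "metrics": flagged})
                continue  # do not let an attack interval poison the baseline
        clean.append((bps, pps))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(rates_from_counters(build_samples())):
        for name, ratio in alert["metrics"]:
            print(f"t={alert['t']}s {name} is {ratio:.1f}x the baseline")
```

In practice the samples come from SNMP polling of each router port and, as Jared says, each layer-2 switch port, and `k`, `min_ratio` and `window` are tuned per link; the constructed data shows why pps deserves its own threshold, since here the byte rate alone never crosses it.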
At 01:49 PM 29/09/2003, Jared Mauch wrote:
On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
Isn't that collateral damage issue enough to have angered hundreds of ISPs & end users to the point of not necessarily organizing a DDoS, but ignoring it? I think it is far _more_ likely that the DDoS came from the innocent victims fighting back rather than the spammers.
Presently I beg to differ. (I do encourage you to prove me wrong :)
Especially in the case of SPAMHAUS, they were no XRBL. What networks were really listed as collateral damage? I don't see how willtel was an innocent bystander either in the previous case.
---Mike
Jared Mauch wrote:
On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
Jared Mauch wrote:
On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
--On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore <listuser@numbnuts.net> wrote:
On Wed, 24 Sep 2003, Joel Perez wrote:
So back to my ACL's I go!
This is one of the most likely things to happen. DNS RBLs are effective. Otherwise spammers wouldn't be targeting them for abuse.
What evidence is there that spammers are the ones doing the DDoS?
There is likely some conjecture here, but aside from the DNS RBLs that cause collateral damage (i.e. blacklisting large chunks of address space to cause behaviour change), who has something to gain from these DNSBLs going down?
Isn't that collateral damage issue enough to have angered hundreds of ISPs & end users to the point of not necessarily organizing a DDoS, but ignoring it? I think it is far _more_ likely that the DDoS came from the innocent victims fighting back rather than the spammers.
Presently I beg to differ. (I do encourage you to prove me wrong :)
A lot of small-time people have created their own DNSBLs after MAPS(tm) closed down public access to their system, and there have been a lot of these smaller lists that could handle the query load of people that wanted to use them without problems, but once they were hit with medium to large sized DoS attacks they have decided that it's not worth the effort. I am waiting to see what happens if people move against those that are doing this as part of their business model, such as MAPS, spamcop, etc.
These people will be quite happy to call and get some of the law enforcement people to actually move, as it does pose a legitimate threat to their entire cash flow and business model. They will also be able to easily go to the media, unlike some small-time people that run the list on machines in their basements or shared-colo environments. Their providers just don't want to deal with the headache, similar to how some IRC networks have been fighting to stay alive as well.
The problem here is end-to-end accountability. It all relates back to the constant issue of patching your systems and being a good net.citizen with your upstreams, peers, etc. Security incidents continue to be on the rise, and unless people start to actually do something about them (which I know is difficult due to financial constraints that we face in the US currently, at least) and are responsive at all hours to them, things aren't going to get any better. We need the ability to trace back attacks over the course of an hour at most to be able to mitigate the risks that are posed, and filter out the true attacks from the "noise" generated by people who think they're being attacked because they're seeing p2p traffic to their machine.
I encourage people to start profiling their traffic, not by looking at netflow or other data, but by quite simple heuristics. Look at your typical bitrate and pps rates that you see on your internal and external (peering, upstream, exchange-point) links. Watch for any abnormal events, large bursts in either bps or pps.
Do this not only on your routers but on any layer-2 switches you may have as well, and you may be able to find attacks on your network or attacks sourced from your network/customers that would not have otherwise been noted. If you can find these and isolate the compromised machines sooner rather than later you will be helping the entire internet as a whole.
I agree with you wholeheartedly. Malicious attacks deserve severe consequences, and all ISPs need to set themselves up to be able to deal with them more quickly and effectively. We have had problems with these sorts of things in the past. We have done all sorts of neat stuff including sending alarms if traffic trends change drastically, blackhole routing, etc. etc. That's a whole separate discussion, in my opinion.
These BLs that leveraged their "wild west" style, unaccountable vigilante justice by inflicting "collateral damage" on thousands of innocent victims got their karma back. I think it's a cop out to think that it was the spammers themselves who did this. Spammers are not smart enough to do things like that... They are just money-grubbing sleaze bags that play the numbers game. It is uneconomic for them to use resources to organize a DDoS. A DDoS is an act of passion, not an act of dollars and cents, which is how the spammers work.
Dan.
:s wrap 80-columns
On Mon, Sep 29, 2003 at 02:04:45PM -0400, Dan Armstrong wrote:
I agree with you wholeheartedly. Malicious attacks deserve severe consequences, and all ISPs need to set themselves up to be able to deal with them more quickly and effectively. We have had problems with these sorts of things in the past. We have done all sorts of neat stuff including sending alarms if traffic trends change drastically, blackhole routing, etc. etc. That's a whole separate discussion, in my opinion.
These BLs that leveraged their "wild west" style, unaccountable vigilante justice by inflicting "collateral damage" on thousands of innocent victims got their karma back. I think it's a cop out to think that it was the spammers themselves who did this. Spammers are not smart enough to do things like that... They are just money-grubbing sleaze bags that play the numbers game. It is uneconomic for them to use resources to organize a DDoS. A DDoS is an act of passion, not an act of dollars and cents, which is how the spammers work.
I think you misjudge the skill of the spammers. The fact that they are taking such actions as compromising machines, using wireless links to do their spamming from, and finding other interesting ways to leak their spam out onto the networks is something that requires more skill than the average computer user out there has.
The NYT had a good article over the weekend that describes the techniques and skills of some of these spammers. See here (free reg, or find the news.google link ...): http://www.nytimes.com/2003/09/28/magazine/28SPAMLT.html
You're making a clear mistake in underestimating the skills of these people. While they may not be able to do it, these are people who have been fighting the DNSBLs, filtering, SpamAssassin, bayesian filters and other such systems for years that are attempting to mitigate the loss in the number of deliveries they can perform on a daily basis. There is some skill required for these people to realize that there are minor ways to tweak your text to get past filters, and to understand how these filters work...
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
[at the risk of angering the moderator, quite rightly since this thread is bordering on OT - apologies moderator!]
At 14:04 -0400 (GMT) 29/9/03, Dan Armstrong wrote:
These BLs that leveraged their "wild west" style, unaccountable [rant probably directed at 'spews' snipped] I think it's a cop out to think that it was the spammers themselves who did this. Spammers are not smart enough to do things like that...
Ehm, we actually have proof the spammers are doing the DDoS, at least against Spamhaus. We can even see the spammer doing it on his IRC channel; we know how many zombies he's controlling, where they are, where he's connected from and even his aliases and account names. We have enough on him to put the Feds at his door ...should the Feds ever get interested.
MessageLabs have also compared the long list of servers participating in the DDoS against Spamhaus with their database of known virus-infected hosts. The test came back today showing that almost all the hosts attacking Spamhaus have been recently identified by MessageLabs as being infected with the Fizzer worm. We had in fact also been wondering if, as well as being responsible for sending SoBig, the spammers might be responsible for other viruses as well. In particular we wondered how so many spammers were now hosting their spamvertised web sites on rapidly-appearing zombies all over the net; that answered that too, since the summary of Fizzer (one of the most widespread viruses in the world) is:
Fizzer is a complex e-mail worm that appeared on May 8, 2003. The worm can spread itself in e-mails and in the Kazaa P2P (peer-to-peer) file-sharing network. The Fizzer worm contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing Trojan (uses external keylogger DLL), an HTTP server and other components. The worm has the functionality to kill the tasks of certain anti-virus programs. Additionally, the worm has automatic updating capabilities.
The world has to wake up to the fact that spammers are no longer stupid; there's a lot of money to be made spamming, so crackers and script kiddies have joined them. We've had open relays, we've had open proxies; the future of mass spamming is by way of ever-more-powerful viruses.
-- Steve Linford The Spamhaus Project http://www.spamhaus.org