Re: Destructive botnet originating from Japan
What's nsp-sec?

-----Original Message-----
From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
Sent: Sun Dec 25 04:25:15 2005
To: Gadi Evron
Cc: Rob Thomas; NANOG
Subject: Re: Destructive botnet originating from Japan

On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
Could have told you that a long time ago. NSP-SEC became useless the day it became so bogged down in its own self-aggrandizing paranoia that no one could possibly be bothered to actually tell anyone outside of the secret handshake club about security issues they've spotted.

On the other hand, if you ARE going to sit around pissing and moaning about botnets you are too "sekure" to tell anyone else about, thus assuring they never get fixed, at least it's nice to do it in one secret place so I don't have to hear it. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
The first rule of nsp-sec is, you do not talk about nsp-sec
The second rule of nsp-sec is, you DO NOT talk about nsp-sec

Rubens

On 12/25/05, Hannigan, Martin <hannigan@verisign.com> wrote:
What's nsp-sec?
-----Original Message-----
From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
Sent: Sun Dec 25 04:25:15 2005
To: Gadi Evron
Cc: Rob Thomas; NANOG
Subject: Re: Destructive botnet originating from Japan
On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
Could have told you that a long time ago. NSP-SEC became useless the day it became so bogged down in its own self-aggrandizing paranoia that no one could possibly be bothered to actually tell anyone outside of the secret handshake club about security issues they've spotted.
On the other hand, if you ARE going to sit around pissing and moaning about botnets you are too "sekure" to tell anyone else about, thus assuring they never get fixed, at least it's nice to do it in one secret place so I don't have to hear it. :)
-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
The first rule of nsp-sec is, you do not talk about nsp-sec
The second rule of nsp-sec is, you DO NOT talk about nsp-sec
https://puck.nether.net/mailman/listinfo/nsp-security

There's nothing secret about the existence or purpose of the list.

I don't know enough about Barrett to guess as to whether or not he'd qualify.

Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this. If you want to send out a list of IPs suspected of being bots, or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.

http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (unix bots) it's not as likely, but typical windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot "recently" is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
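The workflow Jon describes (run the IPs through the bulk whois server, sort numerically by ASN, give an exact GMT timestamp per IP) as an added Python example. This is not code from the thread or from any participant's tooling. The begin/verbose/end request shape and the pipe-separated response layout are my recollection of the Team Cymru bulk whois service and should be treated as assumptions; the response text below is constructed rather than fetched, and the addresses are documentation ranges.

```python
"""Turn raw suspected-bot sightings into an ASN-sorted report with exact GMT
timestamps, following the advice in Jon Lewis's message.

Added example, not from the thread. The bulk-whois request and response
layouts are assumptions about the Team Cymru service; the response text is a
constructed stand-in, nothing is queried live.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed input: "IP  local-timestamp  utc-offset", as a sensor might log it.
RAW_SIGHTINGS = """\
203.0.113.77   2005-12-25T02:30:45 +0900
198.51.100.9   2005-12-24T21:15:00 -0500
203.0.113.80   2005-12-25T02:31:10 +0900
192.0.2.200    2005-12-25T01:00:00 +0000
198.51.100.9   2005-12-24T23:40:00 -0500
"""

# Constructed response in the pipe-separated verbose layout (assumed):
# AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
CONSTRUCTED_WHOIS_RESPONSE = """\
Bulk mode; whois.cymru.com [2005-12-25 12:00:00 +0000]
64512   | 203.0.113.77     | 203.0.113.0/24    | JP | apnic | 2001-01-01 | EXAMPLE-JP-NET
64512   | 203.0.113.80     | 203.0.113.0/24    | JP | apnic | 2001-01-01 | EXAMPLE-JP-NET
64499   | 198.51.100.9     | 198.51.100.0/24   | US | arin  | 2002-05-05 | EXAMPLE-US-DIALPOOL
NA      | 192.0.2.200      | NA                | NA | NA    | NA         | NA
"""


def build_bulk_query(ips):
    """Text sent to the bulk whois server: begin / verbose / IPs / end (assumed layout)."""
    return "begin\nverbose\n" + "\n".join(sorted(set(ips))) + "\nend\n"


def parse_whois_response(text):
    """Map IP -> (asn or None, AS name). Lines without '|' are banner text."""
    mapping = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        fields = [f.strip() for f in line.split("|")]
        asn = int(fields[0]) if fields[0].isdigit() else None   # 'NA' = not routed
        mapping[fields[1]] = (asn, fields[-1])
    return mapping


def parse_sightings(raw):
    """Return (ip, datetime in UTC) pairs; offsets like +0900 are normalised away."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ip, stamp, offset = line.split()
        sign = -1 if offset[0] == "-" else 1
        tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))
        local = datetime.fromisoformat(stamp).replace(tzinfo=tz)
        rows.append((ip, local.astimezone(timezone.utc)))
    return rows


def report_rows(raw, whois):
    """(asn, ip, 'YYYY-MM-DD HH:MM:SS', as_name) tuples: ASNs numeric ascending,
    unrouted addresses last, one row per sighting so dynamic-pool reuse stays visible."""
    grouped = defaultdict(list)
    for ip, seen in parse_sightings(raw):
        asn, name = whois.get(ip, (None, "UNKNOWN"))
        grouped[(asn, name)].append((ip, seen))
    rows = []
    for asn, name in sorted(grouped, key=lambda k: (k[0] is None, k[0] or 0)):
        for ip, seen in sorted(grouped[(asn, name)]):
            rows.append((asn, ip, seen.strftime("%Y-%m-%d %H:%M:%S"), name))
    return rows


def format_report(rows):
    """One text line per row, so an operator can grep the report for AS<number>."""
    return [f"AS{str(asn) if asn is not None else '?':<7} {ip:<16} {seen} GMT  {name}"
            for asn, ip, seen, name in rows]


if __name__ == "__main__":
    print(build_bulk_query(ip for ip, _ in parse_sightings(RAW_SIGHTINGS)))
    whois = parse_whois_response(CONSTRUCTED_WHOIS_RESPONSE)
    for line in format_report(report_rows(RAW_SIGHTINGS, whois)):
        print(line)
```

The report keeps every sighting rather than collapsing to unique IPs, which is the point of Jon's dial-pool remark: the same address can belong to different subscribers an hour apart, so only the exact UTC time lets the operator tie it to a session.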
I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone. Cleaning up lists is rather painful for me in that situation. I'm pretty sure Rob Thomas cleaned up the list and added it to Team Cymru's stuff.

As a side note, I did apply to nsp-sec a while back and I was told to do something like download SNORT or join a snort discussion list. I thought that was pretty telling. I run into a lot of information daily and this was messy enough for me to post to NANOG about it. I was just trying to do the right thing.

If the right thing is to post this information to a more private list, then I would do so. However, I think it has been beneficial to get this information out to the public where they can actually do something about it. I've been getting emails from a lot of people thanking me for the posts because they were able to identify a lot of messy traffic on their network and put an end to it. Posting information like this to a private list may not have accomplished much. I think the data should most certainly go on the Team Cymru list, but why not to a large public forum, putting it in the faces of the people that are responsible?

This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients. I'm not a lawyer but I would assume that tort liability law could apply and find someone liable for allowing their machine to DDoS people. There is no precedent for this, but maybe a few lawsuits could set one? I'm not saying I (Prolexic) would do this, but if someone sued the owners of the machines in civil court and won, maybe that would put a hell of a lot more pressure on people that run a dirty network or machine. It may place responsibility on some of these people that say, "we don't care what our users do". Have bots? Go to court... I'm really interested in comments on this, has anyone tried?

-Barrett

On Dec 25, 2005, at 2:36 PM, Jon Lewis wrote:
On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
The first rule of nsp-sec is, you do not talk about nsp-sec
The second rule of nsp-sec is, you DO NOT talk about nsp-sec
https://puck.nether.net/mailman/listinfo/nsp-security
There's nothing secret about the existence or purpose of the list.
I don't know enough about Barrett to guess as to whether or not he'd qualify.
Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this. If you want to send out a list of IPs suspected of being bots, or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.
http://www.cymru.com/BGP/whois.html
Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.
It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (unix bots) it's not as likely, but typical windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot "recently" is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Hi, NANOGers.

] I think the data should most certainly go on the Team Cymru list...

Just a point of clarification: There is no "Team Cymru list." There are lots of public and private lists, and none of them belong solely to Team Cymru (well, OK, there is bogon-announce, but...).

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone.
What's vacation? I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?
If the right thing is to post this information to a more private list, then I would do so. However, I think it has been beneficial to get this information out to the public where they can actually do something about it. I've been
I didn't say nanog wasn't a good place to post the info...or that there aren't better places. Just that if you want people to take action based on the data, present it in a more reader-friendly and meaningful format. Also, mixing IPs and PTRs in such a report is not a great idea. I actually did scan through the message looking for any of my prefixes and $work's primary domain name. If there was a PTR for some customer of ours in their own domain, I didn't see it, but I also didn't look for it. Posting data by ASN/IP totally avoids that issue and makes looking for your ASN(s) trivial.
getting emails from a lot of people thanking me for the posts because they were able to identify a lot of messy traffic on their network and put an end to it. Posting information like this to a private list may not have accomplished much.
I don't see a problem with posting it to both or as many appropriate lists as you can find. Nanog is kind of geo-specific though. Other lists might have much broader representation from the entire internet.
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients. I'm not a lawyer but I would assume that tort liability law could apply and find someone liable for allowing their machine to DDoS people.
IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are "stolen" or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them. I doubt you'll get anywhere trying to make an example of someone who's system was hacked or even just "used improperly". I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Dec 25, 2005, at 7:21 PM, Jon Lewis wrote:
On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone.
What's vacation?
I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?
There are special considerations that should be taken while posting public data, so I take responsibility for public postings. Our team makes sure everything else is running as usual. In the future I would like to formulate an internal policy and structure that helps us correctly post data on public forums without my involvement.
IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are "stolen" or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them. I doubt you'll get anywhere trying to make an example of someone who's system was hacked or even just "used improperly". I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.
If they have had notice about the problem and that the problem may damage or cause harm to others, then the question is: did they act as a reasonable service provider? If they failed to act as a reasonable service provider to the compromised machine, then they are negligent.

In your car situation, if you know your car has been stolen, or if you have the ability to prevent it, then you could possibly be negligent. If you left a car with the engine running and the keys in it, and you left it in a grammar school playground and your example happens, you are negligent.

If we contact an ISP and tell them about a machine that is causing harm, and we provide correct documentation, and they choose to do nothing about it, I would say they are a negligent ISP and could be open for litigation.

We have a couple of huge bank customers; they refused to use any mitigation methods that involve syn-cookies because of the liability that causes. They were so concerned that a SYN flood would be relayed off a syn-cookie "guard" and be used to attack a competitor as well. Their legal teams refused to take the liability because that case would have had to be settled for a huge sum of money. As a result they looked for solutions that do not use syn-cookies to defend against syn floods.

If an ISP knew they could be found negligent then the community that uses Arbor and other techniques to detect inbound attacks may use it to detect and stop outbound attacks as well. I think it would raise the bar of responsibility and responsiveness. Otherwise, we will just sit and bitch about problems until there is a better protocol than the old one we use now.

-Barrett
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.

But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
-- 
Dave Pooser
Manager of Information Services
Alford Media  http://www.alfordmedia.com
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.

First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.

There are two somewhat interesting metaphors that explain contradicting views:

1. The gun owner: If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail.

If your gun is used in a crime such as, say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").

2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.

Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.

Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.

I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.

One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority on rape or murder.

Gadi.
If the gun seller is selling guns to people he knows are murderers, or is told to stop selling guns to known murderers, then what would you say? I would say the gun seller is negligent. Likewise, if an ISP is told about a problem machine/user then (as much as the ISP folks here would hate to admit it) the ISP is negligent. I think it would be a pretty easy case to prove negligence if you have legally recorded phone calls to the ISP reporting the bot, email history of conversations reporting the bot, and proof of the bot attacking you.

-Barrett

On Dec 26, 2005, at 4:58 AM, Gadi Evron wrote:
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.
First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
There are two somewhat interesting metaphors that explain contradicting views:

1. The gun owner: If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail.

If your gun is used in a crime such as, say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").

2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.

Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.
Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.
I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.
One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority on rape or murder.
Gadi.
Gadi Evron wrote:
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.
First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
There are two somewhat interesting metaphors that explain contradicting views:

1. The gun owner: If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail.

If your gun is used in a crime such as, say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").

2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.

Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.
Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.
I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.
One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority on rape or murder.
Gadi.
Take a car for example. Somebody is stealing your car. He gets photographed crossing a red traffic light and there is an accident. You don't get punished for the red traffic light but you still have to pay for the accident.

Peter and Karin

-- 
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
At 07:58 AM 12/26/2005, Gadi Evron wrote:
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.
First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
Bringing the discussion back to networking and away from gun issues, the question of liability for negligence in network operations is not new. There was discussion of this issue back when smurf attacks were common, networks were generally not doing ingress filtering (though many still are not) and many innocent third parties were being attacked (Schwab, Yahoo, others all in one week as I recall). At the time there was concern over suing folks, though in many cases there was a strong case. Network operators continued to resist filtering despite being aware their own networks were being used to attack others. To my knowledge, BCP38 has not been cited in a court proceeding. If you think it's OK to hold hosting providers at fault for negligence, network operators should be prepared to defend their own actions (or inaction) regarding any known or anticipated threats as well.
What's nsp-sec?

A bot chasers' list.

...... Original Message .......
On Sun, 25 Dec 2005 15:03:18 -0500 "Hannigan, Martin" <hannigan@verisign.com> wrote:
What's nsp-sec?
randy
___
sent from a handheld, so even more terse than usual :-)
participants (11)

- Barrett G. Lyon
- Barrett G.Lyon
- Daniel Senie
- Dave Pooser
- Gadi Evron
- Hannigan, Martin
- Jon Lewis
- Peter Dambier
- Randy Bush
- Rob Thomas
- Rubens Kuhl Jr.