monkeys.dom UPL being DDOSed to death
Hi! After Osirusoft was shut down, most likely Infinite-Monkeys is going down also?? See:

[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler mimedefang@lists.roaringpenguin.com
Tue Sep 23 14:15:01 2003

Greetings to all:

I have some really sad news. I just got off the telephone with Ron Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I hate to say it, but monkeys.com has been killed. It has been DDOSed to death. Ron says that every aspect of his network is undergoing a massive DDOS attack from thousands of IPs -- apparently many/all spoofed. He has tried to get law enforcement to investigate, but to no avail. He indicated that this is probably the end of his service.

This makes two DNSBLs that have been DDOSed to death recently. Which one is next? NJABL? ORDB?

The computer security industry really needs to figure out how to get law enforcement to take these attacks seriously. It would only take a few good prosecutions to put an end to these types of attacks. Any thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the spammers have won a BIG battle. The only question now is who will be the casualty in this war?

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC USA
This is pretty sad. bye, Raymond.
On Tue, 23 Sep 2003, Raymond Dijkxhoorn wrote:
After Osirusoft was shut down, most likely Infinite-Monkeys is going down also??

Anyone SERIOUSLY interested in designing a new PTP RBL system 100% immune to DDOS, please drop me a line. By seriously, I mean those who actually want to solve the problem, not those who want to be whiny pedants.

-Dan
-- [-] Omae no subete no kichi wa ore no mono da. [-]
Raymond Dijkxhoorn wrote:
[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler mimedefang@lists.roaringpenguin.com
Tue Sep 23 14:15:01 2003

The computer security industry really needs to figure out how to get law enforcement to take these attacks seriously. It would only take a few good prosecutions to put an end to these types of attacks. Any thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the spammers have won a BIG battle. The only question now is who will be the casualty in this war?

This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd while the crime is being committed. These machines won't quiet down after the blacklists are shut down. They will keep attacking hosts.

For the US market, this is a national security issue. These systems will be exploited to cause havoc among networks of all types and sizes, governmental and commercial. Windows Update may be protected for now, but it still has limitations. It can be killed to the point of non-use. Then how will systems get patched to protect themselves from new exploits? The problem will escalate. There are many financial institutions online. Does anyone doubt that their security can be penetrated? What about DoD networks?

There are a lot of social aspects to internetworking. Changes need to be made. Power needs to be allocated appropriately. A reckoning needs to occur. All the businesses that make and spend mass amounts of money due to the Internet need to strongly consider that there won't be a product if the social ramifications are solved. Users don't want to be online and check email just to find hundreds of advertisements, pornography, and illegal material in their inbox. Users don't want to hear that they've been infected with the latest virus and can no longer be online until they fix the problem, usually resulting in money. Users don't want to hear that they can't reach site X because of some change in architecture. If the general masses get fed up with the Internet, there won't be an Internet.

Millions of dollars are easily being lost because of malicious activity on the Internet. Millions more are being lost due to differences of opinion in the governing bodies of the Internet. Is everyone so short-sighted and greedy as to not recognize that they are dying a slow financial death?

-jack
On Tue, 23 Sep 2003, Jack Bates wrote:
This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd while the crime is being committed. These machines won't quiet down after the blacklists are shut down. They will keep attacking hosts. For the US market, this is a national security issue. These systems will be exploited to cause havoc among networks of all types and sizes; governmental and commercial.
It's somewhat funny. Quite some time ago, we IRC server operators warned about this same thing, and were mostly just told to "not run IRC servers." The anti-spammers will likely just get told to "not run DNSBLs." This only works up until the point that it's YOUR service that's getting hit and people tell you to stop running it.

For several years now I've noticed a trend of technologies being used to attack IRC servers being later abused to send SPAM. First it was the open WinGates, then the misconfigured Ciscos, then the HTTP proxies. It looks like the large botnets are now being harvested by spammers to fight the anti-spammers. This is something we IRC server admins, and other high profile services like it which draw such attacks, have been dealing with for some time.

Ron, good luck with it. You're stuck between a rock and a hard place. If you down it the kiddies win again, and will feel they can bully the next guy. If you don't, your network is crippled. It's a no-win situation.

Jason
-- Jason Slagle - CCNP - CCDP
ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail
On Tue, 23 Sep 2003, Jason Slagle wrote:
It's somewhat funny. Quite some time ago, we IRC server operators warned about this same thing, and were mostly just told to "not run IRC servers."
A private IRC server with one user isn't much fun.
The anti-spammers will likely just get told to "not run DNSBLs." This only works up until the point that it's YOUR service that's getting hit and people tell you to stop running it.

A private DNSBL with one user works just fine. If whoever is behind this succeeds in "driving all the DNSBLs off the net," what they'll really do is drive them all underground. In the short term, lots of networks will lose access to the public DNSBLs they've been using. The spammers will rejoice, but that will only fuel the creation of hundreds (maybe thousands) of new private DNSBLs. Necessity is the mother of invention. Those with clue will run their own. A lot of those without will too. Some will likely even latch onto the "last snapshot" they got before the DNSBLs they were syncing went offline/private. These will, of course, get out of date and out of sync almost immediately.

Once you host a customer who turns out to be a spammer, good luck getting those IPs removed from 10000 private DNSBLs. E-mail abuse management may be the next field to really open up with job opportunities, as networks will have to contact a large portion of the internet to try to get IPs cleared from everyone's private DNSBL, most of which will be poorly documented if at all.

Just over 2 years ago, I posted a message titled "Affects of the balkanization of mail blacklisting" about how ex-MAPS users were using out-of-sync copies of the MAPS DUL after MAPS went commercial and those networks presumably lost access to the data. I guess that was just the tip of the iceberg.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
On Tue, 23 Sep 2003 18:12:11 -0400 (EDT) jlewis@lewis.org wrote:
These will, of course, get out of date and out of sync almost immediately.
one wonders how many private blocking lists still have the old aegis netblocks in them. i make it a point to date entries in my lists and periodically purge older entries that don't seem to be active spam sources anymore, but most do not, i'm afraid. if the well-run BLs are driven underground or shut down, this will ultimately lead to exactly what jon fears -- an IP space full of random, unusable "superfund sites".

cheers,
richard
-- Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Ron, good luck with it. You're stuck between a rock and a hard place. If you down it the kiddies win again, and will feel they can bully the next guy. If you don't your network is crippled. It's a no win situation.
If any of the DoS'ed-to-death RBLs really wants to get back at the spammers, it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward-to address) to maintain their own highly dynamic blacklist.

Blacklists are just one kind of filter. If we could load software that allowed us to forward spams caught by other filters into it and it maintained a DNS blacklist we could have our servers use, we wouldn't need big public RBLs; everyone doing any kind of mail volume could easily run their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a distributed problem. Resistance is NOT futile.

Geo.
On Tue, 23 Sep 2003, Geo. wrote:
If any of the DoS'ed-to-death RBLs really wants to get back at the spammers, it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward-to address) to maintain their own highly dynamic blacklist.

Already been done. http://spamikaze.nl.linux.org/

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Geo. wrote:
Blacklists are just one kind of filter. If we could load software that allowed us to forward spams caught by other filters into it and it maintained a DNS blacklist we could have our servers use, we wouldn't need big public RBLs; everyone doing any kind of mail volume could easily run their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a distributed problem.

The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is DDoS'd, it is very hard for people to get removed. Running local blacklists on common themes (such as open proxy/open relay) has the same issue. Yes, one can blacklist the site, but how do you get it delisted once the problem is fixed? I had openrbl.org in my rejections for a while so that people could find all the blacklists that they were on. Since the DDoS of openrbl, I've had to change it to my local scripts, which don't cover near what openrbl did.

-Jack

The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is DDoS'd, it is very hard for people to get removed.

There shouldn't be a need for any removal process. A server should be listed for as long as the spam continues to come from it. Once the spam stops, the blacklisting should stop as well. That is how a dynamic list SHOULD work.

Geo.
Geo. wrote:
There shouldn't be a need for any removal process. A server should be listed for as long as the spam continues to come from it. Once the spam stops, the blacklisting should stop as well. That is how a dynamic list SHOULD work.

Depends on the type of listing. Open proxies and open relays are best removed by request of the owner once they are fixed, or staled out after a retest at a later time, although retests should be few and far between (many use anything from 1-6 months). Just because spam is temporarily not coming from an insecure host does not mean that the host has been secured.

Direct spam is difficult to automatically detect, and reports are not always accurate (see SpamCop). It tends to be a very manual process. A lot of work goes into maintaining a list like SBL or SPEWS. Spam is also very transient, which makes local detection of a spammer's activities difficult. They may just be focusing on someone else for a week or two before plastering your servers again. If you removed them, they will do considerable damage before they get relisted via the manual process (delay between first email received and first recipient reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or unacceptable. Easynet, for example, lists a lot of mail senders which I accept mail for due to user demand. They consider the email spam or resource abuse (broken mailers) while I am meeting the demands of my customers who are paying to receive the email. This isn't a collateral damage issue. It is an issue of where a network decides to draw the line on accepting or rejecting email.

-Jack
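A minimal sketch of the self-maintained, dynamic private DNSBL that Geo. describes, with the dated entries Richard Welty keeps and the per-listing-type lifetimes Jack argues for (short for direct spam, long for open proxies/relays). This is an added example, not code from the thread or from spamikaze or any other project named in it; the sample reports, the zone name bl.example.local and the lifetime values are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample reports: (time reported, listing type, Received header line).
# In practice these come from spam users forward to an abuse alias; only the
# Received line added by your own MTA is trustworthy, earlier ones can be forged.
SAMPLE_REPORTS = [
    ("2003-09-23 10:00", "spam",  "Received: from mx.example.net ([192.0.2.10]) by mail.local"),
    ("2003-09-01 08:00", "spam",  "Received: from [198.51.100.7] by mail.local"),
    ("2003-08-01 08:00", "proxy", "Received: from [203.0.113.9] by mail.local"),
]
# Assumed lifetimes: direct-spam listings age out once the spam stops, open
# proxy/relay listings persist until a retest window has passed.
LIFETIME = {"spam": timedelta(days=7), "proxy": timedelta(days=90)}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_ip(received):
    """Return the connecting IPv4 address from a Received header, or None."""
    m = IP_RE.search(received)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None

def build_list(reports, now):
    """Collapse reports to {ip: (type, last_seen)}, latest report wins, and
    purge entries past their lifetime; dated entries are what makes this possible."""
    now = datetime.strptime(now, FMT)
    entries = {}
    for ts, kind, received in reports:
        ip = sender_ip(received)
        if ip is None:
            continue
        seen = datetime.strptime(ts, FMT)
        if ip not in entries or seen > entries[ip][1]:
            entries[ip] = (kind, seen)
    return {ip: v for ip, v in entries.items() if now - v[1] <= LIFETIME[v[0]]}

def zone_records(entries, zone="bl.example.local"):
    """Render DNSBL records: reversed octets under the zone, A 127.0.0.2, TXT reason."""
    lines = []
    for ip, (kind, seen) in sorted(entries.items()):
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"{rev}.{zone}. IN A 127.0.0.2")
        lines.append(f'{rev}.{zone}. IN TXT "listed as {kind} on {seen:%Y-%m-%d}"')
    return lines
```

Regenerating the zone from the dated report log on a schedule gives the no-removal-process behaviour Geo. wants for spam sources while keeping proxy listings around for the retest interval Jack describes.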