Slashdot Mirror


Internet Providers Band Together to Fight Evil

toadlife writes "A group of prominent Internet providers are teaming up with the security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of Arbor Networks' Peakflow SP Internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share Internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"

12 of 116 comments

  1. "Evil"? by Markus+Persson · Score: 5, Insightful

    DDOS attacks? BitTorrent traffic? Spam email? Slashdotting? Seems a bit too vague to be good.

    --
    If the cat can't experience its own death, nothing will ever kill you. (No, really!)
    1. Re:"Evil"? by KiloByte · Score: 4, Insightful

      Uh oh.
      If I read this correctly, if you take part in a DDOS attack, also known as "Slashdotting", it takes just a single trigger-happy sysadmin somewhere on the way to knock you and the rest of us off the participating networks.

      The article is pretty vague, and if I read correctly, there _is_ a human factor involved. Of course, humans are better than machines at telling apart a bona-fide Slashdotting (beh, a "bona-fide" DDOS attack :p ) from something that's meant just to destroy.

      However, our bona-fide attack just took their server down. We're entering a gray area here: is it still a legitimate flash crowd? It's often hard to tell. The problem is, until today, the one who used to lose was the affected server. If enough backbone ISPs join this alliance, it will be us getting hurt by the collateral damage.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:"Evil"? by Woy · Score: 2, Insightful

      How long until "evil" means usage of p2p protocols? Legal, illegal, that'll be too much work to figure out. Any central point from which everyone's connectivity depends is a potential point of failure, and it will be compromised, either technically or legally and turned against, well, us. If we come to depend on it, it will be a matter of when, not if.

      --
      "If God created us in his own image we have more than reciprocated." - Voltaire
  2. Re:Fighting evil!? by Lshmael · Score: 3, Insightful

    Last I looked, Google was not an Internet provider. Even more damning to your case, none of the three companies you mentioned seem to be included in the alliance.

  3. Re:"It sounds a bit like Razor, doesn't it?" by mboverload · Score: 2, Insightful

    But SkyNet was evil, remember?

    Since it is run by humans it must be totally innocent and for the benefit of the human race in general, right?

  4. Automatic upstream firewalling by NoMercy · Score: 3, Insightful

    Subject says it all, and it's pretty much all I want: an automated system whereby, if I say I don't want to receive ICMP messages for the next hour, my ISP firewalls them off.

    A similar system could be employed by the ISP to inform the backbone to stop sending them specific types of packet for a while, and maybe evolved so that backbones can tell large ISPs to filter some of their customers from sending packets at a specific target.

  5. Re:Interesting Idea by 99BottlesOfBeerInMyF · Score: 2, Insightful

    As for revealing competitive information, I don't care about revealing anything these bastards could have; you know, they keep pissing people off, so why have any consideration??

    Keeping the information non-specific protects ISPs sharing fingerprints from any privacy concerns or laws and also from giving out too much information about their own network to possible competitors. Think traffic jump X on ports Y and Z, through border router Q, with additional criteria A, B, C. It describes a type of traffic and calls it DDoS or Nimda Worm.

    When another service provider connected to border router Q sees the same type of traffic they know what it is already and have a bigger picture of the event.
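
The kind of non-specific fingerprint the comment above describes, as an added worked example (this is illustration code written for this thread, not Arbor's Peakflow SP or the alliance's actual exchange format, which the article does not show). The flow records, the border router name "Q", the thresholds and the DDoS label are all constructed. The fingerprint carries only aggregates (router, ports, byte-rate jump, a source count) and a final check refuses to export anything containing an IPv4 address:

```python
"""Added example: build a shareable, non-specific traffic fingerprint.

Illustration code written for this thread, not Arbor's Peakflow SP or the
Fingerprint Sharing Alliance's format (neither is shown in the article).
Flow records, thresholds and the router name "Q" are constructed.
"""
import json
import re
from collections import Counter


def build_flows():
    """Constructed flow records: (second, border_router, src, dst, dst_port, bytes)."""
    flows = []
    # Baseline minute: three clients, modest volume, one record every 5 seconds.
    for t in range(0, 60, 5):
        flows.append((t, "Q", "10.0.0.1", "192.0.2.10", 80, 1500))
        flows.append((t, "Q", "10.0.0.2", "192.0.2.10", 443, 2000))
        flows.append((t, "Q", "10.0.0.3", "192.0.2.20", 25, 800))
    # Attack minute: ten sources hammer ports 80 and 53 of one host every second,
    # while the legitimate 443 client carries on exactly as before.
    for t in range(60, 120):
        for i in range(10):
            flows.append((t, "Q", f"198.51.100.{i}", "192.0.2.10", 80, 60000))
            flows.append((t, "Q", f"198.51.100.{i}", "192.0.2.10", 53, 1500))
        if t % 5 == 0:
            flows.append((t, "Q", "10.0.0.2", "192.0.2.10", 443, 2000))
    return flows


FLOWS = build_flows()


def port_volume(flows, router, window):
    """Bytes per destination port seen at one border router during [t0, t1)."""
    t0, t1 = window
    vol = Counter()
    for t, r, _src, _dst, dport, nbytes in flows:
        if r == router and t0 <= t < t1:
            vol[dport] += nbytes
    return vol


def fingerprint(flows, router, baseline, window,
                factor=5.0, min_bytes=100_000, floor_rate=100.0):
    """Describe a traffic jump at a router without naming any address.

    A port is "hot" when its byte rate in the window is at least `factor`
    times its baseline rate (baseline rates under `floor_rate` B/s are
    raised to `floor_rate`, so an idle port cannot yield an infinite ratio)
    and the window carried at least `min_bytes` on that port.
    Returns None when nothing is hot.
    """
    base = port_volume(flows, router, baseline)
    cur = port_volume(flows, router, window)
    base_secs = baseline[1] - baseline[0]
    win_secs = window[1] - window[0]
    jump = {}
    for port, nbytes in cur.items():
        rate = nbytes / win_secs
        base_rate = max(base.get(port, 0) / base_secs, floor_rate)
        ratio = rate / base_rate
        if nbytes >= min_bytes and ratio >= factor:
            jump[port] = round(ratio, 1)
    if not jump:
        return None
    # Only aggregates leave the box: the router, the ports, the jump ratios,
    # and how many distinct sources took part. No addresses.
    t0, t1 = window
    sources = {src for t, r, src, _dst, dport, _b in flows
               if r == router and t0 <= t < t1 and dport in jump}
    return {"router": router, "ports": sorted(jump), "jump": jump,
            "sources": len(sources), "window": list(window), "label": "DDoS"}


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def shareable(fp):
    """Last check before export: the fingerprint must not carry any IPv4 address."""
    return _IPV4.search(json.dumps(fp)) is None


if __name__ == "__main__":
    fp = fingerprint(FLOWS, "Q", baseline=(0, 60), window=(60, 120))
    print(json.dumps(fp), "shareable:", shareable(fp))
```

With the constructed data the fingerprint reports ports 53 and 80 at router Q with byte-rate jumps of 150x and 2000x from ten sources; port 443, which kept its baseline rate, is not mentioned. A peer on the same border router can match that description against its own counters without ever learning which customer was hit or who the sources were.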

  6. Re:Open Source "Appliance" using Snort + IPtables by FireFury03 · Score: 2, Insightful

    cuts their access (using iptables) to everything except an internal Webserver to notify them of their infection.

    An additional point - the internal web server should really provide the tools to clean the infection, otherwise someone's gonna be screwed when their access to the clean up tools has been blocked. Even smarter would be to identify the infection and redirect them to a page that contains the tools and instructions for cleaning that specific infection. (Hell, for people using IE the internal webserver could exploit one of the many security holes in it and automagically clean the machine. :)

  7. This could be perfect for fighting zombie spam by minas-beede · Score: 4, Insightful

    If they would but do it, this coalition could expand its concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies); they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.

    The great unexploited opportunity for eliminating spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.

    The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.

    All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philosophy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is being intercepted. It's always good to make life harder for the spammers, to add to their burden.)

    1. Re:This could be perfect for fighting zombie spam by minas-beede · Score: 2, Insightful

      "Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizable way, or in a way that mimics normal e-mail usage. This could slow down spam, but I doubt it is a good long term solution."

      It's always going to be packets in to some IP address, always going to be packets out to port 25 at some other IP address. The nastiest technique would be to have a local network of zombies so that the incoming packets go to a different IP address from the source of the outgoing packets to port 25 - and at some appreciable time delay after the receipt of the packets that control the zombies. That's part of why I think that an ISP-level counter-attack is needed - single IP address monitoring might be inadequate.

      If spam were a low-level abuse then that would be a fairly formidable problem. With the huge volume of spam as it is detecting the abuse is far easier, is it not?

      The article talks of sharing the "fingerprints" of the abuse, which seems to indicate that one of the design goals is to anticipate and provide for a constantly-changing pattern of abuse rather than assume a fixed pattern.

      In any case the mere fact that the proposed solution is based on a cooperative approach rather than on a collection of individual approaches is, IMHO, a step forward.

      Thanks for your comment.

    2. Re:This could be perfect for fighting zombie spam by minas-beede · Score: 2, Insightful

      If a host begins talking on port 25 did a worm just start spamming or did the user sign up for a new e-mail account?

      What's the destination of the port 25 packets? In general I don't wish to examine packet contents, only size and ports and IP addresses. For abuse packets my feeling is that the ISP has a complete right to fully examine them - the ISP is acting to protect itself and is not intercepting valid traffic.

      The easiest traffic to spot is the worm propagation traffic that compromises machines in the first place.

      I won't argue, although a bunch of port 25 traffic going elsewhere shouldn't be that hard to spot. If the spammers spread the zombies out so much that each need only carry a tiny bit of spam traffic (keeping the volume down and making it less detectable from port 25 volume) they also potentially hit more IP addresses for which port 25 traffic volume isn't the only criterion. In any case I think they hit zombies less hard than they used to hit open relays and open proxies, although that is an opinion backed by no data at all (other than what I know about how heavily they hit some open relay honeypots.)

      The trick is making it cost effective for ISPs to notify users.

      I'd like to see far more effort by ISPs to notify the ISPs of the sources of the abuse. Which appears to be (in part) the nature of this new plan, if the source ISP is a participant. Spam abuse is an Internet-wide problem, not a single ISP problem. There needs to be effective cooperation and timely sharing of information about abuse as it happens.

      Some countries are starting government agencies to deal with spam and worms. ISPs can easily provide them with a list of infected hosts that they can contact with the appropriate worm remedy.

      Ah. Exactly.

      The problem is mostly logistics and funding, the technical part has been solved for a long time. I see this as the most realistic solution to spam zombies.

      I think the biggest problem, dwarfing logistics and funding, is the human problem. It is in fact very difficult to get those in charge of security to look outside their own domains, to consider anything beyond what they've already chosen to do. Most prefer a combination of blocking and of sternness towards their own users who operate compromised machines. This after the ISP blithely, inattentively, and unconcernedly delivered the packets that caused the infection. "All the fault lies in the users" could be their motto, "never in us."

      System administrators almost all treat spam as a single-system problem to be handled at the destination server (the single system.) It is nearly impossible to persuade anyone to act against spam earlier in the spam path (and when they do act it is almost entirely a combination of blocking and "blame their own customer for the abuse committed by the spammer.") You can see the result: spam continues to flow.

      Thanks again for your comments. Do note that I'm strictly a loudmouth: I'm doing nothing at all to fight spam. I gave it up in January.

      OK, I did something incredibly tiny: I just looked to see if ZoneAlarm was still logging proxy port attempts (which could indicate a continuing volume of open proxy spam: if it is spammers looking for proxy ports they're doing it to find a way to send their spam.) I found 3, all to port 8080.

      (I have a hardware firewall. It passes packets to open proxy ports so that I can log them using ZoneAlarm.)
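
The two detection ideas argued over in the subthread above, as an added worked example (illustration code written for this thread, not any ISP's or vendor's tool): spotting spam zombies from nothing but source address, destination address and destination port, first per host, then aggregated by customer prefix so that zombies "spread out so much that each need only carry a tiny bit of spam traffic" still show up. The flow records, the /24 prefix length and the thresholds are constructed:

```python
"""Added example: spotting spam zombies from port-25 flow metadata only.

Illustration code written for this thread, not any ISP's or vendor's tool.
Flow records, prefix length and thresholds are constructed; only addresses
and ports are examined, never payload.
"""
import ipaddress
from collections import defaultdict


def build_flows():
    """Constructed outbound flows from one ISP's customers: (src_ip, dst_ip, dst_port)."""
    flows = []
    # Ordinary customer: repeated mail to the provider's MTA plus one other server,
    # and some HTTPS that must not count as SMTP activity.
    flows += [("10.0.0.5", "192.0.2.25", 25)] * 30
    flows += [("10.0.0.5", "192.0.2.26", 25), ("10.0.0.5", "192.0.2.80", 443)]
    # Loud zombie: one host delivering directly to 200 distinct mail servers.
    flows += [("10.0.1.7", f"203.0.113.{i}", 25) for i in range(200)]
    # Spread-out zombies: forty hosts in one /24, three destinations each,
    # quiet enough that no single host trips the per-host threshold.
    for h in range(1, 41):
        for k in range(3):
            flows.append((f"10.0.2.{h}", f"198.51.100.{(h - 1) * 3 + k}", 25))
    return flows


FLOWS = build_flows()


def smtp_destinations(flows):
    """Distinct SMTP destinations per source host; other ports are ignored."""
    per_host = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25:
            per_host[src].add(dst)
    return per_host


def noisy_hosts(flows, max_dsts=20):
    """Single-host rule: a customer box delivering to more than max_dsts MTAs.

    A real user relays through a handful of servers; a zombie doing direct
    delivery fans out to hundreds.
    """
    return sorted(h for h, d in smtp_destinations(flows).items() if len(d) > max_dsts)


def noisy_prefixes(flows, prefixlen=24, min_hosts=10, max_dsts=50):
    """Aggregate rule: many hosts in one customer prefix fanning out to many MTAs.

    Catches zombies that each stay under the per-host threshold but add up
    across the prefix, which single-IP monitoring would miss.
    """
    hosts = defaultdict(set)   # prefix -> sources seen talking SMTP
    dsts = defaultdict(set)    # prefix -> union of their SMTP destinations
    for src, d in smtp_destinations(flows).items():
        net = str(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))
        hosts[net].add(src)
        dsts[net] |= d
    return sorted(net for net in hosts
                  if len(hosts[net]) >= min_hosts and len(dsts[net]) > max_dsts)


if __name__ == "__main__":
    print("per-host:", noisy_hosts(FLOWS))
    print("per-prefix:", noisy_prefixes(FLOWS))
```

On the constructed data the per-host rule catches only 10.0.1.7; none of the forty quiet hosts in 10.0.2.0/24 exceeds twenty destinations, yet the prefix as a whole reaches 120 and is flagged by the aggregate rule. The ordinary customer's two mail servers and its HTTPS traffic trigger neither. Thresholds and the prefix length would have to be tuned to a real customer base; a /24 is a guess, not a recommendation.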

  8. Re:got it! by TFGeditor · Score: 2, Insightful

    "These people have lives outside of slashdot, you know."

    Would that I could mod this +10 Insightful and put it up in 40-point flashing type.

    --
    Ignorance is curable, stupid is forever.