Slashdot Mirror
What Happened to Blue Security
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.
Heck, I even signed up; shall have to wait and see if it's worth it though.
Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted lauching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam yesterday as well. http://digg.com/technology/SPAMmers_really_pissed_ off_at_bluesecurity,_read_their_message_board
>Blue?s operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).
No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When theis program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.
Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper .
The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?
Amen to that. I had never heard of BlueSecurity before this fiasco, but now that I've heard how much trouble they can give these jackass spammers and that they stick to their guns (no matter the cost), I'd like to support them in some way (although I probably won't join the network, as I don't agree with their methods of stopping spam).
Read my blog posts on usability.
this is a really cool story about how a company handled a DDoS attack by organized crime.
xkcd.com - a webcomic of mathematics, love, and language.
...and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.
Um, how about "no such thing as bad publicity"?
In my journal i commented that the attack on Six Apart was the web equivalent of Pearl Harbor. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became worldwide famous: I've been searching blogs for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the url) said that "Blue Security" became the top technorati search during the attacks.
Wow, if this is a detailed timeline, I'd hate to see the summary.
"Some shit happened."
As a security guy, this could have been really interesting, but it's not.
But!
Reading the account in TFA reveals that Blue Security was not undergoing a DDOS attack and that the DDOS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault (which, at least according to their story - be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything) they were not.
I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.
This was truly lame and inexcusable - redirecting the attack from themselves to someone else.
Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the countrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:
* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucow's DNS servers (lots of traffic)
So, technically, blue security didn't redirect the attack.
If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.
Also, I note the URL you have on your post...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Look at it this way - are you going to forget that Tucows turned off a legitimate client? Me neither. Are you going to consider Tucows next time you need a corporate provider? Me either.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
From:http://72.14.207.104/search?q=cache:daxdV_-e7 aQJ:www.cisco.com/warp/public/732/Tech/security/do cs/blackhole.pdf+Blackhole+Filtering&hl=en&ct=clnk &cd=1
Benefits of Remotely Triggered Black Hole Filtering
Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been
detected, black holing can be used to drop all attack traffic at the edge of an Internet service provide (ISP) network, based on either destination
or source IP addresses. RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or
anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network.
RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or
destination addresses by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic.
Forwarding packets to null0 is a common way to filter packets to a specific destination.
What part of their methods do you not agree with? All they are doing is automating what you could do on your own. For each spam message you send them, they analyze it and set up a script to make ONE opt-out request on the spammer's website (where they are selling their product) and ONE message each to some and/or all of the upchain ISPs, government agencies that have jurisdiction over the crime, etc. They then forward that script to your BlueFrog client running on your system. If you are the only person that got that spam message, that one message is all that is sent to the spammer and the appropriate authorities.
Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.
You have a right to do it by yourself, tracking filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is a drug relates spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.
Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.
The thing is, these spammers should understand they have absolutely 0% of a chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.
I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher you sales percentage will be, and the more profits in the long run.
I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable on how their network and client works (I also thought they DDoS'd the sites until I looked into it,) I have signed up. Now I'm waiting for their system to become fully functionable again so I can verify my account and start kicking spammer tail!
Jeremy