What Happened to Blue Security
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
They deserve a break.
Come on, if you have never used Bluesecurity, then you were obviously not in their database, and your email could not have been leaked to the spammers! Obviously, the spammers just sent out these FUD spam mails to everyone, just like spammers generally do.
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows
PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
And it wasn't all that long ago that DNS vulnerabilities were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.
Isn't the fact that you, a non-user, got the email proof enough that nothing was leaked? Unless the spammer "hacked" your address from a list it wasn't on (which would be a neat trick) he or she was just spamming everyone available, hoping to get Bluesecurity's users along with it.
Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.
Heck, I even signed up; shall have to wait and see if it's worth it though.
Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.
Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).
Looks like Tucows really behaved badly. They cancelled an account of a legitimate user instead of defeating the attack. They should never have given in to the spammer's demands.
Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted launching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam as well. http://digg.com/technology/SPAMmers_really_pissed_off_at_bluesecurity,_read_their_message_board
>Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).
No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
The forum that organized (or at least helped in) the attack is located here, but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.
What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list, Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.
Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper .
The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?
this is a really cool story about how a company handled a DDoS attack by organized crime.
shameless from digg, but an easy redirect for /.ers without having to read digg's stuff:
information week's take on it makes it seem less, well, amazing on the part of the spammers.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875
Wow, if this is a detailed timeline, I'd hate to see the summary.
"Some shit happened."
As a security guy, this could have been really interesting, but it's not.
PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success
Tucows is a company I will never recommend or use to host any of my domains.
Caving in to a spammer/hacker retaliation will not garner much support.
http://www.joker.com/ serves my needs well
Rick B.
Enquiring minds (and all that) want to know.
This was truly lame and inexcusable - redirecting the attack from themselves to someone else.
Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the contrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:
* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucow's DNS servers (lots of traffic)
So, technically, blue security didn't redirect the attack.
This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CANSPAM (since it is worthless in practice). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.
Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive, which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?
Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.
I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.
Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.
We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.
Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread that shows inside conversations from a spammer message board.
Those spammers will send threatening e-mails whether you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting them in their pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.
...they must be doing something right! I'm signing up.
Thanks PharmaMaster for referring me!
Is to kill the spammers. Obviously the death penalty doesn't resolve the issue forever, or we'd not have as much crime as we do in the world, but it will deter most spammers.
We put down rabid dogs because they have the potential to harm human beings despite having no intention to do so. Why is it less humane to remove life that actively and maliciously harms others?
...and show him my SIG. [DUKE NUKEM MODE]Come get some[/DUKE NUKEM MODE]
An InfoWorld article from May 4th quoted Blue Security CEO Eran Reshef as saying:
Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:
If you must!
Most owners of spamvertised sites do NOT want traffic, they want money. They only want the .01% of spam victims who are stupid enough to buy their crap to visit their site to complete the sale. However, in order to get the orders for their profit, they have to have a place where users can come to. This place is their website. Website owners have to PAY for bandwidth consumption. Traffic consumes bandwidth. Therefore traffic is an expense. What the website owners really want is orders that bring in money.
When a site receives traffic from those who do not buy, it is the same as a store which has 200 people just looking around (and not buying). These browsers cause wear and tear on the carpet, require the watchful eye of security, require resources to answer questions, and make it more crowded so that it is more difficult for paying customers to find what they are looking for and complete the transaction.
Right now, the ratio of revenue-generating traffic (those who come to a website to buy) versus the non revenue-generating traffic is high enough to justify having the website running and paying the spammers. When there is 8 gigs of traffic (non revenue generating) from spam haters for every byte of revenue producing traffic, then advertising a website via spam will be very UNPROFITABLE. When those who advertise by spam see loss instead of profits, they will quit paying spammers (or stop spamming themselves). This is why spammers hate the likes of Blue Security, SpammerSlapper, SpamFryer, and other retaliatory tools.
What the spammers do not realize is that people who are ready to resort to using such antispammer tactics DO NOT like spamvertised websites nor will they buy crap from these websites. Blue Security is actually doing spammers a favor by pointing out the email recipients who do not want the spam and are willing to cause problems. If I were a spammer, I would want to listwash my sucker list and get rid of the email addresses of troublemakers and concentrate on the idiots who buy stuff advertised via spam. That way I would have to send out a lot less spam to get the sales I want. Spammers should go only after the suckers and leave the rest of us alone. When these nooby suckers decide that they are tired of being robbed and spammed into oblivion, they can then add their name and voice to the rest of the angry masses who have HAD ENOUGH.
From: http://72.14.207.104/search?q=cache:daxdV_-e7aQJ:www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf+Blackhole+Filtering&hl=en&ct=clnk&cd=1
Benefits of Remotely Triggered Black Hole Filtering
Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses. RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network.
RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.
Bluesecurity (BS) are either confused or misleading people.
There is no way that a single "backbone" provider could have installed a null route to block all traffic to their network. Bluesecurity is served by a Haifa-based provider called Netvision (Autonomous System number 1680). Netvision buys internet transit from four providers:
--UUnet/701 (uunet north america)
--UUnet/702 (uunet europe/middle east)
--btn/3491 (beyond the network)
--telia/1299 (telia sonera international backbone).
what the heck is BS claiming? that *all* of them installed a null route at once. do they even know what a null route is.
i'm getting annoyed enough at this nonsense to think about blogging about it in more detail over at www.renesys.com/blogs . perhaps later today.
foolishness.
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when your network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (i.e., a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the route changes propagate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Let's say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However, the AS's routing table doesn't contain a route for all 253 of the usable IPs in that /24. Instead individual routes are added as individual users dial in. Let's say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route, which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
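An added example, not posted by anyone in this thread: a toy longest-prefix-match forwarder in Python that reproduces the dial-in routing loop described above and shows how the high-cost Null0 route for the /24 stops it, plus the destination-based black hole from the Cisco RTBH quote (a /32 for an attacked host pointed at Null0 at the edge). Router names and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the example.

```python
import ipaddress

NULL0 = "Null0"  # pseudo-interface that silently discards whatever is sent to it

class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop, cost)

    def add_route(self, prefix, next_hop, cost=1):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, cost))

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        # Longest prefix wins; equal prefix length falls back to lowest cost.
        return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def trace(routers, start, dst, ttl=8):
    """Follow next hops until delivered, dropped, or TTL runs out (a loop)."""
    path, hop = [start], start
    while ttl > 0:
        nxt = routers[hop].lookup(dst)
        if nxt is None or nxt == NULL0:
            return path, "dropped"
        if nxt == "local":
            return path, "delivered"
        path.append(nxt)
        hop, ttl = nxt, ttl - 1
    return path, "loop"

def dialin_network(with_null_route):
    """Core router plus an access server that owns 192.0.2.0/24 (constructed)."""
    core, acc = Router("core"), Router("access")
    core.add_route("0.0.0.0/0", "upstream")
    core.add_route("192.0.2.0/24", "access")      # /24 learned from the access server
    acc.add_route("0.0.0.0/0", "core")            # default points back at the core
    acc.add_route("192.0.2.10/32", "local")       # the one user currently dialed in
    if with_null_route:
        acc.add_route("192.0.2.0/24", NULL0, cost=254)  # high-cost catch-all
    return {"core": core, "access": acc}

def packet_to_unused_ip(with_null_route):
    # Where does a packet for an IP nobody has dialed in on end up?
    return trace(dialin_network(with_null_route), "core", "192.0.2.77")

def rtbh_edge():
    """ISP edge with a destination-based black hole for one attacked host."""
    edge, cust = Router("edge"), Router("customer")
    edge.add_route("198.51.100.0/24", "customer")
    edge.add_route("198.51.100.5/32", NULL0)       # victim under attack: drop at the edge
    cust.add_route("198.51.100.0/24", "local")
    return {"edge": edge, "customer": cust}
```

Without the Null0 route the packet bounces core/access until TTL expires; with it, the access server drops the packet itself, and the dialed-in host's /32 still wins over the /24 because it is the longer prefix.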
I'd probably do that too if I were an astroturfer for a sleazy spammer, instead I'm going to download the linux version of the bluefrog client and connect it to my spam account and let it run. In fact I'm probably going to engage in activities designed to get those accounts on as many spam lists as is humanly possible. I've got accounts at yahoo and gmail that get about 10 spams for every legit email, maybe I can get the clutter down to the point where they'll actually be usable again.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The fact that Tucows would kick one of their customers to the curb in a pathetic attempt to pacify a blackmailer/spammer/terrorist is shameful, short-sighted, and tragic.
While the spammer is clearly worthy of our scorn, I believe Tucows is even more deserving of public shame and disgrace. I expect a spammer to spam, I expect a hacker to hack, but I do not expect a (formerly) respectable business that takes my money to sell me out to criminals! Yes, I know they claim it was to protect their other customers, but tossing your baby to the lion to keep it from attacking everyone else is reprehensible and I thought civilization had progressed beyond this.
I for one, will NEVER use any of their services or web properties again unless they issue a public apology for their actions. Not just to BlueSecurity, but to all of their customers, because this clearly sends a signal to all would-be DDoS attackers that Tucows customers are for sale for the price of a few million IP packets!