Slashdot Mirror
BlueSecurity Fall-Out Reveals Larger Problem
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations came under a DNS amplification attack that brought down thousands of sites.
While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism and from what has been reported so far the terrorist clearly have the upper hand."
There have been other outages, major, which have had significant impact. It's a good question: is the internet that fragile?
In many ways it probably is. At the same time, the infrastructure seems resilient enough. The world so far hasn't laced up life-and-death critical systems to the internet such that a failure could cause loss of life. Well, that is, if you don't include:
Oh, wait, I guess people have started doing that.
What mechanisms exist for more than resiliency, i.e., instant self-healing? Could terrorists with a little knowledge and a few well-placed EMP generators disable major segments of the internet?
Unlike phones and the phone networks which were built with lots of oversight and regulation (Universal Service was a big driver for this (aside: now that everything is profit driven, don't expect phone service at that farm house at the end of that long country road anymore... noone HAS to provide it)), I'm not aware of what safeguards back up the internet. In my entire lifetime, I've not one time experienced a phone outage, not once! Power outages, etc., the phone companies have backups to backups to ensure service (though there is the occasional and hard to manage for ditch digging incident).
While large pieces of the internet are built upon the phone companies' infrastructure, other pieces aren't, and there are significant additional layers of complexity not in the phone companies' purview (switches, routers, coax cable from cable companies).
That question, "is the internet that fragile?", is probably the biggest reason I've never opted to switch my phone service to VOIP yet. I'd hate to be the one (tiny chance, I know) who needs to make that one 911 call and not be able to do so because the internet is unavailable (which happens occasionally here, which is also too often).
As much as Slashdot and other white hat leaning movements fight the good fight the motivation of the 'ememy', perceived as terrorists, spammers, greedy bastards or script kiddies test driving internet mayhem will continue to have the upper hand. The wild west metaphor often describing the lawlessness of the internet is real. As much as we hate the NSA and other invasive orginizations they impose structure and laws. Chaos is the alternative.
It is far easier to tear something down than it is to build something up. Regardless of the Internet, that's just the way things work.
If brevity is the soul of wit, then how does one explain Twitter?
well the internet is as strong as the weakest link, and guess what OS that link is..
None of those attacks (DOS) could have been done without the use of thousands of zombie machines.
I guess the only way of stoping the attakers is by taking their weapons (zombies) from them and thats left as an excersise for the survivors.
The best test environment is production. - Me
chrome://browser/content/browser.xul
Of all the common comments...
#1. Don't blame Windows. Most botnets spread through software downloaded installs. 99.999% of computer installs today are vulnurable. The exception, of course, is the LiveCD type OS run directly from a CD in a read-only format. Your choice of OS is no protection. If you run malicious software, your computer is a zombie. Period.
#2. The problem is E-mail. Don't want spam? Don't use e-mail. That seems harsh, but it's true. E-mail is an open protocol, and as such, is ripe for such abuses. It's about time to come up with a new type of server based messaging. I'm not saying let the spammers win. What I'm saying is remove their audience.
It's the direct link to more governmental control over something under the premise that it "has to be" so the "terrorists" can be stopped.
While I do agree that this definitly shows the threat spammers really pose to the internet, I fear at least as much handing government the card blanche to monitoring all and any internet traffic for the sake of "saving us from spam".
No, I'm aware that this won't help a single bit in an attempt to quench spam. But did any anti-terror activity actually work against the alleged threat?
So bring this problem to the attention of your senators, your governors, your congressmen or whoever has some power in your country. This is a very, very serious problem, the criminals are getting the upper hand in this turf, and the internet is a resource I don't want to see depending on the goodwill of the spam mafia.
But for all that we hold dear, avoid the word terrorism. Legislators have been using that word before as the excuse for every kind of restrictive laws that did JACK to solve the problem and only created more. Try to find a word that makes them actually realize the problem and realize that this problem is serious. Not only to the worthless humans using it, but also to precious commerce.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
No, the Internet isn't that fragile. It's suprisingly robust, in fact. About the only thing that can really do any significant damage is sheer volume, enough traffic from enough distinct sources to overwhelm the target server or swamp it's network connections. No matter what, anything is always going to be vulnerable to that. You can only have finite bandwidth and server horsepower, and if an opponent's willing and able to throw enough resources at you he can simply overwhelm you. It's often referred to as "the Slashdot effect".
The only thing that's happened is that, because of the inherent insecurity of Windows machines and the increasing number of them with broadband connections, the bad guys now have access to orders of magnitude more bandwidth and horsepower than any single server can have. In military terms it's like facing an enemy who outnumbers you by ten thousand to one. Distributing your DNS won't help, redundant pipes won't help, distributing your servers won't help, if you can deal with 99% of his assault he's still got a hundred times what you can absorb left.
The only thing that can help is cutting off the supply of ownable machines the bad guys can take over and use in their attacks. If they're limited to their own machines they can't do much harm.
You know, BlueSecurity was working. Had they survived, it might have shutdown the spammers. This is going to become a massive bubble issue. Someone just needs to pick up the torch BlueSecurity dropped, and be willing to fight the fight.
This signature was left intentionally blank.
Fanatics flying airplanes into buildings killing thousands : Terrorists.
Haxors commanding botnets to DDOS servers : Cyber-terrorists.
Big corporations doing aggressive take-overs : Corporate terrorists.
Mass producers dumping products below cost overseas : Market terrorists.
Politicians sketching doom scenarios during campaigns to woo scared voters over to their party : Political (party) terrorists.
C'mon cut it out will ya, soon they will brand humans multiplying without limits sucking up resources and scaring other animals away and out of existence : Biosphere terrorists?
You know, according to some theory, black holes will eventually suck up most of the available matter in the universe, leaving it a dark cold desolate place with only some Hawking radiation to warm your soul. Should we call those : Universal Terrorists then?
The Hacker's Guide To The Kernel: Don't panic()!
I dunno, it would probably be faster, cheaper, and ultimately more satisfying if we could just assassinate spamming assholes like PharmaMaster/Eran Reshef.
;-)
According to the Wired article you linked, Eran Reshef is Blue Security's CEO. I guess you could argue he was spamming PharmaMaster.
The internet is so not fragile it isn't even funny. Can people make it hickup and sneeze along minor portions of it? Yes. Is it fragile? Hell no! It's been running for 20 years across the globe. It has been hammered by viruses, trojans, organized DDOS attacks and world-wide calamities and their corresponding data-storms and still the internet as a whole has functioned. It may simply be that the internet is not enough of a singular entity to be susceptible to a singular vulnerability. Computers are fragile, software can be fragile, but the aggregation of those two into an organism made up of millions perhaps even billions of machines is not fragile. The DDOS attack on Blue Security, when compared to the totality of the internet is practically meaningless. The only thing that might make the entirety of the internet fragile would be a universal vulnerability which has no workaround and cripples the main traffic routes of the internet itself. Maybe this will happen, but I think even then, the internet will continue to function but perhaps just along it's backroads and private secure networks.
You are lucky! I've had several phone outages. I had a few outages caused by water in the cable ducts in my street after heavy rains. I had one in the old days (~25 years ago) of analog hardware that took them several days to fix. I've had an outage caused by a truck hitting a utility pole, in a neighborhood where the cables were overhead.
Although telephone stations are more robust than the internet, because they are very specialized and have lots of redundancy, the last mile is susceptibel to outages. Of course, internet connections use the same last mile, so they are also vulnerable. I agree, the phone service is more reliable than the internet, but this does not mean it cannot fail.
What is fragile are the tens of thousands of pwn3d Windows PC's that are being used without their owners' knowledge to perpetrate these massive DDOS attacks. If I were a lawyer for Blue Security, Yahoo, or anyone else who has been hit recently, I would be seriously looking in to the merits of a lawsuit against MS for gross negligence or something similar.
You're right on the first part, wrong on the second.
It's true that if there weren't zombie machines out there to take part in botnets, that DDoSing would be much less of an issue, if one at all.
However, suggesting that Microsoft could be legally liable is right out. Just because I leave all of my car doors open and the keys in the ignition doesn't mean someone has the right to steal my car. I may be stupid, yes, but I am not legally liable for the crime, and I'd be able to make the insurance claim, too (unless there's a clause in my policy that says I need to adhere to certain standards of vigilance in order to qualify for reimbursement).
Suggesting that Microsoft is at fault for the botnets is the same as suggesting that BlueSecurity is at fault for the 'collateral damage' outages.
The people responsible for the mayhem - at least in a legal sense - are those who have perpetrated it.
(Oh yeah, IANAL, but I watch Cops on TV all the time. Cops set out 'bait' to catch thieves all the time. Expensive mountain bike unguarded and unlocked; someone walks off with it, cops swoop in and make the arrest. Same concept here.)
Web 2.0 == Giant Blogspam Circle Jerk
If you did that nobody would be able to email from home unless they passed. As having a system turned into a bot could happen anytime this would have to be an ongoing process. I can't see how that would work in reality
The only reason some people get lost in thought is because it's unfamiliar territory.
Who would they peddle their viagra to if there was no-one else on the Internet?
Restrict 25 to their own mail servers. Require SMTP_AUTH. And tag all outgoing email with the real email address (sender field) based on SMTP AUTH.
That way if a home user is compromised, there's no guesswork to track them down.
The #%^^@$! spammer jerk has thousands of computers in his bot network and leashed them on BlueSecurity. So far so good. These zombies are mostly on broadband connections, served by a cable or DSL provider.
Isn't it in the TOS of the ISPs to require the end user to keep his/her computer safe from viruses and malware, crippling the provider's network ? If so, why the ISPs shut those zombie machines' network connectivity down ? Yeah, there will be few bystanders who may get nabbed but most of these bystanders will be the geeks who are pushing their broadband connections to the limit and they will contact the ISP and get their connections re-instated. The clueless users, whoch have been own3d by the hacker will have to find someone to clean up their pc's caoghing up some dough which will make them a little more carefull about listening to people when they were told not to open attachments to see the cute dog pictures or accept free product offers from inscrupulous websites.
If you do not hold the ignorant users' feet to the fire, this zombie issue will not come to an end. Yes, we al know that, Redmond's finest operating system is no more than a joke when it comes to security, but if one is buying this crap, they should be ready to keep it safe and secure or find some other platform, let it be mac or linux or what have you.
I for one, am sick and tired of seeing the spammers to go unnoticed while the solution, regardless how brutal it is to the end user, goes unnoticed. Enough is enough !
__________
The more I know people, the more I love animals
The backbone providers are unlikely to care that much - it impacts a little business, but most make money off their inter-corporate and inter-Governmental lines. The more the Internet degrades, the more high-priced services the major vendors can sell and the more copper/fiber the telecos can charge for. I don't see much of a motive to fix things here.
The vendors further up the chain don't need to care much, either. The companies on the Internet can't gain by switching ISP, because it's the backbone that's broken and they'll have to go through it to reach the peasents - err, home users anyway. The corporations that sell over the Internet don't lose any sales, as a person who is going to buy from an online store is likely to be doing other stuff and won't go out to the stores, so they'll be back. Home users, for the most part, are ignorant enough to think AOL and MSN are really neat ideas, have no clue what the Internet involves, what needs fixing or why, and is likely to pass it off as someone else's problem anyway. And those who ARE smart enough are Libertarian enough that they won't Unionize and DEMAND the fixes that damn well should be made.
(IT users and IT professionals should stop with the "unions are evil" crap - no organization is any more evil than the people in it - and collectively insist that the defects be fixed. No ifs, no buts, no maybes, no excuses, no delays - these kinds of attacks SHOULD be impossible and COULD - very cheaply - be made impossible. But nobody is going to even take the cheap option without a fight, if there's an even cheaper option of apathy open to them.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Not everyone has a static IP. Some (most?) of these "additional 30,000 never before seen IPs every day" could be the same PCs every time, which reduces the total.
Reduce, reuse, cycle
IMEO, there is a way to fix or at least mitigate the problem. Make ISPs more responsible. The ISPs control the connections of every computer on the Internet. The technology is available (many of us have it on our own PCs and routers in the UNIX world) to block things such as e-mail with spoofed headers, port scans, repeated attempts by crackers to break into our systems, etc. The ISPs can head off most of the attacks virtually at the source. In the overall scheme of things, is trivial to disable the account of an offender. In the case of someone with a compromised system, the ISP can disable their account until they secure their system (I've had ISPs do this to people that have cause me problems on my networks). When people start losing their accounts due to their irresponsible attitude or naivete toward computer and network security, they will quickly become more responsible and knowledgeable.
If someone abuses the telephone service, it's not real difficult to have the phone company take action (and depending upon the abuse, have the offender arrested). ISPs must be forced to take the same responsibility.
The only way to stem the tide of cyber-terrorism (or whatever you'd like to call it), is to make ISPs take the responsibility to mitigate it.
PGA
I don't see 'egress' on this page, so I'll just throw the usual advice out there. ISPs should filter traffic coming out of customer computers to only allow i,p. addresses that the ISP has assigned. This is ok since if the customer computers are using other i.p. addresses, then they have no network functionality other than to do denial of service attacks.
If you need text styles to communicate then you don't have a message.