Slashdot Mirror
BlueSecurity Fall-Out Reveals Larger Problem
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations came under a DNS amplification attack that brought down thousands of sites.
While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism and from what has been reported so far the terrorist clearly have the upper hand."
There have been other outages, major, which have had significant impact. It's a good question: is the internet that fragile?
In many ways it probably is. At the same time, the infrastructure seems resilient enough. The world so far hasn't laced up life-and-death critical systems to the internet such that a failure could cause loss of life. Well, that is, if you don't include:
Oh, wait, I guess people have started doing that.
What mechanisms exist for more than resiliency, i.e., instant self-healing? Could terrorists with a little knowledge and a few well-placed EMP generators disable major segments of the internet?
Unlike phones and the phone networks which were built with lots of oversight and regulation (Universal Service was a big driver for this (aside: now that everything is profit driven, don't expect phone service at that farm house at the end of that long country road anymore... noone HAS to provide it)), I'm not aware of what safeguards back up the internet. In my entire lifetime, I've not one time experienced a phone outage, not once! Power outages, etc., the phone companies have backups to backups to ensure service (though there is the occasional and hard to manage for ditch digging incident).
While large pieces of the internet are built upon the phone companies' infrastructure, other pieces aren't, and there are significant additional layers of complexity not in the phone companies' purview (switches, routers, coax cable from cable companies).
That question, "is the internet that fragile?", is probably the biggest reason I've never opted to switch my phone service to VOIP yet. I'd hate to be the one (tiny chance, I know) who needs to make that one 911 call and not be able to do so because the internet is unavailable (which happens occasionally here, which is also too often).
It seems like every week there's a new issue with DNS. Why can't DNS be secured? Is it just inertia? Is BIND really that pathetic, or are they just not using it correctly?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
As much as Slashdot and other white hat leaning movements fight the good fight the motivation of the 'ememy', perceived as terrorists, spammers, greedy bastards or script kiddies test driving internet mayhem will continue to have the upper hand. The wild west metaphor often describing the lawlessness of the internet is real. As much as we hate the NSA and other invasive orginizations they impose structure and laws. Chaos is the alternative.
It is far easier to tear something down than it is to build something up. Regardless of the Internet, that's just the way things work.
If brevity is the soul of wit, then how does one explain Twitter?
> What has been going on is essentially cyber-terrorism and from what has been reported so far the terrorist
> clearly have the upper hand.
Yup, and I'd have loved to have seen the US gov use this as a perfect 'live fire' exercise. After all, if they can't stop a few punk spammers how can we have any confidence they could stop a determined attack by the usual terrorist suspects?
Perfect opportunity to test all the phases of response, from tracking the responsible parties all the way to eliminating them. Ok, in this case a SEAL team would probably have to be tasked to capture em instead of just dropping a few bombs on their sorry asses. Or if, as I suspect, the ringleaders are in the US or other western representive nations, just have em all arrested.
Democrat delenda est
well the internet is as strong as the weakest link, and guess what OS that link is..
None of those attacks (DOS) could have been done without the use of thousands of zombie machines.
I guess the only way of stoping the attakers is by taking their weapons (zombies) from them and thats left as an excersise for the survivors.
The best test environment is production. - Me
chrome://browser/content/browser.xul
Seems to me maybe the solution is a tiered internet where spammers pay more to use the bandwidth... oh wait, sorry wrong discussion.
Clever or not, I got nothing...
It sort of makes one hesitant to out source IT operations to a place like India. Hmmmm... maybe it's time to DDoS India and bring those jobs back to the US. If the Indian's are such technology mavens, maybe they'll find it in their best interests to resolve the DDoS / DNS Amplification issue and then we can all welcome our new, outsourced Indian overlords. =)
I think a bigger question has been raised - is the Internet really that fragile?
No, the Internet is robust and redundant. What is fragile are the tens of thousands of pwn3d Windows PC's that are being used without their owners' knowledge to perpetrate these massive DDOS attacks. If I were a lawyer for Blue Security, Yahoo, or anyone else who has been hit recently, I would be seriously looking in to the merits of a lawsuit against MS for gross negligence or something similar.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Of all the common comments...
#1. Don't blame Windows. Most botnets spread through software downloaded installs. 99.999% of computer installs today are vulnurable. The exception, of course, is the LiveCD type OS run directly from a CD in a read-only format. Your choice of OS is no protection. If you run malicious software, your computer is a zombie. Period.
#2. The problem is E-mail. Don't want spam? Don't use e-mail. That seems harsh, but it's true. E-mail is an open protocol, and as such, is ripe for such abuses. It's about time to come up with a new type of server based messaging. I'm not saying let the spammers win. What I'm saying is remove their audience.
It's the direct link to more governmental control over something under the premise that it "has to be" so the "terrorists" can be stopped.
While I do agree that this definitly shows the threat spammers really pose to the internet, I fear at least as much handing government the card blanche to monitoring all and any internet traffic for the sake of "saving us from spam".
No, I'm aware that this won't help a single bit in an attempt to quench spam. But did any anti-terror activity actually work against the alleged threat?
So bring this problem to the attention of your senators, your governors, your congressmen or whoever has some power in your country. This is a very, very serious problem, the criminals are getting the upper hand in this turf, and the internet is a resource I don't want to see depending on the goodwill of the spam mafia.
But for all that we hold dear, avoid the word terrorism. Legislators have been using that word before as the excuse for every kind of restrictive laws that did JACK to solve the problem and only created more. Try to find a word that makes them actually realize the problem and realize that this problem is serious. Not only to the worthless humans using it, but also to precious commerce.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
No, the Internet isn't that fragile. It's suprisingly robust, in fact. About the only thing that can really do any significant damage is sheer volume, enough traffic from enough distinct sources to overwhelm the target server or swamp it's network connections. No matter what, anything is always going to be vulnerable to that. You can only have finite bandwidth and server horsepower, and if an opponent's willing and able to throw enough resources at you he can simply overwhelm you. It's often referred to as "the Slashdot effect".
The only thing that's happened is that, because of the inherent insecurity of Windows machines and the increasing number of them with broadband connections, the bad guys now have access to orders of magnitude more bandwidth and horsepower than any single server can have. In military terms it's like facing an enemy who outnumbers you by ten thousand to one. Distributing your DNS won't help, redundant pipes won't help, distributing your servers won't help, if you can deal with 99% of his assault he's still got a hundred times what you can absorb left.
The only thing that can help is cutting off the supply of ownable machines the bad guys can take over and use in their attacks. If they're limited to their own machines they can't do much harm.
One of these days, some asshole is going to take down the entire net, just to prove that it can be done.
I keep thinking about the old saying, "what isn't prohibited, is required." Because the net doesn't prohibit these massive DDoS attacks, someone WILL do them, over and over, either because they are into extortion, or just because they're evil fucks and like creating mayhem. I almost believe that someone ought to just do it and break the net permanently so everyone will have to come to grips with this. So maybe the solution will mean that nobody with an insecure OS will be allowed back on the net. Maybe we need a catastrophic failure to force a total revamp of network protocols, and an excuse to exile all the lusers like people still using Win98. I dunno, it would probably be faster, cheaper, and ultimately more satisfying if we could just assassinate spamming assholes like PharmaMaster/Eran Reshef.
Dear Homeland Security: please look closer at Redmond.
This is terrorism. Everyone with a trojaned Microsoft box is aiding and abetting.
Thank you, Linus and Steve.
More like "hundreds of thousands".
My spam traps have been hit by over 1.5 million unique IPs this year alone,
with an additional 30,000 never before seen IPs every day.
I estimate there are currently 3-4 million compromised machines world wide.
-- Should you believe authority without question?
You know, BlueSecurity was working. Had they survived, it might have shutdown the spammers. This is going to become a massive bubble issue. Someone just needs to pick up the torch BlueSecurity dropped, and be willing to fight the fight.
This signature was left intentionally blank.
I backup the internet every night at 10 pm (PST).
From TFA "These massive assaults harness the power of thousands of hacked PCs to swamp sites with so much bogus traffic that they can no longer accommodate legitimate visitors."
The problem is the thousands of hacked PCs that are used in these attacks. The internet is working exactly the way it was designed and the bot nets take advantage of bottlenecks in the system.
What is being done to take out these bot nets? I've perused a few of these bot squads on IRC and while there are many zombied Windows machines there are also many *nix boxes which succumbed to the brute force ssh password attacks because they had user accounts with stupid passwords.
Aside from locating and neutralizing the individual boxes in the squads shouldn't we be creating and deploying self immunizing tools in our infrastructure that detects these boxes and quarantines them?
Shouldn't we also be holding people accountable for having vulnerable boxes connected to the net? Perhaps a bandwidth restriction will help for repeat offenders.
1) someone needs to list state or federal laws that were broken.
2) If there were laws broken, a spokesperson for the appropriate government agency (agencies) needs to explain why not prompt action was taken. ISP's whose clients were part of the attacks should have been warned to shut down their clients who are participating, or be shut down.
If no laws were broken, smile!
Perhaps the Federal government should have the power to permanently shut down an ISP that doesn't respond to a demand to block clients until they demonstrate their computers are clean and free of "zombie" software. This would include permanently blocking all traffic to or from an overseas ISP.
Fanatics flying airplanes into buildings killing thousands : Terrorists.
Haxors commanding botnets to DDOS servers : Cyber-terrorists.
Big corporations doing aggressive take-overs : Corporate terrorists.
Mass producers dumping products below cost overseas : Market terrorists.
Politicians sketching doom scenarios during campaigns to woo scared voters over to their party : Political (party) terrorists.
C'mon cut it out will ya, soon they will brand humans multiplying without limits sucking up resources and scaring other animals away and out of existence : Biosphere terrorists?
You know, according to some theory, black holes will eventually suck up most of the available matter in the universe, leaving it a dark cold desolate place with only some Hawking radiation to warm your soul. Should we call those : Universal Terrorists then?
The Hacker's Guide To The Kernel: Don't panic()!
I work for an unnamed backbone provider, and have currently been involved in blocking said DNS Amplification attack.. to give you a general idea of the size of the attack and the number of zombies involved.. When I left work... The attack was 14,768% of 9.8MBps... or.. over 13GBit/sec... Our infrastructure is holding up just fine, however.. Personally, I'd like to find the 'owner' of these zombies, and castrate him. I guess the guy doesn't have anything better to do with his life than trash the net...
Accorging to this the blue frog model will be open sourced as a peer-to-peer model available through sourceforge.net.
A few years back we would have laughed that someone is calling this terrorism, and just saying it's just a few scriptkiddies having fun with DDOS and whatnot. Computers are just a fun box, nothing serious about it. Relax. Nothing of value is lost, and if you don't have a backup, you deserve it. Darwinism at work.
It's also interesting how questions change. We question: Is the internet really that fragile?
What happened to the baser question: Do we really depend so much on the internet?
Of course, now that we do, maybe we should look into making the internet even more resilient than the original creators envisioned. After all, it was made to endure nuclear war, but a few scriptkiddies can still take down any site with a little DDOSing and DNS-tweaks..
Just always remember where we came from.
http://www.debunkingskeptics.com/
dns has always had inherrent weaknesses due to its universal standards and how the interenet relies on it as it does. scary how the internet is only the internet that you can view through whatever controls your DNS...
Walk with Music;
Sadly the internet is already compromised since the bot networks are already too large for most organisations to take on.
I hope someone does something to deal with the botnet threats. Being able to suck multiple gigabits of bandwidth means 'they' can kill any small to medium sized internet operation if they want to via a range of attacks from the simple to the rather sophisticated.
Tier1 ISPs usually don't care other than possibly to try and filter all your traffic to prevent their other customers from suffering.
Some medium/larger sized companies use services like Akamai siteshield that are capable of sustaining a reasonable DDOS-ing but the botnet operators will eventually realise that the attacks are not just about knocking a site offline. Akamai will charge you for that traffic which will send the companies bankrupt anyway (and possibly quicker than going offline). In fact i was wondering how on earth bluesecurity were going to pay their bandwidth bill.
The defences we have against such attacks are pathetic. I was amused in an episode of 24 when they came under an online attack from terrorists and their new "CISCO FIREWALL" protects them, i mean seriously the firewalls are the least of your problems these days. If you come under attack from one of these serious russian dudes - you'd be looking at trying to filter the traffic well before it reaches the firewalls since your line and network would be saturated.
The internet is so not fragile it isn't even funny. Can people make it hickup and sneeze along minor portions of it? Yes. Is it fragile? Hell no! It's been running for 20 years across the globe. It has been hammered by viruses, trojans, organized DDOS attacks and world-wide calamities and their corresponding data-storms and still the internet as a whole has functioned. It may simply be that the internet is not enough of a singular entity to be susceptible to a singular vulnerability. Computers are fragile, software can be fragile, but the aggregation of those two into an organism made up of millions perhaps even billions of machines is not fragile. The DDOS attack on Blue Security, when compared to the totality of the internet is practically meaningless. The only thing that might make the entirety of the internet fragile would be a universal vulnerability which has no workaround and cripples the main traffic routes of the internet itself. Maybe this will happen, but I think even then, the internet will continue to function but perhaps just along it's backroads and private secure networks.
You are lucky! I've had several phone outages. I had a few outages caused by water in the cable ducts in my street after heavy rains. I had one in the old days (~25 years ago) of analog hardware that took them several days to fix. I've had an outage caused by a truck hitting a utility pole, in a neighborhood where the cables were overhead.
Although telephone stations are more robust than the internet, because they are very specialized and have lots of redundancy, the last mile is susceptibel to outages. Of course, internet connections use the same last mile, so they are also vulnerable. I agree, the phone service is more reliable than the internet, but this does not mean it cannot fail.
If you did that nobody would be able to email from home unless they passed. As having a system turned into a bot could happen anytime this would have to be an ongoing process. I can't see how that would work in reality
The only reason some people get lost in thought is because it's unfamiliar territory.
Who would they peddle their viagra to if there was no-one else on the Internet?
The basic requirement here is that DNS servers shouldn't be accepting queries from clients outside their local organizations. This is like the old "open relay" problem with SMTP. Obviously, such DNS servers have to be fixed. To force the issue, DNS servers queried by other DNS servers should find out if the querying server incorrectly accepts queries from the outside. If it does, that server is marked as a loser, and its queries get processed only after any other queries, and maybe with a deliberate delay. That should deal with the problem in the near term.
The stronger form of this protection is that many queries from loser servers are answered with an address that returns a page saying something like "Your DNS server at [xxx.xxx.xxx.xxx] has a problem and must be upgraded." The screaming users will get the problem fixed.
Restrict 25 to their own mail servers. Require SMTP_AUTH. And tag all outgoing email with the real email address (sender field) based on SMTP AUTH.
That way if a home user is compromised, there's no guesswork to track them down.
The #%^^@$! spammer jerk has thousands of computers in his bot network and leashed them on BlueSecurity. So far so good. These zombies are mostly on broadband connections, served by a cable or DSL provider.
Isn't it in the TOS of the ISPs to require the end user to keep his/her computer safe from viruses and malware, crippling the provider's network ? If so, why the ISPs shut those zombie machines' network connectivity down ? Yeah, there will be few bystanders who may get nabbed but most of these bystanders will be the geeks who are pushing their broadband connections to the limit and they will contact the ISP and get their connections re-instated. The clueless users, whoch have been own3d by the hacker will have to find someone to clean up their pc's caoghing up some dough which will make them a little more carefull about listening to people when they were told not to open attachments to see the cute dog pictures or accept free product offers from inscrupulous websites.
If you do not hold the ignorant users' feet to the fire, this zombie issue will not come to an end. Yes, we al know that, Redmond's finest operating system is no more than a joke when it comes to security, but if one is buying this crap, they should be ready to keep it safe and secure or find some other platform, let it be mac or linux or what have you.
I for one, am sick and tired of seeing the spammers to go unnoticed while the solution, regardless how brutal it is to the end user, goes unnoticed. Enough is enough !
__________
The more I know people, the more I love animals
The backbone providers are unlikely to care that much - it impacts a little business, but most make money off their inter-corporate and inter-Governmental lines. The more the Internet degrades, the more high-priced services the major vendors can sell and the more copper/fiber the telecos can charge for. I don't see much of a motive to fix things here.
The vendors further up the chain don't need to care much, either. The companies on the Internet can't gain by switching ISP, because it's the backbone that's broken and they'll have to go through it to reach the peasents - err, home users anyway. The corporations that sell over the Internet don't lose any sales, as a person who is going to buy from an online store is likely to be doing other stuff and won't go out to the stores, so they'll be back. Home users, for the most part, are ignorant enough to think AOL and MSN are really neat ideas, have no clue what the Internet involves, what needs fixing or why, and is likely to pass it off as someone else's problem anyway. And those who ARE smart enough are Libertarian enough that they won't Unionize and DEMAND the fixes that damn well should be made.
(IT users and IT professionals should stop with the "unions are evil" crap - no organization is any more evil than the people in it - and collectively insist that the defects be fixed. No ifs, no buts, no maybes, no excuses, no delays - these kinds of attacks SHOULD be impossible and COULD - very cheaply - be made impossible. But nobody is going to even take the cheap option without a fight, if there's an even cheaper option of apathy open to them.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Not everyone has a static IP. Some (most?) of these "additional 30,000 never before seen IPs every day" could be the same PCs every time, which reduces the total.
Reduce, reuse, cycle
No, the problem is that the Internet was created as a trusted network between universities. IPv6 has been created as an untrusted network and many of these problems would disappear if everyone switched.
IMEO, there is a way to fix or at least mitigate the problem. Make ISPs more responsible. The ISPs control the connections of every computer on the Internet. The technology is available (many of us have it on our own PCs and routers in the UNIX world) to block things such as e-mail with spoofed headers, port scans, repeated attempts by crackers to break into our systems, etc. The ISPs can head off most of the attacks virtually at the source. In the overall scheme of things, is trivial to disable the account of an offender. In the case of someone with a compromised system, the ISP can disable their account until they secure their system (I've had ISPs do this to people that have cause me problems on my networks). When people start losing their accounts due to their irresponsible attitude or naivete toward computer and network security, they will quickly become more responsible and knowledgeable.
If someone abuses the telephone service, it's not real difficult to have the phone company take action (and depending upon the abuse, have the offender arrested). ISPs must be forced to take the same responsibility.
The only way to stem the tide of cyber-terrorism (or whatever you'd like to call it), is to make ISPs take the responsibility to mitigate it.
PGA
I don't see 'egress' on this page, so I'll just throw the usual advice out there. ISPs should filter traffic coming out of customer computers to only allow i,p. addresses that the ISP has assigned. This is ok since if the customer computers are using other i.p. addresses, then they have no network functionality other than to do denial of service attacks.
If you need text styles to communicate then you don't have a message.