Slashdot Mirror
Profile of the Russian Business Network
The Washington Post has an article detailing what is known of the workings of the Russian Business Network, a shadowy entity based in St. Petersburg that hosts a good fraction of the world's spammers, identity thieves, bot herders, and phishers. RBN is not incorporated anywhere and may not technically even be violating Russian law. It provides "bulletproof hosting" for about $600 a month to a wide range of bad guys.The author of the Post story, Brian Krebs, supplements it with two blog posts. One provides more detail and back story including a look at one ISP's security admin who decided last summer to ban all RBN traffic from his network, with outstanding results. The other post maps some of the RBN's upstream suppliers and details the extent of the RBN's involvement in recent cyber-attacks: "Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers" in the RBN.
The Spamhaus project has a list of Russian Business Network addresses, for what it's worth.
I wonder if anyone has every found a remote exploit that will get past iptables -j DROP recently.
Depends on what they're a haven to, now, doesn't it?
Put another way, anonymity and secrecy can be used for good - anyone living in an oppressive country can attest to that. Or it can be used to send "3n1arg3 y00r p3nis" spam en masse. I think we can agree on the idea that the existence of data havens is a potential godsend, but the misuse of those havens is a huge headache.
Erotic is when you use a feather. Exotic is when you use the whole chicken.
You don't need the range to be in the article. Just use zen.spamhaus.org in your rbl thingy, and that'll keep you covered. spamhaus and spamcop have been blocking these guys for a while now...
http://www.zombieapocalypse.tv/
Except most spam comes from the US via zombies. Should we block them too?
I still have more fans than freaks. WTF is wrong with you people?
From TFA:
Danny McPherson, chief research officer at Arbor Networks, a Lexington, Mass.-based company that provides network security services to some of the world's largest Internet providers, said most providers shy away from blocking whole networks. Instead, they choose to temporarily block specific problem sites.
"Who decides what the acceptable threshold is for stopping connectivity to an entire network? Also, if you're an AT&T or Verizon and you block access to a sizable portion of the Internet, it's very likely that some consumer rights advocacy group is going to come after you."
First... who's saying anything about blocking "a sizable portion of the Internet"? We're talking about being able to identify bad-actors and doing something about it for a change. From some recent articles I've read, AT&T doesn't seem to have any problems blocking their users from accessing the Internet when they don't like what they're doing... they'll just drop you if they don't like you. Why do they have issues blocking real criminals from doing real criminal activities. Can anyone honestly say that these networks are hosting content that anyone legitimate would want to get to?
If there are legit companies doing business with these guys, and maybe if the networks were blocked, or the providers refused to carry routes to those networks, they would "shy away from" doing business with the RBN. Or is that too much of a free-market approach to the problem... block the criminals, and if you're associated with them, you can't do business either. Hmmm...
Second, as to who decides... the market decides! This is pretty cut-and-dry. If there's a company somewhere that specializes in hosting this crap, then shut it down! It will only benefit legitimate business. This is so easy... there isn't a free-speech or access issue here... nothing for anyone to get upset about. The cancer has been identified... cut it out of the body.
The time for reactive measures is over. The article got one thing right... this problem has been allowed to grow and fester beyond the point where half-measures are going to work. $150 million is real money and it's time to take the ability for these goons to do this away from them.
It makes a lot of sense to use the Spamhaus RBL to block things in a firewall. If a site is black listed for sending spam, then I don't want any traffic from that site, not email, not web traffic, anything. However, I am not aware of a system that ties an iptables DROP rule to an RBL.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Like I want AT&T to be able to decide what parts of the internet are "off-limits" to me? Like there's any reasonable way of doing this anyway? The Internet was developed with the goal of routing around broken segments in mind. This is not a problem with a market solution. This is a problem where the U.N. tells Russia to get its shit together, and stop these guys from doing things that piss off the rest of the world. Nigeria can get the same treatment. If there's some other group behind all the foreign lottery scams that are apparently being sent out by botnet, then I'd like to get them locked down too.
I see your informative link, and raise you a pithy comment.
I think we can agree on the idea that the existence of data havens is a potential godsend, but the misuse of those havens is a huge headache.
I'm not sure I'd even agree with that. I am pretty much a pragmatist when it comes to on-line anonymity: I think it is, on balance, overwhelmingly a bad thing. Much the same arguments apply to data havens.
Sure, these things can theoretically protects discourse, investigative journalism, whistle-blowing and such in an undemocratic society. However, practice is a long way from theory, and on-line "anonymity" is a long way from on-line anonymity. Does anyone really believe, despite the fact that I post under an alias here, that from a technical perspective my government could not track a post back to me if it really had sufficient motivation to do so? Does anyone really believe that if I had sufficiently sensitive information and stored it on a system hosted in one of these less legally restrictive regimes that the Powers That Be could not track it down and take steps to contain it?
Meanwhile, we have spammers, phishy types such as identity thieves and credit card fraudsters, deceptive folk like inside traders and corporate PR plants, copyright infringers, and countless other people basically abusing a near-anonymous Internet identity and data centres like the one in this article to further their own interests, often at the expense of others... and getting away with it, because no-one has the resources to stop them all reliably.
For what it's worth, I don't like this position. I appreciate the value of free communications, and I'm well aware of the inhibition imposed by having to put your name to something, and the damage this can do in extreme cases. But I also appreciate the value of privacy, and of being left to mind your own business without constantly having to defend yourself from attacks. Until society grows up, learns not to trust information or offers from anonymous sources, and learns to respect sensitive information — and it has a very long way to go to reach that point — I think we'll do a lot better if people on the Internet are not effectively placed above the law and not held accountable for their actions.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
RBN addresses (and assorted other nasties) are also listed in the Spamhaus DROP (Don't Route Or Peer) list. IMO, it's a useful thing to drop (pun intended) into your firewall...
Oh, no! You have walked into the slavering fangs of a lurking grue!
IMO, I'd rather do the blocking myself than have AT&T do it for me. That being said, I don't hesitate to block RBN traffic.
Oh, no! You have walked into the slavering fangs of a lurking grue!
There is a good line in Dune -- "You control a mentat by controlling his information." The religious crowd is easily aroused by "think of the children." Apparently, the slashdot crowd needs to hear "think of the spam." This is how the world network for all-to-free an exchange of information will be fractured. You just need to find a hot-button issue for every crowd and they'll scream for the separation along national borders on their own (thinking it's their own idea).
A good number of the posts so far propose blocking Russia altogether. Because there is no "business" done with Russia. Aha. But that means no Russian news. No access to chats with Americans for Russians. Hell, the new Russian order couldn't dream of a better situation. Not only do they get not to have their citizens interact with Americans freely, but they also don't have to be the bad guys in it. The Jefferson quote states that giving up freedom for a little bit of security will cause one to lose both. But why go that far? "little bit of security" is not even necessary as the price. Apparently a little bit of expediency is enough.
It's censorship and xenophobia even if you can make a Yakov Smirnoff joke of it. Sorry, but this time, the boogie man is you!
Any guest worker system is indistinguishable from indentured servitude.
Actually, a bomb blowing up the entire Microsoft complex, killing everyone involved in Windows (but nobody else) would produce a massive demand for jobs in the IT sector, programming sector, pretty much every technical field you can think of. Apple, Red Hat, Sun, Oracle, Novell, and so on would see massive gains in profits. The Rest Of The World (TM) would take relatively small hits- those who are still on XP would stay on XP (and start a Mac or Linux migration plan instead of a Vista one), those who have finished their Vista migration would be in good shape for a few years until it's time for their next hardware upgrade, and those who are in the middle of a switchover to Vista may well get totally fucked, depending on how they're doing it. It wouldn't be pretty in the short term, but it'd be survivable, and it's likely that replacing the monoculture with diversity would result in long-term economic gains due to competition. I actually think gaming companies would get hit the hardest, I have no idea how hard it is to take a game coded for Vista/360 and port it to another console. It's probably still a drop in the bucket of the greater economy. The biggest hit would probably be Wall Street investment bankers and so forth, but that's a single immediate hit, and not something that has a long-lasting effect. (A long-lasting effect would be something like a calamitous food shortage, sudden oil shortage, whatever; that results in an immediate hit followed by a long period of economic inefficiency because of a lack of resources for other industries to continue their business.)
Care about privacy? Read this!
I'm sorry, but civil disobedience usually involves getting intentionally caught and punished for doing something that should not be wrong, thereby bringing public attention to the issue. Anonymity is useful for practising freedoms denied by your government, but it doesn't enable true civil disobedience.
I was thinking more of civil disobedience as preached by Thoreau in "Civil Disobedience". It is not necessary to practice civil disobedience as a statement. It can be practiced for the sole purpose of non-violently opposing the corrupt regime. To quote the Wikipedia entry, "Voting for justice is as ineffective as wishing for justice; what you need to do is to actually be just. This is not to say that you have an obligation to devote your life to fighting for justice, but you do have an obligation not to commit injustice and not to give injustice your practical support." As such, practicing civil disobedience anonymously is actually more effective because after not getting caught you get to practice it again.
Any guest worker system is indistinguishable from indentured servitude.
Although the RBN are certainly bad guys, Slashdotters should pls resist the tendency to assume that all the bad guys are nasty, foreign types. Most of the bad guys - for example spammers - as usual, are home-grown.
Of the 133 worst spammers on the Spamhaus ROKSO list, the vast majority of the worlds worst spammers are from the USA, followed after a big gap by nasty foreigners from Israel, Ukraine, China and yes Russia too:
See: http://www.spamhaus.org/rokso/index.lasso
# Russian Buisness Network et al. As listed from spamhaus.org on 10/14/2007 81.95.144.182/32 81.95.149.171/32 58.65.239.66/31 81.95.144.3/32 81.95.149.27/32 81.95.149.181/32 81.95.149.178/32 81.95.156.0/22 193.93.235.5/32 81.95.149.110/31 81.95.148.18/32 81.95.148.130/31 81.95.148.132/31 81.95.153.243/32 81.95.147.202/31 81.95.144.0/20 195.114.16.0/23 195.64.162.0/23 84.45.90.141/32 88.201.208.0/20 195.64.140.0/23 81.94.16.0/20 85.249.23.0/24 81.95.147.182/32 217.118.119.26/32 85.133.4.138/32 213.200.79.194/32 62.154.15.154/32 213.200.78.66/32 195.66.226.151/32 213.200.80.46/32
That's a variant on the broken window fallacy. The idea that breaking somebody's windows is a good thing because it creates work for the glazier, the police, etc. It only works from an internal viewpoint that is based on the relative distribution of wealth. Taking a broad overview of society as a whole, it's pretty plain to see that the total wealth has gone down. It's the same sort of protectionism as farm subsidies. It may keep people in work but its at the cost of having an inefficient, bloated economy. Far better than to create jobs through needless destruction and inefficiency, is to create jobs by aiming higher and achieving more as a society.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
I started blocking Russian, Nigerian, and other addresses from one of the forums I run. It's just a community forum for people in Houston, Texas. In a matter of hours I started getting complaints from regular users who I didn't realize were expat oil execs and workers in Russia, Nigeria, etc... who used my forum to keep up on things going on at home.
The lesson I learned is that even if I can't imagine why someone would want something doesn't mean it isn't something someone would want.
-- I'm old enough to have lived through six different meanings of the word "hacker."
A little late to the thread to get modded up, but I didn't have time this morning to post my own BGP filtering route-maps to keep these malware ISPs out of my tables. AS41173 seems to be the only upstream ISP to 40989. These companies seem to be the same mysterious people, hoping to hide their identities and locations. The internet isn't that easily fooled, though.
If you look at the RIPE and whois records for all the parties involved, this is an ISP that popped up in June of last year, apparently dedicated to hosting malware sites. Look closely at addresses and dates. Fictitious Panamanian and UK addresses with an American phone number, claims of being in the Seychelles (English spelling), again with other American phone numbers.
Some nmap fingerprinting of their routing equipment shows this operation tends towards low budget. I've seen ISPs that were nothing more than a couple of university students who obtained an AS#, a prefix, found a BGP feed, and filled a rented a rack in a colo with some servers and a linux box running quagga. Seen from a looking glass, no difference from the big players. A good looking website regularly updated, proper whois and RIPE records, and it's very difficult for a potential client to know the ISP may go down during exams week.
This operation seems not much more than what a couple of kids with a little knowledge could put together. The prefixes fill various spamhaus and RBL lists. Doubtful that there are any legitimate clients on those networks. This operation is the malware gangs getting a little more hi-tech, running their own ISP by buying IP transit from companies known for never turning down business. They use C4L/NetSumo, a known no-questions-asked ISP who resell an MPLS service between London and Eastern Europe, probably Interoute's.
As for location, looking at various internal looking glasses, the prefixes seem to be hitting the internet in London then through a leased line with 70 mSec of delay, and in Prague with a sudden 20 mSec of delay. This certainly is not going through the Seychelles. My best guess would be a data centre in Russia, where bribes to local authorities gives them a certain level of immunity to lawful pursuits.
Any reasonable ISP hoping to protect their clients from this criminal malware gang would just filter those four AS#s from their main routing tables, and save themselves a world of hurt. Better yet would be to actively blackhole those prefixes. Sure, it might fly in the face of one perfect internet, but since there is no legal remedy, internet providers need to protect themselves. Good ISPs and hosting services already filter all kinds of bogus routing information, adding a known spam and malware operation to the list is just good practice.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on