Malware and Botnet Operators Going ISP
Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.
Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
I thought the entire reason why botnets were so hard to stop is because they could be on a huge range of IP addresses. With this isn't it trivial to see that Evilnet ISP is a botnet and has the IP addresses xxx.xxx.x.xxx- xxx.xxx.x.yyy and just block those? I mean, yeah, if they had enough bandwidth they could still flood you with requests that slow down the servers because they all need to be blocked, but shouldn't it make blocking them easier?
Taxation is legalized theft, no more, no less.
No further investigation is done
And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.
Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.
Having a block of IP addresses does not make one an ISP.
Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?
Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.
.com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.
Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.
The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that
It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
?!? what does this have to do with this article?
In the spirit of discussing FOSS, Linux (I believe, but could be wrong), is still missing support for a bunch of consumer devices, like iPods/iPhones, and digital cameras, etc. And there are a lot of niche apps that just don't work. Let's say I use Solidworks for CAD/CAM drawings, I don't think that will run natively on Linux. That is why a lot of people are not so keen to jump on that bandwagon. Mind you, I happen to run various Windows/Linux distros at home (and every box has Firefox as the default browser)...each has their role/strengths/weaknesses. If the problem is stupid users, then fix stupid users, don't just switch software and expect the problem to go away completely, chances are it will come back to bite you, eventually. I understand that requires more effort, but it's probably more effective in the long run. Or would you rather put a piece of tape over the blinking clock on your VCR?
I manage the network for a medium sized data center, and I see bogus requests for large blocks of IP addresses all the time. We require a justification letter, which acts more as a clue-gathering form to help us weed out the illegitimate requests. All it takes is a few minutes of research to determine if the request is legitimate or not; in fact, it is usually immediately obvious that it's a fake. It's sad that other data centers do not do the same.
It demonstrates that botnets are posting crap on /., which helps goad the discussion towards what action we can take to stop them.
Pipes and buildings and computers need to live somewhere. Find them and shut them down physically.
How do you find them? Follow the money.
They moved stuff into the cloud?
Clouds need to live somewhere. Find them and threaten to shut the cloud down physically. The cloud will then be willing to talk to you, and will shut down the people doing bad things.
How do you find them? Again, follow the money.
It's NEVER hard to shut someone down.
What's hard is organizing the people with legal authority and getting them to give a shit.
Nerds like to think that the internet is some awesome force, and that information wants to be free, etc.
The internet is a fucking physical network maintained by real people. Abstract all you want. Personify all you want. But when you get the suits lined up against you, you're going down.
If you want to test it, just do the something that will get the most suits lined up against you.
USA? Child porn.
Germany? Swastikas and Hitler.
Middle East? A drawing of Mohamed.
The bottom line is that no one gives a shit that grandma's PC is thoroughly owned, or that your inbox is 99% spam, or whatever else.
Sure, but the thing is IPv4 IP addresses are limited.
Exactly. Wake me when they become an IPv6 ISP.
When our name is on the back of your car, we're behind you all the way!
"Ha ha! Look at us! We've got fat pipes that we can use to DoS almost anyone and spew spam all over the internet! We so rule! Ha ha!"
(the internet wises up to this; these people get kicked off their ISPs or out of their universities, more people get fat pipes, spam gets blacklisted, damage is mitigated)
"Well, fine. We'll just use security flaws in swiss cheese-like browsers and operating systems, play on people's stupidity regarding computers, and turn everyone into our spam-dumping and DDoS-employing minions! You can't stop us now! Ha ha ha!"
(the internet wises up to this; more secure browsers and operating systems are deployed, better spam filtering is developed, more aggressive security measures pop up, some of which are ISP-level (for better or worse), more people are educated, damage is mitigated)
"Hrmph. No matter. Now we'll go one step higher and just get our own IP blocks and registrars, and then we'll get our own pipes! Then we'll never have ISPs shut us down again! We're so much more clever than you are! Ha ha ha!"
(the internet wises up to this; the IP blocks are soon figured out, all traffic to them is blocked from other ISPs, Google and other search engines refuse to spider anything from those blocks, damage is mitigated)
"Oh... oh yeah? Well, now we'll just go one step higher and use those pipes to make our OWN internet! We'll have everything! It'll all be ours! And YOU won't be able to get into it to stop us! HA HA HA HA!"
(the internet ignores this, that's somebody else's network now)
"...wait, hang on..."
This is nothing new.
Personally I would be running my own DNS servers / Anon proxies on those blocks of IPs so that bot traffic can be managed better.
Just my .02
...because if they were, then we'd really have to worry....about.....the unemployed.
When they start requesting AS numbers, running their own infrastructure or even providing a service maybe then could this story have some merit.
We have 4 dedicated servers with about 20 IPs spread across them and started getting mail rejections. This turned out to be because the whole range of IPs the hosters had used got blacklisted by Spamhaus for exactly the reason stated in the article - one other "customer" had spammed with his IPs, so Spamhaus just added the whole range to their RBL.
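The collateral listing described in this comment is easy to check for before the bounces start. The following is an added example, not code from the original post or from Spamhaus: it builds the reversed-octet query name a mail server sends to a DNSBL, and stands in for the DNS lookup with a constructed table of listed ranges so it runs offline. The zone name and the RFC 5737 documentation addresses are placeholders, not real listings.

```python
import ipaddress

# Constructed stand-in for an RBL zone that has listed an entire hosting
# range because one customer inside it spammed. Placeholder zone name;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes.
RBL_ZONE = "rbl.example.invalid"
LISTED_RANGES = {
    ipaddress.ip_network("203.0.113.0/24"): "127.0.0.2",  # whole range listed
}
# Our own outbound mail hosts (constructed): two sit inside the listed range.
OUR_SERVERS = ["203.0.113.17", "203.0.113.18", "198.51.100.9"]


def dnsbl_query_name(ip, zone=RBL_ZONE):
    """Name a mail server looks up: octets reversed, under the RBL zone.

    203.0.113.17 against rbl.example.invalid becomes
    17.113.0.203.rbl.example.invalid.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def lookup(ip, listed=LISTED_RANGES):
    """Offline stand-in for the DNS query.

    A real DNSBL answers a listed name with an address in 127.0.0.0/8
    (the exact value encodes the listing reason) and NXDOMAIN otherwise;
    here a listed range yields its 127.x answer and None means unlisted.
    """
    addr = ipaddress.ip_address(ip)
    for net, answer in listed.items():
        if addr in net:
            return answer
    return None


def listed_servers(servers, listed=LISTED_RANGES):
    """Map each of our hosts that is currently listed to the RBL answer."""
    hits = {}
    for ip in servers:
        answer = lookup(ip, listed)
        if answer is not None:
            hits[ip] = answer
    return hits


if __name__ == "__main__":
    for ip, answer in listed_servers(OUR_SERVERS).items():
        print(f"{ip} listed: {dnsbl_query_name(ip)} -> {answer}")
```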
"You own your own IP space and you're your own ISP at that point." I believe this sentence was designed to make youtube commenters' heads to explode......your you're you what?
Delete the AS from the routing tables and don't peer with them.
Atari rules... ermm... ruled.
Servers or not, it's a shitty datacenter that doesn't enforce its AUP with its customers.
Come on, W.G. is one of the founders of the whole cyperpunk genre.
You can't honestly tell me that you've read Sterling and Stephenson and haven't read Gibson.
...which it is in EU - they are going to be slapped down just as hard. And with huge amounts of hardware being confiscated they are not going to try that trick anytime soon.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Boo to the writer... or to the Europeans... which is it? So, like 2 years ago, when I launched my own consultancy, I also wanted to offer hosting. Like every other geek out there. I just remember that there was no way to get my own block from IANA/ICANN (whoever the he!! it was)... unless I had some insane amount like $2500 US. Anyone can confirm that? Did the price thing change? I just remember feeling cheated that an average Joe couldn't fill out the right paperwork and file a reasonable fee to get his small business started. He!!, for $2500, I could get a full business financed... when did it become illegal to be a lil ole small business guy? This is why all the shops just resorted to raping people... they can't win for losing.. so, if you can't beat 'em, join 'em... is that it? Is it easy to get a block from Europe? Perhaps I should cook up some elaborate scheme to VPN my European class B to my /28 here in TX... hmmm....
kc
It's MY copypasta.
I wrote it.
I'll copypasta it wherever I see "sexconker" used.
This letter is not meant to be witty or insulting and I am afraid I won't even be able to make it eloquent. But I, for one, will do the best I can to celebrate knowledge and truth for the sake of knowledge and truth. I would like to start by discussing sexconker's demands, mainly because they scare me. The thing I'm the most frightened about is that sexconker would swear on a stack of Bibles that "the truth", "the whole truth", and "nothing but the truth" are three different things. What's my problem, then? Allow me to present it in the form of a question: Why can't we all just get along? The best answer comes from sexconker himself. That is, if you pay attention to his unrealistic long-term goals you'll definitely notice that I am shocked and angered by sexconker's devious improprieties. Such shameful conduct should never be repeated.
There are many roads leading to the defeat of sexconker's plans to control what we do and how we do it. I assert that all of these roads must eventually pass through the same set of gates: the ability to lay the groundwork for an upcoming attempt to tend to the casualties of sexconker's war on sanity. So maybe sexconker's diatribes are intended to get us all on board the Comstockism train. Big deal. What's more important is that sexconker's apparatchiks have learned their scripts well and the rhetoric comes gushing forth with little provocation. For years I've been warning people that sexconker plans to revile everything in the most obscene terms and drag it into the filth of the basest possible outlook. However, that's not my entire message; it's only a part of it. I also want you to know that sexconker claims to have data supporting his assertion that he is able to abrogate the natural order of effects flowing from causes. Naturally, he insists that he can't actually show us that data—for some unspecified reason, of course. My guess is that he's hiding something. Maybe he's hiding the fact that he writes a lot of long statements that mean practically nothing. What's sneaky is that sexconker constructs those statements in such a way that it never occurs to his readers to analyze them. Analysis would almost certainly indicate that sexconker is sincerely up to something. I don't know exactly what, but if we don't lead the way to the future, not to the past, then sexconker will weave his untoward traits, uninformed monographs, and semi-intelligible ideologies into a rich tapestry that is sure to sap people's moral stamina. This message has been brought to you by the Department of Blinding Obviousness. What might not be so obvious, however, is that sexconker is not interested in what is true and what is false or in what is good and what is evil. In fact, those distinctions have no meaning to him whatsoever. 
The only thing that has any meaning to sexconker is Lysenkoism. Why? You see, sexconker believes that university professors must conform their theses and conclusions to his xenophobic prejudices if they want to publish papers and advance their careers. Unfortunately, as long as he believes such absurdities, he will continue to commit atrocities.
Why does immoralism exist? What causes it? And why does the media consistently refuse to acknowledge that sectarianism is a domineering whore, cloaking herself as social virtue and brotherly love? To understand the answers to those questions, you first have to realize that my goal is to get sexconker to realize that if the word "chromatographic" occurs to the reader, he or she may recall that sexconker once tried to judge people based solely on hearsay. Of course, if he insists on remaining an ignorant, uninformed, and ill-informed voluptuary, that's his prerogative.
sexconker has, at times, called me "rummy" or "putrid". Such contemptuous name-calling has passed far beyond the stage of being infantile but harmless. It has the capacity to get people to vote against their own self-interests.
If sexconker is incapable of disc
Don't worry, once we've needlessly partitioned away every last block of IPv6 addresses, we can repeat the exercise again with IPv8 :)
I for one know that a big Romanian ISP jump.ro is owned by a spammer who operates by spamming from a large number of class C netblocks. When ripe.net was contacted, they said the onus is on the ISP, but when the ISP itself is the spammer, whom should we report this to?
There was an attempt to quell spam by a company named Blue Security Inc., using custom software "Blue Frog."
[http://en.wikipedia.org/wiki/Blue_Frog]
What they did was set up honeypot addresses, and for every spam received, send a request to the business promoted by the spam - not the spammers. It seemed to be working; so well in fact that the spammers organized a DoS attack on them.
I think this may be the way to kill the spammers: start attacking the companies behind them, who must have some public and unique interface, i.e. a credit card account, a PayPal account, an e-mail address to write to, to collect your Nigerian "millions"... etc.
Sounds like a good way to run a wide shallow botnet control tree.
And Big Crime^WBusiness could control a collection of these small ISPs just like a botnet.
--
Does the noise in my head bother you?
As such, they still connect to someone upstream, you blacklist their address space, ALL OF IT, and their ISP if they refuse to cooperate.
Rarely will the national ISPs take this sort of abuse; it's rather easy for them to spot. You get plenty of crappy little local data centers that will let them get by with it, and 999 times out of 1000 you'll never hear anything about it.
I make about 2 attempts to stop a spammer that does this crap; the 3rd time I just blacklist the entire ISP.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"Personally I would be running my own DNS servers / Anon proxies on those blocks of IPs so that bot traffic can be managed better." - by cjjjer (530715) on Monday December 21, @05:30PM (#30517760)
Why waste the CPU cycles & RAM on a quite possibly & MORE THAN POTENTIALLY "buggy" DNS server setup (plenty of evidence of THAT much is in my lists below), which is more complex to do than what I will suggest (which everyone has already, in a HOSTS file) in HOSTS files?
HOSTS files are something you already have, & they are also VERY easily edited (via a text editor like notepad.exe) & reliable/reputable ones are EASILY obtained (& kept current/up-to-date vs. KNOWN bad sites + bad servers) online?
(I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file or those from mvps.org (a good one this one))
So, that all "said & aside", about DNS servers vs. HOSTS files (which on the latter, again, you already HAVE one)?
How about a GLOBAL solution that not only blocks out ads, giving you an "HBO-Style Internet Experience" & a much faster websurfing experience in the same pass, but one that also secures you vs. maliciously coded banner ads & known bad servers/sites too... & it's also a solution that extends to ALL of your "webbound apps", instead of just 1 family like Mozilla browser add-ons do only also!
(AND this is a solution that acts as "layered security" in combination with the FF/Mozilla only methods you use (which slow your browser down, use CPU cycles & more... where this solution does not, + is 100% FREE (you already have one is why, it's just a matter of populating it from reliable sources), & it's a solution that GLOBALLY covers ALL webbound apps as well)??
A GOOD SOLID & GLOBAL WORK-AROUND, IS YOUR LOCAL HOSTS FILE!
(It works for more speed online, AND SECURITY ESPECIALLY... Also, it works for your money, because you pay for your linetime out of pocket most likely as I do, you can get back your speed, AND, gain security easily, & from a single easily edited file & a file eats no CPU cycles like a local DNS server can (& are not as security vulnerable either if you protect write access to a HOSTS file also)...
Personally, here, I use a custom HOSTS file vs. a DNS server setup!
That's in addition to the tools others here in this thread have noted for "blocking out" known bad servers &/or sites (which MANY like FF add-ons only really function for Firefox/Mozilla products, but don't extend globally to all other webbound applications, & that is part of what HOSTS files give you above the methods you extol + utilize: "GLOBAL COVERAGE", & of ALL webbound apps, not just Firefox/Mozilla ones via the add-ons you noted + use yourself...).
HOSTS files can also be used to block out KNOWN "bad" ad servers, maliciously coded sites or ad banners, and "botnet C&C servers" too & again, VERY easily! (Can't 'stress that' enough)...
I also further populate & keep current my custom HOSTS file with up to date information in regards to all of those threats, via:
----
A.) Spybot "Search & Destroy" updates (populates HOSTS and browser block lists)
B.) Sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/
C.) Sites like FireEye -> http://blog.fireeye.com/
D.) SRI -> http://mtc.sri.com/
----
My HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia as well... gaining me speed online (by blocking adbanners, which have been compromised many times the past few years now by malscripted exploits (examples below)).
(I combined ALL reputable HOSTS files with one of my own (30,000 entries), & I removed du
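The workflow this comment describes, merging several reputable HOSTS lists with a hand-maintained one and removing duplicates, is the part most people get wrong: entries differ in case, carry inline comments, point at 127.0.0.1 or 0.0.0.0, and sometimes try to redirect localhost itself. The following is an added example, not the commenter's own script or any of the listed sources' code; the three inline lists and their hostnames are constructed placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed sample lists in HOSTS format: a self-maintained one, an
# mvps-style ad-server list and a C&C list. Names are placeholders.
OWN_LIST = """\
# my own entries
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 Ads.Example-Tracker.Test   # same host, different case
"""
AD_LIST = """\
127.0.0.1 banner.example-adnet.test
127.0.0.1 ads.example-tracker.test # duplicate across lists
127.0.0.1 localhost
"""
CNC_LIST = """\
0.0.0.0 cnc.example-botnet.test
this is not a valid hosts line
"""

# Names a downloaded list must never be allowed to blackhole or override.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# RFC 1123 hostname shape: labels of 1-63 chars, no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def parse_hosts(text):
    """Yield normalised hostnames from HOSTS-format text, skipping junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])    # first field must be an address
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if HOSTNAME_RE.match(name) and name not in PROTECTED:
                yield name


def merge_hosts(sources, sink="0.0.0.0"):
    """Merge lists into one sorted, de-duplicated HOSTS body.

    Every blocked name is pointed at `sink`; 0.0.0.0 is used rather than
    127.0.0.1 so a blocked name fails fast instead of hitting a local
    web server on port 80. Returns (set of names, file text).
    """
    names = set()
    for text in sources:
        names.update(parse_hosts(text))
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{sink} {name}" for name in sorted(names)]
    return names, "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked, body = merge_hosts([OWN_LIST, AD_LIST, CNC_LIST])
    print(f"{len(blocked)} unique blocked names")
    print(body, end="")
```

Write the returned body to the HOSTS file only from a process that has write access to it, and keep that access restricted otherwise, as the comment itself notes.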