Malware and Botnet Operators Going ISP

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"

Filtering easier?

If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.

Re:Filtering easier?

[JWSmythe]

    The article (and story here) are a bit deceiving.

    The LIR is usually the ISP. So, they're filling out the IP justification form to ask for a block of IP's, just like anyone with their own rack or cabinet would. Big deal. I once had over a dozen /24's, but it was for legitimate purposes, and I properly (and honestly) justified them.

    I watched spammers do that in the past. They'd get multiple T1's (at their location) or ethernet handoffs (in datacenters). They'd be able to do a spam run for about 3 days on a block of IP's. When they got the complaint, they'd simply switch to another line. Say they have 7 of these circuits. It would take 21 days before they rotated back around to the original provider. If one should (oh my gosh) cut them off for the illegal activity, they'd simply bring in new circuits under new names.

    By combining providers in a single rack, that saved them the money of needing more servers. They'd frequently have a few cabinets, in a few different datacenters. So, 4 racks, 7 circuits each, would give them 28 unique identities. At 3 days before the line is burnt, that would give 84 days before they'd rotate back around to the original line.

    They would let a line sit idle for 84 days. That would just be stupid. They'd run multiple campaigns at the same time, so they'd rotate through them. It was an art, playing providers and the spam traps. They'd send a nice apology to the provider when they got the notice to stop, saying some machine was compromised, and the complaints would stop after just a couple days, and no one would care.

    Of course, some legitimate traffic would be hosted on these lines also, just to make things look good. In a 40u rack, they may have 30u's populated with spam servers, and a couple u's with web servers and what looked like paying customers on them.

    It's just like a black market operation run by the mob. Sure, you can buy merchandise in the store front. You'd never see the mobsters counting out suitcases full of cash, or shelves full of stolen merchandise bound for other places. No one questions what you're doing, because your store front *looks* legitimate.

    All they're indicating is that the spammer crowd has realized that there is no money in spam any more, and they've migrated to malware.

    All in all, it's not hard to get a cabinet, nor a circuit or three, in a datacenter. You don't even need a legitimate company. You just need to *appear* that you have a legitimate company. $100 and a few minutes of your time will incorporate a company to use. Corporate address? A PO box somewhere. Company phone? A "magicjack" or throw away cell phone. The only things that would tie anything to anything would be who's signing the contracts, which can be anyone. For minimum wage, you can have an employee of your illicit corp sign off on papers as "CEO".

    At one job, I wasn't listed as an "officer" in the company, so I couldn't sign anything. I got annoyed with trying to deal with the provider, so the next time I called to do something, I was "Vice President of Information Technology", and suddenly I was allowed to make changes. It was with the CEO's blessing, so I wasn't doing anything wrong. It was just to get through the providers annoying "protective" measures. The CEO never even got a phone call asking if I was allowed to make the changes. He just saw it reflected on the next bill.

Re:Filtering easier?

[QuantumRiff]

I think this is for the command and control servers, not for the spam spewers.. So the blocking would have to be done at the router level, not spam filter level.. And quite frankly, blocking all mail from X is alot less dangerous of a precedent than black hole routing X. Really sucks if you knock those guys out of business, and someone else gets that IP space someday!

Re:Filtering easier?

[RobertM1968]

In addition to that, as many people seem to erroneously use the term, this makes them an OSP, and not an ISP.

That aside, virtually every ISP and OSP has an ISP they "report to" - thus this should in no way make shutting one of these company's/criminal's/site's internet access down any more difficult than in the past. Basically, unless you are a backbone owner, you're paying for a connection to the Internet via someone else and having lines installed by someone else.

In addition, I'd suspect it makes it easier to get them disconnected as they cannot claim (in the US) safe harbor if they are knowingly and/or through actions of their own; placing such botnets online on "their" network. The provisions of the law here are to protect those ISPs and OSPs who get snared in the actions of end-users (not their own malicious actions), only if and when they take appropriate actions to deal with it (those actions dependent on the infraction type... for instance, for copyright infringement, following the rules in the DMCA). In this case, they are causing two strikes to be against them from the get-go...

I'd surmise, that unless a botnet operator buys a big chunk of the Internet "backbone" that the Internet cannot survive without, that regardless of the number of IPs they own, following standard procedures against their ISP will result in the same ends as before. And I would further surmise that even if they did buy a big fat pipe, this would also make it easier to block them at peering points (which in some cases, if done drastically, would help convince their upstream provider to disconnect them even faster than the paperwork and complaints filed).

But that's just my guess... from I dunno... years in the business, including working for UUNet before they got entangled in the MCI-Worldcom debacle (you know, back in the day when besides running the 2nd largest (behind IBM) and then largest part of the backbone, they were actually the real provider for the majority of MSN's and AOL's networking and end user connections. So... as I said, it's just a guess... the Internet landscape has changed a lot from those days of antiquity... but I suspect my guess is pretty close to the true reality of the situation, thus meaning this article on threatpost is massively (and incorrectly) overstating the significance of this.

Then again, I haven't RTFA, so I am only going by a summary - even though my experience on /. has shown that's a bad idea... (but it is more fun having conversations about things that way). ;-)

Re:Filtering easier?

[fredklein]

Or just use Email Certification.

Long story short, everyone who wants to send Certified mail has to be 'certified' by their ISP. (UN-certified mail would still be possible, if you wish.) Getting certified is nothing more than providing enough information to positively identify you, and costs a nominal fee.

In return, you create a public/private key pair, and give the public one to the certifier. The private key goes into your email server, which adds some headers to each outgoing email. One of these is encrypted with the private key. When someone with a certification-compliant email program receives a certified email, the program reads the headers, connects to the certifer's certification server, and downloads the public key. It then uses the public key to decrypt the encrypted header. If successful, it proves that email came from the specified server, and no one else.

If you get spam, your email client has a big 'report certified spam' button. Click it, and an email is auto-launched to the certifier of the sender. The certifier contacts the sender and demands an explanation. If sender was hacked, they fix the security hole and tell certifier they did so. If spam was not spam, or a misunderstanding, they explain.

If, OTOH, the sender does not reply, then the certifier revokes their certification, and from that moment on, all their (the 'sender's) emails are UN-certified.

What if a Certifier themselves is 'evil'? Well, it's certainly possible to have blacklists like they do now, but, instead of blacklisting IP addressed, which get re-assigned and cause trouble for their new owners, it would be evil Certifiers that get listed and blocked.

Eventually, it'll reach a point where any spam that is sent out will get the sender 'de-certified' almost immediately. That means everyone else probably never ends up seeing the spam at all (depending on how their clients handle un-certified emails. Most people will probably auto-trash them.)

However, white lists are still possible. If you like getting emails from a certain un-certified sources, just white-list them, and you'll continue to get them. You can also use challenge-response or keyword set-ups for people sending you un-certified email.

TL;DR:
By proving who send the email (or, more precisely, which server did), Email Certification can hold the server owner responsible. If they send spam, they get de-certified, which means in all likely hood, they lose the ability to email anyone at all. Spammers who can't get certified can't send emails anyone will see.

Re:Filtering easier?

[Captain+Segfault]

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Filtering easier?

[hardwarefreak]

I think this is for the command and control servers, not for the spam spewers.

Apparently you've never heard of snowshoe spamming. Botnet spam is easy to block with automation because it comes from easily identifiable residential broadband IP space. The CBL is expert at this, and even simple FQrDNS checks within your MTA stop most of it. Snowshoe spam is not easy to block because until you get hit with the first run from a given /27 or /24 you have no idea of the reputation of those netblocks, because most dnsbls don't target them. Until Spamhaus recently started a snowshoe specific block list, the only dnsbl doing a good job of catching snowshoe IPs was Invaluement. And content filters ala Spamassassin are just as effective in catching snowshoe as botnet spam. Spam content is spam content regardless of origin IP. It's all selling pills and enlargement and/or attempting a 419.

Spam spewing servers account for an extremely large amount of U in US datacenter racks. I've got a local cidr block list with almost 1000 entries that contains the names and cidr of each registrant and/or upstream.

Re:Filtering easier?

[RMH101]

beat me to it, goddammit! thanks!

Re:Filtering easier?

[theCoder]

Instead of messing around with setting up special server stuff, why not just use PGP/MIME to sign your outgoing emails? Works the same, but doesn't require changing server software. Of course, it still requires changing everyone's client software and behavior (at least over time), so it has all the drawbacks pointed out by the other response. However, I feel it's more in line with the "dumb network" ideal of the Internet -- the smarts on how to handle email at the edges. And, once everyone has a PGP/GPG key, we can (finally!) start sending encrypted emails to normal people.

Well, I can dream, anyway :)

Re:Filtering easier?

[fredklein]

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam.

God, I hate this shit. ::sigh::

(X) Users of email will not put up with it

There's nothing to 'put up with'.

(X) Many email users cannot afford to lose business or alienate potential employers

They won't. If the sender is Certified, they get the email. If the sender is not certified,they just have to look in their 'spam' folder, or white list them... just like people do now.

(X) Lack of centrally controlling authority for email

Like I said, your ISP certifies you. no need for a 'central authority'.

(X) Asshats

?

(X) Bandwidth costs that are unaffected by client filtering

And what happens when no one sees the spam anymore? Spammers quit spamming. And that lowers bandwidth usage.

(X) Outlook

Of course, getting MS to support Certification would help. So?

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical

None have ever been tried.

(X) Blacklists suck

People use them today.

(X) Sending email should be free

True. And it will be. Either go through your (presumably certified) ISP's server, or send uncertified emails.

(X) Sorry dude, but I don't think it would work.

Sorry dude, but I don't think your form-letter checklist addresses any real issues with my idea.

Easier to block?

[phil+reed]

Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?

Re:Easier to block?

[Aequitarum+Custos]

But who enforces the blocking and how?

Re:Easier to block?

[CannonballHead]

Out of curiosity... does that make that IP space sort of permanently black-listed? e.g., if the "bad guys" go out of business and "good guys" buy the IP space... how do the new owners clear the IP space of its bad name?

Seems like a shame to start throwing IP space away because there's no way to make it clean again.

Re:Easier to block?

[Conchobair]

I would think, that the crimals would use a forged source IP address as not to reveal thier true IP.

Re:Easier to block?

[Demonantis]

In TFA it mentions that it starts to become spaghetti. As ISP get smart and start blocking that address block the criminal moves on to other things. The lease expires on the block and it is issued to a legit company and then problems happen because the blacklists are not updated by the ISPs. IPv4 also is a very limited size so you can't just rotate around the blocks you issue every 100 or so years (conservatively) and avoid this issue.

Re:Easier to block?

[Zerth]

That's why your lists should have a time component.

If you do something naughty, you're blacklisted for an amount of time, then greylisted for the next step up. If you do something naughty while greylisted, you get blacklisted for the remainder and greylisted the next step up again.

Mine goes 15 minutes/1 day/2 weeks/3 months/1 year. I've yet to blacklist anyone for a year.

Re:Easier to block?

[mjwalshe]

and also if they have had to build a dc buy srvers rent space this all leaves a paper trail to them

Re:Easier to block?

[denis-The-menace]

Wouldn't they need to peer with someone?
If so, then that peer should become the new target for shutdown requests.

Am I right?

Re:Easier to block?

[mysidia]

There is a strong movement on the public internet registries such as ARIN, RIR, etc, supporting privacy of IP address allocation data. In the future, it is very likely that registry policy may shift in favor of these supporters of internet privacy.

The result will be you cannot do so much as a WHOIS lookup to find out who these spammers might be if the privacy advocates/spammer have their way, only with a court order...

Good luck getting that when the spammer lives in a different country, where spam isn't illegal.

No, because once every /24 in those f****ers block gets on enough blacklists, they get a few more hosts to justify a bigger block, fill out a form to RETURN the IP addresses they got. Their old IPs will be assigned to someone else, and after the exchange their old IPs for a fresh new block of IPs they have even more /24s than before, and none of them blocked.

Now only the new guy (that happens to be so unlucky as to get their old IPs) is blocked.

Of course the f'ers will pretend to be legitimate extremely well, and make it as hard as possible for people to see reason to ban their whole block.. (E.g. The "shell" ISP will create "fake" separation from spammers who "received space" from their block)

They may do all kinds of weird s**** to make it look like it's not just one spammer.

Alternatively, they just apply for more space, using more shell companies, lather, rinse, and repeat. Until IPv4 is exhausted, that is.

If they have no problem lying once... it's not the least bit difficult to create 30 more fake companies (or even, make them real companies -- if the spam effort is profitable enough).

This is all assuming they are getting the IPs from the RIRs in the first place, which I doubt is the most common.. that could be too easy to track, since these allocations generally get published very visibly.

LIR ips are just fine for them, and much easier to get.

Also, the RIRs are basically powerless to stop this. Contrary to the article, it's not necessarily about "LIRs being lax".

Once a block of IP addresses is assigned, it is not as if the LIR or RIR can revoke it and force its use to cease.

Revoking IP addresses doesn't magically make them unreachable on the internet -- once the spammer convinced their ISP to announce the address space, they don't need (any longer) to prove they got the IPs legitimately, until/unless they get more ISPs.

The article's terminology is wrong. An LIR is just another name for an ISP. Verizon is an LIR, Level3 is an LIR, Cogent is an LIR, AT&T, Sprint, etc, are all LIRs, any ISP that receives ISP allocations of addresses which are issued to them for the sole purpose of sub-delegating for use with their services, is called an LIR.

Maybe the article means the spammers are getting IP delegations from an ISP LIR, that would make sense. It is very easy to believe, they could do this en masse with very little effort, in fact.

If you buy internet services from an ISP like Verizon, and claim to have X hosts, they will have a very hard time rejecting a request from their customer for those IPs.

For a simple /24 or two, most won't ask for much documentation, as long as the price is right, it's not customer-friendly to try that.

The tough questions don't start getting asked, until a request for a larger number of IPs is made, which is sensible. Level of justification and documentation commensurate with the expected usage.

The LIR/ISP will SWIP the listing or list the claimed owner on their RWHOIS Servers, but it won't appear as public knowledge in the RSS feeds, that such and such /24 has been allocated.

ISP RWHOIS servers are commonly broken and poorly maintained -- the spammer's new subdelegation may not even become public knowledge.

Re:Easier to block?

[Antique+Geekmeister]

Yes, but most mid-level and top-level network providers refuse to do anything about their misbehaving clients, citing concerns such as "common carrier status" and "we have no policy for that" and "contact the registering entity" and "contact abuse@spamserver.com". This has been going on for years in various ways, especially for the 'legal' bulk advertisers as opposed to fraudulent spammers, and 'legal' spam for pyramid schemes, spam that is in complete compliance with the the USA's 'CAN-SPAM' laws but is nevertheless unwanted, excessive, and damaging to recipients.

While their peer or upstream providers will be targets for shutdown requests, they've been historically extremely reluctant to act. Look into the history of agis.net and Cyberpromo to see how a spamming domain can remain active for months and even years, continuing to gather civil and criminal lawsuits, while their upstream provider refuses to act. A list of domains who eventually disconnected Cyberpromo is at http://www.rahul.net/falk/Cp/, and the amazing thing is the length of time that each of them permitted the activity to go on. The final trigger that stopped their last haven, agis.net, from serving Cyberpromo was the series of DOS attacks that hindered agis.net from serving any of their more legitimate customers.

Re:Easier to block?

[gknoy]

Do you have any helpful links to guides that would explain how to do that? I'm sure I am not the only network-care neophyte who would like to have a safe and spam-free system at home, so I'm sure it would get you modded informative.

Re:Easier to block?

[xous]

No, it doesn't.

We had a "customer" that had 15+ dedicated servers with us. This customer received tons of SPAM complaints. Each time they had a different excuse.

After I disabled the servers and refused to turn them back on without examining them. The "employee" said he wasn't supposed to give me the root passwords but after I said that they would stay down until I got them he reluctantly gave them to me. Upon cursory examination the systems seems clean as a whistle until I realized there were no services actually running. No mail, etc.

Where was the email coming from?

I then found that the customer had GRE tunnels configured. This allowed servers in other data-centers to generate and send the spam through our network without having anything of actual value hosted with us.

The "employee" that was our customer was so convincing that I could have believed that at least he thought his company was legitimate. He even tried to tell me that it was because they couldn't get IP addresses from their current provider they bought dedicated servers from us ($1500/mo) for IP space.

Obviously the customer was terminated as soon as I found the tunnels.

Re:Easier to block?

[mysidia]

No.. it's worse than that. IP addresses aren't bought or sold.

Once they are no longer using the IPs, once they cancel the connection, the IP delegation goes away.

If the IPs came from the ISP, that ISP has to re-use such IPs: they count against the ISP's ability to justify need for more IP addresses.

If the IPs came from a RIR, once the justification goes away, the IP addresses are supposed to be returned, or they get revoked when the recipient of the IPs stops paying their annual maintenance fees.

In any case, the IPs eventually go back to the free pool, and get allocated to someone else.

The registries aren't going to try and "clean" blacklists, neither will ISPs. The recipient of IPs inherits the problem, to deal with any connectivity issues caused by blacklisting.

For IPs received from an ISP though... you should be able to convince your ISP to get you new IPs and allow you to move, if you're willing to take the time and energy to renumber, and (for some ISPs), there may be fees involved in you making the change requests, for the time it takes the ISP to make changes.

In many ways, poorly-maintained blacklists are just as harmful to the internet and end-to-end universal connectivity, as the spammers and malware peddlers are.

Re:Easier to block?

[mysidia]

Well, you could send complaints to the provider they peer with.

Normally that means the provider you send the messages to forwards them to the administrator of the network the spam complained about originates from.

Blacklisting is still your best bet, if you want to stop spam.

Spamhaus has a list called DROP, the Don't Route or Peer list, for listing hijacked blocks and professional spammers.

Trend Micro has InterCloud, ICSS/BASE.. which can provide tl. a BGP feed of providers/IP addresses to blacklist/null-route (botnet command and control points and infected hosts).

Re:Easier to block?

[mysidia]

If there were... nobody would bother cleaning old blacklist entries, since the IPs only get recycled every 100 years or so.... no reason to bother.

Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

Re:Easier to block?

[Hognoxious]

Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

No worries, everyone will be using IPv8 by then.

Re:Easier to block?

[Reaperducer]

Happened to me. launched a site on Pair networks a few years back and had problems with my outgoing mail. Turned out the guy who had the IP address before me was blacklisted. Pair just pushed me over to a new address. No problem.

Re:Easier to block?

[mysidia]

Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

The scenario is atypical. From the sounds of it, most spammers are not buying the cabinet space from the same company that is providing the internet access.

Of course it's a breach of contract and likely a violation of SLA for a cabinet provider to power down anyone's equipment or start cutting wires, because they think they might be spamming.

The spammer might sue claiming loss of valuable data (due to an unclean shutdown of their server).

Industry standard terms are power can be disconnected at request of customer (for a fee of course), emergency, planned maintenance, and violation of wiring standards (e.g. many major colocation facilities will have many rules on how equipment can be plugged in). But I don't think there are many Enterprise rack residents that accept "We may disconnect you if we feel your servers are doing something suspicious"

Of course network connections are a bit different.

Well, if you buy TRANSPORT from point A to point B, such as a connection from your rack to an ISP, in a major datacenter, you can expect by contract the transport provider cannot examine any data crossing the wire. In fact, they cannot cut the cable, just because they suspect you might be sending spam over it.

Your OC-3 or Ethernet transport from "Point A" to "Point B" is not an internet service. It's extremely unlikely for an Enterprise to negotiate a contract that allows their transport provider to disconnect them.

Following industry standard terms, a transport provider cannot kill the link, even if you are spamming, in fact, even if an internet attack happens to be crossing the link, a transport provider has no right to kill your connection or detect the nature of the traffic that is being transported.

To do so would be breach of contract/SLA on their part, and subject them to unnecessary liabilities (they lose their common carrier status for links that they 'watch').

In most cases, the one and only party that can legally cut off such a professional spammer at the source is the upstream ISPs, transit providers, or peering exchange of the misbehaving party.

Naturally, this is assuming the ISP isn't the same company that provides the rack space. In other situations matters might be different.

And in a major datacenter, there might be a lot of different ISPs to choose from...

I guess, my point is just... the standard arrangements for such facilities can actually serve to protect spammers.

Just like they protect Enterprises (who wouldn't inhabit them otherwise -- if someone could just arbitrarily decide to power off their servers, because they didn't like a file on their website).

Re:Easier to block?

[chapstercni]

Wouldn't it only be breach of contract if it violated the terms of the contract? Not sure how YOU know what those contracts state.

Re:Easier to block?

[chapstercni]

Nice troubleshooting. Glad you terminated them.

Re:Easier to block?

[rtb61]

It doesn't really matter, the big game 'is' to be an ISP and pretend one of your customers is the culprit, so the pseudo customer gets pursued, while you simply pretend another shady customer has opened up an account. There were quite a few smaller ISPs who had a real reputation for being enablers of digital crimes, so this tactic is really nothing new.

The whole idea is to hide and make your presence felt, big noisy operations are just targets. Besides the biggest culprits will be intelligence services in corrupt countries creating their own business side line on the 'companies' already shady servers.

Re:Easier to block?

[hack++slash]

IPv4 I would think so, my HOSTS file is 600kB from http://www.mvps.org/winhelp2002/hosts.htm (I don't soley rely on it as I also use AdBlock+ with FF), but if everything went IPv6 overnight the blocklists could get into some seriously ludicrus filesizes.

Re:Easier to block?

[mysidia]

In most cases it would be. Most spammers and non-spammers, don't make an agreement with provisions for their landlord to turn off the lights.

The contract specifies services to be provided, and turning off those services is a failure to perform under the agreement, in the most common scenario.

Even if the terms don't explicitly prohibit the landlord to do so, it may still be unlawful for them to turn off the power without meeting certain advance notification requirements.

Whether the actual crime is breach of contract, unlawful eviction, or tortious interference, is immaterial.

Re:Easier to block?

[Zerth]

Not anything step by step. If your anti-spam software or mailhost supports scripting(or is OSS) and pulls from a manipulable data source(sql, text, dns), you just need to set up a rule for each case that both drops the connection and inserts the IP & timestamp back into those lists.

Then have a script in cron that deletes anything older than the max time for each list

Spamassassin probably has a plugin for this already, but I can't be bothered to get with the future:)

One easy thing you could do is to replace your first MX record with a bogus host and your last MX record with something like tarbaby.junkemailfilter.com

Many spammers give up if the first is dead or jump straight to the last.

Re:Easier to block?

[nacturation]

Run spamd on OpenBSD or other OS that supports it. Works beautifully.

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5
http://www.linux.com/archive/feature/61103

By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you setup fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.

Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.

It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.

Re:Easier to block?

[xous]

Hi,

The SPAM was originating from our network which is an TOS violation which allows us to suspend services. I had already disabled the switch ports and the customer was trying to get it back online.

I had no obligation to waste my time trying looking into the problem to see how the spam was being sent. The customer could have easily went somewhere else instead of accepting the condition for turning the equipment back on.

I think what this "company" was doing had all their spam services in a data-center and only used their connection with them connecting to GRE tunnels.

Then they found smaller dedicated hosting companies that offered cheap servers ($100/mo) and tunneled all their traffic to their hosts at other networks.

It's not a bad tactic as it can sometimes take smaller companies a while to investigate complaints.

Re:Easier to block?

[mysidia]

Well, killing connectivity to an IP customer generating spam is a good strategy, and should put single-homed spammers out of business.

Assuming of course, they are not an innocent victim. But in any case, your IP network is your IP network.

But as mentioned above, the more insidious spammers might make that impossible, by leasing rack space and power from provider A, transport from provider B, and IP from providers C, D, E, and F..

Relying on the notion that IP providers C,D,E, and F, have no control over the rack, and can't "turn off" the spammers servers. The only thing they can do with remote safety is to kill their own link to the suspected spammer, and send them a disconnect notice (following the terms of their agreements).

If IP provider C tried to break into your rack, and turn off the connection to provider D or E, or to unplug power cables, the facilities providers, their security staff, and possibly the police might have some choice words for provider C...

If provider C kills their IP handoff (which is legal), the spam continues with the other providers D-E-F, if just D kills their IP handoff, the spam continues with C-E-F, etc...

C,D,E,and F, all need to shutdown the spammer.

I suppose the feasability depends on how profitable the spam... rack space in places where many ISPs are available is not the cheapest thing in the world, let-alone large amounts of IP transit without providers asking questions, or performing at least a credit check.

I remain skeptical that spammers can really pull this off, unless it's extremely profitable.. Blacklisting tends to be quick, and if their campaign gets shutdown before they can make up for installation fees, then the spammer should lose money..

Re:Easier to block?

[rbcd]

Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

No legal problem there. It's a contract issue.

Re:Easier to block?

[Slashcrap]

Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers.

No, he quite obviously didn't and only an unbelievable retard would assume that he had.

Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

Given the rambling bullshit nature of the rest of your comment, I'm seriously wondering if you think the use of GRE tunnels is itself illegal. Obviously that would be incredibly stupid, but well...

Re:Easier to block?

[RMH101]

this is kind of the point, isn't it? It imposes an incentive on ISPs to vet their customers and not harbour spammers. If they do, they'll end up with a block of IPs that no-one wants. SORBS et al give them notice, if it's ignored then eventually they get blacklisted. Other ISPs can choose to use those blacklists if they want, or not, depending on whether they think the net effect is beneficial.
There is no cabal

Re:Easier to block?

[mysidia]

No legal problem there. It's a contract issue.

I wouldn't say it's so clear. A contract issue is definitely a legal issue, and depends on the terms of the contract, and also what country a provider operates in, and what is legal in that country..

In many countries, the policy of coercing customers into providing access may run afoul of the Data Protection / Wiretap acts, according to the customer information stored on that equipment.

Also, no matter what the terms of a contract actually say, certain acts such as extortion are always illegal, and a contract cannot allow illegal actions, no matter what the words say.

Forcing someone to give a provider full access to their collocated servers, or else lose a service critical to them that they had paid for, is highly irregular, a compromise of their privacy, possibly their customer's privacy.

If, e.g. an e-commerce web site is hosted on the equipment, it is fair to assume such a server many contain information subject to the Data Protection act, such as names, addresses.

And likely to result in action.. that is, assuming the customer wasn't a spammer.

The issue isn't so much gaining unauthorized access to a spammer's "empty" server... it's forcing entry to a legitimate server or tampering with their equipment (if you were mistaken about them being a spammer).

Re:Easier to block?

[rbcd]

It isn't extortion. The disconnection is legal under the terms of the contract (violation of TOS).

Reconnection is then subject to negotiation, or the customer can take their business elsewhere. That cannot be extortion because you aren't threatening the customer with anything. He can have his server back. He is under no obligation.

<i>...it's forcing entry to a legitimate server or tampering with their equipment (if you were mistaken about them being a spammer).</i>

It's not forcing entry at all. It is entry with permission as the result of a non-obligatory contract renegotiation.

Re:Easier to block?

[hesaigo999ca]

You bring about a few good points, especially about IPv4 running out, and the problem continuing simply with PIv6.
If we were to try and maybe add a process unto the name acquisition, such as cocacola.com, which would be part of a white list (having gone through approval by some comittee), where any regular website like yours or mine homebrew (could or not be legit) be considered grey list, have some blacklist which would be the actual malware resolvers...and then add a list per country, or even maybe per type of url extension, like .sex or .tv, we could also
have each type of extension it's own process to become legit...so that .gov would have a much bigger process to go through then let's say .info, or .edu would be only school's, while .ccc could be a new type variant made for unrecognized or unprocessed ( in waiting).

So many possibilities, yet so few people trying to actually fix the problem. I myself do not have much experience
other then building the websites and then hosting them on godaddy like accounts, but never been very impressed with the people in charge, sort of like, they could not care less, unless there is a REAL big problem (like dns cache poisoining or dns server cracking) they do not do much on their own, to improve the model we use today.

Re:Easier to block?

[vaniderstine]

Actually, your are incorrect on at least one point. If your upstream ISP (or whatever you'd like to call it) stops advertising a route to your /24 (etc) and blocks your outbound traffic, then, you are effectivly off of the net. This takes about 2 minutes for a single peering relationship.

Re:Easier to block?

[mysidia]

And which point is that?

No, then your inbound traffic for your /24 advertisements starts coming in from the other ISP you have not ceased the announcement to.

And your outbound traffic stops going to the ISP who killed their peering session with you (since the routing process on your router will immediately withdraw the routes advertised by that particular upstream peering session which is no longer "up").

Well, this is all assuming the spammer has a proper (expensive) multi-homed setup, which I doubt too.

In truth it's not necessary. The spammer may very well have a bunch of NAT boxes in front of all their spam sources. When an ISP turns them off, or they detect an inability to perform their "liveness" test on a given link, their spam sources just immediately swap over to a different NAT box in their spamnet.

Re:Easier to block?

[mysidia]

You do realize, most of large ISPs' bread and butter are big companies that bring their own IP ranges?

Their customers aren't subject to blacklisting, their own infrastructure is kept well apart from blocks that are assigned to customers. Blacklisting doesn't hurt the big ISPs themselves, it hurts subscribers and smaller ISPs.

Frankly, huge ISPs need so many ip addresses legitimately, that the 5% or so of their ranges getting blacklisted may just be their cost of doing business.

ISP subdelegations are handed out to the little guys.

You take what you get, and you won't know it's blacklisted, until you're already paying for the service.

The little guy (unless an ISP themselves) is usually too little to negotiate custom terms like "approving/vetting their IP allocation against existing blacklisting"

Community (and perhaps regulatory) pressure is the best tool to make big players do anything.

Also, many see reduction of spam as a noble goal.

However, for big corporations, taking care of every spam source may not be feasible, or it may be a massively expensive undertaking.

This is not likely to be looked on favorably by the suits. It's cheaper to acquire more IPs.

Re:Easier to block?

[gknoy]

Thank you! I'll be keeping this in mind when I rebuild my server.

I thought...

[Darkness404]

I thought the entire reason why botnets were so hard to stop is because they could be on a huge range of IP addresses. With this isn't it trivial to see that Evilnet ISP is a botnet and has the IP addresses xxx.xxx.x.xxx- xxx.xxx.x.yyy and just block those? I mean, yeah, if they had enough bandwidth they could still flood you with requests that slow down the servers because they all need to be blocked, but shouldn't it make blocking them easier?

DNA samples/Chips in fingertips?

[e2d2]

No further investigation is done

And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

Re:DNA samples/Chips in fingertips?

[casings]

Mark Foley would probably like that idea.

Re:DNA samples/Chips in fingertips?

[Darkness404]

Sure, but the thing is IPv4 IP addresses are limited. Because of this, even if they started a botnet today and a year from now were gone, those range of IP addresses still might be blocked by various places.

I agree with your general feelings that you shouldn't need investigating to get a block of IP addresses, but it reduces a scares commodity and is in the best interests of those giving out blocks of IP addresses to check out the companies a bit more.

Re:DNA samples/Chips in fingertips?

[Shakrai]

Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

Boy, that's gonna really suck for the people whose political party of choice happens to be out of power at the time they need to go..... ;)

Re:DNA samples/Chips in fingertips?

[scott_karana]

Most sane datacenters will be extremely proactive about dealing with abuse complaints about spam, to say nothing about botnets, since they're the ones providing the IPs to the customers.
Capitalism typically makes it hard on the baddies here: datacenters do NOT want to lose saleable IPs to long-lasting blocks.

Re:DNA samples/Chips in fingertips?

[techno-vampire]

Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

If so, that's going to make it damned hard to be a phlebotomist. It's a good thing I only plan on leaving one.

Re:DNA samples/Chips in fingertips?

[RobertM1968]

No further investigation is done

And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

Yet, funnily enough, for me to get a measly 16 IPs (for 6 servers, 1 router, 3 dedicated workstations that are not permitted by law to have NAT, one more IP to a NAT router for other client stations and SOB/EOB) I have to justify each and every one of them, including possibly digging out the specific legal requirement for the 3 specialized workstations not being able to be NAT'd and identify the customer to further support why that law applies to them in support of us not being able to NAT those workstations.

Kinda odd if it is easier to obtain a big block than a measly 16 for our legitimate needs.

Hyperbole

[uassholes]

Having a block of IP addresses does not make one an ISP.

Re:Hyperbole

[Shakrai]

But they are providing internet service to the critically underserved market of phishers, extortionists and viagra salesman. I bet they even obey network neutrality and don't inject fake RST packets into your connections too. Clearly they qualify as an ISP ;)

Re:Hyperbole

[Eil]

Well, the terminology is debatable. They're talking about the malware and botnet operators getting more organized and reselling their services as malware-friendly ISPs.

I work for a web hosting company, but the vast majority of our customers are resellers who simply rent a dedicated box with cPanel, toss up a web page, and presto, they're a web hosting company too.

Re:Hyperbole

[RobertM1968]

Technically, "back in the day" the term Internet Service Provider referred to a provider of online access for companies or individuals (ie: you could connect to the net via dial-up, ISDN, T1, T3, DSL, etc) and the term OSP referred to a company that provided online services (for themselves and/or others) other than connectivity (companies with web properties, web hosting companies, newsgroup hosting companies, email providers, etc).

Seems "ISP" is the new blanket term for everything. Various US law addresses both terms though.

Isn't this cool?

[DNS-and-BIND]

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

Re:Isn't this cool?

[lymond01]

Umm, my future had me flying through a huge chamber freezing other people's limbs with my gun and scoring points with my helmet.

We really should have gone with my future...

Re:Isn't this cool?

[MathiasRav]

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

Somewhere, on a secret global malware authors' intranet, on a site running Slashcode, scammers are praising 2010 as the year of unregulated DoS'ing on the Internet.

Re:Isn't this cool?

[Tsujiku]

Don't forget using high tech fishing line to change direction in mid-air.

Re:Isn't this cool?

[Deltaspectre]

Then I would gracefully fall down towards the enemy gate. (I was actually looking around yesterday and it seems there may be a battle room videogame on the way : http://en.wikipedia.org/wiki/Ender's_Game_(video_game) )

Re:Isn't this cool?

[JohnyDog]

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?
Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

In those cyberpunk visions the world, political and judicals systems are tightly controlled by corrupt mega-corporations and the net is anything but open. The very act of accessing the network or tampering with it may land you in prison, criticizing the rulers means you're dead and so on. Every piece of hardware is registered, so if you want to get any hacking done you have to turn in to black market (for stuff) and criminals (to get money for stuff), out of pure necessity. (it's the classical tale of occupied country's resistance movement working together with organized crime, right?)

Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably. Anonymity is just one unsecured wifi hotspot away on every corner (so you don't need to pay a hacker to get you online), and any attempts at uncovering corruption and truth are met with public support. So the traditional heroes of cyberpunk stories can operate publicly or semi-publicly (think wikileaks), the worst that can happen to them is someone pulling the DMCA on the copied/leaked documents, which rarely results even in fines, much less prison time. The hackers are working on cool engineering projects instead of breaking into companies networks, and the criminals are, well, criminals - since they are no longer needed for the goals of the freedom fighters, all they do is disrupt the free information exchange (ddosing sites for greed, decreasing signal-to-noise ratio by spamming the hell out of everyone etc.), and so are frowned upon even by the neo-anarchists.

Re:Isn't this cool?

[pantherace]

Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably.

Sadly, I think your statement is incorrect. I'd agree that we've got cheap internet and hardware. China's firewall, as well as Iran's filtering seem to both be large-scale censoring, which has not failed miserably. In most of the rest of the world, while not censored, it may well be monitored. Also consider the recent articles about people providing fake DMCA notices, which may or may not be widespread, and the attempt to get those extended to every country.

Re:Isn't this cool?

[Jeremy+Erwin]

Personally, I thought that Stephenson's skullgun was pretty damn cool.

Re:Isn't this cool?

[rastoboy29]

I wish I was as sanguine as you seem to be about the future of the net, though.  I don't see it getting any free-er any time soon.  China's Great Firewall actually does a pretty fantastic job of censoring the net--even if someone can trivially bypass it, the fact is they *have* to, which has much more moral force than I'd certainly originally considered.

The future looks wireless, and right now wireless is a hellhole of proprietary bullshit.

And if you don't think our political and judicial systems are already tightly controlled by megacorporations, well, I don't know which world you grew up in.

I'm not saying it's dystopic, yet, but that possibility doesn't seem the least bit  unrealistic to me.  Wikileaks and bittorrent are under relentless legal attacks, and both of them rely on actual servers in actual places, which makes them vulnderable (even if widely distributed at the moment).

Is the address space for something else?

[damn_registrars]

Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.

Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.

The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.

It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).

Re:Is the address space for something else?

[Ifni]

Still doesn't complicate matters much - some software will have to be updated, but if the option were added to refuse to resolve websites that use a particular registrar, or to ignore results from specific DNS servers, then they can be shut out of the average user's Internet experience. Granted, this would have to be done at the DNS provider level (your ISP, or OpenDNS, etc) so the individual user wouldn't have as much control (unless they host their own recursive DNS), but it presents a pretty minor speed bump over all.

Re:Is the address space for something else?

[Corporate+Troll]

We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US? So Medecin Sans Frontières has no right to a .org in your world because it's French? Heck SAP couldn't get a .com because it's German! I'm just wondering. The ones you cited are international. You might have a point regarding .us domains. I know that in my country you only get a .lu when you live there and/or have a company there. Might have changed by now...

Re:Is the address space for something else?

[rdavidson3]

I live in Canada, and we have the .ca domain. But I've worked for several Canadian companies that have the .com suffix.

Re:Is the address space for something else?

[Corporate+Troll]

I think that was my point :-) I have a vanity .com, .net and .org.... Hosted from my ADSL line.

Re:Is the address space for something else?

[damn_registrars]

We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US?

I didn't actually say that, and admittedly when typing my post I was concerned about the possibility someone might read it that way.

The point I was trying to make has more to do with registration of domains. It is trivial for overseas spammers to give the impression of being an American company, and registrar credentials are generally crappy at best.

Re:Is the address space for something else?

[mjwalshe]

err the TLD's .com .org etc are not and have never been "American" they are by design generic domains that have no geographic ties. Though I am surprised that within the EU that member states can restrict the sale of country tld's to residents of that country how that fits with the suposed "free movement of services" i dont know.

Deal with them all the time...

I manage the network for a medium sized data center, and I see bogus requests for large blocks of IP addresses all the time. We require a justification letter, that acts more as a clue gathering form to help us weed out the illegitimate requests. All it takes is a few minutes of research to determine if the request is legitimate or not; in fact, it is usually immediately obvious that it's a fake. It's sad that other data centers do not do the same.

Re:Friends don't let friends surf the web in IE

[psithurism]

It demonstrates that botnets are posting crap on /., which helps goad the discussion towards what action we can take to stop them.

Uh, No

[sexconker]

Pipes and buildings and computers need to live somewhere. Find them and shut them down physically.

How do you find them? Follow the money.

They moved stuff into the cloud?
Clouds need to live somewhere. Find them and threaten to shut the cloud down physically. The cloud will then be willing to talk to you, and will shut down the people doing bad things.

How do you find them? Again, follow the money.

It's NEVER hard to shut someone down.
What's hard is organizing the people with legal authority and getting them to give a shit.

Nerds like to think that the internet is some awesome force, and that information wants to be free, etc.

The internet is a fucking physical network maintained by real people. Abstract all you want. Personify all you want. But when you get the suits lined up against you, you're going down.

If you want to test it, just do the something that will get the most suits lined up against you.

USA? Child porn.
Germany? Swastikas and Hitler.
Middle East? A drawing of Mohamed.

The bottom line is that no one gives a shit that grandma's PC is thoroughly owned, or that your inbox is 99% spam, or whatever else.

Re:Uh, No

[foniksonik]

SO you're saying that *someone* should hack into the spammers boxen and and install a child porn archive or similarly regional taboo - then bring public attention to it? Oooohhh that sounds like a very vigilante grey hat goal to achieve. So whom will take up the gauntlet? Any "NetMan" around to protect us all from organized crime on the net?

Wake Me

[camperdave]

Sure, but the thing is IPv4 IP addresses are limited.

Exactly. Wake me when they become an IPv6 ISP.

Escalation

"Ha ha! Look at us! We've got fat pipes that we can use to DoS almost anyone and spew spam all over the internet! We so rule! Ha ha!"

(the internet wises up to this; these people get kicked off their ISPs or out of their universities, more people get fat pipes, spam gets blacklisted, damage is mitigated)

"Well, fine. We'll just use security flaws in swiss cheese-like browsers and operating systems, play on people's stupidity regarding computers, and turn everyone into our spam-dumping and DDoS-employing minions! You can't stop us now! Ha ha ha!"

(the internet wises up to this; more secure browsers and operating systems are deployed, better spam filtering is developed, more aggressive security measures pop up, some of which are ISP-level (for better or worse), more people are educated, damage is mitigated)

"Hrmph. No matter. Now we'll go one step higher and just get our own IP blocks and registrars, and then we'll get our own pipes! Then we'll never have ISPs shut us down again! We're so much more clever than you are! Ha ha ha!"

(the internet wises up to this; the IP blocks are soon figured out, all traffic to them is blocked from other ISPs, Google and other search engines refuse to spider anything from those blocks, damage is mitigated)

"Oh... oh yeah? Well, now we'll just go one step higher and use those pipes to make our OWN internet! We'll have everything! It'll all be ours! And YOU won't be able to get into it to stop us! HA HA HA HA!"

(the internet ignores this, that's somebody else's network now)

"...wait, hang on..."

Re:Escalation

[el_tedward]

Hey, I don't really like this...

I'm studying cool l33t computer security stuff at college at the moment, and what you seem to be suggesting implies that some day computer security will mature, and there won't be as big of a reason to employee peoples like me.. Um, I don't like the way that sounds. You should stop talking..

mod parent down, plz

k thx

Re:Escalation

[Earthquake+Retrofit]

I suspect there will always be con artists and suckers to feed them. Crack those books, el tedward, the networks will need you.

Steve

Old news

[jimpop]

This is nothing new.

Re:Old news

[Antiocheian]

Yes, typing stuff for other people to see... computers, networks, whatever.

Re:Old news

[Zocalo]

No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP. All it takes is a for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this this technique.

Actually I see it like this...

[cjjjer]

Personally I would be running my own DNS servers / Anon proxies on those blocks of IPs so that bot traffic can be managed better.

Just my .02

....Yeah but are they Microsoft Certified?

[Bob_Who]

...because if they were, then we'd really have to worry....about.....the unemployed.

ISP Level?

When they start requesting AS numbers, running their own infrastructure or even providing a service maybe then could this story have some merit.

This screws up other innocent good guys too

[phonewebcam]

We have 4 dedicated servers with about 20 IP's spread across them and started getting mail rejections.This turned out to be because the whole range if IP's the hosters had used got blacklisted by spamhaus for exactly the reason stated in the article - one other "customer" had spammed with his IP's so spamhaus just added the whole range to their RBL.

Re:This screws up other innocent good guys too

[RMH101]

Good. Presumably your ISP had repeatedly ignored requests to bin the spammers, and eventually got themselves blacklisted. Their punishment for this is to get complained at / sued by irate customers such as yourself. Perhaps they won't be so dumb next time.

youtubers beware

[cl191]

"You own your own IP space and you're your own ISP at that point." I believe this sentence was designed to make youtube commenters' heads to explode......your you're you what?

Re:youtubers beware

[juliannoble]

Yo you, you're your youtube you, yet your youtube's yesterday's you.

Re:youtubers beware

[jez9999]

I believe this sentence was designed to make youtube commenters' heads to explode

The second 'to' shouldn't be there.

just don't route it!

[Gunstick]

Delete the AS from the routing tables and don't peer with them.

Subject

[Legion303]

Servers or not, it's a shitty datacenter that doesn't enforce its AUP with its customers.

Re:Subject

[dr2chase]

Clearly we're doing this wrong. Maybe if we frame them for pirating MP3s, the ISPs will move a little quicker.

What - No William Gibson?

[meerling]

Come on, W.G. is one of the founders of the whole cyperpunk genre.
You can't honestly tell me that you've read Sterling and Stephenson and haven't read Gibson.

But when spam is illegal

[Snaller]

...which it is in Eu - they are going to slapped down just as hard. And with huge amounts of hardware being confiscated they are not going to try that trick anytime soon.

Are IP ranges free all of a sudden??!!

[kcoriginal]

Boo to the writer... or to the Europeans... which is it? So, like 2 years ago, when I launched my own consultancy, I also wanted to offer hosting. Like every other geek out there. I just remember that there was no way to get my own block from IANA/ICANN (whoever the he!! it was)... unless I had some insane amount like $2500 US. Anyone can confirm that? Did the price thing change? I just remember feeling cheated that an average Joe couldn't fill out the right paperwork and file a reasonable fee to get his small business started. He!!, for $2500, I could get a full business financed... when did it become illegal to be a lil ole small business guy? This is why all the shops just resorted to raping people... they can't win for losing.. so, if you can't beat 'em, join 'em... is that it? Is it easy to get a block from Europe? Perhaps I should cook up some elaborate scheme to VPN my European class B to my /28 here in TX... hmmm.... kc

Re:Are IP ranges free all of a sudden??!!

[Onetime77]

once you jump through the hoops the first time it works out to about $1-2 USD/IP address. This is based on a request of a /22 which is still considered a "micro-allocation."

Simple - ipV8

[Dogbertius]

Don't worry, once we we've needlessly partitioned away every last block of ipv6 addresses, we can repeat the exercise again with ipv8 :)

Botnet control?

[hicksw]

Sounds like a good way to run a wide shallow botnet control tree.

And Big Crime^WBusiness could control a collection of these small ISPs just like a botnet.
--
Does the noise in my head bother you?

They aren't ISPs, they are OSPs

[BitZtream]

As such, they still connect to someone upstream, you blacklist their address space, ALL OF IT, and their ISP if they refuse to cooperate.

Rarely will the national ISPs take this sort of abuse, its rather easy for them to spot. You get plenty of crappy little local data centers that will let them get by with it, and 999 times out of a 1000 you'll never hear anything about it.

I make about 2 attempts to stop a spammer that does this crap, 3 time I just blacklist the entire ISP.