Naming and Shaming "Bad" ISPs

An anonymous reader writes "Brian Krebs takes a provocative look at ISP reputations, collecting data from 10 different sources that track 'badness' from a multitude of angles, from phishing to malware to botnet command and control centers. Some of the lists show very interesting and useful results; the ISPs that are most common among the various reputation services are some of the largest ISPs and hosting providers, including ThePlanet and Softlayer. The story has generated quite a bit of discussion in the security community as to whether these various efforts are measuring the wrong things, or if it is indeed valid and useful to keep public attention focused on the bigger providers, since these are generally US-based and have the largest abuse problems in terms of overall numbers."

naming/disempowering unprecedented evile

call it what you like, it's all around us.

never a better time to consult with/trust in your creators. the lights are coming up all over now as well.

Re:naming/disempowering unprecedented evile

[Jurily]

Are they that bad?

New Jersey

And New Jersey is responsible for crack problems in inner cities, because so much crack is transported on I95.

Re:New Jersey

And New Jersey is responsible for crack problems in inner cities, because so much crack is transported on I95.

He's not blaming the series of tubes, he's blaming the ISPs for harboring spammers, botnets, etc. Next, considering he publishes in the WP, I expect he will make a call for gubmint regulation of teh interwebs. Next stop nanny state! I'll take freedom, including all the spam and botnets that true freedom allows, over the alternative any day. FREEEEEEEEEEDOOOOOOOOOOOM! ;)

Re:New Jersey

[sopssa]

Some of the ISP's in the list are huge hosting companies, namely ThePlanet, Layered Tech, Leaseweb, OVH.. You have no idea how big they are unless you've visited one of their data centers. They host millions of servers. How would they check it all? For that matter, who wants their data center staff snooping around in your server?

Being one of the largest hosting companies in the planet obviously brings in bad guys too.

Re:New Jersey

[agoliveira]

Please. If you are a big company you need to be prepared to deal with larger portions of the same: good tools, good (and bigger) staff, a specialized security/response team. It's like any other company, One can't expect to run a large company with the same resources used in a small one.

Re:New Jersey

[sopssa]

I'm fairly certain that they have specialized security/response teams. The difference between small and big companies is that the big ones are known by everyone. Even if they have a prompt response team they can't pre-screen servers, and even snooping around in them would be illegal. Obviously the huge companies will be better known to everyone and hence get more customers, good and bad.

Re:New Jersey

[agoliveira]

I do agree they are more targeted but that is a price they have to pay for their size and there are ways to investigate without snooping around one's servers. Also, what about the hundreds of complains I sent? I've never got one single reply.

Re:New Jersey

[FlyingGuy]

And yet you still expect them to sell you hosting for 19.95 a month, provide you with basically unlimited bandwidth, unlimited storage,do not even THINK about deep packet inspection or traffic shaping and let you do most anything you want to do!

Sorry but your comment is laughable man. The old saying of, "Speed, Quality, Price" Choose 2 still applies.

Re:New Jersey

[Capt.+Skinny]

He's not blaming the series of tubes, he's blaming the ISPs for harboring spammers, botnets, etc.

GP's not blaming I95, he's blaming states that manage a big chunk of it for harboring crack dealers, distributors, etc.

Neither states nor ISPs should be complacent about mischief within their borders, but the more traffic that passes though a state/ISP, the bigger that state/ISPs share of the problem will be.

Re:New Jersey

[Antique+Geekmeister]

True, but you also have to prepare a budget for it. You can choose the contracts for careless or even malicious customers who would not accept a more sane or secure overall environment, including spammers and l33t d00dz who insist that "the Internet is free!!!" and "why can't I run my own NFS/SMB/HTTP/SMTP/FTP/IRC/Bittorrent server, I paid my $19.99/month!!!!" And slapping them down and turning them away lowers your potential customer base: a lot of ISP's worry a lot about "market penetration", and rely on being the locally dominant player. Following up properly on complaints against those abuse customsers also takes serious engineering and legal reources, none of which generates revenue.

Conversely, some ISP's do well with the superior service being security aware can provide. They don't get overwhelmed by surprise Bittorrent or FTP deluges against hosted servers, they channel outbound SMTP through servers that require authentication so the spambots can achieve nothing without passwords and they disconnect machines spewing Windows worms around their local network. and they keep their routers up-to-date with security patches to avoid getting re-routed. Some of us appreciate the resulting protection, and pay for it in our monthly bill rather than in expensive internal engineering cleaning up the messes.

Re:New Jersey

[agoliveira]

No, I'm not. I'm quite happy to pay more for quality. If you are willing to cope with this sort of crap, that's your choice but remember that the whole internet idea is about collaboration. If you put up too much crap, you will start to get blocked and your 19.95/month won't worth a dime.

Re:New Jersey

[sopssa]

I do agree they are more targeted but that is a price they have to pay for their size ... Also, what about the hundreds of complains I sent? I've never got one single reply.

Lets take this into another scenario. USA is the main source of spam on the Internet. Does this mean USA as a whole is bad?

Re:New Jersey

[sopssa]

Also, I've heard that one of the large companies, HostGator, gets 1500 new customers every day and they catch around 500 of them being malicious/spammers (even with phone verification!). With that huge amount of customers, and the good-to-bad ratio, it's no surprise if some slip in.

Re:New Jersey

"The old saying of, "Speed, Quality, Price" Choose 2 (if you're lucky) still applies."

      FTFY.

Re:New Jersey

Companies like ThePlanet and OVH explicitly invite bad behavior via pink contracts, and refuse to do anything when you email abuse@them. However, I've not had experience in dealing with Layered or Leaseweb. FDC used to be on that list, but have actively engaged in monitoring abuse reports. However, ThePlanet is going the way of Atrivo, Foonet, and CI Host.

ATT, Limelight, NAC, and Akamai each dwarf all of those companies combined and don't even come close to the amount of abuse each of those providers unleash on the Internet. So, it's not about size.

Re:New Jersey

[sopssa]

The later ones you listed are content delivery networks (CDN). They're mostly used for static things like images. Besides that, signing up with them requires an established business and large up-front payments. Akamai's offices here in Stockholm are close to our place and we've done business with them, and it's nowhere near like just ordering a server from hosting company. Both of those reasons are why they probably don't have as much abuse.

Re:New Jersey

LL will sign up anyone willing to pay, business or not, reputable or not. And while they may own a CDN, they also own a colo hosting facility, as does Akamai (whose CDN also handles dynamic content). The difference is that both of them will look at each order and attempt to figure out intent. Both also rapidly respond to abuse reports. That is why you don't see much abuse from them. Companies like ThePlanet (whose Dallas facility doesn't use AC for half the summer) outright ignore abuse complaints, whereas OVH knows full well what they're being used for, and won't act unless forced to by a court or pressure from uplinks.

Re:New Jersey

Lol Sopssa with the ignorant comment as usual. Are you saying that big companies have to do a shitty job? Maybe they should scale their staff to match their revenue?

The reality is that these companies intentionally provide bad service and don't care about their spammy customers because turfing them costs revenue.

Re:New Jersey

[Machtyn]

Darn, I guess I can never be employed at one of these places. No one would ever confuse me with "big".

Re:New Jersey

[b4upoo]

So driving costs up for these companies as well as the entire general public is OK? If it is fine for others to suffer loss of money why should content creators resent it? Gravy for the goose is gravy for the gander.

Re:New Jersey

[shentino]

It's called letting the feds do their job and get a warrant if they trace illegal activity to a server in a data center.

first po fronm the man.net

[Notegg+Nornoggin]

Would of been a first post, but my ISP slows down the packets to keep us poor colored folk's down.

Wow, I feel bad for ThePlanet.com

[jeffmeden]

These measurements might not be 100% accurate at identifying the root of each of the problem areas, but when an ISP is on all but one of the top ten lists, you have to start wondering what they are doing wrong. ThePlanet.com, what gives? Too many undereducated customers running infected servers? No top level detection and deactivation process in place? Seems like there are a lot of things missing.

Re:Wow, I feel bad for ThePlanet.com

[Hurricane78]

Then again, this also says that the smaller ones are not really worse than the big ones. Which is kinda obvious.

I think if you want to find the core of the problem, you have to follow the money. But I fear that that has already been done, and that it lead right back to the friends of the ones who were searching for it. (Big advertisement companies, big pharma, etc.) Which caused them to do nothing.

My guess is that they use a straw-man company so they appear detached. I have seen this in Internet companies who didn’t want to be affiliated with their porn section. (Sometimes for legal reasons.)

So an independent group should infiltrate them. Just open your own spam business, gain some trust, see who bites, track their money sources back without them knowing...

But OK, even this fixes nothing. Maybe we should go to the root cause: Whatever results in people, dumb enough to really buy stuff like that. Bad education springs to mind. Media and politics that cause passive people. Etc.
On the other hand, spammers create some needed kind of natural selection, that is hurting the dumb, which gives intelligent people an advantage. Which definitely is not a bad thing for humanity. ^^

Re:Wow, I feel bad for ThePlanet.com

I worked in ThePlanet's department that was responsible for security before leaving several months ago. I can tell you that it's not that they don't care about security, it's that they treat their admins like absolute shit. I wish I could go into details but knowing how malicious my managers were makes me hesitant even posting as AC. In my department, we had every admin with more than a year of experience leave within a three month period (myself included). The replacements for us had to be trained from scratch... as in most of them didn't know how to restart Apache. Being serious about security is worthless if you don't have anyone to deal with security issues.

The only thing ThePlanet cares about is sales. Their sales team (who have no idea what their own servers are capable of) is allowed to promise you absolutely anything if it will make the sale. I lost count of the number of times I had to deal with customers who had been promised that a single server could send out over 1,000,000 emails per day (and I'm sure none of that is spam). The fact that they would promise something like that to begin with should say a lot about how little they about the type of customer they're trying to attract.

Re:Wow, I feel bad for ThePlanet.com

[shentino]

Except that they clog up the tubes and make business difficult for us smart folks.

Not to mention that pissing off a spammer in control of a large botnet can be hazardous to your system when he decides to retaliate with a DDoS attack.

So here we have the circle of spam:

1. Spammers are huge and have massive resources at their disposal
2. Only governments and large corporations have the resources to fight them
3. The people pushing their wares through spammers have their friendly congress critters eating out of the palms of their hands
4. The congress critters, fat on the trough of special interests, willfully turn a blind eye to the spammers that their corporate buddies depend on.

Unless this vicious circle is broken, spam is here to stay.

I commend Blue Security for their efforts. Their martyr like collapse exposed spammers and their criminal syndicate backers for the terrorists that they are.

I think it'a about the same all over

[agoliveira]

One of the largest ISPs in Brazil, Locaweb, is the main source of spam and malware I get and it's not only about numbers. They just ignore every single complain I've done.

Re:I think it'a about the same all over

One of the largest ISPs in Brazil, Locaweb, is the main source of spam and malware I get and it's not only about numbers. They just ignore every single complain I've done.

I suspect that's because their spamming customers pay them money and you don't. To them, you're just a whining bitch. Cuz, ya know, without customers that pay money, companies go out of business. Want to change that? Get the Brazil national congress to regulate the internet heavily like China and USA. Duh. Government loves oppression the way private industry loves money! :D

Re:I think it'a about the same all over

[agoliveira]

By your logic, I could accept money from drug dealers as well, "cuz, ya know, without customers that pay money, companies go out of business" . If they accepting money from spammers and malware dealers, they are liable as well. I could press civil and criminal charges or I can just block their traffic completely (which I've done, BTW). Then I turn from a "whining bitch" to a royal PITA. Thankfully, the Internet is still free around here.

Re:I think it'a about the same all over

By your logic, I could accept money from drug dealers as well, "cuz, ya know, without customers that pay money, companies go out of business".

No, by my logic, I can rent a house to someone because I have a vacancy. If it turns out that person is dealing drugs, WHY THE FSCK ARE YOU WHINING TO ME ABOUT IT?! That's not my job. I'm not the cops. They pay rent and they don't destroy my property. As long as those two things continue to happen, that's all my contract with the tenant covers. If you have evidence that illegal activity is occurring, you take it to the people whose job it is to stop illegal activities.

Secondly, you are equating dealing drugs to spam. Spam (Unsolicited commercial email) is not illegal in Brazil. Small entrepreneurs are allowed to use email advertising just like large corporations. If you are in the US, then yes, it is true that only corporate titans are allowed to spam. Small businesses are shut out unless they want to pay large sums of money to send dead tree spam to your real mailbox. It seems Brazil would rather not chase away their small business and cut down what's left of their rain forests.

If they accepting money from spammers and malware dealers, they are liable as well. I could press civil and criminal charges or I can just block their traffic completely (which I've done, BTW).

That's why you totally went to the cops, right? Oh wait, you didn't because you can't.

Then I turn from a "whining bitch" to a royal PITA.

Total PITA for your customers perhaps. I recently dropped such an email account because their aggressive spam blocking prevented communication with my Japanese fiancee. If you like losing customer, continue intentionally dropping their important emails and see how that works out for ya.

Re:I think it'a about the same all over

[antdude]

How about taking legal actions?

Re:I think it'a about the same all over

[agoliveira]

The problem is that we don't have clear laws regarding spamming. There has been some legal actions base on analogies with older things but it's not a clear shot. I rather take it to the technical level and block their traffic and/or see what can I do to add them into some RBL.

Re:I think it'a about the same all over

[shentino]

There's this term called "aiding and abetting" you might want to look up sometime.

If you are aware of illegal activity, you can't just turn a blind eye and tell the whiners to screw off and tell the cops.

Because IF the cops find out you knew about it and didn't report it, *your* ass goes in the cooler too.

Re:I think it'a about the same all over

[sopssa]

There's this term called "aiding and abetting" you might want to look up sometime.

If you are aware of illegal activity, you can't just turn a blind eye and tell the whiners to screw off and tell the cops.

Because IF the cops find out you knew about it and didn't report it, *your* ass goes in the cooler too.

So you are saying The Pirate Bay guys are going to jail?

Re:I think it'a about the same all over

There's this term called "aiding and abetting" you might want to look up sometime.

Perhaps whiner is aiding and abetting if he knows of illegal activity and tells the landlord instead of the cops. He could always play dumb when confronted or claim he was a big pussy who was afraid of the repercussions of reporting the crime though.

If you are aware of illegal activity, you can't just turn a blind eye and tell the whiners to screw off and tell the cops.

Because IF the cops find out you knew about it and didn't report it, *your* ass goes in the cooler too.

Ohhhhh... you meant landlord would be liable? No, I'm afraid that's not called aiding and abetting. That's called hearsay. Duh! To prove aiding and abetting, you'd have to prove collusion between the landlord and the tenant. You'd have to show the landlord rented to the tenant knowing the location would be used for illegal purposes.

Yep, that's what keeps me coming back to /. All the excellent legal advice...

Re:I think it'a about the same all over

[shentino]

Actually, yes.

Don't know the citation for it, but drug activity by tenants has and still does result in sanctions for the landlord.

In fact, there was such a case. Landlord had his building confiscated by the feds after they caught wind of drug dealing by his tenants.

But generally speaking, at least for felonies, if you know about it and don't report it you're guilty of concealing the crime.

Re:I think it'a about the same all over

Actually, yes.

Don't know the citation for it,

Because it doesn't exist. If whiner tells me drugs are being sold in the house, that's hearsay. Hearsay isn't evidence in any court and I certainly could not be held liable for such. He has no proof. If he does, he's the one obligated to report it to the police, not me. If he comes to me instead of the police, I'm calling the police to report him. See how that works? For being a pussy ass bitch, I report his crime of witholding evidence from the police. Now, if anyone goes to jail for failing to report the crime, it's whiner for being a cock guzzling cumdumpster.

Case in point: Spam isn't illegal in Brazil. He whines about it initially, but admits exactly that further down in this very thread. He's already flushed his entire crybaby argument right down the shit can.

Re:I think it'a about the same all over

[shentino]

I am content to know that I am right, and no amount of nay-saying on your part is going to change that even if I don't feel like slogging through the 'net to get a reference I originally read about in a Nolo book regarding landlord tenant law. Especially not for a vulgar pottymouth like yourself.

Shoulda known better than to feed the trolls, I suppose.

ThePlanet

[Manip]

It is a shame that ThePlanet is doing so badly. I've used them before for dedicated hosting and was very happy with the service I received. I will say that they are very "hands off" (which is generally good, but bad in this case). I think one has to remember that this is a chart of which ISPs are most responsive and active in stopping abuse originating from their network and not some kind of general review of the service they offer.

That being said I think all the ISPs listed should be unhappy about appearing on these lists and should actively be trying to fix their reputation or risk getting blacklisted.

Re:ThePlanet

[agoliveira]

They should have entered RTBLs long ago. Maybe this should scare them enough so they start to pay attention to the complains they certainly get.

Re:ThePlanet

[sopssa]

Would you blacklist Google too? They are on the lists too. It's not the problem that they would be actively friendly towards such activity, it's that they're so big companies that they get abused.

Re:ThePlanet

[HangingChad]

It is a shame that ThePlanet is doing so badly.

When I blocked ThePlanet, my silly traffic dropped noticeably. Every day, sometimes two or three times a day, I was getting hacked at from the ThePlanet IP range. Blocking them was a big relief.

Re:ThePlanet

Frankly anyone who thinks ThePlanet provides good quality hosting probably isn't a very serious system or network admin. Their network is terrible, the perform is surely good enough for personal blogs but frankly those of us who have to make informed decisions to keep networks running would never host on that tier of colo provider. There are plenty of ThePlanet horror stories, coupled with the fact that their network is pretty damn slow to begin with. Frankly anyone selling cheap unlimited service is going to give you a level of service that is not mission-critical.

Re:ThePlanet

[EvilIdler]

I guess the hands-off approach is necessary when you have tens of thousands of servers rented out for cheap. When some IPs have been tainted, there should be more pressure on the server owners to get rid of the bad users and get them off the lists.

I've had some customer sites with Hostnine, who use ThePlanet servers. It's pretty bad, because you have no choice of IPs. You'll get a random IP from the location you choose (a few US locations, Singapore, England), and it's a lottery. Most people don't win. Mail being sent from it doesn't reach some places, only rarely making it as far as the spam folder. They are in the process of fixing this now, due to massive customer complaints. But I get the impression H9 are struggling to get the IPs off the lists, while ThePlanet aren't really doing much.

Now I'm with Hetzner, and I've fortunately got clean IPs. Due to the way I select customers (it's only a side-business, or friend service) I'm safe from spammers on the inside. Now to keep the usual hackers off my sites (thanks, fail2ban) :)

Re:ThePlanet

[AlphaCentauri4]

If you report something to Google, they take action very quickly. It's just a pain to report to them, via web form, one URL at a time. When they are getting abused by criminals, it takes them a while to fix the ineffective captchas or to scan their docs/blogs for clones of ones that have already been reported a few hundred times. They do eventually get their act together. They really need a better system for accepting bulk submissions. Currently, they're on top of the Blogspot and Google Docs abuse. But when Microsoft finally gets its act together and boots the spammers off Live Spaces, they'll be giving Google another try. Then we'll be starting all over trying to get the attention of someone with authority to shut down more than one user registration at a time based on the pattern of abuse, without waiting until the spam has already been sent.

Re:ThePlanet

Being on this list is a good thing really. It means you aren't interfering with your customers activities though if you think about it.

Network neutrality

[BadAnalogyGuy]

You take the good. You take the bad. You take them both, and there you have Net Neutrality.

Net Neutrality. When the world never seems to be living up to your dreams, and suddenly you're finding out Net Neutrality isn't all about you.

Re:Network neutrality

There more to the parent than "Score:5, Funny". It's hard to imagine a net neutrality plan that does not prohibit some of the common responses to spam, DoSes, et cetera.

Re:Network neutrality

[AmberBlackCat]

Here's the reference to make it make sense.

Re:Network neutrality

[Nunavut]

Sit ubu sit

They're all scum

[jonaskoelker]

I bet every ISP wants to be a Superior Carrier of Utmost Magnificence ;-)

Laughable

[Threni]

Why would anyone (home user/corporate etc) care about any of that? It doesn't make their network/access any less safe. People go for cost, then performance. If I can get a good deal from an ISP, why do I care about how many follow customers are incapable of managing their systems?

Re:Laughable

[agoliveira]

Because if they do, we would have a lot less of malware and spam therefore more resources available. Isn't that obvious?

Re:Laughable

[Antique+Geekmeister]

Because it does make your network less safe. Having the script kiddies, the spammers, and the harvesters active on your subnet exposes you much more directly to their abuses, and to the likelihood that your logs will be cluttered with the attacks from their servers. It also gets _you_ added to email blacklists and routing table blackholes, because your customers may be tired of the abuse from your network and find it far simply to simply block you.

The expense of a more reliable and secure server is an issue. But there's nothing like the self-righteous DDOS attacks that have occurred against networks that serve abusers to clutter the traffic of even innocent clients: it imperils the service for legitimate, paying customers. Cases like "agis.net", who hosted the Cyberpromo spammers before a DDOS against them finally got them to take action, make a fascinating study in the risks of hosting abusers. Conversely, xinnet.com in China is happy to host spammers: with the size of their service and the limited choices available to consumers in China, they're effectively immune from prosecution or attack.

Re:Laughable

[discogravy]

because when the IP address block that was assigned to your IP is blacklisted, you won't be able to do shit except switch ISPs, then switch all your DNS entries (if you're a corp user) or hang out all day waiting for your new cable/dsl/whatever tech to show up to plug in your shiny new cable/dsl/whatever modem. That's why you would care about it.

time for a division

So as by far the biggest abuse problems (botnets, spam, ...) are coming out of the USA since many years, maybe it is time for other countries to black whole USA based addresses. Just stop routing their packets until they become good net citizens.

I don't know how many reports I have seen pointing to the USA as the biggest spam source. It's time to do something about it. Only if there are some consequences will they ever change their behaviour.

Re:time for a division

Why not, I firewall ALL of china and ALL of Korea. Made that decision based on attacks found in my logs. Don't want their business, don't need their business, don't care.

You don't want my business, don't need my business. Firewall me and everyone in my nation. Don't care. fuck you, which is exactly what the Chinese and Koreans are probably saying about me.

I look at it this way. I make A HELL OF ALOT MORE money from other nations then I will ever make from China and Korea. Can you say the same about the United States? Can you make more money elsewhere? Yes/No?

I think you should firewall the US. I don't want to purchase jack shit from you anyway

It's not my problem, my customer is doing this!

[wowbagger]

The big hosting providers ALL have the same attitude when you contact them about abuse:

"WE aren't doing this, that is one of the customers of one of our resellers, we won't do anything, talk to the reseller."

Of course, the reseller says "Screw you, they are paying us good money and you aren't."

Softlayer is a VERY good example of this: a Softlayer hosted site has repeatedly been spamming the Wine Developers mailing list for their crap. I have personally emailed Softlayer about it on more than 10 separate occasions, and have heard ZERO back from them. They don't care (even though their site claims they are aggressively anti-spam - BULLSHIT! words are cheap, actions are not, and Softlayer HASN'T ACTED!)

The spam problem isn't complicated to solve, it is actually pretty simple to solve (though not EASY to solve!) - just follow the "shit flows downstream" principle. If a host is doing bad things, look up who owns the network they are on, and MAKE IT THAT ENTITIE'S PROBLEM to solve it. However the problem is solved - be it "Hey, your server's infected" "OOPS fixed now sorry!", be it "We have blocked outgoing connections from your system until you fix it.", be it "Boss axed me an' Nunzio to has a talk wit ju about youses' server...." - doesn't matter as long as the problem gets solved. If it DOESN'T get solved, then the network owner becomes the problem entity, and you move to their hosts.

The only hard part is bringing some form of negative consequences to bear upon the network owners - you either need a law (and then you have a hard time dealing with systems outside your law's reach - all you can do is place the problem on the point of demarcation to your jurisdiction), or you need something with a wider reach, like publicity.

(and to all you morons about to copy and paste the "spam solutions form" - that meme is old enough to drink and vote, let it die already, OK?)

Re:It's not my problem, my customer is doing this!

[shentino]

I agree.

Anyone in the chain that becomes aware of spam going through their tubes and yet does diddly about it becomes an accessory.

Ohhhhh Please!

[FlyingGuy]

We all demand huge bandwidth, huge amounts of storage and we want it for 19.95 a month.

Do you wonder why everything is over sold? I mean, really do you?

How much does a really sharp *nix admin.engineer cost annually?

Even with really good tools how many physical boxes can on guy keep watch over? How about when each box is hosting 300 accounts, or running 10 VM's? What would anyone guesstimate? Maybe each box is only hosting 30 accounts? I mean the numbers start to add up.

Lets say just for sake of argument that a really good admin can handle the care and feeding of 100 servers. That guy costs you 60K a year benefits and all. You need three shifts because you run 24/7 so that is 180K right there. Lets say you have 10,000 servers do now we are taking 100 guys * 3 shifts so 300 admins * 60,000.00 per year. So payroll just for the admins is 18 million a year and we have not given anyone the weekend off, so that number is a bit low.

You have not yet paid for all the hardware or your bandwidth bill. So right now at 19.95 a month you need about 900,000 customers.

Uhmmm for some reason those numbers just don't pencil. So thats why ISP's have to oversell everything AND turn a blind eye to a lot of things.

I am a bit doubtful

[Sycraft-fu]

The reason being that when I look at our firewall logs or when we happen to get a system compromised, the US is way underrepresented. The US accounts for a very large portion of the Internet still, and we are located in the US so you might expect to see most attacks from there. However the majority are RIPE or APNIC addresses. You can also see it in things like Conficker infections. If you look at the graph of what got hit how bad (http://www.confickerworkinggroup.org/wiki/uploads/ANY/conficker-all-2009-small.png) you see that RIPE and APNIC are again way overrepresented in relation to the whole.

Now I've not done a scientific study on this, I'll admit, but I do have a reasonable data set and it just doesn't match with what I've seen.

Re:I am a bit doubtful

[buss_error]

The reason being that when I look at our firewall logs or when we happen to get a system compromised, the US is way underrepresented.
.
If you are looking at direct malicious activity, then you are quite correct. However, once you start looking at C&C servers and where they are (which you have to do somewhat indirectly), then you will find that many of them are indeed hosted on major ISPs in the US. So why would someone run C&C from US servers, but have the direct malicious action from outside the US?

I suspect one major factor is the difficulty in obtaining logs from the malicious system (either direct logs from the server or packet logs from the network). Another factor is jurisdiction issues - it is almost impossible to get the Chinese to do anything in their legal system about systems being used in malicious ways. Ditto for many other jurisdictions. So, even if you know where the C&C servers are, it's hard (but not impossible) to put together a case against the bad actors.

There are some interesting things going on with all this stuff, though I'm not party to any of it. I hope that in the next two years or so, it will be much harder for the hackers/spammers to continue to operate.

Old-timer comment

[tverbeek]

I remember when ISPs used to seriously police their users, because there was the potential for them (the ISP) to get kicked off the internet, and have that stick. Network admins listened to complaints from other admins, and if they concluded that a given ISP wasn't keeping house and letting too many net.abusers on, they were considered a rogue ISP and cut off. The rogue net couldn't just call up another network access provider and get reconnected, because their reputation preceded them. I'm not saying I'd want to go back to that (even if it were possible), but as a believer in personal responsibility, I miss those days.

Re:Old-timer comment

Yeees, BBS' were great! oh! oh! the joy when you got a new acoustic coupler!

Gee, who would have guessed?

[Opportunist]

Big and cheap providers are on the top 10 lists of spam and malware? Really? Wow, I am surprised... NOT.

Let's be sensible for a moment and ponder: Why are ISPs hosting a lot of pages a main source of malware? Because they are a main source of traffic and webpages. It's like saying that there are more people in jail in the US than in, say, Andorra. Thus the US are much, much more violent and generally people there must be kinda leaning towards crime, right?

And cheap service means that they can not waste resources on hunting down malware providers. Hell, they can't even dedicate manpower to shutting them down, as long as they're not held accountable for it. Simple calculation: Cost of hosting malware C&C servers? Umm... a bit of traffic, compared to the rest probably not even noticable. Cost of hunting&squishing it? Putting manpower behind it. Do the economy math...

Re:Gee, who would have guessed?

[shentino]

That's easy. Make providers concurrently liable for any abuse they knowingly facilitate.

Giving them a complaint with logs puts them on notice, and then if they don't do jack shit about it afterwards they either don't give a crap, or they are directly profiting from it. Either way, they are facilitating the abuse by knowingly letting it happen.

Re:Gee, who would have guessed?

[Opportunist]

Careful what you wish for. It's only a small step from "must act on complaints" to "must act on complaints about anything from anyone". Like, say, the RIAA complaining that they think they saw copyright infringment happening, and carpet bombing ISPs with such "complaints".

Re:Gee, who would have guessed?

[shentino]

That is also simple.

Assess penalties for frivolous complaints.

I believe the DMCA already has a provision to that effect anyway.

litigation mitigation

[anomalous+cohort]

Why should corporations care? Two words "litigation exposure." A bot-net living in your network takes down an e-commerce site for day. They will see you in court. Good luck with that "don't blame me, blame my ISP" defense.

I think that kind of "not my problem" thinking is what is driving the current cloud computing craze. Corporations seem to think that they can side step the accountability hassle if they outsource IT to the cloud. Good luck with that too.

Re:litigation mitigation

[pete6677]

I don't think someone could sue you (legitimately) and have a case just because somebody else on your ISP's network was spewing viruses or other attacks. If it was running on your own in-house network that you control, it would be a different story. But someone can't be held responsible for what their ISP allows in other areas of the network they have no control over.

Re:litigation mitigation

[anomalous+cohort]

IANAL but my guess here is if the attack is coming from the IP of the server(s) where your app is running, then you could listed as a defendant. If you are sharing a server or have a VPS account, then you are still not patching the OS of that machine so it is vulnerable to getting infected and caught up in a bot-net. Even with dedicated machines, an incorrectly patched firewall or security appliance could leave your machines vulnerable.

Re:litigation mitigation

[shentino]

That never stopped the RIAA from suing innocent bystanders...

Look....

[Darkness404]

Look, no matter how much we want ISPs to stop malware, botnets, etc. when they start doing that, they are going to start becoming more evil (as in giving out IP addresses and subscriber names, etc). Content-agnostic ISPs are -always- going to be better for the internet. Unless, you want throttling and your ISP to check for "pirated" content.

Re:Look....

[AlphaCentauri4]

Actually, ThePlanet and SoftLayer are probably pretty good at responding to complaints about pirated content, because the people filing the complaints are doing so on law firm stationery and are prepared to get punitive damages against any firm which fails to take action... The people suffering harm from C&C servers are the people whose computers are infected and the people whose inboxes are full of spam. It's not a single wealthy copyright holder who can justify an expensive legal fight. In general, the victims of botnets are not rich, not powerful, and often not clueful about the internet. And when larger entities -- like ISPs whose servers are clogged with spam sent to their customers -- have tried to use the legal system, they have run into problems with judges who didn't understand the issues.

Major domains being exploited

[Animats]

We've been doing something like this at SiteTruth for two years. We have the list of major domains being exploited by active phishing scams. This is simply a list of domains that are both in PhishTank (about 100,000 entries) and Open Directory (about 1.5 million entries). Today, 84 domains are in both. There's been a surge; it was 54 two days ago.

Domains are on this list for one of several reasons.

1. They had a break-in, and didn't clean it up. Generally, the sites with this problem for long periods are ones without effective contact information, so there's no easy way to tell them about their problem.
2. They have an open redirector. Those are rare now, but were common two years ago. Yahoo, eBay, and Microsoft Live all used to have open redirectors. After much nagging, and some press coverage, the big players have plugged that hole.
3. They're a hosting service, especially a free hosting service. Free hosting services need to be very aggressive about checking themselves for exploits. The smarter players now read the PhishTank and APWG feeds automatically, to detect abuses of their own systems. Right now, "t35.com" is suffering from a massive attack, with 227 pages in PhishTank. Their problem is that they're being attacked by a program, but are cleaning up by hand. Every day they kick off hundreds of phishing pages, but they can't keep up. The previous site with the worst problems was "piczo.com" (some kind of social network/hosting service for teenage girls), but they've been gaining on the problem.
4. They're an ISP There are a few ISPs with phishing sites they just never seem to kick off. Most of the active ones were kicked off long ago. In fact, other than ISPs which are also hosting services, we show only one entry in this category, and it's a DSL line on RoadRunner that redirects to a dead page.
5. They're a "short URL" service. These are popular as a way to get phishing URLs past spam filters. The "short URL" services have become much more aggressive about kicking off phishing URLs over the last year.

While this is to some extent a "blame the victim" approach, it's more effective than "phishing education" aimed at end users. Hundreds of webmasters have to be educated, not hundreds of millions of end users.

Re:Major domains being exploited

[shentino]

Especially since educating the users isn't going to actually stop the abuse.

block lists

[GarretSidzaka]

i recommend peer guardian for some huge lists of malicious IP's

Re:

[clint999]

Why should corporations care? Two words "litigation exposure." A bot-net living in your network takes down an e-commerce site for day. They will see you in court. Good luck with that "don't blame me, blame my ISP" defense. I think that kind of "not my problem" thinking is what is driving the current cloud computing craze. Corporations seem to think that they can side step the accountability hassle if they outsource IT to the cloud . Good luck with that too.