Hackers Buying IPv4 Blocks To Evade Detection

Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."

IPv4 should be dead already

[Ironchew]

>legitimate trading and auction sites
Well, that's got to wreak havoc on routing tables.

Re:IPv4 should be dead already

[unixisc]

Let's hope activities like this, in addition to IPv4 address exhaustion, contribute to IPv4 being speedily abandoned and replaced by IPv6.

So I'm assuming that botnets can't do multiple levels of NAT to get around this problem?

Re:IPv4 should be dead already

[RoLi]

IPv4 will stay alive for a very long time

If IPv6 would have been designed better, IPv4 would be dead by now... but here we are.

Re:IPv4 should be dead already

[monkyyy]

hmmmm either this is very interesting and insightful, or is short-sighted and missing tons of details; but i dont know that much about ip6 to tell

It's online, patent it!

[tag]

FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

Re:It's online, patent it!

[MightyMartian]

Oh my goodness, you mean blacklists don't work? My oh my, I don't think anybody ever thought of that before...

Re:It's online, patent it!

[causality]

FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).

Inconvenient though it may sometimes seem, we need to look at the cause-and-effect and address the root of the problem. It sucks that the black-hats are tarnishing the reputations of previously good IP blocks, but they wouldn't do this if they didn't have massive botnets to operate. The very notion of a blacklist, while it can be helpful, is after-the-fact and reactive. It's damage control. It's a game of catch-up where breaking even is defined as winning. It doesn't prevent anything.

What we really need is for the average target to be hardened enough that you can't write a single exploit that works on millions of machines. As long as Microsoft sells their products on the basis of ease-of-use with no warnings made that some knowledge is required to use them safely, they should have some liability. As long as users insist on never slowly learning more and more about the systems they use, they are not victims when someone exploits this. It's not a matter of blame, it's a matter of personal responsibility and whether one chooses to be part of the problem.

Re:It's online, patent it!

Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.

Re:It's online, patent it!

[causality]

Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.

Most people think like you do: childishly. They will pass up an available, doable solution that will work because it might mean a slight bit more effort for users and might not fulfill their visceral desire to feel the gratification of hanging the black-hats by their toes. I know exactly how you think. Anything that doesn't give users streets paved with gold and their every heart's desire while simultaneously torturing the evil hackers to death would be ... UNFAIR. That makes it against your religion, an anathema to you. Like I said, this is childish.

If you have a widespread, reoccurring problem that causes real material harm, and you have practical, achievable steps you can take to ameliorate it, you take those steps. You then worry about going after the bad guys. They are not mutually exclusive. Hardening the targets doesn't mean the criminals get a pass. Your either-or thinking is pathetic and outdated. I'm tired of how many good discussions it poisons.

It's funny that you mention homeowners. Actually, if a premises is maintained poorly enough, indeed the city or the county will step in and mandate that basic maintainence be performed. Also, you don't need to tell most homeowners to lock their doors at night, to mow their lawns occasionally, to shovel the ice and snow from their sidewalks because they understand that these chores go along with owning your own home. It is considered basic common knowledge. Those who fail to adequately maintain their properties are the small minority. That's not the case with computer users at all and you know it.

Personally I practice what I preach. I read up on security from time to time. I'm not the world's foremost expert, nor do I have to be. You'd be surprised how little research it takes to become a much harder target. It is no exaggeration to say that any literate adult can handle it. Whether you think it's fair or not, the circumstances are offering users the following choices: do nothing and consider it a matter of time until you join a botnet, or put a small amount of effort into informing yourself. Now I know you can't stand that this effort is a cost imposed by bad guys, but in that case you should never put locks on your doors or PINs on your ATM card because those have a non-zero cost and fall into the same category, you hypocrite.

I mentioned Microsoft specifically because I am realistic. I have never seen nor heard of a 50,000-member botnet that exploited *nix or OSX. I don't see many VAX-based botnets. There seems to be a shortage of QNX-based botnets as well. At the moment, Windows is the problem area. If that should change, my focus will change with it. If you think that means the big mean ol' causality is verbally beating up on the poor helpless widdle Microsoft, well then I'm glad you always take the high road whenever it is possible. So be it.

Re:It's online, patent it!

Blacklists works fine, blacklist every IP and I guarantee you won't get any spam.

Re:It's online, patent it!

[tlhIngan]

Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).
 

Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority of compromises don't happen because you connected a Windows box to the Internet. They happen because the user browses to some website, and either a drive-by download happens and installs malware (either through a compromised website, or through a compromised ad network), or they run an attachment because the email says to.

In fact, the biggest security risk now is the user, and users will do anything (the Dancing Pigs problem) in order to accomplish their goal.

What we really need is for the average target to be hardened enough that you can't write a single exploit that works on millions of machines. As long as Microsoft sells their products on the basis of ease-of-use with no warnings made that some knowledge is required to use them safely, they should have some liability. As long as users insist on never slowly learning more and more about the systems they use, they are not victims when someone exploits this. It's not a matter of blame, it's a matter of personal responsibility and whether one chooses to be part of the problem.

I thought we all agreed that the whole "walled garden" approach was a Bad Idea(tm)? The primary problem is the user, and the only way to fix that is closed, locked-down devices that can only run vetted apps.

If you consider the lengths to which people can be tricked into spamming others on Facebook (including copypasta of raw Javascript code), limiting the user is pretty much the only way. Heck, even having an "advanced user" option will end up being selected on everyone (instructions to do so will be posted once a user wants to do something like that - dancing pigs, remember?).

Re:It's online, patent it!

[fluffy99]

I think you might have trouble finding 50,000 actual working installations of QNX with internet connections. The simple point being that Windows is by far and large the largest target. No one in their right mind is going to waste time developing a botnet on the small potatoes like QNX, VAX, or Mac.

Re:It's online, patent it!

[causality]

Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority of compromises don't happen because you connected a Windows box to the Internet. They happen because the user browses to some website, and either a drive-by download happens and installs malware (either through a compromised website, or through a compromised ad network), or they run an attachment because the email says to.

I didn't really consider it relevant at the time, but consider the majority of the Windows userbase. They tend to not only be ignorant about technical matters, but they work hard to stay that way and will resent the notion that this should gradually change as they acquire experience. I call them permanent newbies. They're the people who can use computers for seven years and still remain as ignorant now as they were when they first started. They want to learn the basics of how their computers work about as much as an aristocrat wants to fraternize with the help. That's about the contempt with which they view it. That is a conscious decision. It is not an accident. When it causes problems for others, I think they should be held responsible.

Linux tends to attract more technically-inclined users. It's not nearly so easy to trick the average Linux user into running some kind of trojan or opening some kind of backdoor as it is to pull the same trick on the average Windows user. User education -- or better still, users who feel a responsibility to educate themselves the same way you'd seek instruction before operating a dangerous machine -- works every time it's tried.

I thought we all agreed that the whole "walled garden" approach was a Bad Idea(tm)? The primary problem is the user, and the only way to fix that is closed, locked-down devices that can only run vetted apps.

The walled garden approach is in lieu of education. Users who understand the risks and generally know what they're doing don't really need it.

You may or may not see where I'm coming from. What I am about to say is a very easy thing to demagogue, but it's the only method of self-correction available. I think the focus should be on making sure careless/stupid users harm others as little as possible. Otherwise, if they want to take a stupid risk and they get burned, that's their problem. Perhaps some way of holding them responsible when their machines become spam-spewing botnet members is the way to handle this. I think criminal charges would be going too far, but perhaps suspend their Internet access for six months each time an incident happens. Get rid of the low-hanging fruit and it becomes far less profitable for the criminals.

The first step is to stop viewing these adult people who purchase computers and Internet access as victims. View them as reckless individuals who make risky choices despite the very well-known threats, who tend to make the network worse for everyone else as a consequence, providing fertile ground to enable the worst sort of criminals who can cause real material harm. Then find the best way to discourage the kind of ignorance they cherish. None of this means we shouldn't go after the criminals, but rather, that we should understand them as the last links in a long unbroken chain of events that is entire preventable.

Re:It's online, patent it!

[mikael]

A lot of users just see the computer as utility like a cooker or television. They just expect to be able to press a button to do a particular task and have that task complete.

It's a royal pain-in-the-ass when they want to open a file sent by a friend (dancing pig emoticons for E-mail, let alone a zip file) and the PC then tells them that they need to download or purchase XYZ application to view that file. So off they go to start up a browser, search for that file data type, find the application website, click on the download button, click on the execute file button, ignore the warning about the killer space-baboons that are coming to destroy their planet, and just click on the "install application and destroy my computer" button. Problem solved. Back to reading that E-mail before watching the movie.

The insane thing is that so many application disk would actually replace OS DLL files - this was particularly obvious with foreign version CD's. They wouldn't just install the app, but also upgrade the GUI DLL files including the internationalization strings of directory browsing windows.

There really needs to be separate user account levels for system files that should never be touched, device drivers and applications that can be shared between users, and individual user files.

C&C?

[jd]

Why would hackers still be playing Command and Conquer?

Re:C&C?

[DigiShaman]

Command and Control.

Re:C&C?

(Command and Control, obviously)

Re:C&C?

[wasimkadak]

Either you are missing the sarcasm or I am missing the counter sarcasm or there is no sarcasm being missed at all. Either ways, I should have all my bases covered?

Re:C&C?

As a Slashdot user (and one with a low UID, at that), you should know that the age of a game is meaningless. A good game is a good game and C&C is still a good game. That, and the newer C&C games suck. Badly.

Re:C&C?

Whooooosh

Re:C&C?

[TheFakeMcCoy]

There was that big sale on steam over the summer I know I picked up a few C&C titles

Re:C&C?

Well said wasimkadak.

Re:C&C?

All your bases are cover by us.

Re:C&C?

[jd]

That's three states but two bits produces four states, so there must be a base not covered.

Re:C&C?

[jd]

Heh! I still play Bell&Braben-era Elite and occasionally indulge in a round of Chuckie Egg, so yes I do know that. :)

Re:C&C?

[causality]

Either ways, I should have all my bases covered?

No. They are belong to us.

Re:C&C?

[jamiesan]

I don't know.

THIRD BASE!

Re:C&C?

With tesla coils. No doubt!

(Just keep the bombers from getting to your power plants.)

Re:C&C?

[jd]

Nonononono. If you say you don't know, you should be catapulted from the bridge.

Re:C&C?

Who's wife? That's right.

Hackers, or Criminals?

I think you mean criminals.

Re:Hackers, or Criminals?

[Abstrackt]

I think you mean criminal hackers. I'll give you that they're not synonymous, but they're not mutually exclusive either.

Re:Hackers, or Criminals?

No, I don't think he does mean criminal hackers.

We don't refer to embezzlers as accountants or criminal accountants.

Qualifying the word hackers with the adjective criminal might be technically correct, but it's not the way we use words unless we see hackers only as a pejorative and are trying to be an apologist for that view of the word.

Re:Hackers, or Criminals?

[erroneus]

You know, we're not going to defeat the word problem. "Retarded" is a perfectly correct word as is "negro" but neither are allowed. Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word. And African-American isn't right either... it's just more wrong and inaccurate. And Retarded? well, can't say that any longer either.

No. We'll just have to learn to let go of "hacker" and let the media have it -- they took it already and we will never get it back. We need a new word, that's all... and be sure to create a bad-form of it so that people will know the difference. And we can't use "black hat/white hat" because that's too long. (Kinda like African-american or mentally challenged)

Re:Hackers, or Criminals?

[icebraining]

Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word.

It's funny, because Negro comes from the Portuguese, well, Negro (although it's pronounced differently), which is much more accepted here than the translated version of Black ("preto").

Re:Hackers, or Criminals?

[Ant+P.]

The correct word is "crackers", but I wouldn't expect tabloid media like Slashdot to have such vocabulary at this point.

How does that help?

Reputation isn't something that takes ages to destroy. Do shitty things, get blacklisted. Also, IP space that hasn't been used for mail servers, porn web sites or dialup isn't cheap.

Ownership = Identification

[Toe,+The]

If somebody buys IP space, then there is a money trail and other identifiers.

How could criminals purchase blocks outright?

Re:Ownership = Identification

Yeah, I'm confused. It's no harder to add an entire /22, or whatever, to an RBL or firewall rule. This is no different from script kiddie who DDoS and randomise the source IP, or hackers who use compromised systems to spam from. We've been dealing with those assholes for over a decade. The fact that they're now so desperate they're actually buying addresses is just funny, if anything.

Re:Ownership = Identification

How could criminals purchase blocks outright?

I'll give you $20 to buy me a six pack of domestic beer.

Re:Ownership = Identification

The point is someone's name is on the papers for that IP block. Why buy the block for criminals if you know you're going to be first place people go knocking?

Re:Ownership = Identification

[Lennie]

They are probably just using some kind of dummy corporation.

They don't get them from a hosting provider, they buy them and route it themselfs. They are their own hosting provider. Like any ISP would do with their own IP-block.

Re:Ownership = Identification

[ThinkWeak]

How could criminals purchase blocks outright?

I'll give you $20 to buy me a six pack of domestic beer.

I have a credit card here and I'll offer $100 for that six pack. Carding has been around for a LONG time.

Re:Ownership = Identification

The logical followup is that corporations have real directors. The logical reply is that the directors have phony IDs. Given that, why not just buy under a phony ID in the first place? The logical reply to that is that the corporation adds an extra layer of obfuscation. Also the corporation can conduct legitimate business and occasionally "fall prey" to criminal activity. At this point, it's really no different from any other large evil corporation, take Monsanto for example. I bet they have some IP blocks.

Re:Ownership = Identification

[NoSig]

They could just get some crackheads to do it for them. They need the money now and don't care about the future. Even if the police come by, buying IP addresses isn't illegal and the crackhead in question probably has no notion what nefarious purposes an IP address can be used for.

I have a nice Class B address block for sale

172.16.x.x. Used it in my last startup, which unfortunately went under so that address is now available for a below-market price.

Re:I have a nice Class B address block for sale

Liar! That's not your /16-net. I've been using it for a very long time.

Re:I have a nice Class B address block for sale

[Vegemeister]

I'm using 172.17.0.0/16. Why aren't you in my routing table?

Re:I have a nice Class B address block for sale

[FoolishOwl]

You've been hacked, dude. You should use one of those free browser pop-up virus scanners and fix your system.

Bull Pucky

[Spazmania]

I call BS. Hackers don't rent or buy IP addresses for botnets. The bots run on machines each of which has an IP address already. And when they do need IP addresses, they steal them: find an address assignment not currently routed on the Internet and forge papers they present to the ISP claiming to be the actual registrant.

There are a number of protections in place at ARIN and the other Internet Registries which do a reasonably good job preventing hackers from taking actual "ownership" of blocks of IP addresses.

While there is such a thing as a "legitimate trading and auction sites," there are also a lot of snake oil salesman out there right now claiming legitimacy. Here's a hint: the legitimate ones don't cater to the hacker crowd because they know perfectly well they can't effect a registry transfer without meeting the registry's criteria for "legitimate need."

Re:Bull Pucky

[PerfectionLost]

Having haggled with ARIN, I have to say it is a pain in the ass to get IP addresses from them (though they are really nice people on the phone). Hackers hack computers with existing IPs. That's why they are called hackers. Spammers on the other hand, purchase services from hosting providers who have purchased IPs. And if they abuse their IPs they fire them as customers. I know because that's what we do at our datacenter.

Re:Bull Pucky

[Lennie]

While there is such a thing as a "legitimate trading and auction sites,"

While I'm not aware of any auction sites, I do believe it is possible to do trading in Asia/Pacific region:

"APNIC transfer, merger, acquisition, and takeover policy"

http://www.apnic.net/policy/transfer-policy

Which came from this:

"prop-050: IPv4 address transfers"

"Current status Implemented on 10 February 2010"

http://www.apnic.net/policy/proposals/prop-050

And I know there is a proposal for doing simialir things in Europe:

"Post-depletion IPv4 address recycling"

"Current Phase:
Concluding Phase: Awaiting Decision from Working Group Chairs"

http://www.ripe.net/ripe/policies/proposals/2011-03

Re:Bull Pucky

It may not be IP addresses for botnets, but "bad guys" do indeed buy or rent IP space. I've had several questionable offers to lease colocation space with a chunk of my IP space that I turned down because I suspected the users were going to spam fast and hard, then leave me holding now-blocked-and-banned IP space and only the first month's rental money in my hand. And they were willing to pay generously, too. Or perhaps it was intended to host malware sites. It could have been any number of questionable activities. Fortunately a little digging raised a lot of questions for me and made it easy to say "No thanks!"

Re:Bull Pucky

[Spazmania]

In that situation, they're not renting addresses. They're purchasing colo service, for which some number of addresses is appropriate. Same as they have done for nearly two decades using so-called "bulletproof hosting" companies. It's not by any means an IPv4 run-out phenomenon as the article proclaims and they're no renting bare IP addresses from you regardless.

Re:Bull Pucky

A number of protections at ARIN? please specify these protections, we have seen whole /17's being used by sources that can at best be described as 'permissive', and it is surprising that when legitimate ISP's have trouble getting a /22 for their subscribers, abusive operators can get so much IPv4 space, or so called hosters pretend that it is 'clients' on their networks that are at fault.

Re:Bull Pucky

[Spazmania]

Was it ARIN-assigned addresses or legacy addresses which predated ARIN? If the former, did you report it as fraud and supply your evidence that led you to believe that the entity in question was not using addresses according to ARIN's standards? (for legacy addresses, ARIN's rules only really apply when there's a transfer)

Re:Bull Pucky

[unixisc]

Is it a PITA to get IPv4 addresses from them, or both IPv4 and IPv6 addresses? B'cos from what I know, the RIRs are very enthusiastic about proliferating IPv6.

Re:Bull Pucky

[jrumney]

If you think ARIN is a pain in the ass, try getting IPv4 addresses from APNIC.

Re:Bull Pucky

[unixisc]

APNIC had announced quite a while back that they had run out of IPv4 addresses, and all of their ones are available from downstream providers. Has ARIN done anything similar to date?

Shoot the Spammers

[ebunga]

It should be justifiable homicide to shoot and kill spammers, phishers, malware authors, and those asshats attempting dictionary attacks against a bunch of pop3 accounts looking for a new spam vector. Any nation that does not enact such a law should be labeled a rogue threat to humanity and be nuked until there is nothing left to nuke.

Re:Shoot the Spammers

Oh, come on. You'd nuke your own grandmother.

Re:Shoot the Spammers

[Dunega]

From orbit, just to be sure.

Re:Shoot the Spammers

[Algae_94]

I feel your pain, but come on now. Capital punishment for spamming? It's a tough enough case to push for justifiable homicide if someone physically breaks into your house and tries to rob you. How are you going to press the case that, "he spammed me, so I shot his ass"? Scams, fraud and general douche-hattery are not new. This is just a newer realm for them.

Re:Shoot the Spammers

[Sulphur]

From orbit, just to be sure.

What if she is in orbit?

Re:Shoot the Spammers

[sjames]

One slap on the wrist by a nun with a ruler for each spam sent. Or death if they prefer.

Not sure "hacker" is the right word

[93+Escort+Wagon]

Shouldn't we instead be referring to "botnet operators" or some such? I'm not making the "hacker" versus "cracker" argument, since language and words are dynamic - but even if we just use hackers in the pejorative sense, we're talking about a much larger group than just the subset who run botnets.

Re:Not sure "hacker" is the right word

[ShaunC]

The word "hacker" is now so permanently ruined, we ought to just stop using it altogether. These days, leaving your Facebook or Twitter account logged in on a shared machine, and then having someone else notice that fact and make a posting under your account, is what the general population considers "hacking" to be.

How is this different

[fafaforza]

from getting IP space from a datacenter and using it until it gets a bad reputation.

And besides, if you have a block of IPs just to cycle it between botnets and spammers, just because it changes hands doesn't clean the block's reputation. So these blocks will also get blacklisted in short order.

Re:How is this different

[Rich0]

Yup. This isn't really anything new to IT either - just an extension of the company-buys-Schwinn and churns out $80 Walmart bikes story. To an MBA a reputation that cost a century to build is just an asset whose NPV is less than the cash you can get for pimping it on anything with two wheels.

So?

[Arancaytar]

As the summary, these spammers (to use the appropriate term; botnets aren't much use for "hacking") are basically reverse Midas to IP blocks: Whatever they touch is blacklisted. All that this means is that non-blacklisted address space becomes scarcer to the point where either these assholes can't afford it, or ICANN introduces new rules to seize address space that is abused (which would be a worrying precedent on the censorship & net neutrality front), or everyone switches to IPv6.

Frankly, I wouldn't mind something that speeds that along. It will never reach wide adoption without pressure.

Re:So?

Or people start to figure out that blacklisting by IP address is at best a very short-term, temporary measure. It can help mitigate an active attack, but frankly it doesn't do jack shit in terms of actual security.

And that doesn't even get into the problem of pissing off large companies or blacklisting popular resources by mistake. For example, let's say you blacklist several large scopes from a "rogue" ISP who have a lot of hacking/virus/spam/fraud activity. Then they get shut down, and someone happens to purchase that 'dirty' space... let's say Google for example. Now, your users are going to be more than slightly pissed off that you're blocking Google- they don't give a shit about how it happened.

To be blunt, blacklisting by IP is the first refuge of the incompetent Admin.

Re:So?

[Pi1grim]

Wonder how fast will IPv6 non-blacklisted IPs run out with all the spammers out there.

Also, on an unrelated note — some day governments will realize, that "child pron" distraction no longer works and will switch to spammers and and botnet operators, that is sure to distract the public's attention while slowly imposing measures to control the internet.

Re:So?

But if you think big picture, isn't that also good for the hackers? Poison all the IPv4 space, use it all up, and that fosters IPv6 even faster, where blacklisting is even harder?

Re:So?

Are you aware of the size of IPv6 address space?

Re:So?

[unixisc]

True, but it depends on the usage. If the Botnets are content w/ a single /64, then it's easy for such an entire /64 to be blocked. But if they possess different /64s, or more, then the problem may not get any better.

Although one thing about that, though - if the botnets need large #IP addresses to work in the first place, they may indeed consume very few /64 blocks, thereby having little hold on others.

Re:So?

[CBravo]

They will probably just block entire /56 since this is the kind of assignment a customer can get. See here: ripe ncc ipv6 training material, page 8.

The funny thing is that the hotmails of the world do not have a AAAA records for their mail servers. That means no ipv6 spam server can reach them.

Re:So?

None of the major e-mail providers seem to offer AAAA records for MX hostnames, what's been holding this up?

Re:So?

[unixisc]

Why is blacklisting harder? The minimum that will typically be blacklisted will be /64, and it may go up to /48. Given the hierarchical structure of IPv6, it seems that it could be much easier.

Now, if within the blacklisted blocks are millions of legitimate sites (but not within the /64), that would be a problem. However, within a subnet, if there is a combination of legitimate users & spammers, then I agree that it would be virtually impossible w/o co-operation of that network's admin.

Did I miss something?

The article says IP blocks are "blacklisted quickly by reputation systems". So why wouldn't these IP addresses they buy be "blacklisted quickly by reputation systems" as well? How are "good reputation" IP blocks any different? Every mom and pop cable or DSL model had an IP address that previously had a good reputation until a botnet infected it. How this any different then hackers signing up for any ISP service?

Re:Did I miss something?

[CBravo]

If you never sent any large quantities of mail, you do not have a good reputation (just 'no reputation'). Trying to send large quantities of mail is impossible to large parties. If you let a warm IP 'cool', its reputation is gone. It takes many months, or longer, to heat it up. One bad mailing = blacklistings (which are 1 to 3 days) + a hit in reputation.

Non-routeable to internet... apk

Trying to sell a non-internet-routable address block (in 172.16.x.x., same as 10.x.x.x or 192.168.x.x - not internet routeable)?

APK

P.S.=> I assume you're just joking though ( & trying to use your "geek/nerd humor" here, right?)... apk

I agree.

I'd like to tack a rider onto your legislation, however:

It should also be justifiable homicide to shoot every last "Herpaderpimsekyoor" Linux lunatic who installs CMS software and never goddamned updates it.

I understand the reason that you generally don't want something living in a docroot to go through yum or apt-get, but for fuck's sake people, I'm tired of hearing about $1000 Walmart gift cards, invitations to join the Women's Professional Network and discount Cialis.

Which reminds me, what ever happened to Rolex spam? I haven't seen offers for real imitation genuine fake Rolexes in forever now.

and advertisers

I think of all ads as spam. It's useless junk-information that i DIDNT ask for.
So also nuke Google, you have my permission. Though aim carefully, dont hit
the search-engine plz.

Title is misleading

This should read "Spammers Buying IPv4 Blocks To Evade Detection"
tsk, tsk, Slashdot.

Buying v4 blocks?

But but but but I thought IPv4 was completely used up and no more could be had because everyone bought them all and no one had any more for public purchase!

Oh right, we were lied to yet again about the sky falling with ipv4 to get us to switch to the horrible clusterfuck of ipv6. Fortunately it didn't work.

Re:Buying v4 blocks?

[unixisc]

It's not completely used up, but it's getting there. There are 3.7 billion routable addresses in all. While it may sound like much, a lot of the companies that were there in the beginning, like IBM, GE, DEC, et al used to get entire Class A addresses, such as 11.x.x.x, 12.x.x.x, and so on. That's part of what there is such a shortage. IPv6 gives us all an opportunity for a fresh start, and solves a whole bunch of other problems along the way.

IPSEC, NAT & Botnets

[unixisc]

I have one question. Can IPSEC in any way prevent Botnets from doing their damage? If that's the case, then moving to IPv6 would indeed be a solution, since there is no NAT involved. Incidentally, to all those who claim that NAT provides security, this is clear evidence that it doesn't, or else, Botnets wouldn't be as successful as they are.

'Blocks' of IP addresses?

[MOtisBeard]

Call me a spellfag, but it's BLOCS, not blocks.

Re:'Blocks' of IP addresses?

[unixisc]

In IPv6, there is the Interface ID, which is the lower 64 bits, the Network ID which is the above 48 bits and the subnet ID, which is the 16 bits in between. But there ought to be terms for the top word of the address, then the next two. Right now, mere use of 'blocks' doesn't make it clear, unless one specifies the #bits of the network ID that's being used.