Spamhaus Calls for Fining Operators of Insecure Servers
Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS — possibly the biggest ever recorded at more than 300Gbits/sec — open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"
This sounds great in theory but, in practice, it's going to be almost impossible to enforce (eg whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, eg the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.
Virtually serving coffee
Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and I had to interact with them I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.
There is not now, never has been and never will be such a thing as a "Secure Server". Only relative levels of the attempts to keep it unbreached vs. efforts to breach it. Some are very weak but have never been breached while much stronger defended ones have been breached repeatedly.
...as server operators can fine Spamhaus for false positives.
If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.
"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."
An enigma, wrapped in a riddle, shrouded in bacon and cheese
It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it. Even when you do lock it, there are ways to get in. The fault isn't the owner's for not locking it, it's the attacker's fault. I don't see why online services are any different. The interruption of service and potential loss of data is enough incentive to keep them from leaving it insecure in the first place. If not, they'll sure be taking a look at security after.
If we colonize Mars, it won't be the World Wide Web anymore. UWW?
Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.
Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.
For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?
Funny how an organisation like Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity -- and proud of it too -- suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.
Although I think their service does have its good points, their attitude makes me want to hurl.
That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack, it's one of the items that comes up from time to time on the NTP Pool server admin's mailing list. We've seen a few attempts at using some of our servers in such attacks, there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.
The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I've always thought that email should be delivered from account to account according to a network of trust. For you to send me an email, I must trust you, or there must be a chain of trust between us.
This wouldn't be as hard to implement as it sounds because major players like Google and Yahoo can 'trust' each other. It's not like we would each individually have to maintain complicated and changing trust connections -- although we could if we wanted to. Your IP can establish 'trust' with a 'trust clearinghouse' maybe. And if someone violates the trust, then you break that part of the trust chain and the messages don't get delivered.
So if I ever receive a spam message, I could check the chain of trust which brought me that message and figure out what link in the chain failed to be trustworthy. I would disconnect that link, and I wouldn't get any more spam from that source. Mix in crowdsourcing and suddenly it becomes practically impossible to get spam out of your mailserver.
It would be possible for email deliverers to do this today. When Google, for instance, notices that practically all emails coming from a certain source are spam, why don't they disallow that source? I know, I know, that's sort of what spamhaus is, and sometimes providers do stuff like that, but it's not consistent enough to be effective.
Who issues the tickets? Under whose authority? Lazy/cheap businesses will just shop around for jurisdictions where it's cheaper to operate, no matter what.
Why not just do a name-and-shame, naming businesses and vulnerable services -- but only after the postmaster of the opening domain, or WHOIS domain owner gets notified first. I'm sure that such a list would concentrate minds wonderfully...
I wonder if "open relays" are even that much of a problem these days when I can hire non-"p0wnd" servers in certain Eastern European countries for a pittance? Why bother with "open relays" when I can pay quite reasonable rates to have my SPAM enter the Tubes quite legitimately?
Perhaps Spamhaus is looking for relevancy.
If you want news from today, you have to come back tomorrow.
That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?
Would they also fine rape victims for wearing sexy clothes?
Do you even lift?
These aren't the 'roids you're looking for.
This is long overdue, and you know who else should be brought to bear? Organisations like Slashdot with their Slashdot effect! I, for one, thNO CARRIER
While it's certainly possible for Pelosi or her UK counterpart to pass a dumb law so that they can find out what's in it, I don't think that's what Spamhaus is suggesting. In context, they could be talking about either of two things:
First, one could get a ticket for the specific issue that caused the problem in the article. The law doesn't say "your car must be safe", it explicitly says "your turn signals must work". Same here, you could specifically say that this particular common problem could result in a ticket.
Alternatively, TFA made reference to "once you know that your server is participating in an attack". A law could be made that once you're notified that your server is being used in an attack, you then need to take reasonable measures to prevent that from continuing or recurring. Here again "vulnerable" is clearly defined - if your server is still participating in the attack 48 hours after being notified, you can get a ticket. You can defend that ticket if you show that you took reasonable measures to address the problem.
This seems like a great underhanded way to make it illegal to run Tor exit nodes, free VPNs, proxies or similar services that give anonymous people ways to interact with the net.
The entire Internet can be used for attacks and fraud, what would you propose we do?
Change human behaviour?
Make the Internet nothing more than a TV?
"If any question why we died, Tell them because our fathers lied."
No doubt, the UK government fining all those spam relays in Russia, China, and India will put a stop to spam ASAP - Good thinking, Spamhaus!
that say if your car is left unlocked and someone steals it/does something with it you can be charged with leaving it unlocked or get fined by the city
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.
Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.
wants more power to direct people's lives for their own gain.
Let's assume you could somehow magically solve the enforcement problem. It's still a horrible idea because now there's the question of who issues warnings. Would Spamhaus be the one to issue warnings? Would other, similar organizations get to issue warnings? What if one organization has a draconian view of what constitutes "spamming"? Do their warnings count the same as a group with a more lenient view? Would individual users issue warnings? How do you handle false positives? (Such as: User signs up for newsletter. User forgets signing up. User gets newsletter. User reports newsletter sender as being a spammer.)
This system would just be riddled with problems and - again, even magically solving the enforcement issue - would lend itself to corruption. (Group becomes a "certified spam reporter." Starts issuing warnings and then fines to groups that they disagree with. Or issues fines as a business plan.)
This is a horrible, horrible plan. The only good thing about it is that it is so completely unworkable in the real world that I don't see anyone actually pushing this into existence.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:
My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve to be smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing; if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
I am going to start fining people who don't have sufficient spam filters, don't maintain a failover cluster, or utilize something like cloud flare. (When pigs fly, right?)
Piss off Spamhaus and come down off your narcissistic rooftop. I never asked you to play internet vigilante for me.
Each time someone makes the claim misconfiguration of DNS enables amplification they are contributing to the problem by refusing to address the root cause.
DNS is flawed by design. You can still extract perfectly useful amplification factors out of non-recursive servers or servers with DNSSEC enabled. All turning off recursion does is cut out ultra low hanging fruit while leaving the problem unaddressed.
There are several ways to actually solve this problem.
1. Use TCP for DNS
2. Implement DNS cookies
3. Globally apply ingress filtering with sufficient granularity to prevent source address spoofing.
I think #1 coupled with TCP fast open extension is the best of the three options. With fast open the setup delay is mostly gone, TCP support is already widely deployed and fast open extensions to TCP can be deployed later as available to optimize RTT delay. With IPv6, DNSSEC and the shitty state of IP layer fragmentation support TCP is necessary regardless.
#2 in the form of http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03 requires more work to push out to DNS infrastructure yet after a few years I can see it following the same trajectory as SYN cookies.
#3 Ingress filtering... I am not an operator, so I don't pretend to know how viable this is to roll out globally; from what comments I have read it is non-viable. This is the only option that would concurrently address all broken UDP protocols susceptible to amplification from a spoofed source address. The downside is spoofing the source address can sometimes be a feature. For example it can be used to enable communication without revealing the speaker's source address.
Is it the server operator? Or is the OS provider liable for producing a defective product? And if the OS is open-source, who do you go after?
I understand where Spamhaus is coming from... I'd also love to penalize idiots who make the Internet a worse place. But I don't think it's a practical option and trying to implement it opens up a huge can of worms.
Should you be fined if you put someone on your Slashdot "foes" list? It's pretty much the same thing. It's a list of IPs that Spamhaus is wary of because their system detected [criteria].
As it happens, some of their lists also work pretty well as an element to feed SpamAssassin to help determine the likelihood that a message is spam. How that's weighted and if it's considered at all is entirely up to the admin of the system you're sending mail to.
If we let the legislature come up with the checklist, they'll tell us we must have a licensed plumber snake the tubes every 6 months.
What would be better is an authoritative body charged with the mandate of inspecting Internet infrastructure and determining if they are vulnerable or not and provide them with solutions to fix their issues. Of course, someone has to pay for this, but still, I think it would make more sense. But that's just my opinion.
Can we change that at first to just start with the very simple:
Organisations transferring IP packets should be kicked off the Internet if they do not implement BCP38.
That would already make all kinds of spoofed attacks impossible, that being the DNS, NTP, Quake-like and many many others...
But, as there is no money to be earned with this, ISPs do not enforce it.
(and yes, it does cost some cash to implement as not all routers support it, unfortunately..... )
http://unfix.org
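The reflection-attack comment above (amplification via connectionless protocols, mitigated by rate limits) and the BCP38 comments (drop outbound packets whose source address is not yours) describe two defensive checks. The following is an added example, not code from any poster or from Spamhaus; the prefix 192.168.1.0/24 is taken from the thread's own example, and the flow records and DNS log lines are constructed.

```python
"""Two checks from the thread, run over constructed data:
1. a BCP38-style egress filter: forward only outbound packets whose source
   address lies in the prefixes this router is responsible for;
2. a per-client amplification ratio for a UDP service, to spot addresses that
   are being used as reflection victims and should be rate-limited."""
import ipaddress
from collections import defaultdict

# Prefixes this edge router is responsible for (assumption, from the thread's example).
OUR_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed outbound flow records: (source, destination, protocol, bytes).
OUTBOUND = [
    ("192.168.1.10", "203.0.113.5", "udp", 78),    # legitimate query from inside
    ("172.25.1.15", "198.51.100.9", "udp", 64),    # spoofed: source is not ours
    ("192.168.1.77", "203.0.113.6", "tcp", 1500),
    ("10.9.9.9", "198.51.100.9", "udp", 64),       # spoofed
]

def bcp38_egress_filter(records, prefixes=OUR_PREFIXES):
    """Split outbound records into (forwarded, dropped) by source-address ownership."""
    forwarded, dropped = [], []
    for rec in records:
        src = ipaddress.ip_address(rec[0])
        (forwarded if any(src in p for p in prefixes) else dropped).append(rec)
    return forwarded, dropped

# Constructed DNS server log for one short window: (client, direction, bytes).
DNS_LOG = [
    ("198.51.100.9", "query", 64), ("198.51.100.9", "response", 3200),
    ("198.51.100.9", "query", 64), ("198.51.100.9", "response", 3200),
    ("203.0.113.5", "query", 70), ("203.0.113.5", "response", 180),
]

def amplification_by_client(log):
    """Return {client: response_bytes / query_bytes}. A high ratio means the
    server is sending that address far more than was spent querying it."""
    q, r = defaultdict(int), defaultdict(int)
    for client, direction, size in log:
        (q if direction == "query" else r)[client] += size
    return {c: r[c] / q[c] for c in q if q[c]}

def suspected_reflection_targets(log, threshold=10.0):
    """Clients above the ratio threshold: candidates for per-client rate limiting
    (the 'client' is likely the spoofed victim, so blocking it outright is wrong)."""
    return sorted(c for c, ratio in amplification_by_client(log).items() if ratio >= threshold)
```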
Can we do something instead about all the mail system operators who've handed over spam controls to third parties and accept messages, then blackhole them without telling either the sender or the intended recipient? Whitelists aren't a solution because they don't help fix the actual problem of bad filtering. Individuals who filter their own E-mail can tweak their settings, but servers that reject mail should do so at connection time ... a 5xx or 4xx message response should be *required* if you're not actually going to deliver it.
I'm sick and tired of explaining to customers that their perfectly legitimate E-mails aren't getting through because the person they're trying to contact uses Cloudmark, or some other "easy" solution company.
- Michael T. Babcock (Yes, I blog)
If your network is used in an attack against me which costs money to defend against, I should have the ability to reclaim those costs - along with some penalties to make sure you don't just treat it as a cost of doing business.
The single biggest problem on the Internet at the moment is that the large ISPs have virtually zero accountability to anyone about how they run their network when it's causing damage to those who aren't their own customers.
Spamhaus has managed to get some large networks disconnected for allowing sustained abuse, but there needs to be a much better way of applying bricks to the sides of the skulls of those who need it.