Slashdot Mirror


Spamhaus Calls for Fining Operators of Insecure Servers

Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS (possibly the biggest ever recorded at more than 300Gbits/sec), open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"

17 of 170 comments

  1. Another cure that is worse than the disease by melonman · · Score: 5, Interesting

    This sounds great in theory but, in practice, it's going to be almost impossible to enforce (e.g. whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, e.g. the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.

    --
    Virtually serving coffee

    1. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 3, Interesting

      I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.

      If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find another vendor/provider.

      When that price becomes higher than the cost of compliance to prevent an actual, measurable problem then we will see a shift.

      Most people want to do the right thing. For some people, you need to provide the carrot & stick approach.

    2. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      How are they at all analogous? Emitted radiation can be directly measured; "vulnerability" cannot.

    3. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      If your server is sending huge volumes of spam then it is actually doing something, not just sitting there being vulnerable. Fining someone for being involved in sending spam is completely different than fining someone because they could potentially be used to send spam.

    4. Re:Another cure that is worse than the disease by UPi · · Score: 5, Informative

      You are merely lucky. I run 3 small mail servers, all very similar in setup. One also receives no spam whatsoever; the other two are flooded by it. I need to use Spamhaus's XBL, SPF and graylisting to stem the tide. If I removed any of the three, SPAM volume would exceed regular mail volume about 20x. (This is not because of a lack of regular mail.)

  2. I used to love Spamhaus by LordKaT · · Score: 5, Insightful

    Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and having had to interact with them, I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

    1. Re:I used to love Spamhaus by Krojack · · Score: 3, Informative

      This is exactly what I ran into. My company got a new block of IPs, and several IPs within it were on their block list. I could never get through to them, thus never got the IPs removed.

      I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

  3. As long... by Anonymous Coward · · Score: 5, Insightful

    ...as server operators can fine Spamhaus for false positives.

    1. Re:As long... by FireFury03 · · Score: 3, Informative

      That depends on how much you're letting Spamhaus validate actual positives. It has to go both ways.

      We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
      http://blog.nexusuk.org/2013/09/problems-with-cbl.html

  4. Free Speech by CanHasDIY · · Score: 3, Interesting

    If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

    "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese

  5. Open != Open by Anonymous Coward · · Score: 3, Informative

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

  6. Wouldn't it make more sense? by rabbit994 · · Score: 3, Insightful

    For ISPs to simply drop UDP packets that are outbound where the source address is not inside their network. Is there some legit use for sending forged UDP packets?

  7. Punishment by Anonymous Coward · · Score: 5, Insightful

    Funny how an organisation such as Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity -- and proud of it too -- suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.

    Although I think their service does have its good points, their attitude makes me want to hurl.

  8. Blaming DNS for reflection attacks? by Shakrai · · Score: 4, Insightful

    That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack; it's one of the items that comes up from time to time on the NTP Pool server admins' mailing list. We've seen a few attempts at using some of our servers in such attacks; there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.

    The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.

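A small model of the egress rule Shakrai describes (and that rabbit994 asks about in comment 6), added here as an example and not code from the thread: it drops outbound packets whose source address lies outside the network's own prefixes, and shows the amplification factor of the reflected replies such a forged query would otherwise trigger. The prefixes, addresses and packet sizes are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# Prefixes the (hypothetical) network is allocated; any other source address on an
# outbound packet is forged and should not leave the edge router.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.168.1.0/24", "10.20.0.0/16")]

Packet = namedtuple("Packet", "src dst proto length")

def is_own_source(src):
    """True if src lies inside one of the network's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)

def egress_filter(packets):
    """Split outbound packets into those allowed out and those dropped as spoofed."""
    allowed, dropped = [], []
    for pkt in packets:
        (allowed if is_own_source(pkt.src) else dropped).append(pkt)
    return allowed, dropped

def amplification(query_len, response_len):
    """Bytes a reflector sends to the victim per byte the attacker sends to it."""
    return response_len / query_len

# Constructed outbound packet log. 172.25.1.15 plays the victim whose address
# a host inside this network is forging on queries to public reflectors.
OUTBOUND = [
    Packet("192.168.1.10", "198.51.100.53", "udp/53",  64),   # genuine DNS query
    Packet("172.25.1.15",  "198.51.100.53", "udp/53",  64),   # forged source, DNS reflector
    Packet("172.25.1.15",  "203.0.113.123", "udp/123", 48),   # forged source, NTP reflector
    Packet("10.20.7.9",    "203.0.113.123", "udp/123", 48),   # genuine NTP query
]

# Constructed query/response sizes: a small query that draws a large reply.
REFLECTION_SIZES = {"dns": (64, 3000), "ntp": (48, 4500)}

if __name__ == "__main__":
    ok, bad = egress_filter(OUTBOUND)
    print(f"passed {len(ok)}, dropped {len(bad)} spoofed from {sorted({p.src for p in bad})}")
    for proto, (q, r) in REFLECTION_SIZES.items():
        print(f"{proto}: {amplification(q, r):.0f}x amplification")
```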
  9. or yum update. unsafe car too? by raymorris · · Score: 4, Insightful

    That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?

  10. Re:I wonder... by Talderas · · Score: 3, Insightful

    The way I read the summary it sounded like Spamhaus was seeking revenge over being subjected to a DDoS and desiring to use government to enact it.

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork

  11. Have to agree by Todd Knarr · · Score: 3, Informative

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, i.e. ones that live outside the network they serve but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving; they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve to be smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing; if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
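A hypothetical model of the two resolver policies Todd Knarr describes for categories 3 and 4, added here as an example and not code from the thread or from any DNS server: a private resolver that only recurses for listed client networks (default deny) and a public resolver that answers anyone but bounds the replies per source address. The class, its parameters and the sample addresses are constructed for illustration, not BIND's own configuration.

```python
import ipaddress
import time
from collections import defaultdict

class ResolverPolicy:
    """Answer policy for a recursive resolver (hypothetical model, not real server code).

    served_networks=[...] -> category 3: recurse only for listed clients, default deny.
    public=True           -> category 4: answer anyone, but rate-limit each source so a
                             flood of queries carrying a forged source gets bounded replies."""

    def __init__(self, served_networks=None, public=False, max_per_window=5, window=1.0):
        self.served = [ipaddress.ip_network(n) for n in (served_networks or [])]
        self.public = public
        self.max_per_window = max_per_window
        self.window = window                 # seconds
        self._hits = defaultdict(list)       # source address -> recent query timestamps

    def _is_served(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.served)

    def _over_rate(self, src, now):
        recent = [t for t in self._hits[src] if now - t < self.window]
        recent.append(now)
        self._hits[src] = recent
        return len(recent) > self.max_per_window

    def decide(self, src, now=None):
        """Return 'ANSWER', 'REFUSED' (not a served client) or 'DROP' (rate-limited)."""
        now = time.monotonic() if now is None else now
        if not self.public and not self._is_served(src):
            return "REFUSED"
        if self.public and self._over_rate(src, now):
            return "DROP"
        return "ANSWER"

if __name__ == "__main__":
    # Constructed queries: one served client, one outsider, and one source that floods.
    private = ResolverPolicy(served_networks=["192.168.1.0/24"])
    for src in ("192.168.1.20", "203.0.113.9"):
        print("private resolver", src, "->", private.decide(src, now=0.0))
    public = ResolverPolicy(public=True, max_per_window=3, window=1.0)
    burst = [public.decide("198.51.100.7", now=0.1 * i) for i in range(5)]
    print("public resolver, 5 queries in 0.5 s ->", burst)
```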