Forgot your password?
typodupeerror
Security The Internet IT

Malware and Botnet Operators Going ISP 131

Posted by ScuttleMonkey
from the spam-is-big-business dept.
Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
This discussion has been archived. No new comments can be posted.

Malware and Botnet Operators Going ISP

Comments Filter:
  • Filtering easier? (Score:5, Insightful)

    by Anonymous Coward on Monday December 21, 2009 @05:57PM (#30517404)

    If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.

    • Re:Filtering easier? (Score:5, Interesting)

      by JWSmythe (446288) <jwsmythe@jws[ ]he.com ['myt' in gap]> on Monday December 21, 2009 @06:35PM (#30517808) Homepage Journal

          The article (and story here) are a bit deceiving.

          The LIR is usually the ISP. So, they're filling out the IP justification form to ask for a block of IP's, just like anyone with their own rack or cabinet would. Big deal. I once had over a dozen /24's, but it was for legitimate purposes, and I properly (and honestly) justified them.

          I watched spammers do that in the past. They'd get multiple T1's (at their location) or ethernet handoffs (in datacenters). They'd be able to do a spam run for about 3 days on a block of IP's. When they got the complaint, they'd simply switch to another line. Say they have 7 of these circuits. It would take 21 days before they rotated back around to the original provider. If one should (oh my gosh) cut them off for the illegal activity, they'd simply bring in new circuits under new names.

          By combining providers in a single rack, that saved them the money of needing more servers. They'd frequently have a few cabinets, in a few different datacenters. So, 4 racks, 7 circuits each, would give them 28 unique identities. At 3 days before the line is burnt, that would give 84 days before they'd rotate back around to the original line.

          They would let a line sit idle for 84 days. That would just be stupid. They'd run multiple campaigns at the same time, so they'd rotate through them. It was an art, playing providers and the spam traps. They'd send a nice apology to the provider when they got the notice to stop, saying some machine was compromised, and the complaints would stop after just a couple days, and no one would care.

          Of course, some legitimate traffic would be hosted on these lines also, just to make things look good. In a 40u rack, they may have 30u's populated with spam servers, and a couple u's with web servers and what looked like paying customers on them.

          It's just like a black market operation run by the mob. Sure, you can buy merchandise in the store front. You'd never see the mobsters counting out suitcases full of cash, or shelves full of stolen merchandise bound for other places. No one questions what you're doing, because your store front *looks* legitimate.

          All they're indicating is that the spammer crowd has realized that there is no money in spam any more, and they've migrated to malware.

          All in all, it's not hard to get a cabinet, nor a circuit or three, in a datacenter. You don't even need a legitimate company. You just need to *appear* that you have a legitimate company. $100 and a few minutes of your time will incorporate a company to use. Corporate address? A PO box somewhere. Company phone? A "magicjack" or throw away cell phone. The only things that would tie anything to anything would be who's signing the contracts, which can be anyone. For minimum wage, you can have an employee of your illicit corp sign off on papers as "CEO".

          At one job, I wasn't listed as an "officer" in the company, so I couldn't sign anything. I got annoyed with trying to deal with the provider, so the next time I called to do something, I was "Vice President of Information Technology", and suddenly I was allowed to make changes. It was with the CEO's blessing, so I wasn't doing anything wrong. It was just to get through the providers annoying "protective" measures. The CEO never even got a phone call asking if I was allowed to make the changes. He just saw it reflected on the next bill.

    • I think this is for the command and control servers, not for the spam spewers.. So the blocking would have to be done at the router level, not spam filter level.. And quite frankly, blocking all mail from X is alot less dangerous of a precedent than black hole routing X. Really sucks if you knock those guys out of business, and someone else gets that IP space someday!

      • I think this is for the command and control servers, not for the spam spewers.

        Apparently you've never heard of snowshoe spamming. Botnet spam is easy to block with automation because it comes from easily identifiable residential broadband IP space. The CBL is expert at this, and even simple FQrDNS checks within your MTA stop most of it. Snowshoe spam is not easy to block because until you get hit with the first run from a given /27 or /24 you have no idea of the reputation of those netblocks, because most dnsbls don't target them. Until Spamhaus recently started a snowshoe specif

    • Boo to the writer... or to the Europeans... which is it? So, like 2 years ago, when I launched my own consultancy, I also wanted to offer hosting. Like every other geek out there. I just remember that there was no way to get my own block from IANA/ICANN (whoever the he!! it was)... unless I had some insane amount like $2500 US. Anyone can confirm that? Did the price thing change? I just remember feeling cheated that an average Joe couldn't fill out the right paperwork and file a reasonable fee to get his
      • by Onetime77 (567812)

        once you jump through the hoops the first time it works out to about $1-2 USD/IP address. This is based on a request of a /22 which is still considered a "micro-allocation."

    • Re:Filtering easier? (Score:4, Interesting)

      by RobertM1968 (951074) on Monday December 21, 2009 @10:41PM (#30519704) Homepage Journal

      In addition to that, as many people seem to erroneously use the term, this makes them an OSP, and not an ISP.

      That aside, virtually every ISP and OSP has an ISP they "report to" - thus this should in no way make shutting one of these company's/criminal's/site's internet access down any more difficult than in the past. Basically, unless you are a backbone owner, you're paying for a connection to the Internet via someone else and having lines installed by someone else.

      In addition, I'd suspect it makes it easier to get them disconnected as they cannot claim (in the US) safe harbor if they are knowingly and/or through actions of their own; placing such botnets online on "their" network. The provisions of the law here are to protect those ISPs and OSPs who get snared in the actions of end-users (not their own malicious actions), only if and when they take appropriate actions to deal with it (those actions dependent on the infraction type... for instance, for copyright infringement, following the rules in the DMCA). In this case, they are causing two strikes to be against them from the get-go...

      I'd surmise, that unless a botnet operator buys a big chunk of the Internet "backbone" that the Internet cannot survive without, that regardless of the number of IPs they own, following standard procedures against their ISP will result in the same ends as before. And I would further surmise that even if they did buy a big fat pipe, this would also make it easier to block them at peering points (which in some cases, if done drastically, would help convince their upstream provider to disconnect them even faster than the paperwork and complaints filed).

      But that's just my guess... from I dunno... years in the business, including working for UUNet before they got entangled in the MCI-Worldcom debacle (you know, back in the day when besides running the 2nd largest (behind IBM) and then largest part of the backbone, they were actually the real provider for the majority of MSN's and AOL's networking and end user connections. So... as I said, it's just a guess... the Internet landscape has changed a lot from those days of antiquity... but I suspect my guess is pretty close to the true reality of the situation, thus meaning this article on threatpost is massively (and incorrectly) overstating the significance of this.

      Then again, I haven't RTFA, so I am only going by a summary - even though my experience on /. has shown that's a bad idea... (but it is more fun having conversations about things that way). ;-)

    • by fredklein (532096)

      Or just use Email Certification.

      Long story short, everyone who wants to send Certified mail has to be 'certified' by their ISP. (UN-certified mail would still be possible, if you wish.) Getting certified is nothing more than providing enough information to positively identify you, and costs a nominal fee.

      In return, you create a public/private key pair, and give the public one to the certifier. The private key goes into your email server, which adds some headers to each outgoing email. One of these is encryp

      • Your post advocates a

        (X) technical ( ) legislative ( ) market-based ( ) vigilante

        approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) Spammers can easily use it to harvest email addresses
        ( ) Mailing lists and other legitimate email uses would be affected
        ( ) No one will be able to find the guy or collect the mone

        • by RMH101 (636144)
          beat me to it, goddammit! thanks!
        • by fredklein (532096)

          Your post advocates a

          (X) technical ( ) legislative ( ) market-based ( ) vigilante

          approach to fighting spam.

          God, I hate this shit. ::sigh::

          (X) Users of email will not put up with it

          There's nothing to 'put up with'.

          (X) Many email users cannot afford to lose business or alienate potential employers

          They won't. If the sender is Certified, they get the email. If the sender is not certified,they just have to look in their 'spam' folder, or white list them... just like people do now.

          (X) Lack of centrally controllin

  • Easier to block? (Score:5, Insightful)

    by phil reed (626) on Monday December 21, 2009 @05:58PM (#30517418) Homepage
    Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?
    • But who enforces the blocking and how?
    • Re:Easier to block? (Score:5, Interesting)

      by CannonballHead (842625) on Monday December 21, 2009 @06:00PM (#30517440)

      Out of curiosity... does that make that IP space sort of permanently black-listed? e.g., if the "bad guys" go out of business and "good guys" buy the IP space... how do the new owners clear the IP space of its bad name?

      Seems like a shame to start throwing IP space away because there's no way to make it clean again.

      • Re:Easier to block? (Score:5, Informative)

        by Zerth (26112) on Monday December 21, 2009 @06:09PM (#30517562)

        That's why your lists should have a time component.

        If you do something naughty, you're blacklisted for an amount of time, then greylisted for the next step up. If you do something naughty while greylisted, you get blacklisted for the remainder and greylisted the next step up again.

        Mine goes 15 minutes/1 day/2 weeks/3 months/1 year. I've yet to blacklist anyone for a year.

        • Re:Easier to block? (Score:5, Interesting)

          by gknoy (899301) <gknoy@@@anasazisystems...com> on Monday December 21, 2009 @07:31PM (#30518324)

          Do you have any helpful links to guides that would explain how to do that? I'm sure I am not the only network-care neophyte who would like to have a safe and spam-free system at home, so I'm sure it would get you modded informative.

          • by Zerth (26112)

            Not anything step by step. If your anti-spam software or mailhost supports scripting(or is OSS) and pulls from a manipulable data source(sql, text, dns), you just need to set up a rule for each case that both drops the connection and inserts the IP & timestamp back into those lists.

            Then have a script in cron that deletes anything older than the max time for each list

            Spamassassin probably has a plugin for this already, but I can't be bothered to get with the future:)

            One easy thing you could do is to rep

          • Re:Easier to block? (Score:5, Informative)

            by nacturation (646836) * <nacturation&gmail,com> on Monday December 21, 2009 @11:54PM (#30520240) Journal

            Run spamd on OpenBSD or other OS that supports it. Works beautifully.

            http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8 [openbsd.org]
            http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8 [openbsd.org]
            http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5 [openbsd.org]
            http://www.linux.com/archive/feature/61103 [linux.com]

            By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you setup fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.

            Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.

            It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.

      • Re: (Score:3, Insightful)

        by mysidia (191772)

        No.. it's worse than that. IP addresses aren't bought or sold.

        Once they are no longer using the IPs, once they cancel the connection, the IP delegation goes away.

        If the IPs came from the ISP, that ISP has to re-use such IPs: they count against the ISP's ability to justify need for more IP addresses.

        If the IPs came from a RIR, once the justification goes away, the IP addresses are supposed to be returned, or they get revoked when the recipient of the IPs stops paying their annual maintenance fees.

        I

        • Re: (Score:3, Insightful)

          by RMH101 (636144)
          this is kind of the point, isn't it? It imposes an incentive on ISPs to vet their customers and not harbour spammers. If they do, they'll end up with a block of IPs that no-one wants. SORBS et al give them notice, if it's ignored then eventually they get blacklisted. Other ISPs can choose to use those blacklists if they want, or not, depending on whether they think the net effect is beneficial.
          There is no cabal
      • Happened to me. launched a site on Pair networks a few years back and had problems with my outgoing mail. Turned out the guy who had the IP address before me was blacklisted. Pair just pushed me over to a new address. No problem.
      • Don't worry, once we we've needlessly partitioned away every last block of ipv6 addresses, we can repeat the exercise again with ipv8 :)
    • Re: (Score:2, Interesting)

      by Conchobair (1648793)
      I would think, that the crimals would use a forged source IP address [wikipedia.org] as not to reveal thier true IP.
      • Re:Easier to block? (Score:4, Informative)

        by denis-The-menace (471988) on Monday December 21, 2009 @06:26PM (#30517712)

        Wouldn't they need to peer with someone?
        If so, then that peer should become the new target for shutdown requests.

        Am I right?

        • Yes, but most mid-level and top-level network providers refuse to do anything about their misbehaving clients, citing concerns such as "common carrier status" and "we have no policy for that" and "contact the registering entity" and "contact abuse@spamserver.com". This has been going on for years in various ways, especially for the 'legal' bulk advertisers as opposed to fraudulent spammers, and 'legal' spam for pyramid schemes, spam that is in complete compliance with the the USA's 'CAN-SPAM' laws but is ne

        • Re: (Score:2, Interesting)

          by mysidia (191772)

          Well, you could send complaints to the provider they peer with.

          Normally that means the provider you send the messages to forwards them to the administrator of the network the spam complained about originates from.

          Blacklisting is still your best bet, if you want to stop spam.

          Spamhaus has a list called DROP [spamhaus.org], the Don't Route or Peer list, for listing hijacked blocks and professional spammers.

          Trend Micro has InterCloud, ICSS/BASE.. which can provide tl. a BGP feed of providers/IP addresses to blacklist

        • by rtb61 (674572)

          It doesn't really matter, the big game 'is' to be an ISP and pretend one of your customers is the culprit, so the pseudo customer gets pursued, while you simply pretend another shady customer has opened up an account. There were quite a few smaller ISPs who had a real reputation for being enablers of digital crimes, so this tactic is really nothing new.

          The whole idea is to hide and make your presence felt, big noisy operations are just targets. Besides the biggest culprits will be intelligence services i

    • Re:Easier to block? (Score:5, Informative)

      by Demonantis (1340557) on Monday December 21, 2009 @06:06PM (#30517526)
      In TFA it mentions that it starts to become spaghetti. As ISP get smart and start blocking that address block the criminal moves on to other things. The lease expires on the block and it is issued to a legit company and then problems happen because the blacklists are not updated by the ISPs. IPv4 also is a very limited size so you can't just rotate around the blocks you issue every 100 or so years (conservatively) and avoid this issue.
      • Re: (Score:2, Funny)

        by mysidia (191772)

        If there were... nobody would bother cleaning old blacklist entries, since the IPs only get recycled every 100 years or so.... no reason to bother.

        Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

        • Re: (Score:3, Funny)

          by Hognoxious (631665)

          Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

          No worries, everyone will be using IPv8 by then.

    • by mjwalshe (1680392)
      and also if they have had to build a dc buy srvers rent space this all leaves a paper trail to them
    • Re: (Score:3, Informative)

      by mysidia (191772)

      There is a strong movement on the public internet registries such as ARIN, RIR, etc, supporting privacy of IP address allocation data. In the future, it is very likely that registry policy may shift in favor of these supporters of internet privacy.

      The result will be you cannot do so much as a WHOIS lookup to find out who these spammers might be if the privacy advocates/spammer have their way, only with a court order...

      Good luck getting that when the spammer lives in a different country, where spam isn'

      • You bring about a few good points, especially about IPv4 running out, and the problem continuing simply with PIv6.
        If we were to try and maybe add a process unto the name acquisition, such as cocacola.com, which would be part of a white list (having gone through approval by some comittee), where any regular website like yours or mine homebrew (could or not be legit) be considered grey list, have some blacklist which would be the actual malware resolvers...and then add a list per country, or even maybe per ty

    • Re:Easier to block? (Score:5, Interesting)

      by xous (1009057) on Monday December 21, 2009 @08:19PM (#30518672) Homepage

      No, it doesn't.

      We had a "customer" that had 15+ dedicated servers with us. This customer received tons of SPAM complaints. Each time they had a different excuse.

      After I disabled the servers and refused to turn them back on without examining them. The "employee" said he wasn't supposed to give me the root passwords but after I said that they would stay down until I got them he reluctantly gave them to me. Upon cursory examination the systems seems clean as a whistle until I realized there were no services actually running. No mail, etc.

      Where was the email coming from?

      I then found that the customer had GRE tunnels configured. This allowed servers in other data-centers to generate and send the spam through our network without having anything of actual value hosted with us.

      The "employee" that was our customer was so convincing that I could have believed that at least he thought his company was legitimate. He even tried to tell me that it was because they couldn't get IP addresses from their current provider they bought dedicated servers from us ($1500/mo) for IP space.

      Obviously the customer was terminated as soon as I found the tunnels.

      • Re: (Score:3, Informative)

        by mysidia (191772)

        Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

        Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

        The scenario is atypical. From the sounds of it, most spammers are not buying the cabinet space from the same company that is providing the internet access.

        Of course it's a bre

        • Wouldn't it only be breach of contract if it violated the terms of the contract? Not sure how YOU know what those contracts state.

          • by mysidia (191772)

            In most cases it would be. Most spammers and non-spammers, don't make an agreement with provisions for their landlord to turn off the lights.

            The contract specifies services to be provided, and turning off those services is a failure to perform under the agreement, in the most common scenario.

            Even if the terms don't explicitly prohibit the landlord to do so, it may still be unlawful for them to turn off the power without meeting certain advance notification requirements.

            Whether the actual crime is br

        • Re:Easier to block? (Score:4, Interesting)

          by xous (1009057) on Tuesday December 22, 2009 @01:33AM (#30520748) Homepage

          Hi,

          The SPAM was originating from our network which is an TOS violation which allows us to suspend services. I had already disabled the switch ports and the customer was trying to get it back online.

          I had no obligation to waste my time trying looking into the problem to see how the spam was being sent. The customer could have easily went somewhere else instead of accepting the condition for turning the equipment back on.

          I think what this "company" was doing had all their spam services in a data-center and only used their connection with them connecting to GRE tunnels.

          Then they found smaller dedicated hosting companies that offered cheap servers ($100/mo) and tunneled all their traffic to their hosts at other networks.

          It's not a bad tactic as it can sometimes take smaller companies a while to investigate complaints.

          • by mysidia (191772)

            Well, killing connectivity to an IP customer generating spam is a good strategy, and should put single-homed spammers out of business.

            Assuming of course, they are not an innocent victim. But in any case, your IP network is your IP network.

            But as mentioned above, the more insidious spammers might make that impossible, by leasing rack space and power from provider A, transport from provider B, and IP from providers C, D, E, and F..

            Relying on the notion that IP providers C,D,E, and F, have no con

        • by rbcd (1518507)

          Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

          Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

          No legal problem there. It's a contract issue.

          • by mysidia (191772)

            No legal problem there. It's a contract issue.

            I wouldn't say it's so clear. A contract issue is definitely a legal issue, and depends on the terms of the contract, and also what country a provider operates in, and what is legal in that country..

            In many countries, the policy of coercing customers into providing access may run afoul of the Data Protection / Wiretap acts, according to the customer information stored on that equipment.

            Also, no matter what the terms of a contract actually say, certain a

        • by Slashcrap (869349)

          Well, you probably broke quite a few laws by using coersion to gain access to a customer's servers.

          No, he quite obviously didn't and only an unbelievable retard would assume that he had.

          Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

          Given the rambling bullshit nature of the rest of your comment, I'm seriously wondering if you think the use of GRE tunnels is itself illegal. Obviously that would be incredibly stupid, but well...

      • Nice troubleshooting. Glad you terminated them.

    • IPv4 I would think so, my HOSTS file is 600kB from http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] (I don't soley rely on it as I also use AdBlock+ with FF), but if everything went IPv6 overnight the blocklists could get into some seriously ludicrus filesizes.
  • I thought... (Score:5, Interesting)

    by Darkness404 (1287218) on Monday December 21, 2009 @06:00PM (#30517428)
    I thought the entire reason why botnets were so hard to stop is because they could be on a huge range of IP addresses. With this isn't it trivial to see that Evilnet ISP is a botnet and has the IP addresses xxx.xxx.x.xxx- xxx.xxx.x.yyy and just block those? I mean, yeah, if they had enough bandwidth they could still flood you with requests that slow down the servers because they all need to be blocked, but shouldn't it make blocking them easier?
  • by e2d2 (115622) on Monday December 21, 2009 @06:00PM (#30517432)

    No further investigation is done

    And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

    Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

    • by casings (257363) on Monday December 21, 2009 @06:03PM (#30517470)

      Mark Foley would probably like that idea.

    • by Darkness404 (1287218) on Monday December 21, 2009 @06:04PM (#30517492)
      Sure, but the thing is IPv4 IP addresses are limited. Because of this, even if they started a botnet today and a year from now were gone, those range of IP addresses still might be blocked by various places.

      I agree with your general feelings that you shouldn't need investigating to get a block of IP addresses, but it reduces a scares commodity and is in the best interests of those giving out blocks of IP addresses to check out the companies a bit more.
      • Re: (Score:3, Insightful)

        by scott_karana (841914)

        Most sane datacenters will be extremely proactive about dealing with abuse complaints about spam, to say nothing about botnets, since they're the ones providing the IPs to the customers.
        Capitalism typically makes it hard on the baddies here: datacenters do NOT want to lose saleable IPs to long-lasting blocks.

      • Sure, but the thing is IPv4 IP addresses are limited.

        Exactly. Wake me when they become an IPv6 ISP.
    • by Shakrai (717556)

      Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

      Boy, that's gonna really suck for the people whose political party of choice happens to be out of power at the time they need to go..... ;)

    • Re: (Score:3, Funny)

      Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

      If so, that's going to make it damned hard to be a phlebotomist. It's a good thing I only plan on leaving one.

    • No further investigation is done

      And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

      Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.

      Yet, funnily enough, for me to get a measly 16 IPs (for 6 servers, 1 router, 3 dedicated workstations that are not permitted by law to have NAT, one more IP to a NAT router for other client stations and SOB/EOB) I have to justify each and every one of them, including possibly digging out the specific legal requirement for the 3 specialized workstations not being able to be NAT'd and identify the customer to further support why that law applies to them in support of us not being able to NAT those workstation

  • Hyperbole (Score:5, Insightful)

    by uassholes (1179143) on Monday December 21, 2009 @06:03PM (#30517472)
    Having a block of IP addresses does not make one an ISP.
    • by Shakrai (717556) on Monday December 21, 2009 @06:33PM (#30517778) Journal

      But they are providing internet service to the critically underserved market of phishers, extortionists and viagra salesman. I bet they even obey network neutrality and don't inject fake RST packets into your connections too. Clearly they qualify as an ISP ;)

      • Technically, "back in the day" the term Internet Service Provider referred to a provider of online access for companies or individuals (ie: you could connect to the net via dial-up, ISDN, T1, T3, DSL, etc) and the term OSP referred to a company that provided online services (for themselves and/or others) other than connectivity (companies with web properties, web hosting companies, newsgroup hosting companies, email providers, etc).

        Seems "ISP" is the new blanket term for everything. Various US law address

    • by Eil (82413)

      Well, the terminology is debatable. They're talking about the malware and botnet operators getting more organized and reselling their services as malware-friendly ISPs.

      I work for a web hosting company, but the vast majority of our customers are resellers who simply rent a dedicated box with cPanel, toss up a web page, and presto, they're a web hosting company too.

  • Isn't this cool? (Score:5, Interesting)

    by DNS-and-BIND (461968) on Monday December 21, 2009 @06:03PM (#30517474) Homepage

    Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

    Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

    • Re: (Score:3, Funny)

      by lymond01 (314120)

      Umm, my future had me flying through a huge chamber freezing other people's limbs with my gun and scoring points with my helmet.

      We really should have gone with my future...

    • Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

      Somewhere, on a secret global malware authors' intranet, on a site running Slashcode, scammers are praising 2010 as the year of unregulated DoS'ing on the Internet.

    • Re:Isn't this cool? (Score:5, Interesting)

      by JohnyDog (129809) on Monday December 21, 2009 @07:28PM (#30518284)

      Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?
      Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

      In those cyberpunk visions the world, political and judicals systems are tightly controlled by corrupt mega-corporations and the net is anything but open. The very act of accessing the network or tampering with it may land you in prison, criticizing the rulers means you're dead and so on. Every piece of hardware is registered, so if you want to get any hacking done you have to turn in to black market (for stuff) and criminals (to get money for stuff), out of pure necessity. (it's the classical tale of occupied country's resistance movement working together with organized crime, right?)

      Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably. Anonymity is just one unsecured wifi hotspot away on every corner (so you don't need to pay a hacker to get you online), and any attempts at uncovering corruption and truth are met with public support. So the traditional heroes of cyberpunk stories can operate publicly or semi-publicly (think wikileaks), the worst that can happen to them is someone pulling the DMCA on the copied/leaked documents, which rarely results even in fines, much less prison time. The hackers are working on cool engineering projects instead of breaking into companies networks, and the criminals are, well, criminals - since they are no longer needed for the goals of the freedom fighters, all they do is disrupt the free information exchange (ddosing sites for greed, decreasing signal-to-noise ratio by spamming the hell out of everyone etc.), and so are frowned upon even by the neo-anarchists.

      • Re: (Score:2, Informative)

        by pantherace (165052)

        Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably.

        Sadly, I think your statement is incorrect. I'd agree that we've got cheap internet and hardware. China's firewall, as well as Iran's filtering seem to both be large-scale censoring, which has not failed miserably. In most of the rest of the world, while not censored, it may well be monitored. Also con

      • I wish I was as sanguine as you seem to be about the future of the net, though. I don't see it getting any free-er any time soon. China's Great Firewall actually does a pretty fantastic job of censoring the net--even if someone can trivially bypass it, the fact is they *have* to, which has much more moral force than I'd certainly originally considered.

        The future looks wireless, and right now wireless is a hellhole of proprietary bullshit.

        And if you don't think our political and judicial systems
    • Come on, W.G. is one of the founders of the whole cyperpunk genre.
      You can't honestly tell me that you've read Sterling and Stephenson and haven't read Gibson.
  • Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.

    Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com [joescheapdrugs.com]. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.

    The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.

    It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).
    • by Ifni (545998)
      Still doesn't complicate matters much - some software will have to be updated, but if the option were added to refuse to resolve websites that use a particular registrar, or to ignore results from specific DNS servers, then they can be shut out of the average user's Internet experience. Granted, this would have to be done at the DNS provider level (your ISP, or OpenDNS, etc) so the individual user wouldn't have as much control (unless they host their own recursive DNS), but it presents a pretty minor speed
    • We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

      I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US? So Medecin Sans Frontières has no right to a .org in your world because it's French? Heck SAP couldn't get a .com because it's German! I'm just wondering.

      • I live in Canada, and we have the .ca domain. But I've worked for several Canadian companies that have the .com suffix.
      • We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

        I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US?

        I didn't actually say that, and admittedly when typing my post I was concerned about the possibility someone might read it that way.

        The point I was trying to make has more to do with registration of domains. It is trivial for overseas spammers to give the impression of being an American company, and registrar credentials are generally crappy at best.

      • by mjwalshe (1680392)
        err the TLD's .com .org etc are not and have never been "American" they are by design generic domains that have no geographic ties. Though I am surprised that within the EU that member states can restrict the sale of country tld's to residents of that country how that fits with the suposed "free movement of services" i dont know.
  • by Anonymous Coward

    I manage the network for a medium sized data center, and I see bogus requests for large blocks of IP addresses all the time. We require a justification letter, that acts more as a clue gathering form to help us weed out the illegitimate requests. All it takes is a few minutes of research to determine if the request is legitimate or not; in fact, it is usually immediately obvious that it's a fake. It's sad that other data centers do not do the same.

  • Uh, No (Score:1, Informative)

    by sexconker (1179573)

    Pipes and buildings and computers need to live somewhere. Find them and shut them down physically.

    How do you find them? Follow the money.

    They moved stuff into the cloud?
    Clouds need to live somewhere. Find them and threaten to shut the cloud down physically. The cloud will then be willing to talk to you, and will shut down the people doing bad things.

    How do you find them? Again, follow the money.

    It's NEVER hard to shut someone down.
    What's hard is organizing the people with legal authority and getting th

    • SO you're saying that *someone* should hack into the spammers boxen and and install a child porn archive or similarly regional taboo - then bring public attention to it? Oooohhh that sounds like a very vigilante grey hat goal to achieve. So whom will take up the gauntlet? Any "NetMan" around to protect us all from organized crime on the net?

  • Escalation (Score:1, Funny)

    by Anonymous Coward

    "Ha ha! Look at us! We've got fat pipes that we can use to DoS almost anyone and spew spam all over the internet! We so rule! Ha ha!"

    (the internet wises up to this; these people get kicked off their ISPs or out of their universities, more people get fat pipes, spam gets blacklisted, damage is mitigated)

    "Well, fine. We'll just use security flaws in swiss cheese-like browsers and operating systems, play on people's stupidity regarding computers, and turn everyone into our spam-dumping and DDoS-employing

    • Re: (Score:2, Insightful)

      by el_tedward (1612093)

      Hey, I don't really like this...

      I'm studying cool l33t computer security stuff at college at the moment, and what you seem to be suggesting implies that some day computer security will mature, and there won't be as big of a reason to employee peoples like me.. Um, I don't like the way that sounds. You should stop talking..

      mod parent down, plz

      k thx

      • Re: (Score:2, Informative)

        I suspect there will always be con artists and suckers to feed them. Crack those books, el tedward, the networks will need you.

        Steve

  • This is nothing new.

    • Yes, typing stuff for other people to see... computers, networks, whatever.

    • Re:Old news (Score:5, Insightful)

      by Zocalo (252965) on Monday December 21, 2009 @06:35PM (#30517804) Homepage
      No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP [spamhaus.org]. All it takes is a for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this this technique.
  • Personally I would be running my own DNS servers / Anon proxies on those blocks of IPs so that bot traffic can be managed better.

    Just my .02
  • ...because if they were, then we'd really have to worry....about.....the unemployed.
  • ISP Level? (Score:1, Informative)

    by Anonymous Coward

    When they start requesting AS numbers, running their own infrastructure or even providing a service maybe then could this story have some merit.

  • We have 4 dedicated servers with about 20 IP's spread across them and started getting mail rejections.This turned out to be because the whole range if IP's the hosters had used got blacklisted by spamhaus for exactly the reason stated in the article - one other "customer" had spammed with his IP's so spamhaus just added the whole range to their RBL.

    • by RMH101 (636144)
      Good. Presumably your ISP had repeatedly ignored requests to bin the spammers, and eventually got themselves blacklisted. Their punishment for this is to get complained at / sued by irate customers such as yourself. Perhaps they won't be so dumb next time.
  • by cl191 (831857) on Monday December 21, 2009 @06:48PM (#30517930)
    "You own your own IP space and you're your own ISP at that point." I believe this sentence was designed to make youtube commenters' heads to explode......your you're you what?
    • Re: (Score:3, Interesting)

      by juliannoble (1154079)
      Yo you, you're your youtube you, yet your youtube's yesterday's you.
    • by jez9999 (618189)

      I believe this sentence was designed to make youtube commenters' heads to explode

      The second 'to' shouldn't be there.

  • Delete the AS [wikipedia.org] from the routing tables and don't peer with them.

  • Servers or not, it's a shitty datacenter that doesn't enforce its AUP with its customers.

    • by dr2chase (653338)
      Clearly we're doing this wrong. Maybe if we frame them for pirating MP3s, the ISPs will move a little quicker.
  • ...which it is in Eu - they are going to slapped down just as hard. And with huge amounts of hardware being confiscated they are not going to try that trick anytime soon.

  • Sounds like a good way to run a wide shallow botnet control tree.

    And Big Crime^WBusiness could control a collection of these small ISPs just like a botnet.
    --
    Does the noise in my head bother you?

  • As such, they still connect to someone upstream, you blacklist their address space, ALL OF IT, and their ISP if they refuse to cooperate.

    Rarely will the national ISPs take this sort of abuse, its rather easy for them to spot. You get plenty of crappy little local data centers that will let them get by with it, and 999 times out of a 1000 you'll never hear anything about it.

    I make about 2 attempts to stop a spammer that does this crap, 3 time I just blacklist the entire ISP.

You will be successful in your work.

Working...