
Malware and Botnet Operators Going ISP

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
  • Re:Easier to block? (Score:5, Informative)

    by Demonantis ( 1340557 ) on Monday December 21, 2009 @06:06PM (#30517526)

    In TFA it mentions that it starts to become spaghetti. As ISPs get smart and start blocking that address block, the criminal moves on to other things. The lease expires on the block and it is issued to a legit company, and then problems happen because the blacklists are not updated by the ISPs. IPv4 is also a very limited size, so you can't just rotate around the blocks you issue every 100 or so years (conservatively) and avoid this issue.
  • Re:Easier to block? (Score:5, Informative)

    by Zerth ( 26112 ) on Monday December 21, 2009 @06:09PM (#30517562)

    That's why your lists should have a time component.

    If you do something naughty, you're blacklisted for an amount of time, then greylisted for the next step up. If you do something naughty while greylisted, you get blacklisted for the remainder and greylisted the next step up again.

    Mine goes 15 minutes/1 day/2 weeks/3 months/1 year. I've yet to blacklist anyone for a year.

  • by Anonymous Coward on Monday December 21, 2009 @06:20PM (#30517662)

    I manage the network for a medium sized data center, and I see bogus requests for large blocks of IP addresses all the time. We require a justification letter, which acts more as a clue-gathering form to help us weed out the illegitimate requests. All it takes is a few minutes of research to determine if the request is legitimate or not; in fact, it is usually immediately obvious that it's a fake. It's sad that other data centers do not do the same.

  • Re:Easier to block? (Score:4, Informative)

    by denis-The-menace ( 471988 ) on Monday December 21, 2009 @06:26PM (#30517712)

    Wouldn't they need to peer with someone?
    If so, then that peer should become the new target for shutdown requests.

    Am I right?

  • Uh, No (Score:1, Informative)

    by sexconker ( 1179573 ) on Monday December 21, 2009 @06:28PM (#30517734)

    Pipes and buildings and computers need to live somewhere. Find them and shut them down physically.

    How do you find them? Follow the money.

    They moved stuff into the cloud?
    Clouds need to live somewhere. Find them and threaten to shut the cloud down physically. The cloud will then be willing to talk to you, and will shut down the people doing bad things.

    How do you find them? Again, follow the money.

    It's NEVER hard to shut someone down.
    What's hard is organizing the people with legal authority and getting them to give a shit.

    Nerds like to think that the internet is some awesome force, and that information wants to be free, etc.

    The internet is a fucking physical network maintained by real people. Abstract all you want. Personify all you want. But when you get the suits lined up against you, you're going down.

    If you want to test it, just do the something that will get the most suits lined up against you.

    USA? Child porn.
    Germany? Swastikas and Hitler.
    Middle East? A drawing of Mohamed.

    The bottom line is that no one gives a shit that grandma's PC is thoroughly owned, or that your inbox is 99% spam, or whatever else.

  • ISP Level? (Score:1, Informative)

    by Anonymous Coward on Monday December 21, 2009 @06:34PM (#30517788)

    When they start requesting AS numbers, running their own infrastructure or even providing a service maybe then could this story have some merit.

  • Re:Easier to block? (Score:3, Informative)

    by mysidia ( 191772 ) on Monday December 21, 2009 @06:58PM (#30518004)

    There is a strong movement on the public internet registries such as ARIN, RIR, etc, supporting privacy of IP address allocation data. In the future, it is very likely that registry policy may shift in favor of these supporters of internet privacy.

    The result will be you cannot do so much as a WHOIS lookup to find out who these spammers might be if the privacy advocates/spammer have their way, only with a court order...

    Good luck getting that when the spammer lives in a different country, where spam isn't illegal.

    No, because once every /24 in those f****ers' block gets on enough blacklists, they get a few more hosts to justify a bigger block, fill out a form to RETURN the IP addresses they got. Their old IPs will be assigned to someone else, and after they exchange their old IPs for a fresh new block of IPs they have even more /24s than before, and none of them blocked.

    Now only the new guy (that happens to be so unlucky as to get their old IPs) is blocked.

    Of course the f'ers will pretend to be legitimate extremely well, and make it as hard as possible for people to see reason to ban their whole block.. (E.g. The "shell" ISP will create "fake" separation from spammers who "received space" from their block)

    They may do all kinds of weird s**** to make it look like it's not just one spammer.

    Alternatively, they just apply for more space, using more shell companies, lather, rinse, and repeat. Until IPv4 is exhausted [inetcore.com], that is.

    If they have no problem lying once... it's not the least bit difficult to create 30 more fake companies (or even, make them real companies -- if the spam effort is profitable enough).

    This is all assuming they are getting the IPs from the RIRs in the first place, which I doubt is the most common.. that could be too easy to track, since these allocations generally get published very visibly.

    LIR ips are just fine for them, and much easier to get.

    Also, the RIRs are basically powerless to stop this. Contrary to the article, it's not necessarily about "LIRs being lax".

    Once a block of IP addresses is assigned, it is not as if the LIR or RIR can revoke it and force its use to cease.

    Revoking IP addresses doesn't magically make them unreachable on the internet -- once the spammer convinced their ISP to announce the address space, they don't need (any longer) to prove they got the IPs legitimately, until/unless they get more ISPs.

    The article's terminology is wrong. An LIR is just another name for an ISP. Verizon is an LIR, Level3 is an LIR, Cogent is an LIR, AT&T, Sprint, etc, are all LIRs, any ISP that receives ISP allocations of addresses which are issued to them for the sole purpose of sub-delegating for use with their services, is called an LIR.

    Maybe the article means the spammers are getting IP delegations from an ISP LIR, that would make sense. It is very easy to believe, they could do this en masse with very little effort, in fact.

    If you buy internet services from an ISP like Verizon, and claim to have X hosts, they will have a very hard time rejecting a request from their customer for those IPs.

    For a simple /24 or two, most won't ask for much documentation, as long as the price is right, it's not customer-friendly to try that.

    The tough questions don't start getting asked, until a request for a larger number of IPs is made, which is sensible. Level of justification and documentation commensurate with the expected usage.

    The LIR/ISP will SWIP the listing or list the claimed owner on their RWHOIS Servers, but it won't appear as public knowledge in the RSS feeds [arin.net], that such and such /24 has been allocated.

    ISP RWHOIS servers are commonly broken and poorly maintained -- the spammer's new subdelegation may not even become public knowledge.

  • Re:Isn't this cool? (Score:3, Informative)

    by Deltaspectre ( 796409 ) on Monday December 21, 2009 @07:03PM (#30518054)

    Then I would gracefully fall down towards the enemy gate. (I was actually looking around yesterday and it seems there may be a battle room videogame on the way : http://en.wikipedia.org/wiki/Ender's_Game_(video_game) [wikipedia.org] )

  • by meerling ( 1487879 ) on Monday December 21, 2009 @08:05PM (#30518592)
    Come on, W.G. is one of the founders of the whole cyberpunk genre.
    You can't honestly tell me that you've read Sterling and Stephenson and haven't read Gibson.
  • Re:Isn't this cool? (Score:2, Informative)

    by pantherace ( 165052 ) on Monday December 21, 2009 @08:47PM (#30518826)

    Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts at any large-scale censoring have failed miserably.

    Sadly, I think your statement is incorrect. I'd agree that we've got cheap internet and hardware. China's firewall, as well as Iran's filtering seem to both be large-scale censoring, which has not failed miserably. In most of the rest of the world, while not censored, it may well be monitored. Also consider the recent articles about people providing fake DMCA notices, which may or may not be widespread, and the attempt to get those extended to every country.

  • Re:Escalation (Score:2, Informative)

    by Earthquake Retrofit ( 1372207 ) on Monday December 21, 2009 @09:19PM (#30519046) Journal
    I suspect there will always be con artists and suckers to feed them. Crack those books, el tedward, the networks will need you.

    Steve

  • Re:Easier to block? (Score:3, Informative)

    by mysidia ( 191772 ) on Monday December 21, 2009 @09:52PM (#30519318)

    Well, you probably broke quite a few laws by using coercion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

    Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

    The scenario is atypical. From the sounds of it, most spammers are not buying the cabinet space from the same company that is providing the internet access.

    Of course it's a breach of contract and likely a violation of SLA for a cabinet provider to power down anyone's equipment or start cutting wires, because they think they might be spamming.

    The spammer might sue claiming loss of valuable data (due to an unclean shutdown of their server).

    Industry standard terms are power can be disconnected at request of customer (for a fee of course), emergency, planned maintenance, and violation of wiring standards (e.g. many major colocation facilities will have many rules on how equipment can be plugged in). But I don't think there are many Enterprise rack residents that accept "We may disconnect you if we feel your servers are doing something suspicious"

    Of course network connections are a bit different.

    Well, if you buy TRANSPORT from point A to point B, such as a connection from your rack to an ISP, in a major datacenter, you can expect by contract the transport provider cannot examine any data crossing the wire. In fact, they cannot cut the cable, just because they suspect you might be sending spam over it.

    Your OC-3 or Ethernet transport from "Point A" to "Point B" is not an internet service. It's extremely unlikely for an Enterprise to negotiate a contract that allows their transport provider to disconnect them.

    Following industry standard terms, a transport provider cannot kill the link, even if you are spamming, in fact, even if an internet attack happens to be crossing the link, a transport provider has no right to kill your connection or detect the nature of the traffic that is being transported.

    To do so would be breach of contract/SLA on their part, and subject them to unnecessary liabilities (they lose their common carrier status for links that they 'watch').

    In most cases, the one and only party that can legally cut off such a professional spammer at the source is the upstream ISPs, transit providers, or peering exchange of the misbehaving party.

    Naturally, this is assuming the ISP isn't the same company that provides the rack space. In other situations matters might be different.

    And in a major datacenter, there might be a lot of different ISPs to choose from...

    I guess, my point is just... the standard arrangements for such facilities can actually serve to protect spammers.

    Just like they protect Enterprises (who wouldn't inhabit them otherwise -- if someone could just arbitrarily decide to power off their servers, because they didn't like a file on their website).

  • Re:Easier to block? (Score:5, Informative)

    by nacturation ( 646836 ) * <nacturation AT gmail DOT com> on Monday December 21, 2009 @11:54PM (#30520240) Journal

    Run spamd on OpenBSD or other OS that supports it. Works beautifully.

    http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8 [openbsd.org]
    http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8 [openbsd.org]
    http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5 [openbsd.org]
    http://www.linux.com/archive/feature/61103 [linux.com]

    By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you set up fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.

    Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.

    It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.
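A compact model of the greylisting gate nacturation describes, covering the three mechanisms in the comment: temporary-failing the first tries for a new (IP, sender, recipient) tuple and whitelisting it once it retries, blacklisting any IP that mails a spam-trap address, and the greyscanner-style rule that an IP sending from many different sender domains gets blacklisted. This is an added example written for this page, not spamd's or greyscanner's code: real spamd decides on retry timing rather than counting attempts, and the thresholds, the `GreyGate` name, the SMTP-style reply strings and the sample addresses (TEST-NET ranges and example domains) are all constructed here.

```python
"""Toy greylisting front end in the spirit of the spamd description above.

Added example, not spamd/greyscanner code. Simplifications: attempts are
counted rather than timed, and "a month or so" is fixed at 30 days.
"""
from collections import defaultdict

GREY_TRIES = 2                 # temporary failures before a tuple is let through
WHITE_TTL = 30 * 86400         # whitelist a passing tuple for ~a month (seconds)
BLACK_TTL = 30 * 86400         # blacklist an offending IP for ~a month (seconds)
MULTI_DOMAIN_LIMIT = 3         # greyscanner-style: this many sender domains from one IP


class GreyGate:
    def __init__(self, traps=()):
        self.traps = {t.lower() for t in traps}   # spam-trap recipient addresses
        self.black = {}                           # ip -> expiry time
        self.white = {}                           # (ip, sender, rcpt) -> expiry time
        self.grey = defaultdict(int)              # (ip, sender, rcpt) -> attempts seen
        self.domains = defaultdict(set)           # ip -> sender domains seen

    def blacklist(self, ip, now):
        self.black[ip] = now + BLACK_TTL

    def check(self, ip, sender, rcpt, now):
        """Decide one delivery attempt; returns an SMTP-style verdict string."""
        sender, rcpt = sender.lower(), rcpt.lower()
        if self.black.get(ip, 0) > now:
            return "550 blacklisted"
        if rcpt in self.traps:
            # Only a harvester would mail a hidden trap address: block the IP.
            self.blacklist(ip, now)
            return "550 blacklisted"
        key = (ip, sender, rcpt)
        if self.white.get(key, 0) > now:
            return "250 accepted"
        # greyscanner-style heuristic: one IP claiming many sender domains.
        self.domains[ip].add(sender.rpartition("@")[2])
        if len(self.domains[ip]) >= MULTI_DOMAIN_LIMIT:
            self.blacklist(ip, now)
            return "550 blacklisted"
        self.grey[key] += 1
        if self.grey[key] <= GREY_TRIES:
            return "450 greylisted, try again later"
        # Third attempt: a real MTA retried, so remember the tuple as good.
        del self.grey[key]
        self.white[key] = now + WHITE_TTL
        return "250 accepted"


def run(gate, attempts):
    """Feed (ip, sender, rcpt, time) tuples through the gate; return verdicts."""
    return [gate.check(*a) for a in attempts]


# Constructed sample traffic (not real logs): a legitimate MTA that retries,
# a host rotating sender domains, and a host that mails the trap address.
SAMPLE = [
    ("192.0.2.10", "alice@example.net", "bob@example.org", 0),
    ("192.0.2.10", "alice@example.net", "bob@example.org", 600),
    ("192.0.2.10", "alice@example.net", "bob@example.org", 1800),
    ("192.0.2.10", "alice@example.net", "bob@example.org", 3600),
    ("198.51.100.7", "x@a.example", "bob@example.org", 10),
    ("198.51.100.7", "y@b.example", "bob@example.org", 20),
    ("198.51.100.7", "z@c.example", "bob@example.org", 30),
    ("198.51.100.7", "alice@example.net", "bob@example.org", 40),
    ("203.0.113.5", "w@d.example", "trap@example.org", 50),
    ("203.0.113.5", "w@d.example", "bob@example.org", 60),
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE, run(GreyGate(traps=["trap@example.org"]), SAMPLE)):
        print(attempt[:3], "->", verdict)
```

The order of the checks matters: a whitelisted tuple is accepted before the multi-domain heuristic runs, which is how the comment's advice to proactively whitelist legitimate senders that use many domains or a pool of servers would be honoured.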
