Security The Internet IT

Malware and Botnet Operators Going ISP 131

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
  • Filtering easier? (Score:5, Insightful)

    by Anonymous Coward on Monday December 21, 2009 @05:57PM (#30517404)

    If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.

  • Easier to block? (Score:5, Insightful)

    by phil reed ( 626 ) on Monday December 21, 2009 @05:58PM (#30517418) Homepage
    Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?
  • by e2d2 ( 115622 ) on Monday December 21, 2009 @06:00PM (#30517432)

    No further investigation is done

    And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

    Pretty soon we're gonna be so "secure" it's gonna take an act of Congress to take a piss.

  • Hyperbole (Score:5, Insightful)

    by uassholes ( 1179143 ) on Monday December 21, 2009 @06:03PM (#30517472)
    Having a block of IP addresses does not make one an ISP.
  • by Darkness404 ( 1287218 ) on Monday December 21, 2009 @06:04PM (#30517492)
    Sure, but the thing is IPv4 IP addresses are limited. Because of this, even if they started a botnet today and a year from now were gone, that range of IP addresses still might be blocked by various places.

    I agree with your general feelings that you shouldn't need investigating to get a block of IP addresses, but it reduces a scarce commodity and it is in the best interests of those giving out blocks of IP addresses to check out the companies a bit more.
  • Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.

    Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com [joescheapdrugs.com]. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.

    The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.

    It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).
  • by scott_karana ( 841914 ) on Monday December 21, 2009 @06:16PM (#30517628)

    Most sane datacenters will be extremely proactive about dealing with abuse complaints about spam, to say nothing about botnets, since they're the ones providing the IPs to the customers.
    Capitalism typically makes it hard on the baddies here: datacenters do NOT want to lose saleable IPs to long-lasting blocks.

  • Re:Old news (Score:5, Insightful)

    by Zocalo ( 252965 ) on Monday December 21, 2009 @06:35PM (#30517804) Homepage
    No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP [spamhaus.org]. All it takes is for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this technique.
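    The first two comments ("find out their range and shitlist it") and the DROP remark above both come down to the same defensive mechanism: ingest a published list of attacker-controlled prefixes and drop traffic to and from them at the network edge. The following is an added illustration, not code from Slashdot, Spamhaus or any commenter. It assumes the DROP text layout (one `CIDR ; SBL-reference` entry per line, `;` starting a comment) and uses a constructed sample built from documentation prefixes; the listed networks and SBL numbers are made up for the example.

```python
import ipaddress

# Constructed sample in the DROP-style text layout (";" begins a comment,
# entries are "CIDR ; SBL-reference"). These prefixes are RFC 5737 / RFC 3849
# documentation ranges and the SBL numbers are invented; nothing here is a real listing.
SAMPLE_DROP = """\
; Spamhaus-style DROP list (constructed sample for illustration)
; Last-Modified: constructed
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
2001:db8:dead::/48 ; SBL000003
"""


def parse_drop(text):
    """Parse DROP-style text into a list of (ip_network, reference) tuples.

    Comment and blank lines are skipped. Entries that are not valid CIDR
    prefixes, or that have host bits set, are ignored rather than trusted,
    so a corrupt download cannot turn into a surprise firewall rule.
    """
    entries = []
    for raw in text.splitlines():
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue  # blank line or pure comment
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # malformed entry: skip, never guess
        entries.append((net, comment.strip()))
    return entries


class DropMatcher:
    """Answer 'is this address inside a listed prefix, and which one?'."""

    def __init__(self, entries):
        # Longest prefix first so the most specific listing wins on overlap.
        self._entries = sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, address):
        """Return the SBL reference covering `address`, or None if unlisted."""
        ip = ipaddress.ip_address(address)
        for net, ref in self._entries:
            # `in` returns False across address families, so v4/v6 mix safely.
            if ip in net:
                return ref
        return None


def to_nft_elements(entries):
    """Render the prefixes as nftables set elements, one string per family.

    Example: ('192.0.2.0/24, 198.51.100.0/22', '2001:db8:dead::/48')
    """
    v4 = [str(n) for n, _ in entries if n.version == 4]
    v6 = [str(n) for n, _ in entries if n.version == 6]
    return ", ".join(v4), ", ".join(v6)


if __name__ == "__main__":
    matcher = DropMatcher(parse_drop(SAMPLE_DROP))
    for probe in ("192.0.2.77", "203.0.113.5", "2001:db8:dead:1::1"):
        print(probe, "->", matcher.lookup(probe))
    print(to_nft_elements(parse_drop(SAMPLE_DROP)))
```

The `strict=True` parse is the deliberate design choice: a line such as `10.0.0.1/8` would silently become a /8 block covering sixteen million addresses under lenient parsing, which is exactly the kind of collateral damage mysidia's later comment warns about from poorly maintained blacklists. Rejecting it and alerting on the skipped line is the safer default for anything that feeds a router.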
  • Re:Escalation (Score:2, Insightful)

    by el_tedward ( 1612093 ) on Monday December 21, 2009 @07:16PM (#30518194)

    Hey, I don't really like this...

    I'm studying cool l33t computer security stuff at college at the moment, and what you seem to be suggesting implies that some day computer security will mature, and there won't be as big of a reason to employ people like me.. Um, I don't like the way that sounds. You should stop talking..

    mod parent down, plz

    k thx

  • by mysidia ( 191772 ) on Monday December 21, 2009 @08:43PM (#30518808)

    No.. it's worse than that. IP addresses aren't bought or sold.

    Once they are no longer using the IPs, once they cancel the connection, the IP delegation goes away.

    If the IPs came from the ISP, that ISP has to re-use such IPs: they count against the ISP's ability to justify need for more IP addresses.

    If the IPs came from an RIR, once the justification goes away, the IP addresses are supposed to be returned, or they get revoked when the recipient of the IPs stops paying their annual maintenance fees.

    In any case, the IPs eventually go back to the free pool, and get allocated to someone else.

    The registries aren't going to try and "clean" blacklists, neither will ISPs. The recipient of IPs inherits the problem, to deal with any connectivity issues caused by blacklisting.

    For IPs received from an ISP though... you should be able to convince your ISP to get you new IPs and allow you to move, if you're willing to take the time and energy to renumber, and (for some ISPs), there may be fees involved in you making the change requests, for the time it takes the ISP to make changes.

    In many ways, poorly-maintained blacklists are just as harmful to the internet and end-to-end universal connectivity, as the spammers and malware peddlers are.

  • by RMH101 ( 636144 ) on Tuesday December 22, 2009 @05:50AM (#30521924)
    This is kind of the point, isn't it? It imposes an incentive on ISPs to vet their customers and not harbour spammers. If they do, they'll end up with a block of IPs that no-one wants. SORBS et al give them notice; if it's ignored then eventually they get blacklisted. Other ISPs can choose to use those blacklists if they want, or not, depending on whether they think the net effect is beneficial.