Malware and Botnet Operators Going ISP
Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
Filtering easier? (Score:5, Insightful)
If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.
Easier to block? (Score:5, Insightful)
DNA samples/Chips in fingertips? (Score:5, Insightful)
No further investigation is done
And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.
Pretty soon we're gonna be so "secure" it's gonna take an act of congress take a piss.
Hyperbole (Score:5, Insightful)
Re:DNA samples/Chips in fingertips? (Score:4, Insightful)
I agree with your general feelings that you shouldn't need investigating to get a block of IP addresses, but it reduces a scarce commodity and it is in the best interests of those giving out blocks of IP addresses to check out the companies a bit more.
Is the address space for something else? (Score:5, Insightful)
Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.
The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that
It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).
Re:DNA samples/Chips in fingertips? (Score:3, Insightful)
Most sane datacenters will be extremely proactive about dealing with abuse complaints about spam, to say nothing about botnets, since they're the ones providing the IPs to the customers.
Capitalism typically makes it hard on the baddies here: datacenters do NOT want to lose saleable IPs to long-lasting blocks.
Re:Old news (Score:5, Insightful)
Re:Escalation (Score:2, Insightful)
Hey, I don't really like this...
I'm studying cool l33t computer security stuff at college at the moment, and what you seem to be suggesting implies that some day computer security will mature, and there won't be as big of a reason to employ people like me.. Um, I don't like the way that sounds. You should stop talking..
mod parent down, plz
k thx
Re:Easier to block? (Score:3, Insightful)
No.. it's worse than that. IP addresses aren't bought or sold.
Once they are no longer using the IPs, once they cancel the connection, the IP delegation goes away.
If the IPs came from the ISP, that ISP has to re-use such IPs: they count against the ISP's ability to justify need for more IP addresses.
If the IPs came from a RIR, once the justification goes away, the IP addresses are supposed to be returned, or they get revoked when the recipient of the IPs stops paying their annual maintenance fees.
In any case, the IPs eventually go back to the free pool, and get allocated to someone else.
The registries aren't going to try and "clean" blacklists, neither will ISPs. The recipient of IPs inherits the problem, to deal with any connectivity issues caused by blacklisting.
For IPs received from an ISP though... you should be able to convince your ISP to get you new IPs and allow you to move, if you're willing to take the time and energy to renumber, and (for some ISPs), there may be fees involved in you making the change requests, for the time it takes the ISP to make changes.
In many ways, poorly-maintained blacklists are just as harmful to the internet and end-to-end universal connectivity, as the spammers and malware peddlers are.
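An added sketch, not from the thread or any commenter, that ties together two points made above: an allocation used for abuse can be blocked as a whole prefix, and block entries should age out so that whoever is assigned the addresses next does not inherit the block. The allocation table, holder labels and addresses are constructed placeholders (documentation ranges), not real data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed allocation table (prefix -> holder label). In practice this would
# come from RIR/whois data; the names here are placeholders, not from the thread.
ALLOCATIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "holder-A",
    ipaddress.ip_network("198.51.100.0/24"): "holder-B",
}

def allocation_for(ip):
    """Return the allocated prefix containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for net in ALLOCATIONS:
        if addr in net:
            return net
    return None

class RangeBlocklist:
    """Block whole allocations, but expire entries so reassigned space recovers."""
    def __init__(self, ttl=timedelta(days=30), threshold=3):
        self.ttl, self.threshold = ttl, threshold
        self.reports = {}   # prefix -> set of distinct reported addresses
        self.blocked = {}   # prefix -> time the range block was added

    def report(self, ip, now):
        """Record an abuse report; returns True if the range is (now) blocked."""
        net = allocation_for(ip)
        if net is None:
            return False
        self.reports.setdefault(net, set()).add(ipaddress.ip_address(ip))
        # Abuse spread across several addresses of one allocation points at the
        # holder rather than a single compromised host, so block the range.
        if len(self.reports[net]) >= self.threshold and net not in self.blocked:
            self.blocked[net] = now
        return net in self.blocked

    def expire(self, now):
        """Drop range blocks older than ttl; the space may have been reallocated."""
        stale = [n for n, t in self.blocked.items() if now - t >= self.ttl]
        for n in stale:
            del self.blocked[n]
            self.reports.pop(n, None)
        return stale

    def is_blocked(self, ip, now):
        self.expire(now)
        net = allocation_for(ip)
        return net is not None and net in self.blocked
```

Blocks keyed on the allocated prefix rather than on individual addresses keep the list short, and the expiry step is what prevents the stale-entry problem the comment above describes.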
Re:Easier to block? (Score:3, Insightful)
There is no cabal