I thought y'all might be interested to hear that yet another DNS blacklist
has been taken down out of fear of the DDoS attacks that took down
Osirusoft, Monkeys.com, and the OpenRBL. Blackholes.compu.net suffered a
joe-job earlier this week. Apparently the joe-jobbing was enough to
convince some extremely ignorant mail admins that Compu.net is spamming
and blocked mail from compu.net. Compu.net has also seen the effects of
DDoS attacks on other DNS blacklist maintainers. They've decided that the
risk to their actual business is too great and they are pulling the plug
on their DNS blacklist before they come under the gun by spammers.
Ron Guilmette, maintainer of the Monkeys.com blacklists has posted a
farewell from Monkeys.com to news.admin.net-abuse.email. Ron cites the
total lack of interest in the attacks by both big network providers and
law enforcement authorities as the ultimate reason he's pulling the plug.
It's truly a sad day for spam fighters everywhere.
So, my question for NANOG is how does one go about attracting the
attention of law enforcement when your network is under attack? How does
the target of such an attack get a large network provider whose customers
are part of the attack to pay attention? Is media attention the only way
to pressure a response from either group? These DDoS attacks have
received some attention in mainstream media:
Apparently it hasn't been enough. Legal remedies take too long and are
cost prohibitive (unless you're the DoJ). Subpoenas and civil lawsuits
take months if not years. Relief is needed in days if not hours.
In a message written on Wed, Sep 24, 2003 at 11:28:39AM -0500, Justin Shore wrote:
> So, my question for NANOG is how does one go about attracting the
> attention of law enforcement when your network is under attack? How does
> the target of such an attack get a large network provider whose customers
> are part of the attack to pay attention? Is media attention the only way
> to pressure a response from either group? These DDoS attacks have
> received some attention in mainstream media:
People will pay attention as soon as there is money in black lists.
ISPs are businesses. If losing the customer is cheaper than helping
them far too many will choose to lose the customer. Many black
lists don't pay the ISP at all, indeed they are offered as free
services for the good of the community. As a result they get the
response that any freeloader would, none.
For better or for worse you get to vote with your dollars, which
really means no dollars, no vote, no support.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
RBLs sound like a great application for P2P.
Perhaps, but it also seems like moving an RBL onto a P2P network would
make poisoning the RBL far too easy...
> joe-job earlier this week. Apparently the joe-jobbing was enough to
> convince some extremely ignorant mail admins that Compu.net is spamming
> and blocked mail from compu.net. Compu.net has also seen the effects of
Speaking of joe-jobs, what's the "proper" procedure for dealing with
such? The company I work for is currently undergoing an admittedly minor
joe-job (about 300 or so bounces that I've seen since the middle of last
week or so).
Any suggestions for dealing with this?
A current count and list of last-source IPs so far are listed below:
That's what I was getting ready to suggest. As it stands now we have at
least somewhat of an assurance that the zone we're working with isn't
tainted. I only use DNSBLs that offer zone transfers. I only get an AXFR
from authorized NSs for that DNSBL. Assuming that NS hasn't been
compromised I feel fairly safe in assuming that the data I'm getting is
valid. It might not be but I feel that it is. If a P2P system was
devised for distributing RBL zones then some form of validation for the
distributed zones will have to be created. That would most likely involve
a central server. Now you have a server to DDoS again. *sigh* We should
just educate spammers with clue-by-fours and make the world a better
place.
Basically it's spoofing the source of spam so as to appear to come from
an innocent person. I've been on the receiving end of it a couple of
times. Basically the innocent person gets flooded with bounces from
poorly written MTAs and anti-spam scripts. Think email-based virus
bounces. You didn't send the virus; you aren't even infected. However
some machine somewhere is infected and spoofed your address as source of
the infected email. You of course end up with the bounce and
blame from uneducated people for being infected (which again you are not).
Hmm, probably something that isn't going to happen now that all domains are valid
a la Verisign.
It's when spammers take your domain name and use it as their from address; it
*used* to get around sender verify in SMTP, which a lot of SMTP servers
implement.
Basically, if you're being joe-jobbed you will get the bounce messages from all
the email addresses the spammers are sending to that don't exist.
The one that they're doing on my own domain, which I mentioned on list some
months ago, is still going strong with many MBs of bounces per day. I think it's
fair to say there is very little you can do, as tracking the source is almost
impossible.
Web of trust, yada yada. Still distributed, still resilient.
And/Or, encrypt the zones/updates.
Admittedly this is all off-the-cuff and I haven't given it much
thought (scalability and performance issues immediately come to mind),
but it might be an interesting enough problem to sit down and
research/think about at some point. It certainly would be interesting to
find some more "substantially non-infringing" uses for P2P.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
It has been mentioned in other places on the net (OK, yammerings on Slashdot, but this made a bit of sense) that blacklisting is a perfect P2P application.
Each mailserver could keep a cryptographically verified list, the list is distributed via some P2P mechanism, and DoS directed at the 'source' of the service only interrupts updates, and only does so until the source slips an updated copy of the list to a few peers, and then the update spreads. Spam is an economic activity and they won't DoS a source if they know it won't help their situation.
I'm not an expert in DNS, email server configuration, or routing, but it seems to me that the whole thing requires a distributed solution to harden it against spammers, and that the logical place for this is the SMTP daemon itself, possibly coupled with some global registry that sells digital certs for a reasonable annual fee, much how domain names are handled now (Verisign excluded, of course).
That depends on how detailed the bounce is, to an extent. Many of the
bounces actually contain a complete copy of the message that generated the
bounce. I.e., the full spam and nothing but the spam. From that you can
find the original source IP. Of course that source IP may very well be an
open proxy. You're screwed if that's the case. However since you have a
complete copy of the spam you can still follow the money trail. Spammers
have to get their money somehow. The actual spam will give you many
places to start. Of course once you have that you still have to convince
a provider to take action against their customer.
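The tracing step described above, worked through as an added example (this is not code from any poster in this thread). It takes RFC 3464 delivery status notifications, pulls the full copy of the spam out of the message/rfc822 part, and reads the injecting IP from the Received chain. It also tallies bounces per injecting IP, the kind of "current count and list of last-source IPs" asked about earlier in the thread. The two bounces are constructed samples on documentation address space, not real traffic; the second one carries a forged Received line of the sort spammers prepend, which is why the code trusts only the line stamped by the DSN's Reporting-MTA and treats the bottom-most line as a fallback hint. The reporting MTA's Received line is reliable only because it is the bounce generator's own record of who handed it the message; anything beneath it is the spammer's to write.

```python
"""Pull the injecting IP of a joe-jobbed spam out of the bounce that carried it back."""
import email
import ipaddress
import re
from collections import Counter
from email import policy

# Constructed sample bounces (not real traffic): multipart/report DSNs whose
# message/rfc822 part carries the full spam. Addresses are RFC 5737 test nets.
BOUNCE_PLAIN = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.net; delivery failed.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from victim.example.org (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with SMTP id 1A2B3C; Wed, 24 Sep 2003 09:59:58 -0500
From: victim@example.org
To: nobody@example.net
Subject: Make money fast

Buy now.

--B1--
"""

# Same injector, but the spammer prepended a fake hop that blames 198.51.100.7.
BOUNCE_FORGED = BOUNCE_PLAIN.replace(
    "Received: from victim.example.org (unknown [203.0.113.45])",
    "Received: from victim.example.org (unknown [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with SMTP id 4D5E6F; Wed, 24 Sep 2003 11:02:10 -0500\n"
    "Received: from innocent.example.org (innocent.example.org [198.51.100.7])\n"
    "\tby victim.example.org with SMTP id fake; Wed, 24 Sep 2003 11:01:00 -0500\n"
    "X-Note: the line above this one is forged",
    1,
)

RECEIVED_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _header_text(value):
    """Flatten a possibly folded header value to one line."""
    return re.sub(r"\s+", " ", str(value)).strip()


def reporting_mta(bounce):
    """Host that generated the DSN, from its message/delivery-status part (None if absent)."""
    for part in bounce.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one Message per header block
                if block["Reporting-MTA"]:
                    # "dns; mx.example.net" -> "mx.example.net"
                    return _header_text(block["Reporting-MTA"]).split(";")[-1].strip().lower()
    return None


def embedded_original(bounce):
    """The full copy of the bounced message, if the DSN included one."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def injecting_ip(raw_bounce):
    """IP that handed the spam to the bouncing MTA, or None if it cannot be read."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return None
    hops = []  # (by-host, from-ip) pairs, newest hop first, as Received headers are prepended
    for header in original.get_all("Received", []):
        m = RECEIVED_RE.search(_header_text(header))
        ip = IPV4_RE.search(m.group("from")) if m else None
        if not ip:
            continue
        try:
            ipaddress.IPv4Address(ip.group(1))
        except ValueError:
            continue
        hops.append((m.group("by").lower().rstrip("."), ip.group(1)))
    # Only the hop stamped by the MTA that generated the bounce is trustworthy;
    # everything older was written by whoever injected the message.
    trusted = reporting_mta(bounce)
    for by_host, ip in hops:
        if trusted and by_host == trusted:
            return ip
    return hops[-1][1] if hops else None  # fallback: oldest line, treat as a hint only


def tally_sources(raw_bounces):
    """Count bounces per injecting IP across a pile of DSNs."""
    return Counter(ip for ip in map(injecting_ip, raw_bounces) if ip)


if __name__ == "__main__":
    print(tally_sources([BOUNCE_PLAIN, BOUNCE_FORGED]))
```

On real bounces the interesting cases are the ones where the injecting IP turns out to be an open proxy or a dial-up pool, which is why the post above moves on to following the money in the spam body instead.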
With the possible exception of the new California law, I've yet to see any case in which the benefit from nailing a spammer (in terms of damages, or even reduced attacks) comes even close to covering the amount of time it took to find and pursue them. I doubt even the big ISPs recover their cost--their goal seems to be deterrence. However I'd be happy to donate somewhere.com's bogus inbound traffic (we bounced ten million messages last year, definitely looking at more than twenty million this year) to the cause.
There is a pretty secure P2P system (Groove) that was developed by Ray
Ozzie. Focus is on security on the wire, on the box, everywhere with
serious authentication - Diffie-Hellman exchanges and all the right
security toys. Admittedly when I run it at home the lights in the
neighborhood dim.
I am wondering, though if there might be a way to use its kind of
services for some behind the scenes secure discovery - removing the
hackability of most of the P2P systems.
No, I don't know how it scales, or what its throughput and licensing
limitations are.
I just heard P2P and immediately went outside the box.