Avalanche botnet takedown

The Internet, viewed as an organism, quite clearly has, at present,
numerous autoimmune diseases. It is attacking itself. And its immune
system, such as it is, clearly ain't working. There's going to come
a day of reckoning when it will no longer be possible to paper over
this sad and self-evident fact. (And no, I'm *not* talking about
the fabled "Digital Pearl Harbor". I'm talking instead about the
Internet equivalent of the meteor that wiped out the dinosaurs.)

We need a cost effective and performant way of blocking botnet traffic in SP networks. Fact is the only way to enforce network policy is from within the network. Laws, putting the onus on users, notifying infected users, etc. will never work. We can't expect to solve them all, but at least make it more difficult by a large margin to run these things. For example, blacklisting domains where spam is coming from doesn't stop the problem, but it does help in a big way.

Over 800k domains, but I bet they were not using nearly that many IPs. It would be nice to take info from various honeypots about CNC servers and just blackhole those IPs in one way or another very quickly. I don't want to suggest a method of doing this, just an idea to play around with.

In message <20161201124527.9BE453FD@m0087798.ppops.net>,
surfer@mauigateway.com wrote:

What is your suggestion to keep the sky from falling?

My full answer, if fully elaborated, would bore you and everybody else
to tears, so I'll try to give you an abbreviated version.

It seems to me that it comes down to three things... acceptance, leadership,
and new thinking.

Acceptance
  We, the people of this planet, including end users, small ISPs,
  big ISPs, Tier-1 providers, ICANN, and all of the dangling tentacles
  that derive their authority and power therefrom, law enforcement
  globally, and judicial systems globally, have to begin by accepting
  the undeniable reality that traditional law enforcement and judicial
  processes have already been utterly overwhelmed by the new phenomenon
  of international cybercrime, *and*, more importantly, that they always
  will be. If a teenager can hack your bank account in ten minutes,
  but it takes three years to bring him to trial, after which he
  gets a slap on the wrist and probation... well... any idiot can
  see that this is an ongoing recipe for disaster on a grand scale.
  (And in a way, announcements like the one today about a small
  handful of Internet criminals being busted are actually a bad
  thing, because they only serve to perpetuate this comforting but
  incredibly incorrect mass delusion that traditional law enforcement
  has the new world of cyberspace well in hand. They don't, and never
  will. And in fact they are just falling further and further behind
  with each passing year.)

Leadership
  This has to come from the folks at the top of the food chain, the
  Tier-1 providers, and sadly, they have become like the banks...
  everybody hates them, but we all know that we can't live without
  them, and they are free to make money hand over fist while showing
  no signs of accountability whatsoever. (And don't kid yourself
  that there is anything even remotely like independence in any of
  the bits and pieces, starting from ICANN on down, that currently
  pass for what is laughingly called "Internet Governance". All of
  these structures take their cue, and their marching orders, from
  the Internet industry, and the industry, such as it is, can't change
  a damn thing without buy-in from the Tier-1 providers.)

  Unfortunately, in this just-past election, one party's Presidential
  candidate was criticized for being "too close to the banks", in
  particular, Goldman Sachs, and the other one has just selected a
  former Goldman Sachs banker pal of his to run the treasury
  department in the new administration. This shows that without a
  massive sea change in the level of anger among the general populace,
  nothing will change, ever. And so it is also with the Internet
  industry. End users and consumers need to wake up and start actively
  demanding that the industry grow up, grow a pair, and stop just
  sitting idly by while the current ongoing hacking free-for-all
  claims new victims every goddamn day. When and if that ever happens,
  perhaps one or more CEOs of Tier-1 providers will finally wake up,
  smell the coffee, and understand that over a time horizon longer than
  this coming quarter, they need to start showing some leadership,
  and help guide the whole industry towards a better and safer future.

New Thinking
  Even military men have, for some time now, been calling cyberspace
  "a new domain of battle, like air, land, sea, and space". Why then
  do our law enforcement and judicial systems, worldwide, fail to
  also and likewise accept and begin to deal with this new reality?

  Everywhere on earth, law enforcement, judicial systems, and
  governments are, by and large, still trying to pretend that
  cybercrime is strictly a local matter. It isn't, and hasn't
  been, for about 30 years now.

  Internationalized legal structures are hard to assemble, but they
  are hardly without precedent. Why should there not be an
  international Internet equivalent of the "Law of the Sea"?

  It is quite common for cybercrimes to cross national borders, and yet
  I personally have so far never heard of a single instance in which
  any cybercriminal has been brought before the International Criminal
  Court in the Hague to stand trial. Why not? Russia and China may
  (and indeed do) seem to have more than a little reluctance to allow
  extradition of their cybercriminals to the U.S. to stand trial. OK
  then. What will be their excuse if we instead say that such defendants
  should be rendered unto, and be brought before the bar in The Hague?

  Are ISPs, by and large, so absolutely desperate for new clients that
  they absolutely and positively MUST sell connectivity to any homo
  sapiens who can successfully fog a mirror? If I go to my local
  cable TV provider and I ask them to give me new service, but also
  tell them that I *do not* want to first give them a big fat "security
  deposit", they will say "Ok. No problem. Just give us a minute
  while we check your credit rating." If that comes back green, then
  they give me service... no big deposit required. On the other hand
  if it comes back orange or red, then I have to pony up a big deposit...
  which, depending on my behavior, I might not ever get back... before
  they will sell me service.

  Contrast this to Internet service. If you reach out and hack my
  router, and if I am on the ball, I can and will report you to your
  (current) ISP, giving the exact date and time of the incident and your
  IP address. In the rare circumstance where (a) this is not your
  first offense while on your current ISP and also (b) your ISP is
  below-average greedy and (c) your ISP is below-average incompetent
  and (d) your current ISP is below-average irresponsible, then you
  -may-... I stress -may-... actually lose your current connectivity.
  But even in that very rare case, of course, you can just waltz down
  the street, the same day, to the next convenient ISP and start all
  over again, barely missing a beat.

  So, when is this industry going to grow up, realize that creative
  individuals, given a single DHCP connection, even perhaps one with
  relatively low bandwidth, can get on and cause $tens of millions of
  dollars worth of either theft or damage? When is the industry going
  to start admitting to itself that individual end-lusers can be
  dangerous, sometimes even to the tune of $tens of millions of dollars?
  In short, when is this industry going to start vetting people, at
  least a little bit, before giving out connectivity to any Tom, Dick,
  or Harry who shows up on the doorstep with five dollars burning a
  hole in his pocket? Where is the equivalent of the "credit rating"
  for Internet users? If I'm running a mom-n-pop ISP, where do I go
  if I want to find out whether or not this unsavory-looking individual
  who slept in my doorway last night is or isn't a guy who has already
  been tossed off his prior two ISPs for gross misbehavior?

  Maybe it's time for the industry to create a registry of such people.
  (And don't hand me all of that bleeding heart crap about personal
  privacy, government surveillance, etc. etc. etc. You'll only serve
  to make it evident to all that you're in the same camp with the
  wacko Second Amendment wingnuts and/or the equally wacko Ayn Rand
  extremist devotees. Time to grow up and realize that if you want
  to participate in, and obtain benefit from, a civilized society,
  then society has a fair right to ask you to give up a little bit of
  something in return. That's the bargain. Take it or leave it. If
  you don't like it, then get the flock off the Internet and go live
  in a cave someplace. And don't let the door hit you in the ass on
  your way out. You will not be missed. And besides all of that,
  you're probably carrying around five credit cards in your wallet as
  we speak. So it's more than a little disingenuous for you to whine
  about personal privacy as you are checking your credit score five
  times a day.)

Believe it or not, -that- is the -short- version of my solution to the
Internet's problem(s).