Black Frog - the botnets keep coming

http://news.google.com/news?q=black+frog

How do we make this folly stop? Now that these kids showed up with the
Blue Security business plan plus a non-working anti-DDoS idea (P2P), how
long until the other 10 kiddies thinking about it show up?

Who decides who these botnets attack, regardless of the ddos's being
harmful and regardless of them being useless against spammers?

  Gadi.

* Gadi Evron:

http://news.google.com/news?q=black+frog

How do we make this folly stop?

Ignore it? It's an inactive Sourceforge project (with some Google
forums attached), and news reports seem to be based on a Slashdot
diary entry announcing it:

  Spy der Mann - Slashdot User

There are far more dangerous Sourceforge projects out there. 8-/

* Gadi Evron:

> http://news.google.com/news?q=black+frog
>
> How do we make this folly stop?

Ignore it? It's an inactive Sourceforge project (with some Google
forums attached), and news reports seem to be based on a Slashdot
diary entry announcing it:

Ignoring is the high-road. How long are we going to cry about the Internet
being a battle-ground, the wild west, or whatever else if we legitimize
DDoS?

Sometimes being quiet is not going to win the war. There will be other
Blue Frogs.

* ge@linuxbox.org (Gadi Evron) [Thu 25 May 2006, 12:38 CEST]:

Sometimes being quiet is not going to win the war.

It would behoove you, however, to not cry wolf so often.

  -- Niels.

Maybe it would behoove network operators to not encourage kids to build distributed botnet systems[1] in the name of vigilante justice:
  http://www.legrice.net/Okopipi/OkopipiNetworkFlow.jpg
  http://www.legrice.net/Okopipi/OkopipiBasicSystemOverview.jpg

Blue Security shouldn't be glorified for what they did, they should be nailed for DoS'ing SixApart.

-david

1: Granted, based on those pictures, we might not have a lot to worry about... :wink:

* ge@linuxbox.org (Gadi Evron) [Thu 25 May 2006, 12:38 CEST]:
>Sometimes being quiet is not going to win the war.

It would behoove you, however, to not cry wolf so often.

The fact that you believe that I cry wolf, shows just how sad the
situation really is.

Half a million new bots a day isn't that high of a number, I suppose.

How long before ecommerce becomes impractical? :slight_smile: Far from relevant to
NANOG. Or is it?

DNS being abused like there is no tomorrow on the operational level (not
infrastructure level) and no one (almost) even noticing is obviously not
operational.

The Internet is not going to die tomorrow, but I care more about it as an
inter network than any one network connected to it, which is the job of
most people here.

We are all techs, but the decision whether, for example, to block ports at
ISPs to stop worms isn't going to be a tech decision, much like,
hypocritically, ISPs these days block streaming media or P2P for extra cash.
It's a business decision that will eventually save or kill the Internet, and
to be honest, I see nothing wrong with it.

I just am happy there are some people who hold back the tide of the war we
already lost, before governments catch up.

  Gadi.

Gadi, one of the main issues that people take regarding this is that it
seems as though whenever we turn around, you're starting another "OMG! THE
INTERNUT IS COMING TO AN END!!!!OMGNO!"

And you get some people jumping around, and some people get all in a
frenzy over whatever the perceived issue is. The rest of us just slap our
heads, roll our eyes and go "Oh, great, here goes Gadi on another rant..."

Many people in the internet security world, sorry to say, now have a hard
time believing what you are saying, and believing whatever you believe.
The credibility is just not there any more. It's slipping away, because
there are only so many times someone can cry "FIRE!" in a crowded theater
before people stop believing you. Unfortunately, that _is_ starting to
happen.

It really seems as though every time we turn around, you're crying wolf again, and it's basically getting old.

Sometimes being quiet is not going to win the war.

It would behoove you, however, to not cry wolf so often.

The fact that you believe that I cry wolf, shows just how sad the
situation really is.

I would say this is more of a sign of what is going on. People are starting to NOT believe you. Perhaps it is you who should change what is being said, and how you are saying it.

How long before ecommerce becomes impractical? :slight_smile: Far from relevant to
NANOG. Or is it?

What makes you believe that e-commerce is becoming impractical? Are there that many attacks against those companies? If so, then why has the press not picked it up? The DoS against SixApart hardly made the conventional (BBC, CNN, etc) news.

DNS being abused like there is no tomorrow on the operational level (not
infrastructure level) and no one (almost) even noticing is obviously not
operational.

  I run my own publicly accessible DNS servers, and they aren't being abused. You're making it sound like all DNS servers everywhere are being abused, and that we should all stop using DNS.

We are all techs, but the decision whether, for example, to block ports at
ISPs to stop worms isn't going to be a tech decision, much like,
hypocritically, ISPs these days block streaming media or P2P for extra cash.
It's a business decision that will eventually save or kill the Internet, and
to be honest, I see nothing wrong with it.

In other words, it seems as though you are for blocking of traffic, and making the internet just another Government-mandated and Gov't-regulated environment? It seems as though that goes against Postel's ideals.

From my perspective, you just want to create a big huge firewall, where nothing is allowed, and everything is scrutinized. That's not what the internet is all about. That's not what it was created for. It seems as though we should perhaps no longer call it the "Big Firewall of China", but perhaps, the "Big Firewall of Gadi".

I just am happy there are some people who hold back the tide of the war we
already lost, before governments catch up.

Even though you are losing credibility amongst your colleagues around the world?

This isn't meant to be a personal attack against you Gadi, but a wake up call to not change your tune, but to perhaps start singing a different song...the song that actually gets things done. Stop fighting with network operators, and start working with them. That tends to get things done more quickly, and also does not burn your bridges (and credibility) in the process.

I think some of the ideas you have are very good, and others not so good. Either way, you have a good start.

Gadi, I'm not saying to stop doing what you are doing, but perhaps to change around how you go about doing what you are doing, and to stop alienating so many of your other colleagues. Instead of working against groups like nsp-sec and NANOG, start working with them. If you can't get vetted, then work towards getting vetted. Work towards repairing the bridges. Quite a bit of what people see is perception, and right now the perception is one of more of a "panic monkey", rather than a calm, logical, "We should really do this, or else bad stuff like example 1, 2, and 3, can happen, and here's the reasoning behind it." Being calm, logical, and working with other network operators tends to get things done more quickly.

NANOG mods, if I am out of line, I apologize, but I feel as though this needs to be said. I am not trying to do a character assassination, just voice my opinion on the latest network issue. If you have issue with it, please send me an email off list, and we can discuss.

Thanks,

-Eric

Personally as a manager I want to know the problem and
then the workable solution. I just don't see that many
bot nets happening anymore.

From my vantage point I do see students writing bot
nets more for programming skills than for malicious
attacks.

With several hundred million people and computers on
the inter network, there will always be an aberration,
caused by some social or mental or emotional defect.

Workable technical solutions, not new laws or rants
will make these issues, less of an issue operationally
in the long run.

-Henry

--- Eric White hill <Eric@bot bay.net> wrote:

Personally as a manager I want to know the problem and
then the workable solution. I just don't see that many
bot nets happening anymore.

From my vantage point I do see students writing bot
nets more for programming skills than for malicious
attacks.

With several hundred million people and computers on
the inter network, there will always be an aberration,
caused by some social or mental or emotional defect.

Workable technical solutions, not new laws or rants
will make these issues, less of an issue operationally
in the long run.

Hello Henry, I quite agree. However, as far as I see the Internet is no
longer the altruistic friendly place it was built to be, and technical
solutions are either 10 years late or dependent on who implements them.

Do I want to see the government(s) meddle with the Internet? No. Is it
going to happen? Yes, although I wish for it not to, as I am not sure what
effect that will have.

What alternative do you see?

As to botnets, the numbers, unfortunately, speak for themselves.

Half a million new bots a day (give or take a few hundred thousand), which
is really not a relevant number in my opinion.

I'm just happy there are communities such as NANOG out there, but when it
comes down to it, the Good online is based on good faith. The Bad is based
on cold Cash. Some lose as much as a million dollars a day on phishing, as
an example.

  Gadi.

Citation on the $1M/day, please? (I'm sure the *aggregate* take is well
over that, but what *single entity* is seeing that magnitude losses?)

Although we all see lots of attempts at phishing and it gets lots of press coverage, it is very small compared to regular credit card and bank fraud which happens all the time. According to a study which I recently read (I wish I could remember where) phishing accounts for less than 1-2% of all banking and credit card fraud in the US.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

Henry Linneweh wrote:

Personally as a manager I want to know the problem and
then the workable solution. I just don't see that many
bot nets happening anymore.

From my vantage point I do see students writing bot
nets more for programming skills than for malicious
attacks.

With several hundred million people and computers on
the inter network, there will always be an aberration,
caused by some social or mental or emotional defect.

Workable technical solutions, not new laws or rants
will make these issues, less of an issue operationally
in the long run.

-Henry

<snip>

Gadi asked if I have any botnets from DA's list on SBC.

Indeed, I have three suspect C&Cs on SBC and six more on ATT which
I will be happy to share with you off list.

Randy

You can quote me.

Phishing in the US is by far less sophisticated than, for example, in
Europe. There the banks are a bit more sophisticated as well in defensive
tech.

I hate for this to be a quote by me, but Super Worms which steal credit
card, account data, login info. etc. for banks, credit card companies and
ecommerce sites online number at the millions a day. Including repeat
customers.

As to single banks, forget my numbers for a second, I am willing to accept
yours for the sake of argument (we can argue digits over the phone). A
million in losses a day is enough.

  Gadi.

According to you, 500,000 bots a day and $1,000,000 in losses a day; so
there is about 50 cents of potential savings per bot to pay for fixing
those computers.

How much does it cost to repair the average compromised computer? For
some people its cheaper to buy a new computer than to fix the old one.

I don't believe most of the numbers published, but lets use some other
people's numbers. One consulting firm estimates $2 Billion in losses a
year. That results in less than $10 of savings per new bot (assuming
500,000/day) to fix the computers. If there are even more bots, the
numbers just get worse.

For comparison, Cardweb's estimate of credit card fraud is about $14
Billion in 2004. Merchants are hit with about 90% of credit card fraud,
and banks about 10%. CFCA's estimate for telecommunications fraud is
about $55-60 Billion in 2003.

Regardless of the numbers, I think we are currently stuck in a very
nasty spot:

  1. Reduce the cost of fixing/protecting a computer
  2. or increase the losses from compromised computers

Either way, the consumer will eventually end up paying for it.

Systems eventually get replaced (including home ones), so to keep up
the bot numbers new systems need to be just as insecure and infectable as
old ones. If new systems were 100% protected, the number of bots should in
theory start to decrease at a rate opposite, or close, to the rate of
infection. That it does not happen means that either:
  1. New systems are still badly engineered as far as security
   or
  2. The infections are not as much product of bad system security
     design as it is result of social engineering schemes that
     certain percent of users are vulnerable to

Indeed, but even worse. The problem is moving to the user side.

Regular type "fake site" phishing is going to be with us for a long time
yet, but several of the organized crime groups involved are hard at work
releasing Trojan horses using rootkit technology daily, which basically
steal your credentials to every HTTPS site you enter, and report home.

How do banks, ISPs, or whoever else defend from the problem moving to the
user side? That is a very interesting question indeed. :slight_smile:

  Gadi.

Gadi Evron wrote:

[...]

Regular type "fake site" phishing is going to be with us for a long time
yet, but several of the organized crime groups involved are hard at work
releasing Trojan horses using rootkit technology daily, which basically
steal your credentials to every HTTPS site you enter, and report home.

How do banks, ISPs, or whoever else defend from the problem moving to the
user side? That is a very interesting question indeed. :slight_smile:

Over here some banks issue customers a password token device that uses a combination of your card, a number sent by the web site and a PIN to generate a one-time password. It seems a reasonable system, and isn't really new technology. However, while bank web site security may be on-topic for other lists I suspect it's wandering off-topic for NANOG.

Regards,
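The card-plus-challenge-plus-PIN token described in the post above, worked through as an added example (this is not code from the thread, from any bank, or from the Blue Frog/Okopipi projects). It assumes a 16-byte card secret shared with the bank, an 8-digit challenge sent by the site, and a 6-digit response computed as an HOTP-style truncation (RFC 4226) of HMAC-SHA1 over that challenge, with the PIN folded into the key; the names `Bank`, `token_response` and `run_scenarios` are this example's own. It runs a normal login, two replay attempts, and a real-time relay, the last being exactly the "problem moving to the user side" raised earlier in the thread.

```python
"""Challenge/response one-time-password login, modelled on the bank token
described in the post above.

Added example; not code from the thread or from any bank. Assumptions:
the card holds a 16-byte secret shared with the bank; the token mixes in the
user's PIN; the site sends an 8-digit challenge; the displayed code is a
6-digit HOTP-style truncation (RFC 4226) of HMAC-SHA1 over the challenge.
"""
from __future__ import annotations

import hashlib
import hmac
import itertools
import secrets

OTP_DIGITS = 6
CHALLENGE_DIGITS = 8


def derive_token_key(card_secret: bytes, pin: str) -> bytes:
    """Key the token actually uses: card secret bound to the PIN.

    Assumption: the bank stores this derived key at enrollment, so neither
    the raw card secret nor the PIN has to live in the server database.
    """
    return hmac.new(card_secret, pin.encode("utf-8"), hashlib.sha256).digest()


def dynamic_truncate(mac: bytes, digits: int = OTP_DIGITS) -> str:
    """HOTP dynamic truncation (RFC 4226, section 5.3): 31-bit window -> digits."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def token_response(token_key: bytes, challenge: str) -> str:
    """What the hand-held token displays for a given site challenge."""
    mac = hmac.new(token_key, challenge.encode("ascii"), hashlib.sha1).digest()
    return dynamic_truncate(mac)


class Bank:
    """Server side: hands out single-use challenges, checks responses."""

    def __init__(self, challenge_source=None) -> None:
        self._keys = {}      # user -> derived token key
        self._pending = {}   # user -> outstanding challenge (one at a time)
        self._new_challenge = challenge_source or (
            lambda: str(secrets.randbelow(10 ** CHALLENGE_DIGITS)).zfill(CHALLENGE_DIGITS))

    def enroll(self, user: str, card_secret: bytes, pin: str) -> None:
        self._keys[user] = derive_token_key(card_secret, pin)

    def login_challenge(self, user: str) -> str:
        challenge = self._new_challenge()
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)   # consumed whether or not it matches
        if challenge is None or user not in self._keys:
            return False
        expected = token_response(self._keys[user], challenge)
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Legitimate login, two replay attempts, and a real-time relay."""
    counter = itertools.count(1)
    # Constructed: sequential challenges so the run is reproducible; the
    # default above draws them at random.
    bank = Bank(lambda: str(next(counter)).zfill(CHALLENGE_DIGITS))
    card_secret = bytes(range(16))  # constructed sample card secret
    bank.enroll("alice", card_secret, "4931")
    token_key = derive_token_key(card_secret, "4931")  # token state after PIN entry

    # 1. Normal login: site sends challenge, user types the token's answer.
    c1 = bank.login_challenge("alice")
    r1 = token_response(token_key, c1)
    legit = bank.verify("alice", r1)

    # 2a. A keylogger captured r1; re-submitting it to the same session fails
    #     because the challenge was consumed on first use.
    replay_same = bank.verify("alice", r1)

    # 2b. The attacker opens a new session and replays r1: fresh challenge,
    #     so the old code does not verify.
    bank.login_challenge("alice")
    replay_new = bank.verify("alice", r1)

    # 3. Real-time relay: a trojan on the user's PC starts its own session,
    #    shows the bank's challenge to the user, and forwards the code the
    #    user's token produces. Nothing in the OTP binds it to the user's
    #    session or to a transaction, so the bank accepts it.
    c3 = bank.login_challenge("alice")
    relay = bank.verify("alice", token_response(token_key, c3))

    return {"legit": legit, "replay_same_session": replay_same,
            "replay_new_session": replay_new, "relay": relay}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:>20}: {'accepted' if ok else 'rejected'}")
```

The server-chosen challenge is what makes each code single-use, which is why both replays are rejected even though the attacker holds a valid code. The relay scenario passes because the token signs only the challenge: a trojan that sits on the user's machine and forwards challenge and response in real time gets a valid login, so a token of this shape stops credential reuse but not a live man-in-the-browser. Binding the response to transaction details (amount, payee) is the usual next step, and is outside what the post describes.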

* Gadi Evron:

Ignoring is the high-road. How long are we going to cry about the
Internet being a battle-ground, the wild west, or whatever else if
we legitimize DDoS?

The project needs to gather supporters before they can do any real
damage. Reports exposing their nefarious practices are probably the
best kind of publicity they can get.

The Internet IS a wild west. You should live with it. It will never be a _quiet,
dead American residential area, where dogs do not bark and kids do not
play by themselves on the street at the age of 8 (normal dogs bark, and normal kids
often play by themselves when they are 8)_.

It is the whole WORLD, not one country.

So, we must live with it, and not hope that it will have numerous _speeding
tickets_ and _police officers_ (90% of people live every day making
their own decisions and protecting themselves).

It is, in fact, a very effective way to stop spammers. But it definitely
became a dangerous DDoS service. So, learn how to live with it; it's the
only choice. (Make sure that no single protocol or botnet can kill the
whole network or deplete all resources, for example.)