short Botnet list and Cashing in on DoS

Most ISP's truly don't want this as their own problem. I personally
don't blame them. Luckily the ISP I work for has no home users.

Most ISP's wouldn't have to deal with this problem if corporations took
the time to release better products. I was faced with the question of
"What do you do for infected clients?" What can an ISP do? Most of the
time ISP's become the de facto MS technical support team and it is rather
unfair and costly to have technical support staff on the phone constantly
putting out MS' fires. They are left with the prospect of losing clients
when the client is told "It's an MS problem, you have to contact MS", yet
they've called MS and spoken with someone likely in another country who has
no clue, called Dell and spoken with yet another clueless person, and all
they wanted to do was surf the net. What do you tell a client when they
start stating "Well then I want to cancel my service" because they don't
understand, and won't care to since they're frustrated? Sure, take a hit
with one client cancelling an account, but what happens when it grows?

As for the prior responses of "You will get DoS'ed", this I am aware of.
Problems that concerned me were more of the tracking issues, coupled with
the fact that there would be no guarantee that admins would do anything
about it. Take the case of that one Californian who hijacked a /16 a while
back, I believe from a county over there. Admins like this are liable to
sit back and do nothing since along the line someone is going to be paying
money for the traffic. It is rather sad, and worse when you contact their
upstream and they too do little. Consider (and I will keep mentioning
this since it bugs me) EV1, Everybody's Internet. Not only do they host
some botnets, malware spewing servers, spam relays, terrorist-related
sites, their excuse is "Well we don't know who we rent to".

Now I know laws are being worked in along the way, but if you own a home
and rent it out, then it gets sublet, then re-sub'ed, let's say fifty
transactions occurred, you still own the home. If someone down the line is
running drugs out of the apartment, your house is gone.

Yes, there is little that can be done right now, but yet there ARE
things that CAN BE DONE. I'm one that is skeptical about laws since laws
abroad would mean nothing here and vice versa, but where are things
headed? Spend more on infrastructure to support these issues when you
shouldn't have to, or buy bigger equipment to handle filtering when you
shouldn't have to. I say nip it at the bud: if you're an upstream provider
and you see some of these issues, three strikes, shut these things down, or
nullroute them; don't just sit twiddling your thumbs saying "Oh but that won't
help, your idea is silly because foo_x reason." Have something better in
mind? Propose it. I'm sure some of these networks that are getting DoS'ed
out of existence would love to hear them. Hell, some might even pay you to
implement them.

this since it bugs me) EV1, Everybody's Internet. Not only do they host
some botnets, malware spewing servers, spam relays, terrorist-related
sites, their excuse is "Well we don't know who we rent to".

They don't. When you have a few thousand dedicated servers and you can
claim that you know *exactly* what each server is used for, then you can
talk back.

Now I know laws are being worked in along the way, but if you own a home
and rent it out, then it gets sublet, then re-sub'ed, let's say fifty
transactions occurred, you still own the home. If someone down the line is
running drugs out of the apartment, your house is gone.

And these laws (drug forfeiture) are grossly unfair, are used as a revenue
generator by many municipalities, thus increasing pressure on prosecutors
to try to seize as much as they can. Let's not use one bad law as an
excuse to have more.

Yes, there is little that can be done right now, but yet there ARE things
that CAN BE DONE. I'm one that is skeptical about laws since laws abroad
would mean nothing here and vice versa, but where are things headed?
Spend more on infrastructure to support these issues when you shouldn't
have to, or buy bigger equipment to handle filtering when you shouldn't
have to. I say nip it at the bud: if you're an upstream provider and you
see some of these issues, three strikes, shut these things down, or
nullroute them; don't just sit twiddling your thumbs saying "Oh but that won't
help, your idea is silly because foo_x reason." Have something better in
mind? Propose it. I'm sure some of these networks that are getting DoS'ed
out of existence would love to hear them. Hell, some might even pay you
to implement them.

Don't sit twiddling your thumbs coming up with Final Ultimate Solutions to
DDoS Problems (FUSSDP) ideas and refusing to listen to foo_x reasons why
they won't work. Listen and come up with better ideas; we'd love to hear
them. Present them at a BOF at NANOG.

-alex

Most ISP's wouldn't have to deal with this problem if corporations took
the time to release better products. I was faced with the question of
"What do you do for infected clients?" What can an ISP do? Most of the

An ISP doesn't really have to do anything, either. As long as it is not in their financial interest or they are bound to it by law.

Thing is, not everybody even calls tech support.

times ISP's become the de facto MS technical support team and it is rather

[snip]

understand, and won't care to since they're frustrated. Sure take a hit
with one client cancelling an account, what happens when it grows?

You lose. But how much does it cost to hire a few more tech support guys?

But as much as you might invest in tech support, some never even answer abuse mail.

As for the prior responses of "You will get DoS'ed" this I am aware of.

Actually, almost a year ago I heard somebody say: "Protection money? Online?!" Pay us or we will DDoS you?! That's stupid. In real life, if you paid you at least knew that the bad guys:
(1) Really won't trash your place.
(2) Will stop others from trashing your place.

Online, say you paid, so what? They can still DDoS you, and if they won't... who says somebody else won't?

With every kiddie owning so many Cable/DSL ranges... it is plain and simple scary.

this since it bugs me) EV1, Everybody's Internet. Not only do they host
some botnets, malware spewing servers, spam relays, terrorist-related
sites, their excuse is "Well we don't know who we rent to".

[snip]

I don't care if they see it and don't do anything, I'd start with them answering abuse mail.

Yes, there is little that can be done right now, but yet there ARE
things that CAN BE DONE. I'm one that is skeptical about laws since laws
abroad would mean nothing here and vice versa, but where are things

Not necessarily, but yes... there are always countries like North Korea.

headed? Spend more on infrastructure to support these issues when you
shouldn't have to, or buy bigger equipment to handle filtering when you
shouldn't have to. I say nip it at the bud: if you're an upstream provider
and you see some of these issues, three strikes, shut these things down, or
nullroute them; don't just sit twiddling your thumbs saying "Oh but that won't
help, your idea is silly because foo_x reason." Have something better in

[snip]

I truly believe that if the uplinks wanted spam, viruses and the rest of the dirt out of their tubes, they would manage it. Thing is, why should they?
(1) Their clients don't like to be "censored".
(2) It's a headache and a setback, on *all* levels.
(3) Everybody in the food chain pays for bigger tubes.

  Gadi.

Most ISP's wouldn't have to deal with this problem if corporations took
the time to release better products.

The average corporation is in business to make money. Releasing a better
product than is required to enable revenue and deal with competition would
be irresponsible to their shareholders. But let's stay out of that rathole
on this latest trip down this topic.

I was faced with the question of "What do you do for infected clients?"
What can an ISP do?

1. Do BCP38. Have your CFO read SAC004. Implement source address validity
checks. Ensure that the ~50% or more of DDoS packets generated in the world
that has invalid source addresses cannot come from your network -- this will
make botnets made up of your clients less valuable in the ddos-for-hire
world -- in other words, malfeasants will try less hard to create them, and
other malfeasants will pay less to acquire them.

2. Filter aggressively. Run a dark-net, and if one of your customers hits it,
blackhole their /32 for both inbound and outbound traffic, flag their record
in your customer database, and wait for them to call. When they call, give
them a list of anti-virus products for their 'puter, and the phone numbers
(yes, sorry, no web access for them at the moment) of some vendors. This
will cost you some top line revenue, but save your margins.

...
Yes, there is little that can be done right now, but yet there ARE things
that CAN BE DONE. ... I say nip it at the bud: if you're an upstream
provider and you see some of these issues, three strikes, shut these
things down, or nullroute them; don't just sit twiddling your thumbs saying "Oh
but that won't help, your idea is silly because foo_x reason." ...

Yea, verily. This is not an impossible problem for this community; it is
only an impossible problem for any one of us acting totally independently.
And while the solution isn't instant, the tide CAN be turned.
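Points 1 and 2 above, modelled as an added example that is not code from the thread or from any ISP's deployment: BCP38 source-address validation on a customer-facing interface, and a darknet trip-wire that null-routes the offending customer /32 in both directions and flags the customer record. The interface names, prefixes and packet trace are constructed.

```python
# Added example (not from the thread): a minimal model of BCP38 ingress
# filtering plus a darknet trip-wire that blackholes an infected customer.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical customer prefixes assigned behind each access interface.
INTERFACE_PREFIXES = {
    "cust-eth1": [ip_network("203.0.113.0/25")],
    "cust-eth2": [ip_network("203.0.113.128/25"), ip_network("198.51.100.0/24")],
}
# Unallocated space that is routed only so that scanning/worm traffic hitting
# it reveals infected hosts (the "dark-net" of point 2). Constructed value.
DARKNET = ip_network("192.0.2.0/24")


@dataclass
class IngressFilter:
    blackholed: set = field(default_factory=set)   # /32s null-routed both ways
    flagged: dict = field(default_factory=dict)    # customer IP -> reason

    def check(self, iface, src, dst):
        """Verdict for one outbound packet: 'forward', 'drop-bcp38' or 'drop-blackhole'."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # BCP38: the source must belong to a prefix assigned to the ingress
        # interface; a drone spoofing sources for a DDoS fails this check.
        if not any(src_ip in p for p in INTERFACE_PREFIXES.get(iface, [])):
            return "drop-bcp38"
        # A customer that is already null-routed stays null-routed.
        if src_ip in self.blackholed:
            return "drop-blackhole"
        # Nothing legitimate talks to unallocated space: treat the customer as
        # infected, blackhole the /32 and flag the record for the helpdesk.
        if dst_ip in DARKNET:
            self.blackholed.add(src_ip)
            self.flagged[str(src_ip)] = f"darknet hit to {dst_ip}"
            return "drop-blackhole"
        return "forward"

    def inbound_allowed(self, dst):
        """Inbound side of the blackhole: traffic towards a null-routed customer is dropped too."""
        return ip_address(dst) not in self.blackholed


def run_sample():
    """Feed a constructed packet trace through the filter; return verdicts and filter state."""
    f = IngressFilter()
    trace = [
        ("cust-eth1", "203.0.113.10", "198.51.100.5"),   # ordinary customer traffic
        ("cust-eth1", "10.99.0.7", "198.51.100.5"),      # spoofed source: BCP38 drop
        ("cust-eth2", "203.0.113.10", "198.51.100.5"),   # source not valid on that interface
        ("cust-eth1", "203.0.113.20", "192.0.2.77"),     # scans the darknet: gets blackholed
        ("cust-eth1", "203.0.113.20", "198.51.100.5"),   # same host afterwards: still dropped
    ]
    return [f.check(*pkt) for pkt in trace], f


if __name__ == "__main__":
    verdicts, state = run_sample()
    print(verdicts, state.flagged)
```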

Yea, verily. This is not an impossible problem for this community; it is
only an impossible problem for any one of us acting totally independently.
And while the solution isn't instant, the tide CAN be turned.

Problem is, we are fighting a war we already lost. It's put out a fire here and there, and break a wave while you're at it.

How about seeing some simple measures such as blocking outgoing port 25 at ISP's? Not a perfect solution, but it's a partial solution for some of the problems. Combined with other solutions we could start seeing a change.

  Gadi.

Gadi Evron wrote:

Problem is, we are fighting a war we already lost. It's put out a fire here and there, and break a wave while you're at it.

How about seeing some simple measures such as blocking outgoing port 25 at ISP's? Not a perfect solution, but it's a partial solution for some of the problems. Combined with other solutions we could start seeing a change.

Blocking ports one by one and filling the Internet by application level proxies (SMTP gateways for port 25) is not a road worth travelling.

Pete

Blocking ports one by one and filling the Internet by application level proxies (SMTP gateways for port 25) is not a road worth travelling.

Pete

Blocking port 25 for dynamic ranges means they can't send email, so those drones are pretty useless for spammers on that account. Trojan horses would have to use local information for the user's own account (from Outlook or such).

ISP's could then, I suppose, limit every user to 5 emails a minute (or any other number).

That combined with domain-keys and sender-ID could make for a much prettier Internet, don't you think?

Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP?

  Gadi.

Gadi Evron wrote:

Blocking port 25 for dynamic ranges means they can't send email, so those drones are pretty useless for spammers on that account. Trojan horses would have to use local information for the user's own account (from Outlook or such).

Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam today?

ISP's could then, I suppose, limit every user to 5 emails a minute (or any other number).

That combined with domain-keys and sender-ID could make for a much prettier Internet, don't you think?

You're fixing the symptom, not curing the cause. The immediate root cause is a compromised PC which among other things does send mail across port 25. It'll also send mail using x-y-z webmail or misconfigured forms, etc.

Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP?

It would be much more beneficial to deny all packets from AS's which don't have abuse in control.

Pete

Paul Vixie wrote:

2. Filter aggressively. Run a dark-net, and if one of your customers hits it,
blackhole their /32 for both inbound and outbound traffic, flag their record
in your customer database, and wait for them to call. When they call, give
them a list of anti-virus products for their 'puter, and the phone numbers
(yes, sorry, no web access for them at the moment) of some vendors. This
will cost you some top line revenue, but save your margins.

This can be automated to a level where the customer is redirected to a self-service portal allowing him/her to clean up the PC (if at all possible) and after that has been done the connectivity is restored. Saves your helpdesk a call and helps the margins further. (although the productized solution costs some, but the net effect is still the same)

Pete

Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam today?

There is the issue of usability. Why does a Cable user on a dynamic range need SMTP open?

You're fixing the symptom, not curing the cause. The immediate root cause is a compromised PC which among other things does send mail across port 25. It'll also send mail using x-y-z webmail or misconfigured forms, etc.

Webmail, etc. could and would be used, but instead of millions of messages sent openly from each drone there would be hundreds, maybe thousands.

It would be much more beneficial to deny all packets from AS's which don't have abuse in control.

That's not going to happen any time soon, and if only one ISP does it... imagine the tech support screams? I'd rather treat the symptoms.

After all, the symptom of high-temperature is not the illness itself, but it could kill.

  Gadi.

Blocking port 25 for dynamic ranges means they can't send email, so those
drones are pretty useless for spammers on that account. Trojan horses
would have to use local information for the user's own account (from
Outlook or such).

my users like being able to send email. i dont think this can work! (and there
are many legit reasons for not using our own smtp servers.. indeed we have custs
on other ISPs network who use our smtp server)

ISP's could then, I suppose, limit every user to 5 emails a minute (or
any other number).

5 emails or 5 recipients? i can send one email with hundreds/thousands of
rcpts.. and again, there are lots of legit reasons for sending a batch of emails

That combined with domain-keys and sender-ID could make for a much
prettier Internet, don't you think?

you mean SPF? i agree, use as many tools as are available in conjunction with
something like spamassassin to score mails as likely spam

Abuse using port 25 is a major issue today, why not solve it? If a user
wants it open, they could always ask for it or even pay more money.
Perhaps move to a static IP?

there are many ways of sending spam that dont use port 25..

individual rules are costly to implement and users wont use a service where you
have to pay more for basic services

Steve

If my ISP blocks port 25, I'll change ISP the next day.

But if it will be _configurable_ (blocked by default, but I can change the
setting by simply opening a web page and selecting a checkbox), why not.

there are many ways of sending spam that dont use port 25..

True, but reducing spam from millions to thousands seems like something good, no?

individual rules are costly to implement and users wont use a service where you have to pay more for basic services

Several big ISP's are blocking port 25 now. I believe this will catch.

It limits the amount of junk coming out from their users, and the usage of their tubes.

I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask for port 25 to be opened.

This is something ISP's can implement, and it works.

  Gadi.

> there are many ways of sending spam that dont use port 25..

True, but reducing spam from millions to thousands seems like something good,
no?

their market wont change tho, you will just force them to use another method..
at one time open relays were almost exclusively the way used to send spam, now
they arent nearly as popular (or available)

you can see the same with other problems eg dos attacks were once all smurfs,
a lot of effort was put into removing amplifiers and now we have the botnets..

i'm not saying do nothing, just only do things which make sense and are
practical

> individual rules are costly to implement and users wont use a service where you
> have to pay more for basic services

Several big ISP's are blocking port 25 now. I believe this will catch.

we need to look at some examples and what theyre doing exactly.. some redirect
it forcibly to their own servers. but i believe this approach is limited in how
you can apply it.. someone like aol can pretty well classify their users as low
end residential and thats fine ... but move away from this and special
requirements start creeping in and exceptions are not scalable enough.

It limits the amount of junk coming out from their users, and the usage
of their tubes.

I doubt even 0.001% of dynamic range Cable/DSL users will ever call to
ask for port 25 to be opened.

i'd suggest your estimate is too low based on all end users

This is something ISP's can implement, and it works.

this is something *some* isps can do ... and i'm not arguing that we shouldnt do
these little things but its just one limited way and serves more to reduce
problems with your own users than to reduce inbound spam

Steve

> Next you'll block SIP if we start getting "spam calls"? Or any other
> application that pops up and is used by the same people sending spam
> today?

There is the issue of usability. Why does a Cable user on a dynamic
range need SMTP open?

Because I am running my own SMTP server @ FreeBSD, for example. It is MY
concern, not the ISP's concern.


Then get yourself a personal colo (http://www.vix.com/personalcolo/). A dynamic IP is no place for a server of any kind.

And it IS the isp's concern. Most of them would consider running a mail server on a home-user grade cable connection to be in violation of their AUP if push came to shove, and they have every right to block you.

-Dan

Then get yourself a personal colo (http://www.vix.com/personalcolo/). A
dynamic IP is no place for a server of any kind.

right! to use the internet as an end host/customer i have to
go get colo, transit there, ... cool!

randy

Then get yourself a personal colo (http://www.vix.com/personalcolo/). A
dynamic IP is no place for a server of any kind.

It is wrong - a dynamic IP is just a dynamic IP. Nothing more.

If you are doing any filtering, do not name it IP; name it _home network
with elements of IP_, for example.

And it IS the isp's concern. Most of them would consider running a mail
server on a home-user grade cable connection to be in violation of their
AUP if push came to shove, and they have every right to block you.

Incorrect - they do not have any such AUP in place. It is your fantasy.

In article <416833A2.9030503@linuxbox.org> you write:

Next you'll block SIP if we start getting "spam calls"? Or any other
application that pops up and is used by the same people sending spam today?

There is the issue of usability. Why does a Cable user on a dynamic
range need SMTP open?

  Cable modem users don't need the ISP's servers for outgoing
  email. They have the "always on" connection needed to
  reliably deliver email. The only reason email went via
  ISP's servers back in the dialup days was to get reliable
  delivery.

  In the US there is even more incentive to bypass the ISP's
  servers. Look at the way they have interpreted the wire
  tap laws.

  Sane end users would also be configuring their systems to
  detect interception of email. Crypto was added to SMTP
  for a reason. ISP's shouldn't be getting in the way of
  using it.

  Mark

Pardon for my possibly ill informed interjection. I was under the impression that the current wind was blowing towards filtering outbound port 25 traffic while allowing outbound authenticated port 587 traffic? The thought being that while this was not a FUSSP, it helps to prevent unauthenticated "direct to MX" abuses.

In the US there is even more incentive to bypass the ISP's servers. Look at the way they have interpreted the wire tap laws.

This would allow customers to access remote mail servers to avoid ISPs who agree with the (mis)interpretation of the wire tap laws.

Because I am running my own SMTP server @ FreeBSD, for example. It is MY concern, not the ISP's concern.

Customers (mis)use of their connection is always the ISPs concern. If you are paying a premium for a Pure Pipe (tm), then yes, the way your server functions is your concern, however, since your actions directly influence how other networks accept or deny mail from your ISP as a whole it is very much their concern how you use your connection.

blocking port 25 will make legitimate smtp permanently hard to use, while making non-legitimate smtp temporarily hard to use.

I disagree, it will temporarily cause many, many people to have broken implementations and temporarily increase load tremendously on call centers. Working for an ISP that does port 25 filtering has not negatively impacted our users ability to use SMTP in any permanent fashion.

I don't underestimate the ability of software vendors and ISPs to roll out new requirements for SMTP to customers in a relatively painless fashion. Our ISP is currently making the transition from SMTP to Authenticated SMTP (we will be discontinuing the former) and I would see implementing port 25 blocking in much the same light with regards to implementation cost and the increased difficulty of using SMTP legitimately.

I agree that BCP 38 should be implemented. I agree that BCP 38 will have a greater effect on network abuse than port 25 filtering. They both have their place and address partially overlapping groups of abuse imho.
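The outbound-mail policy the thread converges on, as an added example that is not code from the thread or from any ISP: port 25 blocked by default on dynamic ranges, a customer-configurable opt-out (or a static address) to reopen it, authenticated submission on port 587 always allowed, and a per-customer limit that, following Steve's objection, counts recipients rather than messages. The dynamic pool, the 50-recipients-per-minute budget and the addresses are constructed.

```python
# Added example (not from the thread): outbound SMTP policy for an access
# network, combining the port 25/587 rule and a per-customer recipient limit.
from collections import deque
from ipaddress import ip_address, ip_network

DYNAMIC_RANGES = [ip_network("203.0.113.0/24")]   # constructed dynamic pool
SUBMISSION_PORT, SMTP_PORT = 587, 25


class OutboundMailPolicy:
    def __init__(self, max_rcpts=50, window_s=60):
        self.opted_out = set()              # customers who asked for port 25 open
        self.max_rcpts, self.window_s = max_rcpts, window_s
        self._rcpts = {}                    # customer IP -> deque of (time, rcpt_count)

    def allow_connect(self, src, dst_port):
        """Firewall decision for a new outbound connection from src to dst_port."""
        ip = ip_address(src)
        if dst_port == SUBMISSION_PORT:
            return True                     # authenticated submission is never blocked
        if dst_port != SMTP_PORT:
            return True                     # this policy only concerns mail ports
        dynamic = any(ip in r for r in DYNAMIC_RANGES)
        # Static addresses keep port 25; dynamic ones need the self-service opt-out.
        return (not dynamic) or (str(ip) in self.opted_out)

    def set_port25(self, src, enabled):
        """Self-service checkbox: open or close direct port 25 for one customer."""
        if enabled:
            self.opted_out.add(str(src))
        else:
            self.opted_out.discard(str(src))

    def allow_message(self, src, rcpt_count, now):
        """Submission-server check: sliding-window budget of recipients per customer.
        Counting recipients rather than messages closes the 'one mail, a
        thousand RCPT TOs' gap in a plain messages-per-minute limit."""
        q = self._rcpts.setdefault(str(src), deque())
        while q and now - q[0][0] >= self.window_s:
            q.popleft()                     # expire entries outside the window
        if sum(n for _, n in q) + rcpt_count > self.max_rcpts:
            return False
        q.append((now, rcpt_count))
        return True


if __name__ == "__main__":
    p = OutboundMailPolicy()
    print(p.allow_connect("203.0.113.9", 25), p.allow_connect("203.0.113.9", 587))
    p.set_port25("203.0.113.9", True)
    print(p.allow_connect("203.0.113.9", 25))
    print(p.allow_message("203.0.113.9", 30, now=0), p.allow_message("203.0.113.9", 30, now=10))
```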