Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Fri, 3 Dec 2004, Elmar K. Bins wrote:

> And while Cisco's autosecure feature looks fine in most parts (saves a lazy overworked bum like me a lot of typing), it does not do much good - in my opinion - when it comes to bogon filtering. I prefer knowing what the filter looks like, and it does not seem to give me that, nor any way of modifying the list (correct me if I'm wrong).

See pages 9, 10 and 12 of the PDF I posted. Specifically, it sets up:

  ip access-list extended autosec_iana_reserved_block
and
  ip access-list extended autosec_complete_bogon

which you of course can change like any other ACL.

-Hank
Re: How many backbones here are filtering the makelovenotspam screensaver site?
Hank :-)

> > that, nor any way of modifying the list (correct me if I'm wrong).
>
> See pages 9, 10 and 12 of the PDF I posted. Specifically, it sets up:
> ip access-list extended autosec_iana_reserved_block, and
> ip access-list extended autosec_complete_bogon
> which you of course can change like any other ACL.

Yup, read the last bits now, so at least that holds no more fear. Unfortunately one still has to mop all routers every time.

Thanks for correcting that,

Elmi.

--
Just don't make the mistake of substituting expertise for opinion.
(PLemken, [EMAIL PROTECTED])
--[ ELMI-RIPE ]---
Re: How many backbones here are filtering the makelovenotspam screensaver site?
Hank Nussbacher wrote:
> On Fri, 3 Dec 2004, Elmar K. Bins wrote:
> > And while Cisco's autosecure feature looks fine in most parts (saves a lazy overworked bum like me a lot of typing), it does not do much good - in my opinion - when it comes to bogon filtering. I prefer knowing what the filter looks like, and it does not seem to give me that, nor any way of modifying the list (correct me if I'm wrong).
>
> See pages 9, 10 and 12 of the PDF I posted. Specifically, it sets up:
> ip access-list extended autosec_iana_reserved_block, and
> ip access-list extended autosec_complete_bogon
> which you of course can change like any other ACL.

This is broken by design. Routers would ship with the iana_reserved_block list of when they were manufactured. If the user is stoopid enough not to be able to get his filters from Cymru directly then he should not have any filtering at all because he is never going to update it anyway in the future. Ergo lots of black holes for newly allocated address spaces to the RIRs. The cure will be far worse than the disease if routers would come with pre-configured bogon lists.

And you are missing a big point; what bogons are bogons? In an enterprise setup the RFC1918 space (10/8, 172.16/12, 192.168/16) is most likely not a bogon while it most likely is for an ISP. Breaks right here.

On top of that it is solving a non-problem. There is only little junk coming from the non-iana allocated ranges. And that is easily taken care of by filtering inbound traffic at the customer edges (ie. allow customers to send only traffic with source IPs out of the assigned IP range).

If you do any bogon filtering at all then do it with some automatically updating system like a BGP bogon feed from Cymru.

--
Andre
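Two of Andre's points lend themselves to a small worked check. The Python below is an added example, not code from the thread and not the contents of Cisco's autosec_* ACLs: it shows what a bogon list frozen into a router image does once IANA hands out a block that was on the list, why the same list cannot serve an enterprise that uses RFC1918 internally, and the customer-edge alternative (accept only sources inside the customer's assignment), which needs no bogon list at all. Every prefix here is constructed for illustration, including the three "later allocated" /8s and the 192.0.2.0/24 customer assignment.

```python
"""Added example: a stale pre-baked bogon list versus a customer-edge source check.
All prefixes are constructed for illustration; none are taken from a real ACL."""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def nets(prefixes: Iterable[str]) -> List[Net]:
    return [ipaddress.ip_network(p) for p in prefixes]


# Constructed snapshot of a "reserved / unallocated" list as it might be frozen
# into a router image at build time.
STALE_BOGONS = nets(["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                     "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
                     "1.0.0.0/8", "14.0.0.0/8", "27.0.0.0/8"])

# Constructed: blocks that IANA later hands out to RIRs while the image is still in the field.
LATER_ALLOCATED = nets(["1.0.0.0/8", "14.0.0.0/8", "27.0.0.0/8"])

# RFC1918 is a bogon on an ISP edge but legitimate inside an enterprise, so the
# enterprise variant of the same list has to drop those three entries.
RFC1918 = nets(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
ENTERPRISE_LIST = [b for b in STALE_BOGONS if b not in RFC1918]


def is_bogon(addr: str, bogons: List[Net]) -> bool:
    """True if addr falls inside any listed prefix, i.e. what an ACL deny would do."""
    ip = ipaddress.ip_address(addr)
    return any(ip in b for b in bogons)


def blackholed_by_stale_list(stale: List[Net], allocated: List[Net]) -> List[Net]:
    """Allocated prefixes that a router still running the frozen list would drop."""
    return [a for a in allocated if any(a.subnet_of(s) for s in stale)]


def refresh(stale: List[Net], now_allocated: List[Net]) -> List[Net]:
    """What an automatically updated list does: remove anything now allocated."""
    return [s for s in stale if not any(a.overlaps(s) for a in now_allocated)]


def permitted_source(src: str, customer_prefixes: List[Net]) -> bool:
    """Customer-edge ingress filter: accept only sources inside the customer's
    assignment. It never goes stale when IANA allocates new space elsewhere."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in customer_prefixes)


if __name__ == "__main__":
    print("stale list drops:", blackholed_by_stale_list(STALE_BOGONS, LATER_ALLOCATED))
    fresh = refresh(STALE_BOGONS, LATER_ALLOCATED)
    print("after refresh:", blackholed_by_stale_list(fresh, LATER_ALLOCATED))
    customer = nets(["192.0.2.0/24"])  # constructed customer assignment (documentation range)
    print(permitted_source("192.0.2.10", customer), permitted_source("1.2.3.4", customer))
```

The first print shows all three later-allocated /8s still being dropped by the frozen list; the second shows none after a refresh. The customer-edge check is the one that does not depend on anyone ever updating the router.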
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu 02 Dec 2004 (15:21 -0500), Steven Champeon wrote:
> on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
> > Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
>
> You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?

Some people regard what's being done with this system as being on exactly the same level as any other cracker's work. Look up vigilante some time and consider carefully whether or not this is applicable.

--
Jim Segrave [EMAIL PROTECTED]
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On 3-dec-04, at 10:57, Andre Oppermann wrote:
> Routers would ship with the iana_reserved_block list of when they were manufactured. If the user is stoopid enough not to be able to get his filters from Cymru directly then he should not have any filtering at all because he is never going to update it anyway in the future. Ergo lots of black holes for newly allocated address spaces to the RIRs.

Exactly. (Unless IANA reserved != unallocated, but IANA does call unallocated space reserved.)

> The cure will be far worse than the disease if routers would come with pre-configured bogon lists.

Indeed. In fact, the whole bogon filtering thing is more harmful than useful.

> If you do any bogon filtering at all then do it with some automatically updating system like a BGP bogon feed from Cymru.

What exactly does this feed do for me? Wouldn't bogons be everything that isn't in the global routing table?
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Fri, Dec 03, 2004 at 10:57:15AM +0100, Andre Oppermann wrote:
> If you do any bogon filtering at all then do it with some automatically updating system like a BGP bogon feed from Cymru.

How does the BGP bogon feed from cymru protect against more-specific bogons?

--
Cliff Albert [EMAIL PROTECTED]
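Cliff's question turns on longest-prefix match, and the mechanism is easy to show. The Python below is an added illustration, not an answer given in the thread: a RIB holds a bogon /4 pointed at Null0 the way a BGP feed would supply it, a peer announces a /24 inside that block, and the /24 wins the lookup, so the feed alone does nothing for that traffic. A second run adds an inbound prefix-list style check that rejects any announcement lying inside a bogon block before it can reach the RIB. The 240.0.0.0/4 block, the leaked 240.1.2.0/24, the probe address and the next-hop names are all constructed for the example.

```python
"""Added example: a destination-based bogon null route loses to a more-specific
announcement under longest-prefix match; filtering the announcement itself does not.
Prefixes and next-hop names are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
NULL0 = "Null0"

# Constructed bogon block, as a feed would hand it over with a discard next hop.
BOGONS: List[Net] = [ipaddress.ip_network("240.0.0.0/4")]
# Constructed: a more-specific inside that block, announced by a peer.
LEAKED = "240.1.2.0/24"
PROBE = "240.1.2.3"


def install(rib: Dict[Net, str], prefix: str, next_hop: str) -> None:
    rib[ipaddress.ip_network(prefix)] = next_hop


def lpm(rib: Dict[Net, str], dst: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match: the most specific route covering dst wins."""
    ip = ipaddress.ip_address(dst)
    matches = [(n, nh) for n, nh in rib.items() if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def accept_announcement(prefix: str, bogons: List[Net] = BOGONS) -> bool:
    """Inbound prefix-list check: reject an announcement that lies inside a
    bogon block, however specific, before it reaches the RIB."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(b) for b in bogons)


def build_rib(filter_inbound: bool) -> Dict[Net, str]:
    rib: Dict[Net, str] = {}
    install(rib, "0.0.0.0/0", "upstream")
    for b in BOGONS:
        install(rib, str(b), NULL0)          # what the feed gives you
    if not filter_inbound or accept_announcement(LEAKED):
        install(rib, LEAKED, "peer")         # the more-specific slips in unless filtered
    return rib


def next_hop_for(dst: str, filter_inbound: bool) -> str:
    """Where a packet to dst goes; 'Null0' means it is discarded."""
    route = lpm(build_rib(filter_inbound), dst)
    return route[1] if route else "unreachable"


if __name__ == "__main__":
    print("feed only       ->", next_hop_for(PROBE, False))   # peer: the /24 wins
    print("feed + filter   ->", next_hop_for(PROBE, True))    # Null0: the /4 is all that matches
```

The same longest-match logic applies if the feed is used as a source check (uRPF): once the peer's /24 is in the table, a packet sourced from it has a valid route and passes. Only refusing the announcement closes that gap.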
RE: How many backbones here are filtering the makelovenotspam screensaver site?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 01, 2004 9:06 PM
> To: Suresh Ramasubramanian
> Cc: nanog list
> Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
>
> I don't know how many providers are blocking them but at home I have a cox cable connection and they are blocking them...
>
> On Thu, 2004-12-02 at 07:04 +0530, Suresh Ramasubramanian wrote:
> > I've heard reports of traceroutes through several backbones timing out or going !H after a few hops, and I note that the impact seems to have been enough for the site's IP to change ..
> >
> > [EMAIL PROTECTED] 06:56:27 [~]$ dnsip www.makelovenotspam.com
> > 213.115.182.123
> > [EMAIL PROTECTED] 07:01:16 [~]$ dnsname 213.115.182.123
> > ua-213-115-182-123.cust.bredbandsbolaget.se
> >
> > Hosted on a cablemodem? Tch, tch, how the mighty have fallen

The blocks are widespread. The reports of hackers are incorrect. The blackholes are what is stopping them.

-M

--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV
Operations Infrastructure
[EMAIL PROTECTED]
Re: How many backbones here are filtering the makelovenotspam screensaver site?
I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves. They would not have needed the larger backbone if they cut down on the size of their response. They could have done anything with their client, but they chose to make it a full web service with a valid XML response. Every transaction with their server looks to be about 3K. They could have implemented something minimal, like a basic socket connection and a minimal request, then sent something like a space delimited list of parameters. They could get rid of about 75% of the data and still preserve the same functionality.

I personally like the idea, even though it's not original, it just took a large site to back it. Too bad they couldn't do it right.

On Thu, 2 Dec 2004 10:28:26 -0500, Hannigan, Martin [EMAIL PROTECTED] wrote:
> > -----Original Message-----
> > From: Lionel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 02, 2004 8:40 AM
> > To: Hannigan, Martin
> > Cc: nanog list
> > Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
> >
> > On Thu, 2 Dec 2004 08:27:38 -0500, Hannigan, Martin [EMAIL PROTECTED] wrote:
> > > > Hosted on a cablemodem? Tch, tch, how the mighty have fallen
> > >
> > > The blocks are widespread. The reports of hackers are incorrect. The blackholes are what is stopping them.
> >
> > What amazing efficiency. I can't help but wonder if these same providers are as quick at blackholing spamsite hosts, or blocking the zombies on their user networks from spewing spam on port 25?
>
> If you tied all the spammers into a few controllers, you see it happen immediately.
>
> I've been following the news reports on this. Here's a quick summary of what I know without making any judgement or opinion:
>
> - The lycos screensaver campaign activated Tuesday
> - Major networks began activating blocks
> - When the controllers can't be reached, the clients die off
> - If screensaver is active when controllers die, it runs off the current target list.
> - If screensaver deactivates, then activates, it can't contact the servers and tells the user it's off the internet (I can't verify the veracity of the update process i.e. if it will die while active)
> - Blocks started going up early Wednesday morning
> - The press began reporting hackers due to an apparent defacement being seen by many users. What they actually saw was the banner of an ISP that had blackholed the traffic and redirected port 80 to a notice.
> - Lycos moved their application to a hosting facility with bigger pipes
> - Target sites began using redirects sending the traffic back to Lycos
> - Press reports are coming out today regarding the blackholes
> - SpamCop is the source of the target list via a page that is public off of the SpamCop site (SpamCop does not appear to have complicity)
> - The effectiveness of the blackholes is rising
> - There are a reported 100K clients downloaded. Less than you would expect due to the voluminous press coverage. Probably a result of the blackhole activity as well.
>
> I'm really not sure if Lycos knows about the blackholes at this point as the press has been reporting hackers all the while. If you think it's hacked, check the route.
>
> Here's some operational data captured via ethereal. The target list generated by the botnet controller:
>
> GET /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml HTTP/1.1
> Referer: http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml
> x-flash-version: 7,0,19,0
> User-Agent: Shockwave Flash
> Host: backend.makelovenotspam.com
> Cache-Control: no-cache
>
> HTTP/1.1 200 OK
> Server: Resin/2.1.14
> Content-Type: text/xml; charset=UTF-8
> Content-Length: 2889
> Connection: close
> Date: Thu, 02 Dec 2004 15:22:00 GMT
>
> <?xml version="1.0" encoding="UTF-8"?>
> <mlnstargets location="US">
> <target id="TVRBd01EQXdOVGt5" domain="myshopinternetcompany.com" url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" hits="2572309" percentage="100" responsetime01="498" responsetime02="0" location="BR"></target>
> <target id="TVRBd01EQXdOVEk0" domain="grlswaiting4u.com" url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797" percentage="100" responsetime01="11866" responsetime02="0" location="US"></target>
> <target id="TVRBd01EQXdOVGc0" domain="1stwebsitetheyourshop.com" url="http://1stwebsitetheyourshop.com/?e=aa5100" bytes="317867325" hits="2288427" percentage="100" responsetime01="507" responsetime02="0" location="BR"></target>
> <target id="TVRBd01EQXdOVGcx" domain="cheap-r-x.com" url="http://cheap-r-x.com/" bytes="355920802" hits="2565612" percentage="100" responsetime01="787" responsetime02="0" location="CN"></target>
> <target id="TVRBd01EQXdOVGcz" domain="www.hlplmanhds.biz" url="http://www.hlplmanhds.biz/" bytes="317590861" hits="2269503" percentage="100" responsetime01="785" responsetime02="0" location="CN"></target>
> <target id
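The capture above shows the target-list format, and the thread's complaint that the client/server exchange is not "keyed" suggests what a client could check before acting on such a list. The Python below is an added example and not Lycos's code: it parses a sample list constructed from the captured attributes (two of the records above), and adds a hypothetical HMAC over the body so that a list the client cannot authenticate is rejected rather than acted on. The key, the tag and the verification step are assumptions made for illustration; nothing on the page says the real client did any of this.

```python
"""Added example, not the original client: parse the captured target-list XML and
show what a keyed (HMAC) check on the list body would add. The sample document is
constructed from the captured attributes; key and tag are hypothetical."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample in the captured format (two records from the capture above).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<mlnstargets location="US">
<target id="TVRBd01EQXdOVGt5" domain="myshopinternetcompany.com" url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" hits="2572309" percentage="100" responsetime01="498" responsetime02="0" location="BR"></target>
<target id="TVRBd01EQXdOVEk0" domain="grlswaiting4u.com" url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797" percentage="100" responsetime01="11866" responsetime02="0" location="US"></target>
</mlnstargets>
"""


@dataclass
class Target:
    id: str
    domain: str
    url: str
    nbytes: int
    hits: int
    percentage: int
    responsetime01: int
    location: str


def parse_targets(body: bytes) -> List[Target]:
    """Parse the list the way a client would: every <target> becomes a record."""
    root = ET.fromstring(body)
    if root.tag != "mlnstargets":
        raise ValueError("unexpected root element %r" % root.tag)
    out = []
    for t in root.iter("target"):
        out.append(Target(
            id=t.get("id", ""),
            domain=t.get("domain", ""),
            url=t.get("url", ""),
            nbytes=int(t.get("bytes", "0")),
            hits=int(t.get("hits", "0")),
            percentage=int(t.get("percentage", "0")),
            responsetime01=int(t.get("responsetime01", "0")),
            location=t.get("location", ""),
        ))
    return out


def total_hits(targets: List[Target]) -> int:
    return sum(t.hits for t in targets)


def sign_list(body: bytes, key: bytes) -> str:
    """Hypothetical keyed tag a controller could attach to the list (e.g. in a header)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def parse_if_authentic(body: bytes, tag: str, key: bytes) -> List[Target]:
    """Refuse a list whose tag does not verify, so a spoofed controller or a DNS
    redirect cannot hand the client a different set of targets."""
    if not hmac.compare_digest(sign_list(body, key), tag):
        raise ValueError("target list failed authentication")
    return parse_targets(body)


def accepts(body: bytes, tag: str, key: bytes) -> bool:
    """True if the client would act on this body under this tag and key."""
    try:
        parse_if_authentic(body, tag, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"example-shared-key"  # constructed; a real deployment would provision this per client
    tag = sign_list(SAMPLE_XML, key)
    print([t.domain for t in parse_if_authentic(SAMPLE_XML, tag, key)])
    tampered = SAMPLE_XML.replace(b"grlswaiting4u.com", b"example.org")
    print("tampered accepted:", accepts(tampered, tag, key))   # False: the tag no longer matches
```

Without the tag check, whoever answers for backend.makelovenotspam.com decides where the clients send traffic; with it, a body that does not verify is discarded before a single target is parsed.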
RE: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004, Hannigan, Martin wrote:
> > -----Original Message-----
> > From: Florian Weimer [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 02, 2004 2:01 PM
> > To: Brett
> > Cc: Hannigan, Martin; nanog list
> > Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
> >
> > > I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves.
> >
> > The site that is being blackholed isn't on their network, AFAICS. Actually, I think this is an ingenious PR campaign, but it probably doesn't work the way it was conceived, though I believe that the net outcome for Lycos will be utterly positive.
>
> Possibly. What will happen if the Lycos botnet gets hijacked?

to expand on this point, since it seems the screensaver pulls a list which is basically the top newly spammed URLs from spamcop (and possibly other places), what if the owners of the domains being 'attacked' were to point their DNS at a new ip? or set of ips? They can now control the 'bots' instead of lycos doing the controlling.

I'm also concerned that lycos is claiming to only use 95% of the bandwidth the site has. How is that determined by lycos? Do they call each upstream and get verifiable info about the bandwidth toward the site(s) in question? Do they measure each client's output capability (and input capability) to ensure that 100 machines really equals 1.2mbps on a t1?

There are so many holes in their 'plan', never mind the 'vigilante' parts of it which are horridly distasteful... Lycos has engineered a botnet just like any 14 year old kiddie does nightly, they just did it more publicly and under the guise of 'being helpful'. It's utterly irresponsible of them to promote this activity.

-Chris
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
> Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.

You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?

Steve

[1] http://newpaper.asia1.com.sg/top/story/0,4136,67698-1,00.html
    "There may be millions of such PCs around and they can be rented for as little as US$100 ($176)-per-hour."

    http://www.messagelabs.com/emailthreats/intelligence/reports/monthlies/October04/default.asp
    "Some estimates have suggested a botnet in excess of tens of thousands of computers." [per virus outbreak]

    http://www.usatoday.com/tech/news/computersecurity/2004-07-07-zombie-pimps_x.htm
    "Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money, a source in Scotland Yard's computer crime unit told Reuters."

    http://www.sans.org/newsletters/newsbites/newsbites.php?vol=6&issue=43#315
    "CipherTrust recently published research claiming that all phishing attacks on the Internet are conducted with the use of one of five zombie networks, or botnets. Each botnet comprises roughly 1,000 PCs. In addition, the research shows that 70% of zombie PCs are also used to send spam."

    http://news.zdnet.co.uk/internet/security/0,39020375,39167561,00.htm
    "Linford said that every week more than 100,000 PCs are recruited into botnets without the owner's knowledge. A botnet is a collection of -- usually -- Windows-based PCs that have been stealthily taken over by malware. Users have no idea that their computer has been corrupted."

[2] the CBL, for example, currently lists 1.1M, and (here, anyway) only blocks around 15-25% of our incoming spam. I've seen round robin attacks of upwards of fifty bots at a time (same timeframe, sender, and target, from multiple hosts in multiple countries/ISPs/networks) whereas suspected zombies account for 35-45% of all inbound spam delivery attempts here.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004, Steven Champeon wrote:
> on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
> > Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
>
> You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?

perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought.

arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself.

-Chris
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 12:55:02PM -0800, Chad Skidmore wrote:
> quoting me:
> > What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
>
> Well, the primary difference is that Lycos is trying to market what they are doing as a good thing in a fairly public manner. If their vigilante efforts become accepted as OK then it further opens the door for others to take the next step towards making dDOS attacks ok as long as you feel your motivations are pure. As network operators we all need to make sure that we enforce our AUPs and make it known that breaking those AUPs is not ok just because you feel your motives are pure. Most AUPs have some language that basically states that dDOS and similar activities are bad and we will take action if you engage in said bad activities.

My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.

> To your other point, how do you know that other botnets are not being identified and taken down every day by network operators? I know for a fact that they are, they just are not nearly as public as this one so those activities go largely unacknowledged.

Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum. This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it.

Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more.

As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 08:58:03PM +0000, Christopher L. Morrow wrote:
> On Thu, 2 Dec 2004, Steven Champeon wrote:
> > on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
> > > Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
> >
> > You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
>
> perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought.

I agree. I also think it's up to the companies providing the Internet connectivity to the non-Lycos-owned botnets to prevent such activity from affecting others.

> arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself.

I couldn't agree more that vigilantism isn't the answer. My earlier remarks were directed to the shock and awe evident in the possibility that - via Lycos - there might be, heaven forbid, /large numbers of computers under the control of spammers, that could be used in spamming and abuse/. All I was pointing out was that, surprise, surprise, there already are. So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
RE: How many backbones here are filtering the makelovenotspam screensaver site?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 02, 2004 4:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
>
> on Thu, Dec 02, 2004 at 12:55:02PM -0800, Chad Skidmore wrote:
> > quoting me:
> > > What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
> >
> > Well, the primary difference is that Lycos is trying to market what they are doing as a good thing in a fairly public manner. If their vigilante efforts become accepted as OK then it further opens the door for others to take the next step towards making dDOS attacks ok as long as you feel your motivations are pure. As network operators we all need to make sure that we enforce our AUPs and make it known that breaking those AUPs is not ok just because you feel your motives are pure. Most AUPs have some language that basically states that dDOS and similar activities are bad and we will take action if you engage in said bad activities.
>
> My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.

Um, not 1 million bots - in concert.

-M
RE: How many backbones here are filtering the makelovenotspam screensaver site?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 02, 2004 4:14 PM
> To: nanog list
> Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
>
> on Thu, Dec 02, 2004 at 08:58:03PM +0000, Christopher L. Morrow wrote:
> > On Thu, 2 Dec 2004, Steven Champeon wrote:
> > > on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote:
> > > > Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote.
> > >
> > > You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]?
> >
> > perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought.
>
> I agree. I also think it's up to the companies providing the Internet connectivity to the non-Lycos-owned botnets to prevent such activity from affecting others.
>
> > arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself.
>
> I couldn't agree more that vigilantism isn't the answer. My earlier remarks were directed to the shock and awe evident in the possibility that - via Lycos - there might be, heaven forbid, /large numbers of computers under the control of spammers, that could be used in spamming and abuse/.

Can you direct me toward a singular entity of 1MM bots controlled by a single master?

> All I was pointing out was that, surprise, surprise, there already are. So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/.

I think you might be behind on what's going on in botland lately.
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 04:15:34PM -0500, Hannigan, Martin wrote:
> quoting me:
> > My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.
>
> Um, not 1 million bots - in concert.

And you know this how, exactly? I'm sure not convinced.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote:
> Can you direct me toward a singular entity of 1MM bots controlled by a single master?

No, I cannot. I *can*, and have, forward on reports by those more in the know than I that estimate 100K new bots / day are being added, and I can certainly point to incidents here which suggest that the problem is widespread, that the spammers responsible are few, and that many ISPs continue to refuse to contain the problem. Do the math. 100K / day new bots, added by a few responsible parties, and it's not hard to see that over a brief period of time any one of those parties might control over a million hosts or more.

> I think you might be behind on what's going on in botland lately.

By all means, enlighten me. All I see from my limited pov is that bots are useless if disallowed from sending spam via port 25 outbound, and that every day sees hundreds if not thousands, of new bots trying to send spam to my users, which suggests that /nothing is being done to prevent them from using the available resources/. Convince me otherwise, please. I'm all ears.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
RE: How many backbones here are filtering the makelovenotspam screensaver site?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 02, 2004 4:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
>
> on Thu, Dec 02, 2004 at 04:15:34PM -0500, Hannigan, Martin wrote:
> > quoting me:
> > > My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.
> >
> > Um, not 1 million bots - in concert.
>
> And you know this how, exactly? I'm sure not convinced.

http://w3.cambridge-news.co.uk/business/story.asp?StoryID=65877
"Lycos Europe's 20 million users will all be invited to download the software, but it is available to anyone with an internet connection running either Windows or Mac OSX or Mac OS9 operating systems."

http://edition.cnn.com/2004/TECH/internet/12/02/anti.spamvigi.ap/
"Around 65,000 people already signed up for the offensive, called Make Love not Spam before Tuesday's official launch on a website by the same name, the company said. It is urging its 22 million users to download the screen-saver, but says anyone with a computer is welcome to it."
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 02 Dec 2004 16:18:52 EST, Hannigan, Martin said:
> Can you direct me toward a singular entity of 1MM bots controlled by a single master?

Well, it was a while ago that some Polish guys were openly advertising their 465K zombie network - I'd be most surprised if it isn't over 1M by now.

And remember that hierarchical design is understood in the black hat world too. If somebody has 1M bots, it won't be 1M bots in one network, it will be several hundred subnets of several thousand bots, and some automated way to signal several hundred control nodes to each fire up their several thousand bots. So you may already have whacked off a 1% chunk of that 1M net several times already and not even realized it.
Re: How many backbones here are filtering the makelovenotspam screensaver site?
on Thu, Dec 02, 2004 at 04:46:00PM -0500, Hannigan, Martin wrote:
> quoting me:
> > > Um, not 1 million bots - in concert.
> >
> > And you know this how, exactly? I'm sure not convinced.
>
> http://w3.cambridge-news.co.uk/business/story.asp?StoryID=65877
> "Lycos Europe's 20 million users will all be invited to download the software, but it is available to anyone with an internet connection running either Windows or Mac OSX or Mac OS9 operating systems."
>
> http://edition.cnn.com/2004/TECH/internet/12/02/anti.spamvigi.ap/
> "Around 65,000 people already signed up for the offensive, called Make Love not Spam before Tuesday's official launch on a website by the same name, the company said. It is urging its 22 million users to download the screen-saver, but says anyone with a computer is welcome to it."

Yes, yes - I know that Lycos has tens of thousands. What I want to know is how you know that there aren't existing 1M bot zombie nets aside from the Lycos attempt (which as you can see, is thus far only comparable to the 100K/day estimate given by Steve Linford).

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
RE: How many backbones here are filtering the makelovenotspam screensaver site?
-Original Message- From: Steven Champeon [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 02, 2004 1:09 PM Posted To: NANOG Conversation: How many backbones here are filtering the makelovenotspam scr eensaver site? Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site?

My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.

I realize that is the point you were trying to make. I also realize that Martin is pretty well aware of botnets and the threat they create. I suspect that most other readers on NANOG are also well aware. What doesn't seem to be as common knowledge as I would expect is that botnets are a commodity. As such they are traded, sold, purchased and even stolen. That last point is particularly important in this case. Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys. This botnet uses a command and control server that is now well publicized, and uses a communication channel that is not encrypted or obfuscated in any way. That makes it a botnet just asking to be stolen. Fortunately the CC server is blackholed by what seem to be a large number of providers and the botnet is now fairly useless.

Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum.

It is certainly more than onesy-twosy increments but I agree that the problem is large enough that it certainly feels like a weak attempt from the average user/operator's point of view.

This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it.

I encourage everyone to vote with their wallet when it comes to this type of thing. Buy your transit from organizations with dedicated security teams that actively engage in SPAM/Bot/Worm/Viri fighting efforts. Those things cost money and take time and are usually unacknowledged efforts. Larger providers seem to make easier targets when it comes to placing blame and saying that they aren't doing enough to combat miscreant activity. I don't believe that is the case overall. They just have a much larger customer base, higher volumes of traffic to inspect, and more politics to work within.

Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more.

I believe that EVERYONE could do more on this front. It is a moving battle that requires constant improvement just to stay afloat, let alone get ahead. For those genuinely interested in improving what they are doing on this front I strongly encourage you to attend the NSP-Sec BOFs at NANOG. You might be surprised what you learn and who you meet that can be helpful.

As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range.

Glad you don't see much from us, must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a City Wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic) so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses, they do get answered and acted upon here.

Regards, Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote: Can you direct me toward a singular entity of 1MM bots controlled by a single master?

Nobody can, except the single master who's in control of same, and whoever that is -- if there is -- is unlikely to voluntarily share that information publicly. That's part of the problem: we know that there are huge numbers of them. How huge? 10e7 was probably a good estimate early in 2004, 10e8 is starting to look plausible given reported discovery rates. And the quasi-related problem of spyware/adware is exacerbating it: it's not like that cruft is exactly fastidious about making sure that it doesn't open the door to things worse than itself.

We don't know how many there are. We probably can't know how many there are -- unless they do something to make themselves noticed, and surely those controlling them are smart enough to realize this and keep plenty in reserve. We can only know how many have made themselves visible, and even knowing that's hard.

We don't know who's controlling them: are we up against 10 people or 10,000?

We don't know everything they're doing with them.

We don't know everything they're going to try to do with them.

We don't know where they'll be next: they may move around (thanks to DHCP and similar), may show up in multiple places (thanks to VPNs) or they may *really* move around (laptops).

We don't know how many are server systems as opposed to end-user systems.

We don't know how to keep more from being created.

We don't have a mechanism for un-zombie'ing the ones that already exist (other than laboriously going after them one at a time).

We don't have a means to keep them from being re-zombied -- just as soon as the latest IE-bug-of-the-day hits Bugtraq.

We don't have a viable way of controlling their actions other than disconnecting them entirely: sure, blocking outbound port 25 connections stops them from attempting spam delivery directly into mail servers, but surely nobody is so naive as to think those controlling these botnets are going to shrug their shoulders and give up when that happens? There are all kinds of other things they could be doing. *Are doing*.

We don't have a clear understanding of how they're being controlled: are they quasi-autonomous? centrally directed? via a tree structure? do they phone home? are they operating p2p? all of the above?

And so on. But we darn well should find out.

---Rsk
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 5:21 PM To: [EMAIL PROTECTED] Subject: RE: How many backbones here are filtering the makelovenotspam scr eensaver site? [SNIP] As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range. Glad you don't see much from us, must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a City Wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic) so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses, they do get answered and acted upon here. Glad to hear that. Overall, I'm offering some operational content on the publicity intensive Lycos botnet and provide some level of operational analysis free of judgement of Lycos. I'd be happy to argue about breadth, depth, and width of botnets and their commodity status in email. :) -M
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys.

This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at gray hat hosts who are open relays or something?

My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before Spam, botnets, DDOS, etc. and dream of a day when these are under control again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion.

Justin Ryburn [EMAIL PROTECTED] Dance like nobody's watching; love like you've never been hurt. Sing like nobody's listening; live like it's heaven on earth. -- Mark Twain

- Original Message - From: Chad Skidmore [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:21 PM Subject: RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, 2 Dec 2004, Justin Ryburn wrote: This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them.

Common sense?
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: Justin Ryburn [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:18 PM To: Chad Skidmore; [EMAIL PROTECTED] Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site?

This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at gray hat hosts who are open relays or something?

I agree 100%. I believe that I get to decide what is or is not ok traffic on my network. I define that in my AUP and customers agree to and understand that when they buy service from me.

My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before Spam, botnets, DDOS, etc. and dream of a day when these are under control again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion.

Also agree 100%. If there is traffic hitting my network that I don't believe is ok then I can choose not to carry that traffic on my network. It doesn't give me the right to attack the originator of that traffic or the person that I believe to be the originator of that traffic. That's why I am a very firm believer in the power of the ip route x.x.x.x y.y.y.y null0 command. :) Makes the problem go away for me (for the most part) and doesn't cause anyone else any pain as a result except my customers, who agreed to let me use that power when they purchased service from me.

Justin Ryburn [EMAIL PROTECTED] Dance like nobody's watching; love like you've never been hurt. Sing like nobody's listening; live like it's heaven on earth. -- Mark Twain

- Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180
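The two controls Chad describes in this thread, restricting outbound TCP 25 from the wireless customer network (his earlier message) and the destination null route above, as one added example in Cisco IOS syntax; it is not configuration from any message in the thread or from One Eighty Networks, and the prefixes, relay address and interface name are placeholders drawn from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the thread. All addresses are documentation-range placeholders.
!
! 1. Destination-based blackhole: the "ip route x.x.x.x y.y.y.y null0" Chad refers to.
!    Traffic from this router toward the host is discarded; nothing is sent back at the
!    origin, so only this network's own customers are affected.
ip route 192.0.2.10 255.255.255.255 Null0
!
! 2. Egress filter for the city-wide wireless customer subnet (placeholder 198.51.100.0/24).
!    Only the operator's own mail relay (placeholder 203.0.113.25) may be reached on TCP 25.
!    Any other SMTP attempt, which from a wireless client is almost always an infected host,
!    is dropped and logged so the abuse desk can see which client addresses are trying to
!    deliver spam directly. All other traffic is left alone.
ip access-list extended WIFI-CUSTOMER-EGRESS
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.25 eq smtp
 deny   tcp 198.51.100.0 0.0.0.255 any eq smtp log
 permit ip 198.51.100.0 0.0.0.255 any
!
! Apply inbound on the interface that faces the wireless network (placeholder name).
interface GigabitEthernet0/1
 description Wireless customer network
 ip access-group WIFI-CUSTOMER-EGRESS in
```

The log keyword on the deny entry is what turns the filter into a detection source as well as a control: without it the infected client is silenced but never identified.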