Re: monkeys.dom UPL being DDOSed to death
Dan Hollis wrote:
> the operator hosting the hijacked PC is guilty if they are notified and refuse to take action. which seems to be all too common these days with universities and colocation companies.

In many cases they also are incompetent or incapable of taking action since there are hardly any "Disconnecting abusers for dummies" books on the shelf. Not that incompetence would work too well as defence, but you would have to take it that far or have some way of getting the abusers off the network without waiting for the slow and incompetent and deal with the consequences of mistakes later.

Pete
Re: monkeys.dom UPL being DDOSed to death
Kai Schlichting wrote:
> On 9/23/2003 at 5:16 PM, Mike Tancsa [EMAIL PROTECTED] wrote:
>
> - BGP anycast, ideally suited for such forwarding proxies.
>
> Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators. If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause.

I'm trying to get the funds together to create a free for free DNSbls anycast network, however it's not cheap, and the idea hosters are not gonna do it for free.

/ Mat
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003 16:32:55 -0500, Jack Bates wrote:
> Question: Why is it not illegal for an ISP to allow a known vulnerable host to stay connected and not even bother contacting the owner? There are civil remedies that can be sought but no criminal.

Various theories of criminal liability could certainly be applied, e.g. attractive nuisance (like leaving an unfenced swimming pool for children to drown in). However this kind of very plausible action would take an aggressive public prosecutor with a good computer forensic staff and a seriously injured victim. Since the public prosecutors can hardly handle the criminals at MCI, Enron, the leading finance firms, we may have to wait a while.

Jeffrey Race
Re: monkeys.dom UPL being DDOSed to death
Geo. wrote:
> Blacklists are just one kind of filter. If we could load software that allowed us to forward spams caught by other filters into it and it maintained a DNS blacklist we could have our servers use, we wouldn't need big public rbl's, everyone doing any kind of mail volume could easily run their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a distributed problem.

The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is dDOS'd, it is very hard for people to get removed. Running local blacklists on common themes (such as open proxy/open relay) has the same issue. Yes, one can blacklist the site, but how do you get it delisted once the problem is fixed? I had openrbl.org in my rejections for a while so that people could find all the blacklists that they were on. Since the dDOS of openrbl, I've had to change it to my local scripts which don't cover near what openrbl did.

-Jack
RE: monkeys.dom UPL being DDOSed to death
> The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is dDOS'd, it is very hard for people to get removed.

There shouldn't be a need for any removal process. A server should be listed for as long as the spam continues to come from it. Once the spam stops the blacklisting should stop as well. That is how a dynamic list SHOULD work.

Geo.
Re: monkeys.dom UPL being DDOSed to death
Geo. wrote:
> There shouldn't be a need for any removal process. A server should be listed for as long as the spam continues to come from it. Once the spam stops the blacklisting should stop as well. That is how a dynamic list SHOULD work.

Depends on the type of listing. Open proxies and open relays are best removed by request of the owner once they are fixed, or staled out after a retest at a later time, although retests should be few and far between (many use anything from 1-6 months). Just because spam is not temporarily coming from an insecure host does not mean that the host has been secured.

Direct spam is difficult to automatically detect, and reports are not always accurate (see SpamCop). It tends to be a very manual process. A lot of work goes into maintaining a list like SBL or SPEWS. Spam is also very transient, which makes local detection of a spammer's activities difficult. They may just be focusing on someone else for a week or two before plastering your servers again. If you removed them, they will do considerable damage before they get relisted via the manual process (delay between first email received and first recipient reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or unacceptable. Easynet, for example, lists a lot of mail senders which I accept mail for due to user demand. They consider the email spam or resource abuse (broken mailers) while I am meeting the demands of my customers who are paying to receive the email. This isn't a collateral damage issue. It is an issue of where a network decides to draw the line on accepting or rejecting email.

-Jack
Re: monkeys.dom UPL being DDOSed to death
Hi!

http://www.openrbl.org is also offline due to a DDoS. The official announcement can be read here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&newwindow=1&safe=off&selm=vn1lufn8h6r38%40corp.supernews.com

Bye, Raymond.
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Raymond Dijkxhoorn wrote:
> After Osirusoft was shut down most likely Infinite-Monkeys are going down also ??

Anyone SERIOUSLY interested in designing a new PTP RBL system 100% immune to DDOS, please drop me a line. By seriously, i mean those who actually want to solve the problem, not those who want to be whiny pedants.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: monkeys.dom UPL being DDOSed to death
Raymond Dijkxhoorn wrote:
> [Mimedefang] monkeys.dom UPL being DDOSed to death
> Jon R. Kibler [EMAIL PROTECTED]
> Tue Sep 23 14:15:01 2003
>
> The computer security industry really needs to figure out how to get law enforcement to take these attacks seriously. It would only take a few good prosecutions to put an end to these types of attacks. Any thoughts/suggestions?
>
> This is really a dark day for those of us fighting spam. It looks like the spammers have won a BIG battle. The only question now is who will be the casualty in this war?

This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd while the crime is being committed. These machines won't quiet down after the blacklists are shut down. They will keep attacking hosts. For the US market, this is a national security issue. These systems will be exploited to cause havoc among networks of all types and sizes; governmental and commercial.

Windows Update may be protected for now, but it still has limitations. It can be killed to the point of non-use. Then how will systems get patched to protect themselves from new exploits? The problem will escalate. There are many financial institutions online. Does anyone doubt that their security can be penetrated? What about DoD networks?

There are a lot of social aspects to internetworking. Changes need to be made. Power needs to be allocated appropriately. A reckoning needs to occur. All the businesses that make and spend mass amounts of money due to the Internet need to strongly consider that there won't be a product if the social ramifications are solved. Users don't want to be online and check email just to find hundreds of advertisements, pornography, and illegal material in their inbox. Users don't want to hear that they've been infected with the latest virus and can no longer be online until they fix the problem; usually resulting in money. Users don't want to hear that they can't reach site X because of some change in architecture. If the general masses get fed up with the Internet, there won't be an Internet.

Millions of dollars are easily being lost because of malicious activity on the Internet. Millions more are being lost due to differences of opinion in the governing bodies of the Internet. Is everyone so short-sighted and greedy as to not recognize that they are dying a slow financial death?

-jack
Re: monkeys.dom UPL being DDOSed to death
http://www.openrbl.org is also offline due to a DDoS.

---Mike

At 05:04 PM 23/09/2003, Joe St Sauver wrote:
> Hi,
>
> #This goes beyond spam and the resources that many mail servers are
> #using. These attacks are being directed at anti-spam organizations
> #today. Where will they point tomorrow? Many forms of breaking through
> #network security require that a system be DOS'd while the crime is being
> #committed. These machines won't quiet down after the blacklists are shut
> #down. They will keep attacking hosts. For the US market, this is a
> #national security issue. These systems will be exploited to cause havoc
> #among networks of all types and sizes; governmental and commercial.
>
> Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other push channels). You can immunize DNSBLs from attack, *provided* that you're willing to publicly distribute the contents of those DNSBLs.
>
> And when it comes to dealing with the sources of these attacks, we all know that there are *some* networks where security simply isn't any sort of priority. (For example, make it a practice to routinely see what ISPs consistently show up highly ranked on incident summary sites such as http://www.mynetwatchman.com/ ). Maybe the folks running those networks are overworked and understaffed, maybe they have legal constraints that limit what they can do, maybe their management just don't care as long as they keep getting paid. Who knows? Whatever the reason, no one is willing to depeer them or filter their routes, so they really are free to do absolutely *nothing* about vulnerable hosts or abusive customers. There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one.
>
> Regards,
>
> Joe St Sauver ([EMAIL PROTECTED])
> University of Oregon Computing Center
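Joe's point about DNSBLs that publish their zone and push periodic signed deltas, worked through as an added example (not code from the thread or from any DNSBL project): a mirror that only applies a delta whose tag verifies and whose sequence number is the next expected one, so a forged, altered or replayed delta never reaches the local zone. An HMAC-SHA256 tag with a constructed pre-shared key stands in for the PGP-signed Usenet messages he mentions; the zone name and addresses are constructed.

```python
import hmac
import hashlib
import ipaddress

# Constructed pre-shared key. The post suggests PGP-signed Usenet messages; HMAC-SHA256
# stands in here so the example runs offline with the standard library only.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def canonical(seq, ops):
    """Deterministic bytes for a delta: sequence number plus sorted (op, ip) lines."""
    body = "\n".join(f"{op} {ip}" for op, ip in sorted(ops))
    return f"seq={seq}\n{body}\n".encode()


def sign_delta(seq, ops, key=SIGNING_KEY):
    """Publisher side: delta message carrying its sequence number and a MAC tag."""
    tag = hmac.new(key, canonical(seq, ops), hashlib.sha256).hexdigest()
    return {"seq": seq, "ops": list(ops), "sig": tag}


class ZoneMirror:
    """Local copy of a public DNSBL zone, updated only from verified deltas."""

    def __init__(self, snapshot, seq, zone="bl.example."):
        self.listed, self.seq, self.zone = set(snapshot), seq, zone

    def apply(self, msg, key=SIGNING_KEY):
        """Verify, check ordering, validate, then apply. Returns a status string."""
        expect = hmac.new(key, canonical(msg["seq"], msg["ops"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, msg["sig"]):
            return "rejected: bad signature"        # tampered body or wrong publisher
        if msg["seq"] != self.seq + 1:
            return f"rejected: expected seq {self.seq + 1}, got {msg['seq']}"  # replay/gap
        for op, ip in msg["ops"]:                   # validate everything before mutating
            if op not in ("+", "-"):
                return f"rejected: unknown op {op!r}"
            ipaddress.IPv4Address(ip)               # raises on malformed entries
        for op, ip in msg["ops"]:
            (self.listed.add if op == "+" else self.listed.discard)(ip)
        self.seq = msg["seq"]
        return "applied"

    def query_name(self, ip):
        """Name a mail server looks up: reversed octets under the zone."""
        return ".".join(reversed(ip.split("."))) + "." + self.zone

    def lookup(self, ip):
        """Emulated DNS answer: 127.0.0.2 when listed, None for NXDOMAIN."""
        return "127.0.0.2" if ip in self.listed else None


def demo():
    mirror = ZoneMirror({"192.0.2.10"}, seq=41)                      # constructed snapshot
    good = sign_delta(42, [("+", "198.51.100.7"), ("-", "192.0.2.10")])
    r_good = mirror.apply(good)
    tampered = dict(good, ops=[("+", "203.0.113.9")])               # body altered, tag kept
    r_tampered = mirror.apply(tampered)
    r_replay = mirror.apply(good)                                   # same delta again
    return r_good, r_tampered, r_replay, mirror.lookup("198.51.100.7"), mirror.lookup("192.0.2.10")
```

The sequence check is what makes the push channel safe to consume from an untrusted relay: a valid old delta can be re-posted by anyone, but the mirror will not roll back to it.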
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Joe St Sauver wrote:
> There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one.

china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Jack Bates wrote:
> This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd while the crime is being committed. These machines won't quiet down after the blacklists are shut down. They will keep attacking hosts. For the US market, this is a national security issue. These systems will be exploited to cause havoc among networks of all types and sizes; governmental and commercial.

It's somewhat funny. Quite some time ago, us IRC server operators warned about this same thing, and were mostly just told to not run IRC servers. The anti-spammers will likely just get told to not run DNSBL's. This only works up until the point that it's YOUR service that's getting hit and people tell you to stop running it.

For several years now I've noticed a trend of technologies being used to attack IRC servers being later abused to send SPAM. First it was the open wingates, then the misconfigured Cisco's, then the HTTP Proxies. It looks like the large botnets are now being harvested by spammers to fight the Anti spammers. This is something we IRC server admins, and other high profile services like it which draw such attacks have been dealing with for some time.

Ron, good luck with it. You're stuck between a rock and a hard place. If you down it the kiddies win again, and will feel they can bully the next guy. If you don't your network is crippled. It's a no win situation.

Jason
--
Jason Slagle - CCNP - CCDP
ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said:
> china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.

Well.. that's all fine and good, except we first need one large player to put their foot down and say "That's enough of this manure, we're depeering you and blocking your prefixes till you clean up your act." Once *one* big player does that, your "eventually happening" will be pretty fast.
Re: monkeys.dom UPL being DDOSed to death
Joe St Sauver wrote:
> Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other push channels). You can immunize DNSBLs from attack, *provided* that you're willing to publicly distribute the contents of those DNSBLs.

Actually, SBL has had a lot of issues. The issue isn't always with the dns zones. It is true that one can distribute the zones to make dDOS more difficult; although not impossible. However, in the case of SBL, they have had issues with the web servers being dDOS'd. The ability to look up why a host is blacklisted, and in the case of relay/proxy lists to request removal, is also important. There are still a lot of blacklists out there; njabl, ordb, dsbl, reynolds, sbl, and spews (in a round about sort of way).

Yet what happens when a business decides to destroy his competitor's website? What happens when someone decides they don't like magazine X or vendor X and attacks their web farms? Shall the Internet be called akamai? Don't get me wrong. It's a good service, but not invulnerable. windowsupdate.com can still be brought to its knees if the attacker is persistent enough. Of course, when big money businesses are involved, things get done. Yet what about the smaller business or the charity? What about critical infrastructure? Does anyone claim that MAE East and West couldn't be made inoperational by dDOS? How does that shift the network and peering? What are the ramifications?

Of the various RPC worms, spybot is the most malicious in intent. Yet what if parts of Swen/Gibe/Sobig.F were incorporated into blaster. Process terminations to make repair difficult and to open the computer to other viruses and vulnerabilities. Installed proxy servers and bots. Keyloggers. Now collect your information, gather your bots, and watch a single phrase create destruction.

Things have not improved over the last year. They have gotten worse. The Internet is more malicious than ever. It is quickly becoming the Inner City Projects of communication. Greed and hatred created some of the worst neighborhoods in the world. The same concept will apply to the network. If action isn't taken, it will get worse. More money will be lost over the coming years. Many people will be hurt. Communication will be impaired.

Question: Why is it not illegal for an ISP to allow a known vulnerable host to stay connected and not even bother contacting the owner? There are civil remedies that can be sought but no criminal. Bear in mind, these vulnerable hosts are usually in the process of performing malicious activity when they are reported. Ron has reported many of the IP addresses that dDOS'd monkeys.com. Under the same token, Ron has also reported to many ISP's about spammers which have abused servers under his control, scanning and utilizing open proxies; which is theft of resources. Why is nothing done about these people? Why is the ISP not held liable for allowing the person to continue in such malicious activity?

-Jack
Re: monkeys.dom UPL being DDOSed to death
On Tuesday, Sep 23, 2003, at 17:32 Canada/Eastern, [EMAIL PROTECTED] wrote:
> On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said:
>> china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.
>
> Well.. that's all fine and good, except we first need one large player to put their foot down and say "That's enough of this manure, we're depeering you and blocking your prefixes till you clean up your act." Once *one* big player does that, your "eventually happening" will be pretty fast.

In my recent experience, there are many, many network operators in North America and Europe who are really, really bad at tracking back source-spoofed DDoS traffic through their networks (there are also some notable, fine exceptions I've dealt with recently, who know who they are and should not feel slighted by this generality). If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately. This is not just an Asian problem.

(Incidentally, I think if one big player suddenly decided to throw away the millions of dollars of revenue they earn through providing transit to east Asian countries, the likely effect would be another grateful big player leaping in to take over. I don't see a future in which the well-being of users in other peoples' networks trumps income.)

Joe
Re: monkeys.dom UPL being DDOSed to death
Dan Hollis wrote:
> china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.

This invites the question if the hijacked PC or the hijacker in the sunshine state is more guilty of the spam and ddos? I would expect disconnecting .fl.us to have more positive effect on the Internet as a whole than would .cn.

Pete
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Joe Abley wrote:
> If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately.

it gets worse. there are operators who *are* equipped, but refuse to deal not only with ddos tracking but with shutting off confirmed sources within their networks. the response is 'we will deal with it when we get a subpoena'.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Jason Slagle wrote:
> It's somewhat funny. Quite some time ago, us IRC server operators warned about this same thing, and were mostly just told to not run IRC servers.

A private IRC server with one user isn't much fun.

> The anti-spammers will likely just get told to not run DNSBL's. This only works up until the point that it's YOUR service that's getting hit and people tell you to stop running it.

A private DNSBL with one user works just fine. If whoever is behind this succeeds in driving all the DNSBLs off the net, what they'll really do is drive them all underground. In the short term, lots of networks will lose access to the public DNSBLs they've been using. The spammers will rejoice, but that will only fuel the creation of hundreds (maybe thousands) of new private DNSBLs. Necessity is the mother of invention. Those with clue will run their own. A lot of those without will too. Some will likely even latch onto the last snapshot they got before the DNSBLs they were syncing went offline/private. These will, of course, get out of date and out of sync almost immediately. Once you host a customer who turns out to be a spammer, good luck getting those IPs removed from 1 private DNSBLs. E-mail abuse management may be the next field to really open up with job opportunities as networks will have to contact a large portion of the internet to try to get IPs cleared from everyone's private DNSBL...most of which will be poorly documented if at all.

Just over 2 years ago, I posted a message titled "Affects of the balkanization of mail blacklisting" about how ex-MAPS users were using out-of-sync copies of the MAPS DUL after MAPS went commercial and those networks presumably lost access to the data. I guess that was just the tip of the iceberg.

--
Jon Lewis [EMAIL PROTECTED]| I route
Senior Network Engineer | therefore you are
Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: monkeys.dom UPL being DDOSed to death
On 9/23/2003 at 5:16 PM, Mike Tancsa [EMAIL PROTECTED] wrote:
> http://www.openrbl.org is also offline due to a DDoS.

And the ignorance of front-end personnel in LE agencies, unless you are the NY Times and claim $500,000 in purely fictitious damages, can be a bit frustrating.

Spamcop and Spamhaus have been undergoing intense DDoS attacks for months, and I am only partially aware how they are being mitigated. If certain large operators can donate bandwidth and equipment for IRC servers in locations with OC-12 and better connectivity, AND live through the DDoS attacks that come with it, why not step forward and provide some forwarding-proxy service for some of the websites and distribution sites for DNSBLs, plus possibly proxying DNS traffic? OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the bandwidth required for actual application traffic can be very low (0.5Mbps or less), not counting DDoS traffic. No arrangements of that kind have to be public knowledge.

Other measures:

- Got a spare /20 that can be used to make the forwarding proxy hop around a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range? It's been done with 'moving-target' spamvertised sites like optinspecialists.info, which is currently using a LARGE number of compromised Windows hosts illegally to proxy DNS and HTTP traffic for them. They've been doing it for weeks. Do the registrars care? Hell no. (See morozreg.biz, bubra.biz, the domains used for DNS, domains you probably want to add local zone overrides for, in your nameservers, not your HOSTS file.) Now we know how Al-Qaeda is hiding their websites, at last. It would be trivial to 'sinkhole' DoS traffic still going on to IPs of the recent past, greatly increasing the chances of catching the perpetrators as they keep switching their trojans to new IPs, hitting a few fully-sniffed honeypots while they are at it.

- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.

If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause.

bye, Kai
Re: monkeys.dom UPL being DDOSed to death
On Wed, 24 Sep 2003, Petri Helenius wrote:
> Dan Hollis wrote:
>> china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.
>
> This invites the question if the hijacked PC or the hijacker in the sunshine state is more guilty of the spam and ddos?

the operator hosting the hijacked PC is guilty if they are notified and refuse to take action. which seems to be all too common these days with universities and colocation companies.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: monkeys.dom UPL being DDOSed to death
--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote:
> - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.

Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, John Payne wrote:
> --On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote:
>> - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.
>
> Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?

they still make static targets for ddos, the only difference is there's a few more of them.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: monkeys.dom UPL being DDOSed to death
--On Tuesday, September 23, 2003 4:56 PM -0700 Dan Hollis [EMAIL PROTECTED] wrote:
> On Tue, 23 Sep 2003, John Payne wrote:
>> --On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote:
>>> - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.
>>
>> Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?
>
> they still make static targets for ddos, the only difference is there's a few more of them.

Yep
Re: monkeys.dom UPL being DDOSed to death
> Ron, good luck with it. You're stuck between a rock and a hard place. If you down it the kiddies win again, and will feel they can bully the next guy. If you don't your network is crippled. It's a no win situation.

If any of the dos'ed to death rbls really wants to get back at the spammers it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward to address) to maintain their own highly dynamic blacklist.

Blacklists are just one kind of filter. If we could load software that allowed us to forward spams caught by other filters into it and it maintained a DNS blacklist we could have our servers use, we wouldn't need big public rbl's, everyone doing any kind of mail volume could easily run their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a distributed problem.

Resistance is NOT futile.

Geo.
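Geo.'s proposal here, and his earlier exchange with Jack about whether a listing should time out or be removed on request, as an added example that is not code from the thread or from any DNSBL software: a per-site blacklist fed by forwarded spam, where dynamic listings expire once reports stop (Geo.'s model) while open relay/proxy listings stay until the owner asks for removal after a fix (Jack's point). The zone name, the 7-day window, the constructed forwarded message and the hop-trust rule for Received: headers are all assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass

# Assumed policy: a report keeps a dynamic listing alive for 7 days after the last report.
DYNAMIC_TTL = 7 * 24 * 3600

# Constructed forwarded spam; only the Received: line our own MX added is trusted.
CONSTRUCTED_SPAM = """Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.ourdomain.example with ESMTP id abc123
Received: from [10.0.0.1] by mail.example.net; forged by the sender
Subject: buy now
"""


@dataclass
class Entry:
    reason: str
    last_seen: int
    count: int = 1
    manual: bool = False   # relay/proxy listing: removed only on request, never by timeout


def sender_ip_from_headers(raw):
    """Return the sending IP from the topmost Received: header (added by our MX)."""
    hop = []
    for line in raw.splitlines():
        if hop and not line[:1].isspace():
            break   # end of the first header's continuation lines
        if hop or line.startswith("Received:"):
            hop.append(line)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(hop))
    return m.group(1) if m else None


class LocalDNSBL:
    """Per-site DNSBL fed by forwarded spam: timeout-based listings for spam sources
    (Geo.'s model) plus request-based removal for relay/proxy listings (Jack's point)."""

    def __init__(self, zone="bl.internal.example.", ttl=DYNAMIC_TTL):
        self.zone, self.ttl, self.entries = zone, ttl, {}

    def report(self, ip, reason, when, manual=False):
        ipaddress.IPv4Address(ip)   # reject garbage before it reaches the zone
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = Entry(reason, when, manual=manual)
        else:
            e.last_seen, e.count, e.reason = max(e.last_seen, when), e.count + 1, reason
            e.manual = e.manual or manual

    def listed(self, ip, now):
        e = self.entries.get(ip)
        return e is not None and (e.manual or now - e.last_seen <= self.ttl)

    def expire(self, now):
        """Drop dynamic listings whose reports have stopped; manual ones stay."""
        gone = sorted(ip for ip, e in self.entries.items()
                      if not e.manual and now - e.last_seen > self.ttl)
        for ip in gone:
            del self.entries[ip]
        return gone

    def delist(self, ip):
        """Owner-requested removal after a fix, the step a DDoSed website blocks."""
        return self.entries.pop(ip, None) is not None

    def zone_file(self, now):
        """Records as a mail server queries them: reversed octets, A plus TXT reason."""
        lines = []
        for ip, e in sorted(self.entries.items()):
            if self.listed(ip, now):
                name = ".".join(reversed(ip.split("."))) + "." + self.zone
                lines.append(f"{name} IN A 127.0.0.2")
                lines.append(f'{name} IN TXT "{e.reason}; reports={e.count}"')
        return "\n".join(lines)


def demo():
    bl, t0 = LocalDNSBL(), 1_000_000
    ip = sender_ip_from_headers(CONSTRUCTED_SPAM)
    bl.report(ip, "user-forwarded spam", t0)
    bl.report("198.51.100.7", "open relay, verified", t0, manual=True)
    later = t0 + 8 * 24 * 3600
    return ip, bl.expire(later), bl.listed("198.51.100.7", later), bl.delist("198.51.100.7")
```

Taking the sender IP only from the Received: line written by your own MX is the check that keeps user-forwarded spam from listing whatever address a spammer chose to forge in the lower hops.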
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Geo. wrote:
> If any of the dos'ed to death rbls really wants to get back at the spammers it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward to address) to maintain their own highly dynamic blacklist.

Already been done.

http://spamikaze.nl.linux.org/

--
Jon Lewis [EMAIL PROTECTED]| I route
Senior Network Engineer | therefore you are
Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_