Discussion:
Speaking of spamhaus...
Barry Shein
2013-03-27 15:26:43 UTC
Possibly interesting:

Big DDoS against SpamHaus, allegedly by CyberBunker...

http://www.bbc.co.uk/news/technology-21954636

...Recently, Spamhaus blocked servers maintained by Cyberbunker, a
Dutch web host which states it will host anything with the exception
of child pornography or terrorism-related material.

Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker,
said, in a message, that Spamhaus was abusing its position, and
should not be allowed to decide "what goes and does not go on the
internet".

Spamhaus has alleged that Cyberbunker, in cooperation with "criminal
gangs" from Eastern Europe and Russia, is behind the attack...

...

"If you aimed this at Downing Street they would be down
instantly," he said. "They would be completely off the internet."

He added: "These attacks are peaking at 300 gb/s (gigabits per
second).

"Normally when there are attacks against major banks, we're talking
about 50 gb/s."...
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Paul Smith
2013-03-27 15:59:19 UTC
Post by Barry Shein
Big DDoS against SpamHaus, allegedly by CyberBunker...
http://www.bbc.co.uk/news/technology-21954636
Yes, I saw that as well. Not really sure what can be learned from it though.

(Though I thought it was pretty cool that people like Google had jumped
in to help Spamhaus 'absorb the traffic')

-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Steve Atkins
2013-03-27 16:08:21 UTC
Post by Paul Smith
Post by Barry Shein
Big DDoS against SpamHaus, allegedly by CyberBunker...
http://www.bbc.co.uk/news/technology-21954636
Yes, I saw that as well. Not really sure what can be learned from it though.
A 300Gb/s attack that lasts well over a week tells me that spammers are criminals, ISP security desks aren't sufficiently responsive about abuse coming from their networks and that pipes are really quite big.

More on-topic, remember that any FUSSP you come up with needs to be robust against whatever behaviour it provokes your opponent to adopt.

Cheers,
Steve



Neil Schwartzman
2013-03-27 17:41:12 UTC
Post by Steve Atkins
More on-topic, remember that any FUSSP you come up with needs to be robust against whatever behaviour it provokes your opponent to adopt.
Oh, and also FUSSP is a mythical beast. Whatever measure the good guys take, the criminals will adapt to. Close relays? They use web proxies. Close proxies, they create botnets. One of the long-standing issues initially was that far too many people dismissed spammers as 'stupid' and 'kids in their parents' basement'. They are organized criminal gangs, make no mistake. They will fuck you up physically, and they are to be feared.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
http://www.cauce.org/2010/11/kidnapping-theft-and-rape-are-not-cyber-crimes.html
David Romerstein
2013-03-27 17:45:26 UTC
Post by Neil Schwartzman
One of the long-standing issues
initially was that far too many people dismissed spammers as 'stupid'
and 'kids in their parents' basement'. They are organized criminal
gangs, make no mistake. They will fuck you up physically, and they are
to be feared.
http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
As much as I agree with your sentiment, Krebs' attacker(s) in this
instance aren't (known to be) spammers. You've chosen a poor example.

-- D
Graeme Fowler
2013-03-28 09:51:30 UTC
Post by David Romerstein
As much as I agree with your sentiment, Krebs' attacker(s) in this
instance aren't (known to be) spammers. You've chosen a poor example.
Speaking very much from the cheap seats, I don't believe that matters a
jot.

Where large amounts of money are involved, whatever the methodology for
making it - people will fight to protect their methods. It's been seen
throughout history.

The point isn't whether or not that's a particularly good example. The
point is that what we (the "Internet community", for want of a better
term) are trying to do is to hurt the revenue streams of a small section
of that "community". That's never well received.

Graeme

Dan Oetting
2013-03-28 14:57:58 UTC
Post by Barry Shein
Big DDoS against SpamHaus, allegedly by CyberBunker...
http://www.bbc.co.uk/news/technology-21954636
Why are forged source addresses tolerated?

I don't care how convoluted the network is, eventually it gets down to a few gateways into a zone with a well-defined set of valid addresses. At those gateways they can implement egress filtering to keep invalid packets from getting out. In the wider network where bandwidths may be too high or routing maps too complex for real-time filtering, sampling can be employed to detect probable sources of forged addresses.

--Dan O.

Dave Warren
2013-03-28 21:26:19 UTC
Post by Dan Oetting
Post by Barry Shein
Big DDoS against SpamHaus, allegedly by CyberBunker...
http://www.bbc.co.uk/news/technology-21954636
Why are forged source addresses tolerated?
I don't care how convoluted the network is, eventually it gets down to a few gateways into a zone with a well-defined set of valid addresses. At those gateways they can implement egress filtering to keep invalid packets from getting out. In the wider network where bandwidths may be too high or routing maps too complex for real-time filtering, sampling can be employed to detect probable sources of forged addresses.
In more complicated network environments where your customer owns their
own IPs, they might well use split routing techniques which generate
traffic that isn't forged in a practical sense, but from a technical
perspective, it's indistinguishable.

This is a solvable problem, but inertia is powerful, change is painful.

I still remember a time when I had a couple consumer/SMB grade
connections and could route outbound packets indiscriminately between
the two, taking advantage of my DSL provider's static subnet and my
cable modem's faster upstream. Good times, while it lasted.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
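
Added example, not part of the original thread: a Python sketch of the per-gateway source-address check and the sampling-based detection Dan Oetting describes, including the multihomed-customer case Dave Warren raises. The port names, prefixes (documentation ranges), samples and threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes each customer-facing port may legitimately source.
# "cust-b" is multihomed and also sends from its own block through this port.
ALLOWED = {
    "cust-a": ["198.51.100.0/25"],
    "cust-b": ["198.51.100.128/25", "203.0.113.0/24"],
}

# Constructed 1-in-N packet samples: (ingress port, source address).
SAMPLES = [
    ("cust-a", "198.51.100.10"),
    ("cust-a", "192.0.2.55"),
    ("cust-a", "192.0.2.77"),
    ("cust-a", "198.51.100.200"),
    ("cust-b", "203.0.113.9"),
    ("cust-b", "198.51.100.130"),
    ("cust-b", "192.0.2.1"),
]

def compile_acl(allowed):
    """Parse prefix strings once so per-packet checks are cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in allowed.items()}

def source_is_valid(acl, port, src):
    # Fail closed: a port with no registered prefixes has no valid sources.
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl.get(port, []))

def suspect_ports(acl, samples, min_ratio=0.5):
    """Return {port: invalid fraction} for ports at or above min_ratio."""
    seen, bad = Counter(), Counter()
    for port, src in samples:
        seen[port] += 1
        if not source_is_valid(acl, port, src):
            bad[port] += 1
    ratios = {port: bad[port] / seen[port] for port in seen}
    return {port: r for port, r in ratios.items() if r >= min_ratio}

ACL = compile_acl(ALLOWED)
if __name__ == "__main__":
    print(suspect_ports(ACL, SAMPLES))
```

If the customer-owned 203.0.113.0/24 entry is left out of the list for "cust-b", its legitimate split-routed traffic is classified the same as forged traffic, which is the operational cost Dave Warren points to.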

Ian Eiloart
2013-04-08 12:44:44 UTC
Post by Barry Shein
Big DDoS against SpamHaus, allegedly by CyberBunker...
http://www.bbc.co.uk/news/technology-21954636
...Recently, Spamhaus blocked servers maintained by Cyberbunker, a
Dutch web host which states it will host anything with the exception
of child pornography or terrorism-related material.
arstechnica has a good account of this attack:

http://arstechnica.com/security/2013/04/can-a-ddos-break-the-internet-sure-just-not-all-of-it/
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
