Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet

from the the-hidden-war dept

Update: Gizmodo is calling bullshit on these claims. They're likely correct that this attack was not a "threat" to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.

We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the better-known providers of blacklists of spam-sending IP addresses. For what it's worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers, and, to some extent because of that, it seems like some who use the Spamhaus list rely on it a bit too heavily. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes those whom it pisses off aren't particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spam list. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, which was able to mitigate the worst of the attack.

But... that just led to round two, in which whoever was behind the DDoS went much, much bigger, attacking several of the providers that supply Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet. And it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to "breaking" the internet should get you to wake up.
Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.

The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
The attackers say they're protesting Spamhaus acting as the internet's police:
Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."
Of course, all of this has clearly exposed a big vulnerability in the setup of the internet, and suggests that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there that can be used to launch massive DDoS attacks. (An open resolver answers recursive queries from anyone, and since DNS runs over UDP an attacker can forge the victim's address as the source, so the resolver's much larger replies land on the victim rather than on the attacker.) Because of that, security folks are rushing around to see if they can convince people to close as many of the approximately 21.7 million open resolvers out there:
While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.

We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.
Basically, over the last week or so, there's been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.
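To make the mechanism concrete, here is an added example, written for this page and not code from Cloudflare, Spamhaus or the Open Resolver Project, of what an open-resolver probe looks like on the wire and why the answer matters. It builds a recursive ANY query with an EDNS0 buffer-size hint, classifies a reply from its header flags, and measures the amplification ratio. The replies are constructed byte strings, not captures; the query name `example.com`, the transaction id and the synthetic 192.0.2.1 answer records are assumptions for the demonstration. The `probe_resolver` function that actually sends the packet is included for completeness, needs network access, and should only be pointed at resolvers you are authorised to test.

```python
"""Open-resolver probe and amplification measurement, shown offline.

Added example for this page; not Cloudflare's, Spamhaus's or the Open Resolver
Project's code. Replies below are constructed, not captured.
"""
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_NOERROR = 0
RCODE_REFUSED = 5

QTYPE_ANY = 255        # historically the amplifier's favourite: big answers
QCLASS_IN = 1
EDNS_UDP_SIZE = 4096   # tells the server we accept replies well above 512 bytes


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_probe(name: str, txid: int = 0x1234) -> bytes:
    """Recursive query (RD=1) for `name` with an EDNS0 OPT record.

    This is the packet an attacker sends with the victim's address forged as
    source: a 40-byte request that an open resolver answers with a far larger reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": an}


def classify(probe: bytes, reply: bytes) -> str:
    """Decide from the reply header whether the server recursed for a stranger."""
    if len(reply) < 12:
        return "no-answer"
    h = parse_header(reply)
    if h["id"] != parse_header(probe)["id"] or not h["qr"]:
        return "no-answer"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open"       # recursed for us: usable as an amplifier
    if h["rcode"] == RCODE_REFUSED:
        return "refused"    # ACL in place; still a reply, but a small one
    return "closed"


def amplification(probe: bytes, reply: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends."""
    return len(reply) / len(probe)


def constructed_reply(probe: bytes, rcode: int, n_records: int = 0) -> bytes:
    """Build a reply echoing the probe's question (constructed, not captured).

    Each synthetic answer is a 16-byte A record whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = parse_header(probe)["id"]
    end = probe.index(b"\x00", 12) + 1 + 4          # name terminator + qtype/qclass
    question = probe[12:end]
    flags = FLAG_QR | FLAG_RD | rcode
    if rcode == RCODE_NOERROR:
        flags |= FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, 1, n_records, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * n_records


def probe_resolver(ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the probe over UDP and classify the answer. Needs network access;
    only run it against resolvers you are authorised to test."""
    probe = build_probe(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(probe, (ip, 53))
        try:
            reply, _ = s.recvfrom(EDNS_UDP_SIZE)
        except socket.timeout:
            return "no-answer"
    return classify(probe, reply)


if __name__ == "__main__":
    p = build_probe("example.com")
    for label, r in (("open", constructed_reply(p, RCODE_NOERROR, 30)),
                     ("refused", constructed_reply(p, RCODE_REFUSED))):
        print(label, classify(p, r), f"{amplification(p, r):.1f}x")
```

The REFUSED case is the one comments 10 and 23 below argue about: an ACL-restricted BIND still answers, so it shows up in a naive scan and still sends a packet to the spoofed victim, but the reply is smaller than the request, so it gains the attacker nothing. The open case, with a padded ANY answer returning more than ten bytes for every byte sent, is the one worth closing.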

Filed Under: ddos, internet, internet infrastructure, under attack
Companies: cyberbunker, spamhaus


Reader Comments



  1. Jay (profile), 27 Mar 2013 @ 6:21pm

    Hmmm...

    Call me skeptical but I'm thinking this is a way to try to pass CISPA in the chaos.

    It won't help solve the problem but politicians would use the "cyberwar" to begin a real war.

  2. silverscarcat (profile), 27 Mar 2013 @ 6:54pm

    OH!

    So THAT'S why all the porn sites suddenly stopped working.

  3. Ninja (profile), 27 Mar 2013 @ 7:23pm

    Interesting. There could be ways to tackle this problem without having to wait patiently for some clueless people to close such resolvers. I wonder what it'll be.

    I also believe the attackers aren't interested in 'breaking' the internet. But the US could use this to do some major damage and then put in place the cyber-Patriot Act. Regardless of people calling it horseshit or whatever, it's a matter to keep an eye on. If it's fairytales then nice, we are near April 1st, but if not..

    In any case, even if some bored kids do break the internet this way there's no reason for anything like CISPA. But it will be used as an example of why it's needed...

  4. Anonymous Coward, 27 Mar 2013 @ 8:10pm

    Oh, is this an example of the cybersecurity FUD you were talking about? Members will be running down the corridors tomorrow to co-sponsor and "enhance" CISPA reform.

  5. Anonymous Coward, 27 Mar 2013 @ 8:21pm

    Re:

    Why do you need to be inflammatory?! Mike just made a mistake that many others, like the New York Times and Ars Technica, made. You could have simply pointed that out the way Rikuo did.

  6. Anonymous Coward, 27 Mar 2013 @ 8:32pm

    Re:

    Gizmodo is a bunch of horseshit.
    Regardless of whether or not they're right about this.

  7. Nigel (profile), 27 Mar 2013 @ 8:48pm

    Re:

    I read one on the Telegraph, that was, quite simply, wrong.
    Bunker=everyone loses their mind.

    N.

  8. Anonymous Coward, 27 Mar 2013 @ 8:54pm

    My god! Don't you all see what's going on! It's a goddamn diversion for a fire sale! The end is near! The end is near!

    /MOTHER FUCKING S!

  9. Watchit (profile), 27 Mar 2013 @ 9:08pm

    Yeah, it's starting to look like a bunch of hyperbole on Cloudflare's part. But that's silly, they wouldn't gain anything from scare mongering... oh wait! They do!

  10. Manabi (profile), 27 Mar 2013 @ 9:34pm

    Not sure the OpenResolver list is useful

    I manage a couple of servers, I just checked that site for the IPs of them all, and it has one server listed. But... It's configured to not allow recursion except to a limited set of IP addresses that are other servers specifically allowed to access it for DNS lookup. I just tested it and it is NOT allowing recursion to other addresses, so it's working properly.

    Apparently BIND reports that recursion is enabled, even if it's not available for the IP address doing the check. So how many of those servers are like mine, allowing recursive lookups for only specific IPs and not doing recursion to the Internet at large? Those servers aren't part of the problem.

    The site seems to recognize this but not explicitly, only saying that of the 27 million servers they list, only roughly 25 million pose a threat. If they want the owners of servers to fix things, they need to provide more information than they have available. Hopefully this is just a hurried attempt to get the site up and they'll be adding more info. Otherwise I suspect it's going to be useless in the goal of reducing the number of open resolvers.

  11. Miff (profile), 27 Mar 2013 @ 9:37pm

    At the very least, say goodbye to open dns resolvers after this...

  12. G Thompson (profile), 27 Mar 2013 @ 9:39pm

    Re:

    Gizmodo, and I really hate to say this.. is absolutely correct in this matter.

    Also 300Gbps is a drop in the ocean to T1 systems..

    As for the Open DNS resolvers out there, well yes it CAN be a problem but it's not as bad as anyone thinks it is and upstream systems are in place to mitigate any problems.

    Another way to remove these 21.7 million 'open' resolvers (my bullshit detector just exploded at that figure) is to actually update, and there's a notion, BIND to the latest version. Something that should be done anyway.

    Also giving it the 'recursion no' option is a good thing no matter what!

    The rest of the article about Spamhaus and Cloudflare is FUD made to let them moan and market their services and complain how someone didn't like them. Oh and make people think things like CISPA are needed even more so. [Look at who benefits from CISPA and who controls both orgs]

    Yes Spamhaus is ok, but it's not the only Spam black lister and anyone who has looked at the way Spamhaus actually manages and authenticates (rarely) their lists knows that they have a huge false flag problem

  13. G Thompson (profile), 27 Mar 2013 @ 10:03pm

    For those interested this article at RT [ http://rt.com/news/spamhaus-threat-cyberbunker-ddos-attack-956/ ] shows a lot more about what Spamhaus actually is and the reasons why Cyberbunker think it was attacked.

    Personally I can't stand Spamhaus and how they try to place themselves above actual laws and due process. And neither can a lot of other people. Cloudflare also have a lot of explaining to do as to why they tried to push the attack onto their upstream provider LINX and why they didn't remove the Spamhaus site (as per industry standard practice) instead of allowing their other 1000+ customers to suffer losses due to one specific attack on a SINGLE customer. And let's not get into the fact that the attack was NOT on the IX infrastructure but instead purely directed at Cloudflare/Spamhaus only, and Cloudflare then used their IX IPs to bear traffic instead, which is WRONG and a cause for any customer of Cloudflare to re-assess their contract!

    As for Cloudflare's blog post.. Total marketing hype, and a cause for concern is their usage of the top graphic of the two faces which in reality is actually the photo used by the English band Massive Attack [ http://www.audiodrums.com/2010/01/18/new-massive-attack-paradise-circus-ft-hope-sandoval-of-mazzy-star/ ]. The hype and FUD and bullshit is strong in this whole story

  14. Pixelation, 27 Mar 2013 @ 10:17pm

    There outta be a law

    Oh my God! It's Cyber-Warfare. Congress, please save us!

  15. horse with no name, 27 Mar 2013 @ 10:30pm

    Almost broke the internet is like almost pregnant. It didn't happen, so no biggie.

    Even if it did "break" the internet, what would really happen? For a while, some sites might not be reachable. The world would not end, people would not starve, the planet would not stop spinning. If it happens, it happens, move along and go watch TV for a while instead.

  16. The Old Man in The Sea, 27 Mar 2013 @ 10:34pm

    Effects of attack on Spamhaus and Cloudflare for us

    About the only effect I've seen so far has been a slow down of video downloading from youtube (woodworking videos). I thought it was because I had reached my limit on downloads. But my downloads were still far too fast for that.

    Yawn, yawn to attack.

    A note though, a town in the west of the state had a fire in the local exchange which did knock out communications and the last to get back up was the internet (apparently took weeks to fix). So for my book, actual physical destruction stops access rather than software related problems.

  17. lfroen (profile), 27 Mar 2013 @ 10:57pm

    Load of crap

    First of all: it's technically impossible to "overwhelm" a T1 network. It's not your crappy $50 home router; it's designed to remain functional under near 100% utilization.
    Second, 100G is not that much (in such a network). There are routers where _every_ _single_ _port_ is 100G.
    Yes, you read this correctly: while your home router port is usually 1G, and typically utilized at 30%, in T1 networks routers are designed to be "wire-speed", and can utilize all of the 100G ports at almost 100% at once without hanging/stacking/etc.
    So no, the Internet was not close to being "broken", whatever that means; and yes, Techdirt again publishes rubbish about technical subjects. Please stay on patents/copyrights topics next time.

  18. Anonymous Coward, 27 Mar 2013 @ 11:20pm

    Has the time come yet to utilize a few of them Bunker Buster bombs that we have?

  19. Anonymous Coward, 28 Mar 2013 @ 12:18am

    Dvorak also thinks the real target was Wikileaks:

    http://www.pcmag.com/article2/0,2817,2417142,00.asp

  20. Anonymouse, 28 Mar 2013 @ 12:43am

    The resolvers arem

  21. Anonymouse, 28 Mar 2013 @ 12:43am

    The resolvers are't the issue the ISP

  22. Anonymouse, 28 Mar 2013 @ 12:51am

    The resolvers aren't the issue, the ISPs are

    Don't know why it submitted before I pressed submit. The issue here is that the various ISPs should put ingress and egress filters on their gateways: if the source address trying to leave my network isn't on my network, it goes to /dev/null; the same for incoming traffic, if the destination trying to enter my network isn't on my network or routed by me to another network, again it goes nowhere. The main problem is solved this way. Even if all the DNS servers out there reachable are only the ones that are authoritative for a few zones, this can still cause problems; the network needs to be cleaned up from a routing perspective, but I guess too many lazy ISPs and their techies couldn't care less about what traffic traverses their pipes.

  23. Anonymouse, 28 Mar 2013 @ 1:00am

    Re: Not sure the OpenResolver list is useful

    The problem is, even if you don't recurse for everyone, you probably respond to recursion queries for those you don't recurse for with a "que? authoritative server is", which of course still generates traffic. This is a minor issue compared to correct egress filtering on the border gateways of every ISP that *should* be in place, but in most cases is not.
    The reason this kind of attack works is because UDP (simple DNS query) does not handshake, so you can get some machines under your control to send falsified UDP query packets with the falsified source address of your target to even legit DNS servers, those that will always be around, and they will respond to your target, not you, obviously. But if the target address does not fall within the scope of the ISP where your remote machine is sitting, and this ISP has proper egress filtering, this would fail, since the packet would get silently dropped, so no issue.
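Comments 22 and 23 above describe the filter that removes the spoofing these attacks depend on. What follows is an added example, not any ISP's or router vendor's configuration, that models that filter in Python: the egress check is BCP 38 (RFC 2827) source-address validation, and the ingress destination check is the commenter's addition beyond it. The prefixes and addresses are RFC 5737 and RFC 3849 documentation ranges, the `EdgeFilter` and `Packet` names are this example's own, and the traffic is constructed.

```python
"""Source-address validation at an ISP edge (BCP 38 / RFC 2827), as a filter model.

Added example for this page; not any ISP's or vendor's configuration. All
addresses are documentation ranges and the traffic is constructed.
"""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


class EdgeFilter:
    """The two checks comment 22 describes, applied at the customer-facing
    router of an ISP that has assigned `customer_prefixes` to that customer."""

    def __init__(self, customer_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]

    def is_ours(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        # `in` is False across address families, so v4/v6 prefixes can mix
        return any(a in p for p in self.prefixes)

    def egress(self, pkt: Packet) -> str:
        """Customer -> Internet. This is the BCP 38 check: a packet leaving the
        customer network must carry a source address from that network."""
        return "forward" if self.is_ours(pkt.src) else "drop-spoofed-source"

    def ingress(self, pkt: Packet) -> str:
        """Internet -> customer. A packet from outside claiming one of our own
        addresses is forged; one addressed to space we do not route is unroutable."""
        if self.is_ours(pkt.src):
            return "drop-spoofed-source"
        if not self.is_ours(pkt.dst):
            return "drop-not-routed-here"
        return "forward"


# Constructed scenario: attacker on the customer network, victim and resolver elsewhere
CUSTOMER_PREFIXES = ["198.51.100.0/24", "2001:db8:1::/48"]
ATTACKER = "198.51.100.7"
VICTIM = "203.0.113.10"
OPEN_RESOLVER = "192.0.2.53"


def spoofed_queries(n: int) -> list:
    """DNS queries the attacker forges with the victim's address as source."""
    return [Packet(src=VICTIM, dst=OPEN_RESOLVER, dport=53) for _ in range(n)]


def legitimate_queries(n: int) -> list:
    """The same queries sent honestly from the attacker's own address."""
    return [Packet(src=ATTACKER, dst=OPEN_RESOLVER, dport=53) for _ in range(n)]


def queries_reaching_resolver(packets, validate_source: bool) -> int:
    """How many of `packets` leave the ISP, and so reach the amplifier."""
    if not validate_source:
        return len(packets)
    edge = EdgeFilter(CUSTOMER_PREFIXES)
    return sum(1 for p in packets if edge.egress(p) == "forward")


if __name__ == "__main__":
    for enabled in (False, True):
        n = queries_reaching_resolver(spoofed_queries(1000), enabled)
        print(f"BCP38 {'on ' if enabled else 'off'}: {n} spoofed queries escape")
```

The point the model makes is the one in comment 23: the open resolver is untouched, yet with validation at the attacker's edge no forged query ever reaches it, which is why BCP 38 is the fix that also covers whatever UDP service is used as an amplifier next. On real routers the same check is unicast RPF or an ACL on the customer-facing interface rather than code.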

  24. Anonymous Coward, 28 Mar 2013 @ 1:11am

    Re:

    I would be less surprised to find out that Cyberbunker was a CIA front.

  25. Anonymous Coward, 28 Mar 2013 @ 2:15am

    Hey, what's with "open resolvers" somehow being bad all of a sudden?! Has everyone forgotten that the likes of OpenDNS are the main thing standing between us and widespread censorship? No one should trust their ISP's own DNS servers after the whole "six strikes" thing.

  26. Zakida Paul (profile), 28 Mar 2013 @ 2:49am

    Re: Hmmm...

    Nail on the head. That is exactly what this event will be used for. Governments will use it to scare people into supporting every draconian piece of legislation they think of that erodes our freedoms in the name of security.

    Politicians are so predictable.

  27. Zakida Paul (profile), 28 Mar 2013 @ 2:51am

    Re: There outta be a law

    Careful, Congress has no sarcasm filter.

  28. infirit, 28 Mar 2013 @ 3:33am

    I did not notice a thing

    I am in the Netherlands and I have not noticed anything. Only after reading about it online was I made aware of it.

  29. Anonymous Coward, 28 Mar 2013 @ 3:47am

    I believe whoever wrote that blog post on Cloudflare doesn't understand much about routing and tier 1 providers.

    From experience, any major traffic peak that *can* (not necessarily does) affect their customers will be nullrouted at the first ingress (or egress) router, thus traffic goes nowhere. Then they'll contact you with the reason for the nullroute and the target.

    Also, they assume that at any point there is a single 100Gbps router handling the traffic, which couldn't be further from the truth unless you use known low-quality tier 1s. Routers are stacked for redundancy and to share CPU power.

    It's not the first laugh we have about some non-tech person claiming the possibility to break the internet, remember the root nameserver one?

  30. anonymouse, 28 Mar 2013 @ 3:52am

    wow

    Ok, I don't understand the technology or the problem with this massive attack, but if someone could explain it to me like I am five I would really appreciate it.

    From what I have read 300Gb of traffic has been directed at Spamhaus, which is a site that creates blocklists of potential spammers. They have then been attacked by someone they listed as a spam generating entity.

    Is there now a chance that developers will spend some time preventing these types of attacks from happening again? Surely it would be simple enough to prevent ddos attacks by having a system where after a certain amount of attempts to dos attack an entity the servers would automatically restrict any future connection attempts, thereby completely nullifying the attack close to where it is being generated from. Simply block every attempt to attack a specific ip range.
    Maybe I am simplifying this too much and don't understand the problem but surely the main structure of the internet should be able to identify this type of attack and prevent it from spreading.

  31. Anonymous Coward, 28 Mar 2013 @ 3:54am

    Re: The resolvers aren't the issue, the ISPs are

    The problem with that is that people will move their business where there's no filtering in place to allow them the freedom they want.

    Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they're doing, and to what extent they're spying on me.

    Now think about web hosting. How can you deny people running their own nameservers? Sure, block all the traffic but then back to square one. So what then? Force them to take a test? Scan their servers for problems? Ok sure, but not for free, and people don't want to pay... etc.

    White labelled ISPs pride themselves on the lack of filtering and the ability for anyone to resell without branding. This gives their customers ultimate freedom but at a cost of security.

    The solution, as bad as it is, is to wait for attacks to be reported (or noticed) then act to make it stop or bring the server offline. You can only prevent so much while trying to keep freedom and quality.

  32. Gunntherd (profile), 28 Mar 2013 @ 4:09am

    Totally agree, they (Government) need to "cause" issues, which keep getting bigger and bigger, which the liberal media will just go along with the claims until the minority beg the powers that be to do something, which in the end will be the backdoor to taking control of the internet so the children and unknowledgeable internet users will be safe from terrorism by means of a cyber attack. I call bullshit on this too!! Nothing but a power grab to invoke another knee-jerk reaction to do nothing but take control of more of our freedoms.

  33. Anonymous Coward, 28 Mar 2013 @ 4:12am

    It's true my internet is running like shit :( oh wait never mind it was a porn torrent lagging me.

    I'm still getting over 11,000 kbs download speeds but I wish I had Google with that GFG 1gbps u/d :(

  34. Anonymous Coward, 28 Mar 2013 @ 4:22am

    Re: wow

    Yes, simple. Tell every nameserver distributing software/distribution to disable open resolvers by default instead of enabling them. Problem solved.

    If you force the user to read up on a feature before being able to use it, then the user will learn about that feature and make the conscious decision of enabling it or not. I believe RedHat and all its derivatives ship with it enabled by default. Possibly other distros as well.

    Theo de Raadt made a presentation about DNSSEC and how it could be used to amplify these sorts of attacks. The video's on youtube. Basically with misconfigured DNSSEC the attack could have been 10x, maybe even 100x worse.

  35. Anonymous Coward, 28 Mar 2013 @ 4:26am

    Re:

    The way to weed out Spamhaus is to stop using them. More people are doing it. Remember SORBS? That blacklist that *everyone* used that "broke email" for some hours because their site died a year or two ago? Yeah, no one's using them anymore...

  36. Josh in CharlotteNC (profile), 28 Mar 2013 @ 5:38am

    Re:

    Yep, Giz has this one right. It's really a shame that Cloudflare is trying to hype this up, they've got a good track record, provide a useful service, and this really hurts their credibility.

    CF is not all wrong. The exchange IPs accepting external traffic issue they mention could have ramifications, but the guys running exchanges know their stuff and are rapidly fixing it.

  37. Anonymous Coward, 28 Mar 2013 @ 6:26am

    Re: Re:

    We can't blame open DNS resolvers only. Another big problem is that most ISPs don't apply anti-spoofing filters for subscribers. So it's easy to fake the source address and use open resolvers as traffic amplifiers to attack some site.

  38. Anonymous Coward, 28 Mar 2013 @ 6:27am

    Re: Re:

    Mistake?
    Do elaborate.

  39. Anonymous Coward, 28 Mar 2013 @ 6:44am

    Re: The resolvers aren't the issue, the ISPs are

    This is ABSOLUTELY correct. There is a long and serious discussion on this very point happening on the NANOG mailing list this week: see http://mailman.nanog.org/pipermail/nanog/ if you want to follow along.

    As to Spamhaus: those of you slamming it are (a) spam-supporting parasites or (b) clueless. Spamhaus performs a function precisely equivalent to Consumer Reports: they express an opinion, one which you are free to heed or ignore. This is no different from hundreds of other DNSBLs, RHSBLs, static lists, etc. ALL of them express opinions, NONE of them enforce them on anyone.

  40. Anonymous Coward, 28 Mar 2013 @ 6:51am

    Re:

    I'm also no fan of Spamhaus. They make some dumb-ass mistakes from time to time and won't take the responsibility for those. I understand that Spamhaus needs a literal firewall to protect itself against the hate of SPAMmers but they should allow victims of the mistakes they made to contact them easily and fix the problem ASAP.

    Another problem is that a lot of MTAs rely on Spamhaus only. That's a bad design decision and helps Spamhaus to maintain their power! There are many more methods to fight SPAM without using RBLs. They are even more effective! Don't rely on a single third party! It's a massive SPOF!

  41. Anonymous Coward, 28 Mar 2013 @ 7:04am

    Re:

    Yeah! It's complete BS that 300Gbit/s are able to almost break the internet. 300Gbit/s is some nice piece of traffic but not enough to cause major trouble. Just checked the statistics for DE-CIX (public peering point in Germany). Peak traffic is about 2.5Tbit/s for the last weeks as usual, no spikes for the DDoS. Let's call that a marketing hype!

  42. Lurker Keith, 28 Mar 2013 @ 7:10am

    Popehat

    Yesterday, & only yesterday, I had problems getting to Popehat, & only Popehat. I didn't notice anything else.

    No clue if this was related or not. It's the first time I had difficulty navigating to Popehat since I started visiting it around the time The Oatmeal train wreck got underway.

    Granted, I'm in the US.

  43. Anonymous Coward, 28 Mar 2013 @ 7:22am

    Re: Re:

    300Gbps is a drop to an IX, but considering even at Tier 1 providers most are only running 100Gbps links or bonding multiple 10Gbps links at peering points, 300Gbps could easily saturate a link. Cloudflare uses anycast to mitigate the DDoS by distributing it against multiple sites, and they don't tell you if that 300 is aggregate traffic or at a single site/switch. Definitely has some marketing aspects in the article. Check out the actual email received from Gizmodo by the ISP: http://cluepon.net/ras/gizmodo

    21 million seems high, but not impossible. I ran nmap with the dns-recursion script against my VPS provider and found quite a few within the same C class that I'm assigned.

    Updating BIND wouldn't help, it's in the configuration about open recursion: allow-recursion { network/cidr };
    For authoritative DNS servers, use RRL: http://www.redbarn.org/dns/ratelimits

    Best option is to stop spoofing with BCP38 so the traffic isn't faked in the first place. This is DNS currently, but it could easily be any UDP traffic such as a game server, which of course I see a lot.

  44. G Thompson (profile), 28 Mar 2013 @ 7:28am

    Re: Popehat

    Well your problem there in not being able to access Popehat was 1: they had an interesting article all about SEX.. Yes SEX *gasp horror eyeswideopen*
    and 2: it seems you need to supply more ponies to Ken! ;)

  45. Pixelation, 28 Mar 2013 @ 7:45am

    Re: Re: There outta be a law

    "Careful, Congress has no sarcasm filter."

    That's just the tip of the iceberg.

  46. nasch (profile), 28 Mar 2013 @ 8:06am

    Re:

    "almost broke the internet is like almost pregnant. it didn't happen, so no biggie."

    If you're having unprotected sex, just because your partner (or you) hasn't gotten pregnant doesn't mean there's no cause for concern.

  47. icon
    nasch (profile), 28 Mar 2013 @ 8:11am

    Re: Re: The resolvers are't the issue the ISPs are

    Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they're doing, and to what extent they're spying on me.

    I'm not a networking expert, but what is the problem with the kind of filtering he's describing? What legitimate reason is there to spoof packets' source address? What reason does an ISP have to accept a packet that is addressed to somewhere it isn't going to be able to send it?

    link to this | view in thread ]

  48. identicon
    Anonymous Coward, 28 Mar 2013 @ 8:34am

    Re: Re:

    I think my previous comment was a bit long, or delay by work...

    300Gbs isn't much for an IX, but significant to a switch as most link are either 100Gbs or bonded 10Gbs from my experience at various DCs in the US.
    Updating BIND doesn't stop recursive attacks or spoofing, using valid configs and RRL will.

    The article is a lot of FUD and marketing for CloudFlare and Spamhaus, but it does show that action needs to be taken in regards to private companies not implementing basic security. BCP38, RRL, ACLs on services, etc...

    link to this | view in thread ]

  49. identicon
    Anonymous Coward, 28 Mar 2013 @ 8:47am

    I hope they can shutdown Spamhaus for good

    this company is as bad as any spammer. If you get put on their list. They charge you $500 to get off of it, or you can wait one month.

    link to this | view in thread ]

  50. identicon
    Anonymous Coward, 28 Mar 2013 @ 9:19am

    Re:

    Honestly, using a BotNet to attack a company that you don't like? It's not like anyone is forcing people to use Spamhaus or Cyberbunker, so why should they be using third parties' internet connections to play out their little shouting match.

    I.e. don't defend DDoS attacks, especially if you are in security...

    Now I do hold some of these third parties responsible to some extent, but there is definitely blame on Cyberbunker if they admit to DDoSing. Did it take out the internet? No... Did it take out CloudFlare a bit? Sure, but that's their marketing pitch and they tried to swing their outage in a positive light.

  51. Anonymous Coward, 28 Mar 2013 @ 9:21am

    Re: Re: Re: The resolvers aren't the issue the ISPs are

    By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?

    So then you have to establish deep packet inspection to learn more about the packets, thus more monitoring and very high costs especially if you have lots of traffic.

    The problem is that if you assume the end user will take care of it, you'll have a network with lots of security issues. But if you force security over your users, you'll lose your users.

    DNS is a very basic system required by every business with an online presence. Sure, you can host using DNS hosters, but then you put your DNS in the hands of someone else.

    If distributions concentrated on security instead of user-friendliness, this wouldn't be happening. But when you apt-get install bind/powerdns/etc, it has to work with minimal comprehension and reading of the manual, because you know, otherwise people will stay with Windows.

  52. Anonymous Coward, 28 Mar 2013 @ 9:26am

    Re: Re: The resolvers aren't the issue the ISPs are

    Wrong. They enforce it indirectly to *everyone*.

    I'm trying to send Bob an email. Bob is using SpamHouse. I can't send Bob an email from home because my ISP is blacklisted for having "dynamic DNS" (let's not get into THAT).

    So I email Alice and ask her to email Bob, which she does. She asks Bob to remove SpamHouse from his blocklists, but Bob also uses his ISP email and cannot do anything.

    SpamHouse are one of the worst out there. They almost always refuse to remove blacklists even when the issue is resolved and you have evidence, if you get an answer at all, and they often refuse to provide the reasons as to why you were blocked in the first place.

    If only they charged for removal we could officially label them a scam.

  53. nasch (profile), 28 Mar 2013 @ 9:43am

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?

    If it originates from within your network but says it comes from somewhere else, no? Likewise if it's coming into your network but not going anywhere your network can handle. Am I missing something here (genuine question because maybe it's not as simple as it sounds)?

  54. Anonymous Coward, 28 Mar 2013 @ 9:50am

    Re: Re: Re: The resolvers aren't the issue the ISPs are

    You're full of shit.

    If someone's ISP is refusing email as a consequence of a Spamhaus listing, then it's because that ISP chose to use Spamhaus. Nobody makes them do it.

    Second, sending mail direct-to-MX from dynamic IPs is very, very stupid. It's a worst practice. So no whining that you can't do it, you shouldn't even be trying.

    Third, Spamhaus is very prompt about removing listings once the reason for them has been resolved. In fact, they're TOO prompt, TOO nice about it, and occasionally they get scammed because the reason resurfaces shortly after they pull the listing.

    Fourth, you have to really, REALLY work hard to earn a Spamhaus listing. Either (a) you have to be a prolific spammer or (b) you have to be an utterly incompetent, hopelessly lazy, thoroughly stupid network/system admin to get onto their list. Spamhaus is VERY lenient and VERY tolerant, often to my annoyance.

    Fifth, it's trivially easy to see why something is listed by Spamhaus: they have a web interface that you can query and thus access a wealth of information. So when you say that "they often refuse to provide the reasons", you are -- once again -- lying.

    Sixth, Spamhaus listings rarely happen in isolation. If you check numerous other DNSBLs/RHSBLs, you will see that the same IP addresses/network blocks/domains that show up on one, tend to show up on many. Given that they're all independently run by people with very different criteria -- people who often argue with each other -- then it should be obvious that when this happens, it's not because they all woke up and decided arbitrarily to make it happen. It's because there's a real problem.

    I'm sure none of this will stop you from continuing to lie about Spamhaus, of course. Which spammer did you say you were?

  55. Anonymous Coward, 28 Mar 2013 @ 10:03am

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    While I understand the reasons behind not being able to send mail direct-to-MX, it's breaking the end-to-end principle as well. So blocking direct-to-MX is bad, but a necessary evil.
    Getting listed on a RBL is rather trivial, but a good RBL will respect valid operators that research the reason for the listing and stop the offending emails. I've never had a problem with Spamhaus, so I don't know how easy it is to contact them. Like you stated though, everyone can choose their own hosting provider and use any RBLs or nothing if that is what they wish.

  56. nasch (profile), 28 Mar 2013 @ 10:12am

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    If someone's ISP is refusing email as a consequence of a Spamhaus listing, then it's because that ISP chose to use Spamhaus.

    This would only affect people using their ISPs email address, right? So just one more reason not to do that.

  57. Mason Wheeler (profile), 28 Mar 2013 @ 10:33am

    Re:

    Why is anyone even using blacklists--Spamhaus or otherwise--in this day and age? Wasn't it proven years ago that Bayesian filtering is both more reliable and less abusable?

  58. Jesse (profile), 28 Mar 2013 @ 11:01am

    We need CISPA!!!!

  59. Mason Wheeler (profile), 28 Mar 2013 @ 11:42am

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    By definition if it's spoofed you don't know where it's coming from. How do you judge which packet to stop or which to allow? How do you decide it's not a legit packet and block it?


    You make it sound like such a difficult question.

    If it's spoofed, you don't judge it, you don't inspect it, you kill it immediately. If its IP addresses are bad, then it's either corrupt or malicious, so shut it down.

  60. Mason Wheeler (profile), 28 Mar 2013 @ 11:46am

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    Again, why is anyone still using blacklists in 2013, when it was proven years ago that Bayesian filtering is far more effective and less prone to abuse?

  61. Anonymous Coward, 28 Mar 2013 @ 11:47am

    Re: Re:

    Correct Mason, unfortunately some admins are stupid, along with some of the major ISPs.

  62. Anonymous Coward, 28 Mar 2013 @ 1:25pm

    Re: Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    Again, how do you identify it as spoofed without DPI?

  63. Anonymous Coward, 28 Mar 2013 @ 1:31pm

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    First, it's very difficult to take you seriously when you start off by "You're full of shit".

    Second, *tons* of ISPs allow direct-to-MX from dynamic IPs. Tons. Did I say tons? Tons.

    Third, SpamHouse are known to be the nazis of blacklists and refuse to remove a single listing if other IPs in the same /24 are listed. I've been dealing with them for over 6 years, and it's mostly only problems.

    Fourth, you don't have to work hard. You only need to run a hosting company and let the users take care of it for you.

    Fifth, the interface is useless because you still have to apply to get delisted and the idiot human behind the scenes always refuses, because "you have other networks listed".

    Sixth, Spamhouse block tons of people that no other blocklist do. As I said above, in the web hosting world, they're known as the Nazis. Simple as that. Talk to some people that have inside knowledge for spam management.

    I'm not sure if this will confirm you're a spamhaus employee or just someone without knowledge of spam. Which scammer err.. spamhauser did you say you were?

    I work for a reputable company that fights with those idiots day after day. What scammers do you work for again? Hitler is that you?! Sorry I couldn't resist.

  64. Anonymouse, 28 Mar 2013 @ 2:16pm

    Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    You seem to have a lack of networking experience: no packet inspection is necessary, *ever*. If the source IP address of a packet trying to leave your network is not part of your network, it gets dropped, since packets originating from your network should have source IP addresses that are part of your network. Simple. Since the source and destination addresses need to be "looked" at by your router anyway (strictly only the destination), you are not doing any "packet inspection" other than verifying the address validity.

  65. nasch (profile), 28 Mar 2013 @ 3:02pm

    Re: Re: Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    Again, how do you identify it as spoofed without DPI?

    Anonymouse's comment below addresses that (sounds reasonable though I'm not that knowledgeable about it). What would DPI tell you about address spoofing that inspecting the headers wouldn't?

  66. Anonymouse, 29 Mar 2013 @ 12:17am

    Re: Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    This is quite easy, quite a few ISPs pay per bandwidth, quite heftily, in fact, so traffic not carried (blacklist) is bandwidth not wasted, as opposed to accepting the traffic, then running a Bayesian filter over it and possibly still determining it to be spam, when they could have avoided the traffic and CPU cycles in the first place.

  67. Anonymouse, 29 Mar 2013 @ 1:41am

    Re: Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    1st - you did take him seriously, else you wouldn't have responded :-)

    2nd - strange you're measuring the ISPs by weight, I guess it's because they're sinking due to all the SPAM

    3d Maybe SpamHouse are a bit overzealous, but it works... to have a little story, assume everyone on your block uses the loo, like most civilized humans do, but you crap in the hand basin, not to want to talk to anyone on your block may cause peer pressure to make you change your behaviour and use the loo instead, until you do, don't expect me to accept your mail

    4th there's the rub, not working and letting users loose on the infrastructure who are not educated enough about correct internet procedures gets you listed...

    5th oh yes, refer to 3d above

    6th oh yes, again refer to 3d above and there's the second problem, if you're doing *WEB* hosting, why would DNS Blacklisting, which only impacts *MAIL* have anything to do with you?

    I doubt he's a SpamHouse employee, neither am I, but I was happily using their services from '98? '99? onwards.

    Yup a *reputable* company, like the tons referred to in 2nd above...

    There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up.

  68. Anonymouse, 29 Mar 2013 @ 2:33am

    Re: Re: wow

    To that other anonymouse, the DNS resolvers are not so much the issue as proper routing procedures not being implemented by ISPs.

    Assume you sit behind an ADSL connection, which assigns you one IP address, the router port on the ISPs end of the circuit, should, once assigning you the IP address, add 2 restrictions on their end:
    1. allow traffic into the network from you, coming from your assigned IP address
    2. drop/block everything else
    To panic about open resolvers ignores ICMP problems and any other services that utilize UDP and that don't require handshaking and are thus prone to being used in spoof attacks.
    The same goes for a leased line connection with a block of IP Addresses
    1. allow traffic into the network from you, coming from your assigned network range, for example 196.15.195.128/27
    2. drop/block everything else
    Then for good measure, on the routers to the rest of the world, allow outgoing traffic from the IP addresses that are local to the ISP and drop/block everything else. No impact on the users, no packet inspection, no developers needing to do anything.

    To identicon, you are missing the big picture, *think of the children*... DNS is a minor and non-issue, the issue is that ISPs knew about the spoofing issues back in the last century and have had the tools/option to setup the rules on their gateways since then, but it is a bit of work and these lazy so and so's should be kicked in the nuts for not implementing this lot ages ago already. Implementing the best practices rules on the gateways would take care of any and all ICMP and UDP spoof attacks, I am sure others may arise, they can then be dealt with in a way appropriate for those attacks, yelling DNS and open resolver does not solve the actual problem. The network as a whole should be cleanly set up, which includes every ISP from tier 1 on down to your local one man shop with half a class C assigned to him.

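The per-port rules described in the comment above, as an added example that is not part of the thread and not any ISP's configuration: a small Python model of BCP38-style source-address validation run over constructed packets. The interface names and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 prefixes are assumptions (RFC 5737 documentation ranges); the 196.15.195.128/27 block is the one quoted in the comment. The point the thread argues over is visible in the code: the verdict depends only on the arriving interface and the IP header's source and destination, so no payload inspection is involved.

```python
"""BCP38-style source-address validation, decided from IP headers only.

Added example for this thread; not code from the page or from any ISP.
Interface names and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
prefixes are assumptions (RFC 5737 documentation ranges); the
196.15.195.128/27 leased-line block is the one quoted in the comment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_iface: str  # port the packet arrived on
    src: str       # IP header source address
    dst: str       # IP header destination address
    proto: str     # carried for the demo only; the filter never reads it


# Customer-facing ports and the prefix assigned to each (assumed topology).
CUSTOMER_PREFIXES = {
    "adsl-0/1": [ip_network("203.0.113.7/32")],        # one ADSL subscriber
    "leased-0/2": [ip_network("196.15.195.128/27")],  # leased line, /27 block
}

# Every prefix the ISP may legitimately originate traffic from.
ISP_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("196.15.195.128/27")]

UPLINK = "transit-0/0"  # port toward the rest of the world


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def customer_ingress_ok(pkt):
    """Rules 1 and 2 from the comment: a customer port accepts only packets
    whose source address lies in that port's assigned prefix."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.in_iface)
    return prefixes is not None and _in_any(ip_address(pkt.src), prefixes)


def border_egress_ok(pkt):
    """Second check at the border: traffic leaving the ISP must carry a
    source address the ISP actually holds."""
    return _in_any(ip_address(pkt.src), ISP_PREFIXES)


def verdict(pkt):
    """Return 'forward', 'drop:ingress' or 'drop:egress'. Only in_iface, src
    and dst are consulted; payload and protocol are never examined."""
    if pkt.in_iface in CUSTOMER_PREFIXES and not customer_ingress_ok(pkt):
        return "drop:ingress"
    leaving = not _in_any(ip_address(pkt.dst), ISP_PREFIXES)
    if leaving and pkt.in_iface != UPLINK and not border_egress_ok(pkt):
        return "drop:egress"
    return "forward"


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("adsl legit DNS query", Packet("adsl-0/1", "203.0.113.7", "198.51.100.53", "udp/53")),
    # reflection attempt: subscriber forges the victim's address as source
    ("adsl spoofed reflection", Packet("adsl-0/1", "192.0.2.10", "198.51.100.53", "udp/53")),
    ("leased legit", Packet("leased-0/2", "196.15.195.140", "198.51.100.53", "udp/53")),
    # same /24 as the customer, but outside the /27 actually assigned
    ("leased spoof outside /27", Packet("leased-0/2", "196.15.195.200", "198.51.100.53", "udp/53")),
    # aggregation port without a per-customer rule: the border check catches it
    ("core bogus source", Packet("core-0/3", "10.0.0.5", "198.51.100.53", "icmp")),
    ("inbound reply from the world", Packet(UPLINK, "198.51.100.53", "203.0.113.7", "udp/53")),
]


def run_demo():
    """Apply the filter to every sample packet and return (label, verdict) pairs."""
    results = [(label, verdict(pkt)) for label, pkt in SAMPLE]
    for label, v in results:
        print(f"{label:32s} -> {v}")
    return results


if __name__ == "__main__":
    run_demo()
```

The border-side check is what catches traffic from ports that never got a per-customer rule; on real equipment the same idea is a per-port ingress ACL or unicast RPF, and the prefix list has to be kept in step with every assignment change, which is the operational cost the comment calls "a bit of work".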
  69. Anonymous Coward, 1 Apr 2013 @ 12:51pm

    Re: Re: Re: Re: Re: Re: The resolvers aren't the issue the ISPs are

    1st - I said it was hard.

    2nd - Strange you say that. I never measured anything. I pointed out the obvious, obviously.

    3d No. The correct analogy would be that you prevent everyone from using the hand basin until that one person stops… thus punishing everyone because of something 1 person did.

    4th Enjoy running your company without clients. I guess you never worked in web hosting - or know much about it for that matter.

    5th oh yes, refer to 3d above - yes exactly

    6th Web hosting includes email. Again, you should learn the lingo before trying to use it without understanding it.

    Yup a *reputable* company, like the tons referred to in 2nd above... said the guy who can't understand basics of web hosting.

    "There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up."

    Exactly, so leave it up to the nazis to decide what is dynamic and what is not, which was exactly the problem in the first place.
