FireEye's Ozdok Botnet Takedown Observed

FireEye coordinated a takedown of botnet Ozdok or MegaD, on 5-6 Nov 2009, with cooperation by many ISPs and DNS registrars.

Good show! What effects did it have on spam? Not just spam from this botnet; spam in general.

This graph was presented at NANOG 48, Austin, TX, 24 Feb 2010, in FireEye's Ozdok Botnet Takedown In Spam Blocklists and Volume Observed by IIAR Project, CREC, UT Austin. John S. Quarterman, Quarterman Creations, Prof. Andrew Whinston, PI CREC, UT Austin. That was a snapshot of an ongoing project, Incentives, Insurance and Audited Reputation: An Economic Approach to Controlling Spam (IIAR).

That presentation was enough to demonstrate the main point: takedowns are good, but we need a lot more of them and a lot more coordinated if we are to make a real dent in spam.

The IIAR project will keep drilling down in the data and building up models. One goal is to build a reputation system to show how effective takedowns and other anti-spam measures are, on which ASNs.

Thanks especially to CBL and to Team Cymru for very useful data, and to FireEye for a successful takedown.

We're all ears for further takedowns to examine.

-jsq

Community Flow-spec Project

A lightning talk at NANOG 48, Austin, Texas, 22 Feb 2010, by John Kristoff, Team Cymru. See RFC 5575.

Update: PDF of presentation slides here.

+--------+--------------------+--------------------------+
| type   | extended community | encoding                 |
+--------+--------------------+--------------------------+
| 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
| 0x8007 | traffic-action     | bitmask                  |
| 0x8008 | redirect           | 6-byte Route Target      |
| 0x8009 | traffic-marking    | DSCP value               |
+--------+--------------------+--------------------------+

A few selected points:

• Dissemination of Flow Specification Rules
• Think of filters(ACLs) distributed via BGP
• BGP possibly not the right mechanism
• Multi-hop real-time black hole on steroids
• Abuse Handler + Peering Coordinator
  = Abeering Coordinator?
• Traditional bogon feed as source prefix flow routes
• A la carte feeds (troublesome IP multicast groups, etc.)
• AS path prepend++
• Feed-specific community + no-export

He showed some examples of specs for flows (I can't type fast enough to transcribe those).

Trust issues for routes defined by victim networks.

Research prototype is set up. For questions, comments, setup, contact: http://www.cymru.com/jtk/

I like it as an example of collective action against the bad guys. How to deal with the trust issues seems the biggest item to me.

Hm, at least to the participating community, this is a reputation system.

Solving for the Commons

So simple!

BN > BE + C

Aldo Cortesi channels Elinor Ostrom and summarizes what we need to fix Internet security by enticing the providers and users of the Internet to manage it as a commons. But first, some background.

Since at least 1997 ("Is the Internet a Commons?" Matrix News, November 1997) I've been going on about how Garrett Hardin's idea of the tragedy of the commons doesn't have to apply to the Internet, because:

3FN + FTC = Some Less Spam From Some ASNs

A research project I'm assisting at the University of Texas at Austin notes that:

On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net).

Looking at Autonomous Systems (ASNs) listed in the spam blocklist CBL,

Rip van Security

Gunnar Peterson asks a question:

...how do you primarily rely on network security as we have done for the Web's life, when the Cloud abstracts the network away?

Gunnar points out IT security has been using firewalls and SSL as primary security for every network acccess software change since 1995.

In 1999 when SOAP emerged as a firewall-friendly protocol designed for the explicit reason to go through the firewall, that should have been a wake up call to Information Security that the "firewall + SSL" security architecture was past its prime, but here 10 years later we are still hitting the snooze button.

Here many years after we lost email for everybody but aging geeks and banks, IT security continues to snooze like Rip van Winkle. While the world changes around it:

VZ Port 587: Good Try

Back in February, Verizon announced it would start requiring outbound mail go through port 587 instead of port 25 during the next few months. It seemed like a good idea to squelch spam. Most other major ISPs did it. People applauded Verizon for doing it.

Unfortunately, it seems that if it had any effect it was short-lived. Looking at anti-spam blocklists on a daily basis, a couple of Verizon Autonomous Systems (ASes), AS-19262 and AS-701, do show dips in blocklist listings on the blocklist PSBL in March. But they don't last.

Spammers are very adaptable, partly because the botnets they use are adaptable. Good try, Verizon.

This information is from an NSF-funded academic research project at the University of Texas at Austin business school. Thanks to PSBL for the blocklist data.

-jsq

Tomato monoculture

You Say Tomato, I Say Agricultural Disaster,, By DAN BARBER, New York Times, Published: August 8, 2009:

For years, this kind of breeding has fallen by the wayside — the result of a food movement wary of science and an industrialized food chain that eschews differentiation in favor of uniformity. (Why develop and sell 20 different tomato varieties for 20 different microclimates when you can simply sell one?)

Does it seem that agricultural monocultures are almost always produced by economic greed?

-jsq

"A cyber czar is fighting a network with an org chart."

Good point.

Design in Security; Don't Wait to Defend

Gunnar recommends building in security instead of waiting to catch the horses after they're out of the barn:

The way out of this is for security to get involved in building better systems, getting involved in the system development, Identity management, and coding. Come to the table with useful tools such as Threat Models and Misuse Cases, and make sure you are there early enough to have an impact. Three places to focus are application development, databases, and identity. Time for security to live in code and config not in Visio drawings.

As Gandhi supposedly said about western civilization: "That would be a good idea!"

Iranian Internet Disturbances

Here's an example of some Internet routing in Iran, in this case on the way to the Ministry of Foreign Affairs on Monday 15 June 2009. Normally, routing and latency don't change much. Starting Saturday 13 June, the day after the election, routing and latency have become increasingly disturbed. More here.