Russian Business Network (RBN) - the Controversial hosting firm fingered by many as a nexus of malware exploits and cybercrime more generally - has suddenly dropped offline. Trend Micro reports that the infamous network dropped off the net at around 0200 GMT on Wednesday, possibly after its upstream service providers pulled its …
IP range please.
Upstream ISPs should act quicker
The upstream ISPs shouldn't have waited until the Washington Post started running articles about the problem. One would hope that ISPs would be more dilligent about ditching offenders like RBN.
Of course, if RBN moves to China, the ISPs there could fall foul of Beijing's head-rolling policy. This year the Chinese authorities executed a fellow for unauthorized use of the Chinese Olympics logo on pirated Windows CDs. Perhaps after a few heads roll the Chinese ISPs will boot RBN out, too.
Block their IP on every Router
Just block their networks on every border router you have (as we do) will sort that problem by it self.
As a web site administrator who's usually faced with many fake registrations, which mostly push porn, drugs, dodgy loans and so on, I've noticed a big fall off in these registrations in the last couple of days.
Hopefully these guys will be off line for ever. (Wishful thinking I fear).
IP Addresses for the RBN
Slashdot had a story about this. The linked comment is a complete list of the IP ranges turned into a list of iptables commands.
On reading this i checked my spam box - and lo and behold i havn't had 'your account was accessed/blocked' emails from natwest bank/(royal) bank of scotland today - normally i get about 15-20 of them.
(I'm not a customer of either bank which makes it slightly amusing)
This may be like playing....
...Wackomole. My web forum has been getting signup requests from the Panama Branch of the RBN. IP range is 188.8.131.52 - 184.108.40.206. Do a 'whois' on that range and see details.
/usr/bin/curl -s http://www.spamhaus.org/drop/drop.lasso |/bin/grep ^[1-9]|/usr/bin/cut -f 1 -d ' ' |/usr/bin/xargs -iX -n 1 /sbin/iptables -A INPUT -s X -i eth0 -j DROP
Take a look at www.fspamlist.com, especially under export.
RBN Offline Really?
I must admit sometimes I get really depressed about the standard of journalism and commercial bias with Internet security issues nowadays.
What started as Washington Post blog article concerning the dropping of “some” RBN IP addresses and another “regular” shift of their operation bases. Within 48 hours Trend Micro reporting the RBN has “no” internet connectivity, to grab a few clicks and as Johnny Come Lately hint to claim the credit, here The Register just copies this fabricated story.
For Anonymous Coward, the reason there has been a drop off over the last few days is Bleeding Threats RBN blacklist going into operation, http://doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
Just yesterday for example the on average 130,000 internet users per day still visited the RBN’s fake, anti-spyware and anti-malware products http://rbnexploit.blogspot.com/2007/11/rbn-fake-tools-rogue-software-bank-of.html .
How come? The RBN have been using alternative DNS routing and name servers for four years.
So everyone now believes 60-70% of all the current online exploits have gone away? Who gains by this stupidity? – Ah... Trend Micro, Symantec, MS$, security journalists? et. al . – Come on you mugs keep buying the products which can maybe put your PC right “after” exploitation!
You know, the guy who can understand what you wrote and what to do with it probably doesn't need to read it here in the first place.
Could someone translate that into English ?
This isn't a real hit for RBN...
Lets face it, they have more assigned IP's than just this one AS which doesn't get peered anymore.
AS40989 is gone, true:
Which gets rid of AS28866 (AkiMon), another of there networks, but what about AS41731/AS41173? They have a loads of ASN's, and simply blocking one range isn't going to really help.
This really isn't the last we will hear!
Actually, I never thought of it so it's good to read it here :)
It downloads the "Spamhaus Don't Route Or Peer List" parses the IP addresses and adds them to the firewall.
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- Review Xperia Z3: Crikey, Sony – ANOTHER flagship phondleslab?
- Human spaceships dodge ALIEN BODY skimming Mars
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know