Feeds

back to article 'Bulletproof' ISP for crimeware gangs knocked offline

One of the internet's most resilient and crimeware-friendly networks was knocked offline Friday after the plug was pulled on its upstream service provider, security watchers said. Russia-based PROXIEZ-NET lost its connection to the internet at about 3 am California time, according to Zeus Tracker, a website that monitors the …

COMMENTS

This topic is closed for new posts.

huh ?

"Indeed, at time of writing, vitamelatonin.biz and a handful of other dodgy looking domains continued to map to IP addresses in PROXIEZ-NET's netblock"

Excuse my possible ignorance, however, aren't IP addresses assigned and can not PROXIEZ-NET's netblock be disabled somehow .. the DNS just not responding to those IP addys ?

let them be silent for 6 months, reassign them .. we can use all the spare IPv4 addresses

is it a technical inability or political inablility ?

0
0

@flybert

Theoretically, yes, but it would require the cooperation of a lot of parties and a lot of risk.

Sure, if their records were removed from the root zone, that would kill their entire network, including their legitimate users, if any. There are lots of reasons why that's not likely to happen.

After that, it's all about routing. Just as John Gilmore said, the net interprets censorship as damage and routes around it. Blocking all of the possible paths that could keep their network afloat while not crippling other, proper services would be one hell of a task, even if all the parties involved were willing, which is unlikely, not only for strictly technical reasons, but also philosophical ones--and, of course, the politics.

0
0

Politics & Bribes

It is due to bribes & high upstream rates that allow most "bulletproof" hosts to stay around as long as they do. It is absolutely politics that prevents the IPs from being taken back by the IP assignment agencies. I'm a bit surprised it has never happened as, if i recall correctly, ARIN's agreement with * states they may take IPs back for the nefarious acts of the assignee.

1
0
Nir
Thumb Up

Ofcourse they didn't reply to emails requesting comment

Their internet is down!

3
0
Alert

Could this work?

Suppose a team could be assembled comprising some highly skilled analysts of bot code and a large array of volunteers with systems on residential and similar ADSL networks with dynamic addresses, just the kind the crims seek out to host single- and double-flux botnets.

The idea is, the analyst/coders, once they've gotten the inner details of a given bot, create a decoy, one that behaves exactly like the real one, but which also communicates everything it can that might be useful to the white hats while hiding that behavior from anything the crims can get from their real bots behind dummy data. The bots would be hosted on volunteers' machines, avoiding the thorny issue of a white-hat infection of unknowing botnet system owners, and also allowing the installation of other, separate services to monitor activity and help keep the subterfuge hidden from the bad guys without having to necessarily build all of that into each new bot design itself. Perhaps services and daemons like this could even be made to mimic bots simply by updating scripts rather than necessarily coding and compiling new binaries.

These volunteer decoys would be able to give analysts real-time information on motherships, not necessarily just addresses, but everything the "bad" bots would have to know and be able to communicate in order to function.

Of course, the bad guys would catch on very quickly and try to add features to each new generation of bot to foil this, so the analysts would have to really stay on top of each new strain. Still, this might be workable given sufficient resources and talent.

0
0
Boffin

honeypots and honeynets

One problem with these is that the analyst simulating an infection in order to monitor black hat/malware behaviour has to make sure their infection behaves closely enough to what the blackhat is controlling to fool the blackhat, while also making sure the simulated infection does not behave like a real one in the sense the honeypot/honeynet needs to be part of the solution rather than part of the problem. Various approaches are used, including having outgoing connections go through a custom very restrictive rate-limiting firewall. Most typically a honeynet is setup to become infected, while being strictly monitored and controlled, in order to study the malware used to infect it.

Possibly one of the most useful and effective honeynet techniques is the fully automated spamtrap which attracts great volumes of spam, measuring the addresses from where the spam is relayed so these bot addresses get onto the DNSBL blacklists used by most MTA mail servers in real time.

0
0
Terminator

Let's put it to the test

If someone were to contract out one of these Russian servers and promptly begin pumping out emails which just so happened to refer to a certain few well connected Russian business magnates and politicos in a less than complimentary manner, I'd bet we'd soon find out whether these webhosts are actually as "bullet" proof as they claim to be...

0
0
Anonymous Coward

Hmmm....

I may be a little ignorant here, but who manages the global routing table?

1
0
Boffin

no global routing table

There is no global routing table. Every router has and regularly updates its own viewpoint of which neighbouring node to go through in order to forward to a particular address range. Each router also regularly advertises to its neighbours the address ranges it can help forward the packets it receives.

The Net was designed this way in order to avoid single points of failure, as was the telephone network before it.

There is a centralised system of address block allocation, analogous to the allocation of telephone dialling country codes. To find out more about that a good starting point is the Wikipedia article on Regional Internet Registries http://en.wikipedia.org/wiki/Regional_Internet_registry .

1
0

No--and yes

(The following is my best understanding of the subject and I am not an expert; corrections requested as needed.)

You're on target to say that there is no central routing table that anyone controls or maintains. However, there is (by name, anyway) a global routing table which is defined as the set of Autonomous Systems which are connected such that they can reach anywhere else on the net without the need for a default route.

This table doesn't actually exist anywhere in particular. The Default-Free zone, which may look on the surface like a central reference, is actually nothing like that. As I understand it, routers in this set of ASes by definition know about every other AS in that set and can route directly to each of them (though, unless I have that wrong, doesn't necessarily mean that they are directly connected), and that collection of information is what is called the global routing table. Therefore, the global routing table is generated and maintained in a distributed and independent manner by Border Gateway Protocol (BGP) implemented by those routers (I don't think there are other protocols involved, but that might be wrong too), and it can change continuously when events on the net cause changes in the way BGP and router implementations determine the optimal routes from one point to another.

So, in reference to the original question: there is indeed no place where such a table exists that could be manipulated to cut off a rogue service.

0
0
G2
FAIL

huh?

zeustracker now shows that proxiez is online... are you sure that the plug was pulled properly?

0
0
Gates Horns

why it's called bulletproof

it's called bullet proof because no matter what you do they come back online, and there is nothing you can do :(

0
1
Grenade

ISPs are useless

To me ISPs are useless - and not just those in Eastern Europe. All over. The same go for the registrars. Neither want to disconnect a paying client unless they have to.

One registrar says it's up to the registree to verify the domain the registree is using isn't illegal or using any trademarked name. so I could register www.applehatesadobe.com and the registrar doesn't care - even though they know it's probably not right. Or maybe www.microdoft.com for cybersquatting.

ISPs won't bother if a site on their network is sending popup [and probably malware infested] PDFs or scripts.

0
0
This topic is closed for new posts.