back to article CyberRehab's mission? To clean up the internet, one ASN block at a time

A new project aims to mitigate cybercrime by making it in the economic and business interests of ISPs and telcos to clean up the internet. CyberRehab wants to prove that it can establish an IP range that hackers choose to stay away from. If miscreants try to attack, they will lose their infrastructure. The IP range will be …

  1. Alister Silver badge

    CyberRehab wants to prove that it can establish an IP range that hackers choose to stay away from.

    I'm sorry, but most hackers will see this as a challenge, rather than a deterrent.

    1. oystein2

      We're not addressing the hackers. We're addressing the ISP they and their bots are connected to. They can make trouble for the hackers and clean up all their infrastructure.

  2. sitta_europea

    We already drop everything from Africa, so this won't help us at all. More helpful would be if everybody else drops everything from Africa until the collectively clean up their act.

    Here are a couple of our drop lists (ISO country codes and ASNs). '1' means we inspect the packets in case they might be interesting for forensic purposes, but drop them anyway. '2' means we don't even inspect them, just drop them. Our ASN list is currently in its infancy but performing very acceptably.

    AE => 1, AF => 2, AL => 2, AM => 1, AO => 2, AP => 1, AR => 2, AT => 1, AU => 1, AZ => 2,

    BA => 1, BD => 2, BE => 1, BG => 2, BH => 1, BJ => 1, BO => 2, BR => 2, BW => 1, BY => 1,

    CG => 2, CI => 2, CL => 2, CM => 1, CN => 2, CO => 2, CR => 2, CV => 1, CZ => 1,

    DK => 1, DO => 2, DZ => 1,

    EC => 2, EE => 1, EG => 2, ES => 1, ET => 1,

    FI => 1,

    GA => 1, GE => 1, GH => 2, GR => 2, GT => 2,

    HN => 2, HR => 1, HT => 1, HR => 2, HU => 1,

    ID => 2, IL => 1, IN => 2, IQ => 2, IR => 2, IS => 1, IT => 1,

    JM => 1, JO => 2, JP => 2,

    KE => 2, KG => 2, KH => 2, KN => 2, KR => 2, KW => 2, KZ => 2,

    LA => 1, LB => 2, LK => 1, LS => 2, LT => 2, LV => 2, LY => 2,

    MA => 1, MD => 1, ME => 1, MK => 2, ML => 1, MN => 2, MQ => 1, MR => 1, MU => 1, MV => 1, MX => 2, MY => 2, MZ => 1,

    NG => 2, NO => 1,

    PA => 2, PE => 2, PH => 2, PK => 2, PL => 2, PR => 1, PS => 1, PY => 2,

    QA => 2,

    RO => 2, RS => 2, RU => 2, RW => 2,

    SA => 2, SC => 2, SD => 1, SE => 1, SG => 1, SI => 1, SK => 1, SL => 1, SN => 2, SV => 2, SY => 2,

    TG => 1, TH => 2, TJ => 1, TL => 1, TN => 1, TR => 2, TT => 1, TW => 2, TZ => 2,

    UA => 2, UY => 2, UZ => 2,

    VE => 1, VN => 2,

    ZA => 2, ZM => 1,

    AS4837 => 2 # CNCGROUP CHINA169 BACKBONE

    AS7922 => 2 # COMCAST CABLE COMMUNICATIONS, LLC

    AS10796 => 2 # TIME WARNER CABLE INTERNET LLC

    AS11377 => 2 # SENDGRID (http://mainsleaze.spambouncer.org/category/esp-problem/)

    AS12876 => 2 # ONLINE S.A.S.

    AS14782 => 2 # THE ROCKET SCIENCE GROUP, LLC

    AS15083 => 2 # INFOLINK GLOBAL CORPORATION

    AS16276 => 2 # OVH

    AS20150 => 2 # CUBEMOTION LLC

    AS22773 => 2 # COX COMMUNICATIONS INC.

    AS33588 => 2 # CHARTER COMMUNICATIONS

    AS43013 => 2 # YORK DATA SERVICES LIMITED

    AS45102 => 2 # ALIBABA (CHINA) TECHNOLOGY CO., LTD.

    AS46475 => 2 # LIMESTONE NETWORKS, INC.

    AS47625 => 2 # PAUL DAVID HUGHES TRADING AS HOSTING SYSTEMS

    AS53824 => 2 # LIQUID WEB, L.L.C

    AS55163 => 2 # LINKEDIN CORPORATION

    AS200484 => 2 # SENDINBLUE SAS

    AS201536 => 2 # SANDYX SYSTEMS LIMITED

    Please feel free to help us extend these lists.

    1. oystein2

      Africa is never going to solve their problems with the methods used in Europe/US. It's just too expensive to offer an expensive firewall to hide behind while the problem is allowed to continues to grow. So that's what we're trying to solve and there's lots of interest from Africa.

    2. Adam 52 Silver badge

      A certain amount of baby and bathwater going on there. You'll be blocking me (not that I expect you to care about that.)

  3. Rich 11 Silver badge

    Slightly flawed

    CyberRehab is preparing an EU research project with some universities, mainly in Spain and the UK.

    Better get a move on. The UK's footbullet is being loaded into the chamber in readiness for firing.

    1. oystein2

      Re: Slightly flawed

      Yeah... universities are still summer dormant, though....

  4. Christian Berger Silver badge

    That's a terrible idea

    Virtually everything is illegal somewhere, and laws typically aren't in step with what informed parts of the society think is fair.

    1. oystein2

      Re: That's a terrible idea

      We think we don't need it to be legal everywhere. We just need it to be legal where we establish.. And we don't think any government would chase us to the end of the world for doing what they always wanted to do themselves but can't do due to limited jurisdiction.

  5. Aodhhan Bronze badge

    Fine...

    Just don't ask us to pay for it.

    There are certain laws in math which hold true... and there are certain security engineering laws which hold true. One being, more security equals less flexibility and slower throughput. You can alleviate it somewhat by spending copious amount of money, but this is the big question; whose paying for it?

    Then there is the fact, you're doing the same thing as China and North Korea. Shutting down availability and only letting in what YOU want.

    Stop trying to save people from being stupid. It's everyone's civil right to do so.

    Just like all far left wingers... you think you're way will save the world, make everything better and safer.

    1. oystein2

      Re: Fine...

      You should check what we're planning to do before assuming too much. We're just planning to make it profitable for the ISP closest to the infected unit or hacker to clean up. We're not planning to block anything. The ISP closest to the threat should block us while cleaning up. And we're suggesting encapsulation and tagging as a better alternative than blocking. That way, there's time to map all the botnets while the target can redirect to honeypots and the hacker doesn't have a clue about what's going on. We're denying the hackers what they need to operate. If they fear that they're being compromised, they will just stay away. Either way it's far more efficient than hiding behing a firewall hoping for the best while the problem continues to grow.

    2. Throatwarbler Mangrove Silver badge
      Facepalm

      Re: Fine...

      Oh, do fuck off. It doesn't sound like they're "trying to save people from being stupid," rather trying to implement a model to deter people from being assholes and criminals, which I understand you may object to for personal reasons.

      "Just like all far left wingers" -- Yes, because fighting crime is a partisan issue, which is why "tough on crime" politicians tend so often to be of the leftist variety. The reality is that the Internet has become hostile territory, with a variety of threats both passive and active, and it would, in fact, save a lot of people money if the criminal actors could be cut off at the source. Maybe if you take off your ideological blinders and suppress your jerking knee for five seconds, you'll see that, although I won't hold my breath, to be sure.

      1. kellerr13

        Crime fighters

        What happens when those that fight crime, become the criminals, but pretend they are fighting crime. For example, when a Pol-pot comes to power and decides to kill all first born children.

  6. Chronos Silver badge
    Alert

    Again, this remains relevant.

    Your post advocates a

    (x) technical ( ) legislative ( ) market-based (x) vigilante

    approach to fighting cybercrime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    (x) Legitimate uses would be affected

    (x) Requires immediate total cooperation from everybody at once

    (x) Many users cannot afford to lose business or alienate potential employers

    (x) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (x) Lack of centrally controlling authority

    (x) VPNs and proxy servers

    (x) Asshats

    (x) Jurisdictional problems

    (x) Armies of worm riddled broadband-connected Windows boxes

    (x) Eternal arms race involved in all filtering approaches

    (x) Joe jobs and/or identity theft

    (x) Technically illiterate politicians

    (x) Extreme stupidity on the part of users

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever

    been shown practical

    (x) Blacklists suck

    (x) Whitelists suck

    (x) Countermeasures should not involve sabotage of public networks

    (x) Why should we have to trust you?

    (x) Feel-good measures do nothing to solve the problem

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.

    ( ) This is a stupid idea, and you're a stupid person for suggesting it.

    ( ) Nice try, assh0le! I'm going to find out where you live and burn your

    house down!

    Okay, I had to extend "spam" to "cybercrime" but the underlying message is the same.

    1. oystein2

      Re: Again, this remains relevant.

      Your post advocates a

      (x) technical ( ) legislative ( ) market-based (x) vigilante

      ---- WRONG – there’s nothing vigilant about protecting your own IP range

      approach to fighting cybercrime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      (x) Legitimate uses would be affected

      ---- WRONG – this is checked with Interpol, UK min of justice, Norwegian police

      (x) Requires immediate total cooperation from everybody at once

      ---- WRONG – not at all.

      (x) Many users cannot afford to lose business or alienate potential employers

      ---- WRONG - that’s why we should address the problem (infected units and neglecting ISPs and not just provide a firewall to hide behind while the problem continues to grow.

      (x) Anyone could anonymously destroy anyone else's career or business

      ---- WRONG – as long as botnets are not handled yes, that’s why this is a better solution

      Specifically, your plan fails to account for

      (x) Lack of centrally controlling authority

      ---- WRONG – there will be a central SOC

      (x) VPNs and proxy servers

      ---- WRONG – The closest ISP is in best position to know what’s VPN/Proxy

      (x) Asshats

      ---- WRONG – The closest ISP is in best position to know who’s asshat

      (x) Jurisdictional problems

      ---- WRONG – checked out

      (x) Armies of worm riddled broadband-connected Windows boxes

      ---- WRONG – closest ISP is in best position to know

      (x) Eternal arms race involved in all filtering approaches

      ---- WRONG – there’s no filtering except from what’s implemented by closest ISP while cleaning up

      (x) Joe jobs and/or identity theft

      ---- WRONG – closest ISP is in best position to know

      (x) Technically illiterate politicians

      ---- WRONG – CyberRehab certification provides what is required for the illiterate

      (x) Extreme stupidity on the part of users

      ---- WRONG

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever

      been shown practical

      ---- WRONG – This is never tried before… pls provide proof

      (x) Blacklists suck

      ---- WRONG – There’s no blacklists

      (x) Whitelists suck

      ---- WRONG – There’s no whitelist

      (x) Countermeasures should not involve sabotage of public networks

      ---- WRONG – There’s no sabotage only proper handling of infected units and hackers

      (x) Why should we have to trust you?

      ---- Finally a good question… It took some time

      (x) Feel-good measures do nothing to solve the problem

      ---- WRONG – If they address the real problem (infected units) it feels good and helps

      ---- I’ll give you score 10 for the effort… Performance could have been better, though…

      1. Anonymous Coward
        Anonymous Coward

        Re: Again, this remains relevant.

        "(x) Legitimate uses would be affected

        ---- WRONG – this is checked with Interpol, UK min of justice, Norwegian police"

        Exactly how? Can you provide written endorsements from these authorities?

        1. oystein2

          Re: Again, this remains relevant.

          Actually, I misunderstood this point. Legitimate use will be less affected if the sending ISP is handling the problem than today, when the receiver of the traffic has to handle (often block) it. This because the sender is in much better position to know what units are infected and can block only those units (instead of blocking all traffic over that IP address). What I've checked with police is the legality of nagging ISPs that are addicted to cybercrime.

  7. Anonymous Coward
    Anonymous Coward

    Regarding the AS and country code based blocking mentioned by sitta_europa, this is very similar to what I do on end systems that I control and it works very effectively. Additionally I use honeypots, the whois services provided by the RIRs, a full BGP table and a geo-location database to make associations and automatically block associated prefixes once certain thresholds are reached.

    Unfortunately I can't do this for 3rd parties for who I carry traffic. In many cases I think I would be providing a useful service to them but it's not something I would ever want to do without their informed consent. If someone is paying for full, unfiltered transit then that is what I try and deliver.

    1. oystein2

      Better make the sender responsible for getting rid of infected units. We can if we stand together.

  8. c1ue

    A nice idea, but...

    It is a nice idea in theory - on par with "cyber threat intelligence".

    The problem is a scale and specificity one.

    At what point is the ISP responsible for finding out that its users have been compromised? Sure, stopping thousands or millions of spam email coming out of a compromised email account makes sense. What if there are only hundreds? Or dozens?

    Similarly, exfil or malware dropper sites: how can you realistically monitor such that you can identify the low-res outfits vs. the gigantic botnets?

    Then there's the "known good" danger: if you identify a range of IP addresses as good, then compromise anywhere in that range will avoid defenses erected against the "unknown good", much less "known bad".

    Why would any sane cyber security practitioner expose themselves in such a way?

    1. oystein2

      Re: A nice idea, but...

      Currently, it's the receiver (the target) that is responsible to figure out what's malicious. But the ISP closest to the sender (bot, VPN, TOR exit point, hacker) is in much better position to do so. They already receive notifications from all over the world about those units. But they disregard them because of the very small cost of handling it compared to the enormous cost in the other end for doing the same job. So the core of this idea is to make it profitable for all ISPs to do what's good for cyber security. One obvious way to do that is through the peering. We can demand that ISPs execute it, but that requires that many big customers buy from certified ISPs. Then we can implement what's required to "punish" the neglecting ISPs and favour those that choose to do what's good for cyber security. This way we deny the hacker what they need to build their botnets and carry out crimes.

      1. DJ Smiley

        Re: A nice idea, but...

        Ok

        What's to stop me claiming you did bad thing X, and Y to me? Now you've been disconnected. Good bye.

  9. John Smith 19 Gold badge
    Unhappy

    TBH this is what ISP's should have been doing for years.

    But this sort of carrot and stick approach might work.

    1. oystein2

      Re: TBH this is what ISP's should have been doing for years.

      Carrot and stick is all about expenses and income for the ISPs.. And why shouldn't it work? It always have.. It's just about leverage and staying on the right side of the relevant law. Net neutrality is our side: It means anybody can try to hack us. But it also means we can ask their ISP million times per second why they let them - if that suits our cause. But it's probably better to use the carrot: We'll be solving a hundreds of billion dollars a year problem. Some of that money should go to ISPs that choose to do what's good for cybercrime just because we can make it profitable. It requires that some big corporations support it, though.

  10. jake Silver badge

    "Hacker"?

    You keep using that word. I don't think it means what you think it means.

    In light of the above, why should I pay any attention to you with regard to technical matters?

    That, and it's pretty much a fact that anybody who uses the term "cyber" as a technical term is clueless tells me all I need to know.

    1. oystein2

      Re: "Hacker"?

      This concept is not much technical - at least not in the start. It's about making the ISPs do what they already have the tools to do to get rid of malicious traffic. It's just that they choose not to do it because it's not profitable. So by saving a few dollars expenses, they cause million dollars damage in the other end. It's a much better deal for Internet users to pay the ISPs to get rid of the problem instead of hiding behind a very expensive firewall hoping for the best while the problem grows more and more out of control. If I use the terms "cyber" or "hacker" doesn't change the situation. Please tell me how to explain this so that people understand...

  11. oystein2

    "Cybercrime can't and never will be eradicated, just like crime can't and never will be eradicated," said Brian Honan, founder and head of Ireland's CSIRT and special advisor on internet security to Europol.

    What's his point? We shouldn't look for better ways to fight cybercrime because it can't be eradicated? Hope he's giving better advice to Europol - otherwise cybercrime may be an escalating problem. Why not rather stick to the topic? Is it better to get the ISPs involved in mitigating cybercrime instead of just hiding behind a firewall hoping for the best? And if so: How can we get the ISPs involved? Law enforcement? That's not working. What about changing peering contracts? Nothing the governments can do about that? Of course, there is... They can implement a high speed net with sponsored access for anybody who complies with some good policies - unless the ISPs handle the problem themselves. That would change the picture. Another thing they could do is demand that all government organizations require CyberRehab certification (includes good peering practices to discriminate non-compliant ISPs) from Internet providers and when peering with such. Then they should advice all corporations to join the same net – unless the ISPs cooperate. Or they could choose the easier way: Join the CyberRehab concept.

    1. jake Silver badge

      You are getting strident.

      That's never a good sign.

      (Hint: There are a lot of folks participating here on ElReg who have been running Internet connected machines for three or more decades. Over the years, we've seen proposed cures for network bogosity come and go. None of them work. Not because we don't want them to work, but rather because the perpetrators of the bogosity will always find a way around any obstacle, with the help of their marks (who refuse to understand that they are, in fact, marks). You see, it's not the problem that you think it is. The actual problem is one of hunter and prey, both of which are human conditions and outside the scope of the network. Thus any proposed solution that relies heavily on changing how the network is run is doomed to failure. You have to fix the people first. And that ain't going to happen until society fixes itself.)

      1. oystein2

        Re: You are getting strident.

        That's often the case, but not always. People had been trying to fly for hundreds of years before some figured out how. And now it's pretty easy. Boarding a plane is probably the easiest. To mitigate cybercrime we also need to know some basic rules about how Internet works:

        - We need to know what hackers need in other to be able to operate

        - We need to know why the ISPs don't interfere as they obviously can

        - We need to know who profit from the problem not being solved and make sure they don't determine the rules.

        - We need to know who benefit the most from the problem being solved and make sure they cooperate to solve it.

        Failing in one of these, then we'll say cybercrime can't be eradicated, ISPs will never interfere, firewalls/IDS/IPS/UTM is the solution or nobody will ever be able to change Internet.

  12. Wardy01

    Correct me if i'm wrong but ...

    So, citing an example, lets say something like a DDOS attack using a botnet is the problem ...

    Lets say I'm a hacker and have at my fingertips access to said botnet.

    I give said botnet a command.

    All bots in my net follow that command.

    ...

    No 1 single ISP can solve the problem as my bots can be anywhere on the internet and the net is something I created, and you (as the "victim" of my attack) are the only one that really sees the full scope of what actually went on.

    Am I missing something here or is putting pressure on ISP's to solve the unsolvable just forcing our own bills up as consumers with no actual results (given that the problem is not a solvable one)?

    So how would this work?

    Your ISP reports all the various machines involved in my attack to "something" that holds a blacklist type thing?

    Over time MY ISP remains in complete good standing, all the ISP's that host my many bots are affected by this "ranking system ?!?!?!".

    The reality is the source of the attack was my home machine, but from your point of view the source of the attack was the many machines that took part.

    From the point of the many ISP's involved in attacking you it's normal reasonable traffic.

    So who points the finger at me (the real cause!)?

    It seems to me that all cyber security related efforts are working on the effects not the cause, but tracking the cause is an extensive and complex task that would require a large data center and packet tracing information from the complete set of ISP's involved in this attack + some insane AI that could trawl this data.

    Or did I miss something?

    1. oystein2

      Re: Correct me if i'm wrong but ...

      The core problem is your botnet and the fact that you've been let alone to build it over long time. So the plan is that whenever there's any attack, then contact the owner of all the IP addresses involved and demand they (the ISPs) clean up. That includes finding the C&C machine(s) and hacker that built the network (you). This may require keeping it monitored for a while without interfering. Many ISPs will be happy about this and already are eager to clean up their own net. Over the others, we need some leverage, which can be various kind of nagging or influencing their peering partners.

  13. Anonymous Coward
    Anonymous Coward

    Response

    Any ISP that implements any type of controls or goes along with this nonsense on any level will find their domain and entire address block completely blocked from my sites.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019