Re: Avalanche botnet takedown

2016-12-09 Thread Scott Weeks


I did some snippage, but I believe I kept to the idea.


::  you seem to want various laws made to control it.  

> Yes.

It's a global network.  I want to say what country's 
laws, but see below.  Also, if you want something to
be broken beyond recognition get a government to
regulate it.  It'll be a major FAIL.



:: you seem to want the masses to uprise against the 
:: "tier 1" folks and force it there.

> Actually, I'm not 100% sure even that would do it.

One, the masses of the world will not rise up together 
for anything, much less this.




:: you seem to want various governments to band 
:: together to form a "law of cyber" coalition

> Yes.

This will never happen.  Even if some did band together
others will not and that would create a haven for the
bad people.



:: and for a "you must be this tall to ride the internet" 
:: measurement.

> No, I never said that.  I don't care how tall you are, 
> or how young or how old or how whatever you are.  You 
> should be able to use the Internet.

I should've been more clear.  You didn't understand what
I meant.



> But with privileges should come some accountability, 
> and that is entirely lacking at present.

How will you get a two-year-old kid in Kaaawa, Oahu to obtain
accountability before 'riding' the internet?



:: no one can get a list of everyone on this planet that 
:: is allowed to 'play' on the internet.

> Correct.  And that is a major part of the problem.

indeed...



Re: Avalanche botnet takedown

2016-12-09 Thread Ronald F. Guilmette

In message <20161201201124.982f2...@m0086238.ppops.net>, 
sur...@mauigateway.com wrote:

>In message <20161201124527.9be45...@m0087798.ppops.net>, 
>sur...@mauigateway.com wrote:
>
>>What is your suggestion to keep the sky from falling?
>
>My full answer, if fully elaborated, would bore you and 
>everybody else to tears, so I'll try to give you an 
>abbreviated version.
>
>It seems to be that it comes down to three things... 
>acceptance, leadership, and new thinking.
>--
>
>In acceptance you seem to want various laws made to 
>control it.  

Yes.

>In leadership you seem to want the masses to uprise against 
>the "tier 1" folks and force it there.

Actually, I'm not 100% sure even that would do it.  Look at the banks,
who are now widely loathed, and yet they still continue to get away
with massive crimes and nobody is seriously punished.  But wider public
awareness of just what the problems are, and just who can and should be
working to correct them would be helpful.

>In new thinking you seem to want various governments to
>band together to form a "law of cyber" coalition

Yes.

>and for a "you must be this tall to ride the internet" measurement.

No, I never said that.  I don't care how tall you are, or how young or
how old or how whatever you are.  You should be able to use the Internet.
But with privileges should come some accountability, and that is entirely
lacking at present.

>You also mention "When is the industry going to start 
>admitting to itself that individual end-lusers can be
>dangerous, sometimes even to the tune of $tens of millions 
>of dollars?  In short, when is this industry going to start 
>vetting people..."
>
>I believe 'this industry' does recognize it and no one can 
>get a list of everyone on this planet that is allowed to 
>'play' on the internet.

Correct.  And that is a major part of the problem.

>Did I get the gist of your response correct?

Partially.  See above.


Regards,
rfg


Re: Avalanche botnet takedown

2016-12-02 Thread Rich Kulawiec
[ Reposted with proper Subject line.  My apologies.  Insufficient coffee. ]

On Thu, Dec 01, 2016 at 03:01:50PM -0800, Ronald F. Guilmette wrote:
> As you probably know Rich, that's not exactly a novel observation.  Vixie
> was already saying it a full six years ago, and things have only gotten
> worse since then.

Yep.  I remember reading that.  The only change I would make is that
Paul wrote:

Most new domain names are malicious.

and I think a more accurate/updated/refined statement in 2016 would be:

Almost all new domain names are malicious.

We are busy trying to support a domain name system that is two to
three orders of magnitude larger (as measured by domains) than it
should be or needs to be.  And nearly all of what we're supporting
is malicious.

---rsk



Re: [nanog] Re: Avalanche botnet takedown

2016-12-02 Thread Hugo Salgado-Hernández
According to a 2015 paper, 85% of new gTLD domains were some form
of parking, defensive redirect, unused, etc:


Hugo

On 15:02 01/12, J. Hellenthal wrote:
> 99% ? That's a pretty high figure there.
> 
> -- 
>  Onward!, 
>  Jason Hellenthal, 
>  Systems & Network Admin, 
>  Mobile: 0x9CA0BD58, 
>  JJH48-ARIN
> 
> On Dec 1, 2016, at 14:56, Rich Kulawiec  wrote:
> 
> > On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
> > [...] 800,000 domain names used to control it.
> 
> 1. Which is why abusers are registrars' best customers and why
> (some) registrars work so very hard to support and shield them.
> 
> 2. As an aside, I've been doing a little research project for a
> few years, focused on domains.  I've become convinced that *at least*
> 99% of domains belong to abusers: spammers, phishers, typosquatters,
> malware distributors, domaineers, combinations of these, etc. 
> 
> In the last year, I've begun thinking that 99% is a serious underestimate.
> (And it most certainly is in some of the new gTLDs.)
> 
> ---rsk
> 




Re: Avalanche botnet takedown

2016-12-02 Thread Tony Finch
Ronald F. Guilmette  wrote:
>
> P.P.S.  I love this part of the press release, because it is so telling:
>
>  "The successful takedown of this server infrastructure was supported
>  by ... Registrar of Last Resort, ICANN..."

Note that these are the names of two different organizations - the part
before the comma is not a description of the role played by ICANN.

http://tldcon.ru/docs/02-Addis.pdf
http://www.rolr.org/goals.en.html

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames: Northwest 4 or 5, veering northeast 3 or 4. Moderate, becoming
slight later in Thames. Showers. Good.


Re: Avalanche botnet takedown

2016-12-01 Thread Scott Weeks


--- r...@tristatelogic.com wrote:
From: "Ronald F. Guilmette" 

In message <20161201124527.9be45...@m0087798.ppops.net>, 
sur...@mauigateway.com wrote:

>What is your suggestion to keep the sky from falling?

My full answer, if fully elaborated, would bore you and 
everybody else to tears, so I'll try to give you an 
abbreviated version.

It seems to be that it comes down to three things... 
acceptance, leadership, and new thinking.
--

In acceptance you seem to want various laws made to 
control it.  

In leadership you seem to want the masses to uprise against 
the "tier 1" folks and force it there.

In new thinking you seem to want various governments to
band together to form a "law of cyber" coalition and for
a "you must be this tall to ride the internet" measurement.

You also mention "When is the industry going to start 
admitting to itself that individual end-lusers can be
dangerous, sometimes even to the tune of $tens of millions 
of dollars?  In short, when is this industry going to start 
vetting people..."

I believe 'this industry' does recognize it and no one can 
get a list of everyone on this planet that is allowed to 
'play' on the internet.

Did I get the gist of your response correct?

scott


Re: Avalanche botnet takedown

2016-12-01 Thread Robert McKay

I'm just assuming this because it doesn't say anywhere,
but given the context it seems likely to me that almost
none of the 90 domains were actually registered.

It sounds more likely that they figured out how the domain generation
algorithm works and instructed the registries to block out all the
possible domains it could generate (preventing them from being
registered in the future).. along with also going after the registrars
to disable a much smaller number of domains that were actually
currently registered.

Could be the 0.01% were the ones that were actually registered.

Rob

On 2016-12-01 21:06, Justin Paine via NANOG wrote:

straight from the horse's mouth -- they said  "99.99% of the 900,000
domains" have been sinkholed.


Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Thu, Dec 1, 2016 at 1:02 PM, J. Hellenthal  
wrote:

99% ? That's a pretty high figure there.

--
 Onward!,
 Jason Hellenthal,
 Systems & Network Admin,
 Mobile: 0x9CA0BD58,
 JJH48-ARIN

On Dec 1, 2016, at 14:56, Rich Kulawiec  wrote:


On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
[...] 800,000 domain names used to control it.


1. Which is why abusers are registrars' best customers and why
(some) registrars work so very hard to support and shield them.

2. As an aside, I've been doing a little research project for a
few years, focused on domains.  I've become convinced that *at least*
99% of domains belong to abusers: spammers, phishers, typosquatters,
malware distributors, domaineers, combinations of these, etc.

In the last year, I've begun thinking that 99% is a serious underestimate.
(And it most certainly is in some of the new gTLDs.)

---rsk



Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201205647.ga8...@gsp.org>, 
Rich Kulawiec  wrote:

>2. As an aside, I've been doing a little research project for a
>few years, focused on domains.  I've become convinced that *at least*
>99% of domains belong to abusers: spammers, phishers, typosquatters,
>malware distributors, domaineers, combinations of these, etc. 

As you probably know Rich, that's not exactly a novel observation.  Vixie
was already saying it a full six years ago, and things have only gotten
worse since then.

http://www.circleid.com/posts/20100728_taking_back_the_dns/

Regards,
rfg


Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201124527.9be45...@m0087798.ppops.net>, 
sur...@mauigateway.com wrote:

>What is your suggestion to keep the sky from falling?

My full answer, if fully elaborated, would bore you and everybody else
to tears, so I'll try to give you an abbreviated version.

It seems to be that it comes down to three things... acceptance, leadership,
and new thinking.

Acceptance
We, the people of this planet, including end users, small ISPs,
big ISPs, Tier-1 providers, ICANN, and all of the dangling tentacles
that derive their authority and power therefrom, law enforcement
globally, and judicial systems globally, have to begin by accepting
the undeniable reality that traditional law enforcement and judicial
processes have already been utterly overwhelmed by the new phenomenon
of international cybercrime, *and*, more importantly, that they always
will be.  If a teenager can hack your bank account in ten minutes,
but it takes three years to bring him to trial, after which he
gets a slap on the wrist and probation... well... any idiot can
see that this is an ongoing recipe for disaster on a grand scale.
(And in a way, announcements like the one today about a small
handful of Internet criminals being busted are actually a bad
thing, because they only serve to perpetuate this comforting but
incredibly incorrect mass delusion that traditional law enforcement
has the new world of cyberspace well in hand.  They don't, and never
will.  And in fact they are just falling further and further behind
with each passing year.)

Leadership
This has to come from the folks at the top of the food chain, the
Tier-1 providers, and sadly, they have become like the banks...
everybody hates them, but we all know that we can't live without
them, and they are free to make money hand over fist while showing
no signs of accountability whatsoever.  (And don't kid yourself
that there is anything even remotely like independence in any of
the bits and pieces, starting from ICANN on down, that currently
pass for what is laughingly called "Internet Governance".  All of
these structures take their cue, and their marching orders, from
the Internet industry, and the industry, such as it is, can't change
a damn thing without buy-in from the Tier-1 providers.)

Unfortunately, in this just-past election, one party's Presidential
candidate was criticized for being "too close to the banks", in
particular, Goldman Sachs, and the other one has just selected a
former Goldman Sachs banker pal of his to run the treasury
department in the new administration.  This shows that without a
massive sea change in the level of anger among the general populace,
nothing will change, ever.  And so it is also with the Internet
industry.  End users and consumers need to wake up and start actively
demanding that the industry grow up, grow a pair, and stop just
sitting idly by while the current ongoing hacking free-for-all
claims new victims every goddamn day.  When and if that ever happens,
perhaps one or more CEOs of Tier-1 providers will finally wake up,
smell the coffee, and understand that over a time horizon longer than
this coming quarter, they need to start showing some leadership,
and help guide the whole industry towards a better and safer future.

New Thinking
Even military men have, for some time now, been calling cyberspace
"a new domain of battle, like air, land, sea, and space".  Why then
do our law enforcement and judicial systems, worldwide, fail to
also and likewise accept and begin to deal with this new reality?

Everywhere on earth, law enforcement, judicial systems, and
governments are, by and large, still trying to pretend that
cybercrime is strictly a local matter.  It isn't, and hasn't
been, for about 30 years now.

Internationalized legal structures are hard to assemble, but they
are not hardly without precedent.  Why should there not be an
international Internet equivalent of the "Law of the Sea"?

It is quite common for cybercrimes to cross national borders, and yet
I personally have so far never heard of a single instance in which
any cybercriminal has been brought before the International Criminal
Court in the Hague to stand trial.  Why not?  Russia and China may
(and indeed do) seem to have more than a little reluctance to allow
extradition of their cybercriminals to the U.S. to stand trial.  OK
then.  What will be their excuse if we instead say that such defendants
should be rendered unto, and be brought before the bar in The Hague?


Re: Avalanche botnet takedown

2016-12-01 Thread Rich Kulawiec
On Thu, Dec 01, 2016 at 03:02:30PM -0600, J. Hellenthal wrote:
> 99% ? That's a pretty high figure there.

Yeah.  I thought so too.  For the first ten years.  Now I think it's
not nearly high enough.  Let me give you three examples -- the three
that happen to be occupying my attention at the moment.  I've got more
if you've got the time.  A *lot* more.

1) http://www.firemountain.net/~rsk/loan.txt
2) http://www.firemountain.net/~rsk/space.txt
3) http://www.firemountain.net/~rsk/online.txt

1553, 3794, and 602 domains respectively.  For brevity, I'll spare
you (4) which is a list of 97,657 domains (all in .info) using
variations of the same words, all registered by the same "company".

Note that my collection methods are lossy, so all of these are
drastically UNDERinclusive.

---rsk


RE: Avalanche botnet takedown

2016-12-01 Thread Steve Mikulasik
We need a cost effective and performant way of blocking botnet traffic in SP 
networks. Fact is the only way to enforce network policy is from within the 
network. Laws, putting the onus on users, notifying infected users, etc will 
never work. We can't expect to solve them all, but at least make it more 
difficult by a large margin to run these things. For example blacklisting 
domains where spam is coming from doesn't stop the problem, but it does help in 
a big way.

Over 800k domains, but I bet they were not using nearly that many IPs. It would 
be nice to take info from various honeypots about CNC servers and just 
blackhole those IPs in one way or another very quickly. I don't want to suggest 
a method of doing this, just as an idea to play around with.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Weeks
Sent: Thursday, December 1, 2016 1:45 PM
To: nanog@nanog.org
Subject: Re: Avalanche botnet takedown




--- r...@tristatelogic.com wrote:
From: "Ronald F. Guilmette" <r...@tristatelogic.com>

The Internet, viewed as an organism, quite clearly has, at present, numerous 
autoimmune diseases.  It is attacking itself.  And its immune system, such as 
it is, clearly ain't working.  There's going to come a day of reckoning when it 
will no longer be possible to paper over this sad and self-evident fact.  (And 
no, I'm *not* talking about the fabled "Digital Pearl Harbor".  I'm talking 
instead about the Internet equivalent of the meteor that wiped out the 
dinosaurs.)
---


What is your suggestion to keep the sky from falling?

scott



Re: Avalanche botnet takedown

2016-12-01 Thread Justin Paine via NANOG
straight from the horse's mouth -- they said  "99.99% of the 900,000
domains" have been sinkholed.


Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Thu, Dec 1, 2016 at 1:02 PM, J. Hellenthal  wrote:
> 99% ? That's a pretty high figure there.
>
> --
>  Onward!,
>  Jason Hellenthal,
>  Systems & Network Admin,
>  Mobile: 0x9CA0BD58,
>  JJH48-ARIN
>
> On Dec 1, 2016, at 14:56, Rich Kulawiec  wrote:
>
>> On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
>> [...] 800,000 domain names used to control it.
>
> 1. Which is why abusers are registrars' best customers and why
> (some) registrars work so very hard to support and shield them.
>
> 2. As an aside, I've been doing a little research project for a
> few years, focused on domains.  I've become convinced that *at least*
> 99% of domains belong to abusers: spammers, phishers, typosquatters,
> malware distributors, domaineers, combinations of these, etc.
>
> In the last year, I've begun thinking that 99% is a serious underestimate.
> (And it most certainly is in some of the new gTLDs.)
>
> ---rsk
>


Re: Avalanche botnet takedown

2016-12-01 Thread J. Hellenthal
99% ? That's a pretty high figure there.

-- 
 Onward!, 
 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 
 JJH48-ARIN

On Dec 1, 2016, at 14:56, Rich Kulawiec  wrote:

> On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
> [...] 800,000 domain names used to control it.

1. Which is why abusers are registrars' best customers and why
(some) registrars work so very hard to support and shield them.

2. As an aside, I've been doing a little research project for a
few years, focused on domains.  I've become convinced that *at least*
99% of domains belong to abusers: spammers, phishers, typosquatters,
malware distributors, domaineers, combinations of these, etc. 

In the last year, I've begun thinking that 99% is a serious underestimate.
(And it most certainly is in some of the new gTLDs.)

---rsk



Re: Avalanche botnet takedown

2016-12-01 Thread Rich Kulawiec
On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
> [...] 800,000 domain names used to control it.

1. Which is why abusers are registrars' best customers and why
(some) registrars work so very hard to support and shield them.

2. As an aside, I've been doing a little research project for a
few years, focused on domains.  I've become convinced that *at least*
99% of domains belong to abusers: spammers, phishers, typosquatters,
malware distributors, domaineers, combinations of these, etc. 

In the last year, I've begun thinking that 99% is a serious underestimate.
(And it most certainly is in some of the new gTLDs.)

---rsk



Re: Avalanche botnet takedown

2016-12-01 Thread Scott Weeks



--- r...@tristatelogic.com wrote:
From: "Ronald F. Guilmette" 

The Internet, viewed as an organism, quite clearly has, at present,
numerous autoimmune diseases.  It is attacking itself.  And its immune
system, such as it is, clearly ain't working.  There's going to come
a day of reckoning when it will no longer be possible to paper over
this sad and self-evident fact.  (And no, I'm *not* talking about
the fabled "Digital Pearl Harbor".  I'm talking instead about the
Internet equivalent of the meteor that wiped out the dinosaurs.)
---


What is your suggestion to keep the sky from falling?

scott


Re: Avalanche botnet takedown

2016-12-01 Thread Paul Ferguson
> P.S.  WTF is "double fast flux[tm]"?

Double fast-flux is when not only the TTL is set very low on the A record(s), 
but also on the NS:

https://en.wikipedia.org/wiki/Fast_flux

- ferg



> On Dec 1, 2016, at 12:38 PM, Ronald F. Guilmette  
> wrote:
> 
> 
> In message <20161201173426.2861.qm...@ary.lan>,
> "John Levine"  wrote:
> 
>> More info here:
>> 
>> https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
> 
> I'm always happy when even a small handful of miscreants are captured
> and taken off the Internet, but...
> 
> The press release itself says that this botnet had been running since
> 2009.  So, you know, are we supposed to break out the champagne and
> start celebrating because it "only" took LE *seven years* to take down
> this one botnet and capture a grand total of five cybercriminals?
> 
> Like I say, I'm happy that this one botnet was killed, but to my way
> of thinking, the fact that it took seven years to do so is a testament
> *not* to the spectacular 21st century capabilities of modern law
> enforcement, but rather to the ever widening gap between the time
> scales of law enforcement processes, typically measured in months or
> years, and the time scales of malicious packets flying around the
> Internet, usually measured in milliseconds.
> 
> The Internet, viewed as an organism, quite clearly has, at present,
> numerous autoimmune diseases.  It is attacking itself.  And its immune
> system, such as it is, clearly ain't working.  There's going to come
> a day of reckoning when it will no longer be possible to paper over
> this sad and self-evident fact.  (And no, I'm *not* talking about
> the fabled "Digital Pearl Harbor".  I'm talking instead about the
> Internet equivalent of the meteor that wiped out the dinosaurs.)
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  WTF is "double fast flux[tm]"?  Is that anything like "double secret
> probation" from Animal House?
> 
> P.P.S.  I love this part of the press release, because it is so telling:
> 
> "The successful takedown of this server infrastructure was supported
> by ... Registrar of Last Resort, ICANN..."
> 
> Hahahahaha!  Yea.  Translation, for those of you who do not speak
> diplomacy-speak:  "It isn't hardly just you unofficial anti-spammers and
> anti-cybercrime volunteers and private security companies that can't
> manage to get many domain registrars and sometimes even domain registries
> to lift a finger to help.  Even some of us international law enforcement
> guys, who have badges and everything, were also told to go pound sand by
> several of the world's worst and most unhelpful registrars and registries.
> In fact, they were so colossally unhelpful that in the end, we
> finally had to go and plead our case all the way up to ICANN, just in
> order to get anything done."

—
Paul Ferguson
ICEBRG.io
Seattle, Washington, USA
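
The distinction drawn in the reply above (low TTLs on the A records alone versus on both the A and NS records), as an added example that is not part of the original thread: a small classifier run over constructed passive-DNS observations. The thresholds, the observation tuple layout and all names and addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed thresholds for this example; tune them against your own resolver logs.
LOW_TTL = 300       # seconds; at or below this a record set counts as short-lived
MIN_DISTINCT = 4    # distinct rdata values needed before a set counts as rotating


def _obs(qname, rtype, ttl, values):
    """Build constructed observations: (epoch, qname, rtype, ttl, rdata)."""
    return [(1480600000 + 300 * i, qname, rtype, ttl, v) for i, v in enumerate(values)]


# Constructed sample data. Addresses are from the RFC 5737 documentation ranges.
OBSERVATIONS = (
    _obs("flux2.example", "A", 120, [f"192.0.2.{n}" for n in range(10, 16)])
    + _obs("flux2.example", "NS", 180, [f"ns{n}.flux2.example" for n in range(1, 6)])
    + _obs("flux1.example", "A", 60, [f"198.51.100.{n}" for n in range(20, 25)])
    + _obs("flux1.example", "NS", 86400, ["ns1.host.example", "ns2.host.example"])
    # Low TTL but a small, stable address pool: typical of load balancing, not flux.
    + _obs("cdn.example", "A", 30, ["203.0.113.5", "203.0.113.6", "203.0.113.5"])
    + _obs("cdn.example", "NS", 172800, ["ns1.cdn.example", "ns2.cdn.example"])
    + _obs("static.example", "A", 3600, ["203.0.113.80"])
)


def summarize(observations):
    """Per (qname, rtype): the highest TTL seen and the set of distinct rdata."""
    stats = defaultdict(lambda: {"max_ttl": 0, "rdata": set()})
    for _ts, qname, rtype, ttl, rdata in observations:
        entry = stats[(qname.lower().rstrip("."), rtype.upper())]
        entry["max_ttl"] = max(entry["max_ttl"], ttl)
        entry["rdata"].add(rdata.lower())
    return stats


def is_fluxing(entry):
    """A record set is 'fluxing' if every TTL seen was low AND the values rotate."""
    return (
        entry is not None
        and entry["max_ttl"] <= LOW_TTL
        and len(entry["rdata"]) >= MIN_DISTINCT
    )


def classify(observations):
    """Label each domain as none, single-flux, double-flux or ns-flux-only."""
    stats = summarize(observations)
    verdicts = {}
    for qname in sorted({q for q, _rtype in stats}):
        a_flux = is_fluxing(stats.get((qname, "A")))
        ns_flux = is_fluxing(stats.get((qname, "NS")))
        if a_flux and ns_flux:
            verdicts[qname] = "double-flux"
        elif a_flux:
            verdicts[qname] = "single-flux"
        elif ns_flux:
            verdicts[qname] = "ns-flux-only"
        else:
            verdicts[qname] = "none"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(OBSERVATIONS).items():
        print(f"{name:16} {verdict}")
```

Requiring rotation as well as a low TTL keeps ordinary short-TTL load balancing (the cdn.example rows) out of the flux verdicts.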







Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201173426.2861.qm...@ary.lan>, 
"John Levine"  wrote:

>More info here:
>
>https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

I'm always happy when even a small handful of miscreants are captured
and taken off the Internet, but...

The press release itself says that this botnet had been running since
2009.  So, you know, are we supposed to break out the champagne and
start celebrating because it "only" took LE *seven years* to take down
this one botnet and capture a grand total of five cybercriminals?

Like I say, I'm happy that this one botnet was killed, but to my way
of thinking, the fact that it took seven years to do so is a testament
*not* to the spectacular 21st century capabilities of modern law
enforcement, but rather to the ever widening gap between the time
scales of law enforcement processes, typically measured in months or
years, and the time scales of malicious packets flying around the
Internet, usually measured in milliseconds.

The Internet, viewed as an organism, quite clearly has, at present,
numerous autoimmune diseases.  It is attacking itself.  And its immune
system, such as it is, clearly ain't working.  There's going to come
a day of reckoning when it will no longer be possible to paper over
this sad and self-evident fact.  (And no, I'm *not* talking about
the fabled "Digital Pearl Harbor".  I'm talking instead about the
Internet equivalent of the meteor that wiped out the dinosaurs.)


Regards,
rfg


P.S.  WTF is "double fast flux[tm]"?  Is that anything like "double secret
probation" from Animal House?

P.P.S.  I love this part of the press release, because it is so telling:

 "The successful takedown of this server infrastructure was supported
 by ... Registrar of Last Resort, ICANN..."

Hahahahaha!  Yea.  Translation, for those of you who do not speak
diplomacy-speak:  "It isn't hardly just you unofficial anti-spammers and
anti-cybercrime volunteers and private security companies that can't
manage to get many domain registrars and sometimes even domain registries
to lift a finger to help.  Even some of us international law enforcement
guys, who have badges and everything, were also told to go pound sand by
several of the world's worst and most unhelpful registrars and registries.
In fact, they were so colossally unhelpful that in the end, we
finally had to go and plead our case all the way up to ICANN, just in
order to get anything done."


Re: Avalanche botnet takedown

2016-12-01 Thread anthony kasza
From my understanding Avalanche wasn't a single botnet but was high
availability infrastructure used by multiple different families/operators.

-AK

On Dec 1, 2016 10:37 AM, "John Levine"  wrote:

> Avalanche is a large nasty botnet, which was just disabled by a large
> coordinated action by industry and law enforcement in multiple
> countries.  It was a lot of work, involving among other things
> disabling or sinkholing 800,000 domain names used to control it.
>
> More info here:
>
> https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
>
> http://blog.shadowserver.org/2016/12/01/avalanche/
>
> As both items point out, if your users are infected with Avalanche,
> they're still infected, but now if you disinfect them, they won't get
> reinfected.  At least not with that particular flavor of malware.
>
> R's,
> John
>
>
>