Sept. 24 — Denial of service attacks by “zombie armies” of compromised computers have put two more spam-blocking lists out of business, adding to the body count in what one victim described as an “all-out war” raging in cyberspace.
[msnbc.com...]
other than some sort of class action lawsuit against the providers that are not doing anything to stop the attacks based on their own TOS, you are right...
simple studying of the tcp/ip packets will show enough that they should be able to be blocked at the border routers or even closer to home... referencing grc.com's ddos problems and what they did to determine what was going on...
other than some sort of class action lawsuit against the providers
Why would one do that? The providers are not originating the traffic - they're providing transit. That's like suing the TV companies for showing porn to your 3-year-old kid. If you don't want it on the tele, turn it off!
The DDOS players are unilaterally denying service to a host they don't like based upon their policies.
Sound familiar? Of course it does - it's the same thing the anti-spam mavens do. Until these anti-spam guys wake up and realize that spam is an economic problem, not a technical one, this sort of behavior will continue.
And if you're blocking spam based on a proprietary blacklist, you need to revisit your anti-spam policy.
alright oilman, i'll tone it down now.. :)
sorry, that's a bad analogy... a TV station cannot tell who is watching what it is transmitting... on the other hand, TCP/IP packets are very easy to snoop to see where they are from, where they are going, and what their payload is along with other info...
is there any reason for there to be 50000 64k ping packets all being sent to the same destination? that's a simple DOS... multiply that by 1000 machines on your network all going to the same place and you know that something untoward is happening...
the simple fact is that providers can do this and they don't... the postal services check packages for drugs and explosives and other dangerous material... why can't providers do this? they can and, in fact, there is even equipment and software available for just this purpose... the solution is simple... see the bad traffic, drop it in the bitbucket...
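As an added illustration of the per-destination check wkitty describes (not code from anyone in the thread): a flow-export analyser a provider could run at its border routers that flags a destination when far too many ICMP echo requests, from far too many sources, converge on it within a short window. The flow records, thresholds and addresses below are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float       # seconds; flow start time
    src: str
    dst: str
    proto: str      # "icmp", "tcp" or "udp"
    icmp_type: int  # 8 = echo request; -1 when not ICMP
    packets: int
    bytes: int

# Assumed thresholds; a real deployment tunes these to the link's baseline.
WINDOW_SECONDS = 10
PKT_THRESHOLD = 50_000   # echo requests toward one destination per window
SRC_THRESHOLD = 100      # distinct sources aimed at that destination
BIG_PING_BYTES = 60_000  # ~64 KB echo requests have no normal use

def detect_ping_floods(flows, now):
    """Return {dst: summary} for destinations flooded with echo requests in
    the trailing window, flagging either raw volume or many-sources-one-
    target fan-in with oversized pings (the zombie-army shape)."""
    pkts, srcs, big = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        if f.proto != "icmp" or f.icmp_type != 8 or f.ts < now - WINDOW_SECONDS:
            continue
        pkts[f.dst] += f.packets
        srcs[f.dst].add(f.src)
        if f.bytes // max(f.packets, 1) >= BIG_PING_BYTES:
            big[f.dst] += f.packets
    flagged = {}
    for dst, n in pkts.items():
        fanin = len(srcs[dst])
        if n >= PKT_THRESHOLD or (fanin >= SRC_THRESHOLD and big[dst] > 0):
            flagged[dst] = {"packets": n, "sources": fanin, "big_pings": big[dst]}
    return flagged

def sample_flows():
    """Constructed records: 1000 zombies each sending 60 oversized echo
    requests at 192.0.2.10, a few ordinary pings that must not flag, and
    one old flood flow outside the window that must be ignored."""
    zombies = [Flow(100.0, f"10.{i >> 8}.{i & 255}.7", "192.0.2.10", "icmp", 8,
                    60, 60 * 65_500) for i in range(1000)]
    normal = [Flow(100.0, f"203.0.113.{i}", "192.0.2.20", "icmp", 8, 4, 256)
              for i in range(5)]
    stale = [Flow(50.0, "203.0.113.9", "192.0.2.30", "icmp", 8, 90_000, 5_760_000)]
    return zombies + normal + stale
```

Running `detect_ping_floods(sample_flows(), now=105.0)` flags only 192.0.2.10; the drop or rate-limit action is then a policy decision for the operator, which is the part of the thread that is in dispute.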
the solution is simple... see the bad traffic, drop it in the bitbucket
But wait! Why not do that for the anti-spam blacklists? After all, they're denying service too!
the postal services check packages for drugs and explosives and other dangerous material
Step back a minute. Drugs and explosives kill people. Denial of service attacks don't.
is there any reason for there to be 50000 64k ping packets all being sent to the same destination?
Yes, it's the same reason one might want to maintain a blacklist of 50,000 IP addresses - because you want to deny service to a host you don't agree policy-wise with.
Added: You're implying that providers have a social responsibility to block denial of service attacks directed towards anti-spam blacklists. But, at the same time, you're ignoring that same social responsibility towards spammers.
I'm not siding with spammers. I'm merely saying the core network providers need to stay out of it. That's equal treatment for all. And that is why they refuse to stop this.
wkitty, great discussion! thanks!
A DDOS is the spammers saying we don't agree with this policy therefore we are going to stop *OTHER* people from using it.
The difference is that the black lists offer a tool for somebody else to use if they choose to do so (and yes, ISPs using it without informing customers is dubious, but that is an issue with the ISP, not an issue with the BL provider).
it's not quite as innocent as that. there is one of the lists, (spews.org i think), that blacklists entire ip ranges of isp's who have hosted web sites that are mentioned in spam mail. in other words, if you host with isp A, who hosted a web site mentioned in a spam from spammer B, hosted by isp C, then your mail server located with isp A will be blacklisted by virtue of its ip address alone.
i would call this blackmail, not a blacklist.
anyone who has had this happen knows that the process of getting off the list can be incredibly frustrating. especially since you had nothing to do with any spam transmission whatsoever.
look at the abuse that is heaped upon hapless admins who are trying to contact the various blacklist admins at alt.email.abuse (or something like that). what's worse, is that some of these lists will only communicate via the newsgroup. at their leisure.
+++++
And bakedjake, by your arguments, you are siding with the spammers.
> But wait! Why not do that for the anti-spam blacklists? After all, they're denying service too!
Actually the anti-spam blocklists, in and of themselves, are not 'denying service'... they are just lists. Any 'denying of service' that is done with the blocklists, is done by those using the blocklists on their own networks, in defense of their own networks/users.
> > is there any reason for there to be 50000 64k ping packets all being sent to the same destination?
> Yes, it's the same reason one might want to maintain a blacklist of 50,000 IP addresses - because you want to deny service to a host you don't agree policy-wise with.
But the difference with someone using a blocklist to 'deny service to a host they don't agree policy-wise with' is that the ISP/network is using that blocklist on their own network to protect themselves and their users from a host that the ISP/network feels is, or has been, abusing them.
Whereas the one doing the denial of service against a host or network is doing so to attack a host/network which they do not own, and they are most likely doing so using routes/networks which they also do not own. And, in my opinion, that makes those executing the DDoS attacks no better than UCE/spammers, who also steal bandwidth/resources (occasionally through open relays) that do not belong to them.
As for the 'no deaths' comment. Well, not yet anyway.
Look, how can an attacker know just what machines/networks (of the medical nature, say) are/are not hosted on the targeted server(s)? Who is to say? Eventually someone will die (or another peripheral catastrophic event will occur) as a direct result of a DDoS attack. Of that, you can be sure.
The point wkitty42 makes merely exemplifies how a particular Governmental agency protects (while in their custody) something, which belongs to others and balances that against public safety. ISPs have just as much right in this regard as does the USPS.
Let us keep focused on the methodology of the attacks, whose success would have been marginal were all those Zombie machines adequately patched and firewalled!
2 out of 3 people I've ever known (personally), who used the Internet, never used a firewall, much less understood the concept.
So, what does that say about more complex issues? Easy: after they open them all and are infected, then, as they sleep someone else can use their machine in an attack.
In much the same way as one does not have unprotected sex anymore, one does not peruse the Internet without patches and firewall intact and functional.
I should point out that to the best of my knowledge Monkeys.com dealt more with a formmail-queries blocklist than anything else.
Pendanticist
IMHO, the whole zombie army spam ddos thing is based on a large scale failure and ignorance involving many different parties:
- the companies who "let spam"
- the spammers themselves
- ISPs who just ignore the problem and let anything happen
- admins who don't close their open relay servers
- users who don't install firewalls or change OS
However, the one who should pay for what happens is Bill Gates and his M$ corp, since without so many infectable Win machines (infectable by default) there wouldn't be that high-scale abuse. I don't say this just because I prefer Macs but because I'm frustrated as hell that also non-Win users have to swallow what gets sent from machines running the most distributed, most infectable OS.
And now even black list services get burned by this trojan sh*t - what a great OS world.
I don't accept the argument that spam is an economic problem. First, IT IS a technical problem!