nanog mailing list archives

RE: Article on spammers and their infrastructure


From: Alex Lanstein <ALanstein () FireEye com>
Date: Tue, 22 Dec 2009 20:58:51 -0800

I might as well reply to this here.  The folks from threatpost had me talk at length about the various issues with 
doing cybercrime enforcement and how things have changed, and they picked that section for their post.

The key point I wanted to hammer home was that most of the modern botnets (and/or malware that has phone-home
capability) have a much more stable infrastructure, as more and more of the hosting pieces are controlled by the bad
guys.

In the old days you'd see C&C servers running from popped boxes, but now you're seeing the criminals renting their own
servers from xyz datacenter, or worse, buying their own racks/cages and going to an LIR or RIR to get direct IP
allocations.  They then rent out those allocations to other shell companies (or possibly to other criminals) and handle
the abuse notifications on the frontend.  Since these data centers have many transit options, nullrouting an IP block
at a single ISP hasn't been very effective.  And of course, getting an RIR to revoke IP space only happens if you don't
pay the bills.  A year after allocation the blocks are pretty much burned anyways, so that's not a real barrier.  There
doesn't even seem to be any policy against intentional fraudulent SWIPing of IP space, or at least, not one that's
enforced.  The Knujon guys have had some success in the domain space; maybe this could happen in the IP world as well?

The only technical statement in there that I think was misinterpreted was the "owning your own IP space makes you an
ISP", which I clearly didn't mean.  It's a quote, so I must have said it, but I think I had some qualifiers in
there, in that I was talking about the abuse desks at an ISP.  If they are the ISP, they claim it was a downstream
customer and that they've fixed the issue, when really it's their own stuff that they shuffle around.

Regards,

Alex Lanstein
________________________________________
From: Jon Lewis [jlewis () lewis org]
Sent: Tuesday, December 22, 2009 4:24 PM
To: Phil Regnauld
Cc: nanog () nanog org
Subject: Re: Article on spammers and their infrastructure

On Tue, 22 Dec 2009, Phil Regnauld wrote:

http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109

Is this something new?  The article seems to mix various issues together.
And this would seem highly inefficient to me compared to traditional
botnets (renting your own rack for a botnet doesn't really make sense :)

I don't see how going to jump.ro, getting a bunch of IP assignments, and
then setting those IPs up on a server or few servers in the US =
"attackers buying own data centers".

I am curious how both jump.ro and the other RIPE region LIRs involved in
assigning the space, and the US-based networks that have been involved in
routing it, justify assigning/routing "Assigned PA" space to "customers"
who only use that space in their US operations (which in the cases I've
seen have primarily been high volume email deployment).

According to http://www.ripe.net/ripe/docs/ipv4-policies.html

  ASSIGNED PA: This address space has been assigned to an End User for use
  with services provided by the issuing LIR. It cannot be kept when
  terminating services provided by the LIR.

Should US based networks be willing to route RIPE "ASSIGNED PA" space
customers provide?

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
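The check implied by Jon's question, written up as an added example (this is not code from either poster): given a prefix a customer asks you to announce and the RIPE inetnum object covering it, accept provider-independent space, accept "ASSIGNED PA" only when it was issued by your own LIR, and push everything else (someone else's PA assignment, bare LIR allocations, no covering object) to manual review. The whois text, prefixes and maintainer handles below are constructed for the example, not real RIPE database output, and "OUR-LIR-MNT" stands in for whatever mntner your own LIR uses. Only IPv4 inetnum objects are handled.

```python
"""Triage customer-supplied prefixes against RIPE inetnum status.

Added example for the NANOG thread on routing "ASSIGNED PA" space.
All whois records here are constructed RPSL-style text, not real data.
"""
import ipaddress
import re

# Constructed whois replies keyed by the prefix the customer asked us to route.
WHOIS_SAMPLES = {
    "192.0.2.0/24": """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-MAILER-NET
descr:          Example Mailer Ltd
country:        RO
status:         ASSIGNED PA
mnt-by:         EXAMPLE-LIR-MNT
mnt-lower:      EXAMPLE-LIR-MNT
source:         RIPE
""",
    "198.51.100.0/22": """\
inetnum:        198.51.100.0 - 198.51.103.255
netname:        EXAMPLE-ISP-BLOCK
country:        DE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      EXAMPLE-ISP-MNT
source:         RIPE
""",
    "203.0.113.0/24": """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-PI-NET
country:        NL
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
source:         RIPE
""",
}


def parse_inetnum(text):
    """Parse 'attribute: value' lines of an RPSL object into {attr: [values]}."""
    obj = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line)
        if m:
            obj.setdefault(m.group(1), []).append(m.group(2).strip())
    return obj


def covers(obj, prefix):
    """True if the inetnum range fully contains the requested prefix (IPv4 only)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    net = ipaddress.ip_network(prefix, strict=False)
    return lo <= net[0] and net[-1] <= hi


def classify(prefix, whois_text, our_maintainers):
    """Return (decision, reason) for announcing `prefix` on our network.

    our_maintainers: mntner handles of our own LIR (hypothetical names here).
    """
    obj = parse_inetnum(whois_text)
    if "inetnum" not in obj or not covers(obj, prefix):
        return ("reject", "no inetnum object covering the requested prefix")
    status = obj.get("status", [""])[0].upper()
    maintainers = set(obj.get("mnt-by", [])) | set(obj.get("mnt-lower", []))
    if status == "ASSIGNED PA":
        if maintainers & set(our_maintainers):
            return ("accept", "ASSIGNED PA issued by our own LIR")
        # Per RIPE policy this space is tied to the issuing LIR's services.
        return ("review", "ASSIGNED PA from another LIR; only valid with that LIR's services")
    if status in ("ASSIGNED PI", "ALLOCATED PI"):
        return ("accept", "provider-independent space; still confirm an LOA from the holder")
    if status.startswith("ALLOCATED PA"):
        return ("review", "LIR allocation, not an end-user assignment; confirm requester is the LIR")
    return ("review", "unrecognised status %r" % status)


def triage(requests, our_maintainers=("OUR-LIR-MNT",)):
    """Classify every (prefix -> whois text) pair; returns {prefix: (decision, reason)}."""
    return {p: classify(p, txt, our_maintainers) for p, txt in requests.items()}


if __name__ == "__main__":
    for prefix, (decision, reason) in triage(WHOIS_SAMPLES).items():
        print("%-18s %-7s %s" % (prefix, decision, reason))
```

In practice the whois text would come from `whois -h whois.ripe.net` for each prefix; a "review" result is the point at which to ask the customer for the issuing LIR's confirmation rather than simply taking the prefix list they hand over.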

