Category Archives: Distributed Participation

Route Hijacking: Identity Theft of Internet Infrastructure

Peter Svensson gives an old and quite serious problem some mainstream press in this AP story from 8 May 2010:
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider.

A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.

In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.

In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.

The Pakistani incident is illustrated in the accompanying story and video by RIPE.

This problem has been known for a long time. Why hasn’t it been fixed? Continue reading

FireEye’s Ozdok Botnet Takedown Observed

FireEye coordinated a takedown of botnet Ozdok or MegaD, on 5-6 Nov 2009, with cooperation by many ISPs and DNS registrars.

Good show! What effects did it have on spam? Not just spam from this botnet; spam in general.

Botnets and spam volume

This graph was presented at NANOG 48, Austin, TX, 24 Feb 2010, in FireEye’s Ozdok Botnet Takedown In Spam Blocklists and Volume Observed by IIAR Project, CREC, UT Austin. John S. Quarterman, Quarterman Creations, Prof. Andrew Whinston, PI CREC, UT Austin. That was a snapshot of an ongoing project, Incentives, Insurance and Audited Reputation: An Economic Approach to Controlling Spam (IIAR).

That presentation was enough to demonstrate the main point: takedowns are good, but we need a lot more of them and a lot more coordinated if we are to make a real dent in spam.

The IIAR project will keep drilling down in the data and building up models. One goal is to build a reputation system to show how effective takedowns and other anti-spam measures are, on which ASNs.

Thanks especially to CBL and to Team Cymru for very useful data, and to FireEye for a successful takedown.

We’re all ears for further takedowns to examine.

-jsq

Community Flow-spec Project

A lightning talk at NANOG 48, Austin, Texas, 22 Feb 2010, by John Kristoff, Team Cymru. See RFC 5575.

Update: PDF of presentation slides here. 

+--------+--------------------+--------------------------+
| type   | extended community | encoding                 |
+--------+--------------------+--------------------------+
| 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
| 0x8007 | traffic-action     | bitmask                  |
| 0x8008 | redirect           | 6-byte Route Target      |
| 0x8009 | traffic-marking    | DSCP value               |
+--------+--------------------+--------------------------+

A few selected points:

  • Dissemination of Flow Specification Rules
  • Think of filters(ACLs) distributed via BGP
  • BGP possibly not the right mechanism
  • Multi-hop real-time black hole on steroids
  • Abuse Handler + Peering Coordinator
    = Abeering Coordinator?
  • Traditional bogon feed as source prefix flow routes
  • A la carte feeds (troublesome IP multicast groups, etc.)
  • AS path prepend++
  • Feed-specific community + no-export
He showed some examples of specs for flows (I can’t type fast enough to transcribe those).

Trust issues for routes defined by victim networks.

Research prototype is set up. For questions, comments, setup, contact: http://www.cymru.com/jtk/

I like it as an example of collective action against the bad guys. How to deal with the trust issues seems the biggest item to me.

Hm, at least to the participating community, this is a reputation system.

Solving for the Commons

So simple!

BN > BE + C

Aldo Cortesi channels Elinor Ostrom and summarizes what we need to fix Internet security by enticing the providers and users of the Internet to manage it as a commons. But first, some background.

Since at least 1997 (“Is the Internet a Commons?” Matrix News, November 1997) I’ve been going on about how Garrett Hardin’s idea of the tragedy of the commons doesn’t have to apply to the Internet, because: Continue reading

Rip van Security

Ripvanwinkle.jpg Gunnar Peterson asks a question:
…how do you primarily rely on network security as we have done for the Web’s life, when the Cloud abstracts the network away?
Gunnar points out IT security has been using firewalls and SSL as primary security for every network acccess software change since 1995.
In 1999 when SOAP emerged as a firewall-friendly protocol designed for the explicit reason to go through the firewall, that should have been a wake up call to Information Security that the “firewall + SSL” security architecture was past its prime, but here 10 years later we are still hitting the snooze button.
Here many years after we lost email for everybody but aging geeks and banks, IT security continues to snooze like Rip van Winkle. While the world changes around it: Continue reading

Iranian Internet Disturbances

iran20090615.gif Here’s an example of some Internet routing in Iran, in this case on the way to the Ministry of Foreign Affairs on Monday 15 June 2009. Normally, routing and latency don’t change much. Starting Saturday 13 June, the day after the election, routing and latency have become increasingly disturbed. More here.

Twitter Reschedules

whereistheirvote.jpg Twitter recognizes that a network upgrade is important, but the role twitter is playing in Iran is more important, and reschedules for 1:30 AM Iranian time. Now that’s risk management!

Would that U.S. states had all rescheduled Diebold and the like to the junk heap after the 2000 U.S. election.

Also notice who twitter’s hosting service is: NTT America. I’ve been predicting for years that the U.S. duopoly’s intransigence would lead to NTT and other competent international ISPs eating their lunch, and I see it’s beginning to happen.

-jsq

Pirate Party Legitimized by Winning EU Parliament Seat

Support for Prohibition began to diminish as enforcement became increasingly expensive and it was becoming apparent that the ban was doing little to curb crime and drunkenness. There’s lots of academic and commercial effort put into stopping software and other intellectual property piracy, especially for videos. A form of risk management, I suppose, but one that ignores the much bigger risk to traditional intellectual property of causing political blowback such as what just happened in Sweden:
“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” he added.
Funny thing about what happens when the majority of the population participates in an illegal activity: eventually it’s not illegal anymore.
At least partially, The Pirate Party puts its increased popularity down to harsh copyright laws and the recent conviction of the people behind The Pirate Bay. After the Pirate Bay verdict, Pirate Party membership more than tripled and they now have over 48,000 registered members, more than the total number of votes they received in 2006.

With their presence in Brussels, the Pirate Party hopes to reduce the abuses of power and copyright at the hands of the entertainment industries, and make those activities illegal instead. On the other hand they hope to legalize file-sharing for personal use.

Many of those abuses of power probably already are illegal; the appropriate laws just aren’t being enforced. We saw this during alcohol prohibition in the U.S., and we see it now with marijuana prohibition in the U.S. The first prohibition ended, the second probably will, and meanwhile, online “piracy” is on its way to being redefined.

-jsq

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.