
Video by jsq at RIPE 61 in Rome, Italy, 15 Nov 2010. His slides, the RIPE Atlas home page, and the conference will put up video of all the talks within about a day.
-jsq
PS: My talk is 11AM Rome time tomorrow, Tuesday 16 Nov.
Which matters most: history, topology, business headquarters location, or some other criterion?
These are some questions that come up in designing experiments in rolling out a reputation system for outbound spam. More on this in the RIPE Labs article (8 Nov 2010), Internet Reputation Experiments for Better Security.
Such experiments can draw on fifty years of social science research
and literature, first crystalized as Social Comparison Theory
by Leon Festinger in 1954,
that indicate that making personal reputation transparent changes personal behavior.
More recent research indicates that the same applies to organizations.
Using anti-spam blocklist data, it is possible to make E-Mail Service Provider
(ESP) behavior (banks, stores, universities, etc., not just ISPs)
in preventing or stopping outbound spam transparent,
and this paper is about experiments to see how the resulting reputation
actually changes ESP behavior.
-jsq
The root of the ecrime problem is not technology: it is money.
Plus mesh networks for rerouting, even if it means rerouting
backwards around the world, he notes.
We’ve observed that sort of emergency backwards routing
as long ago as January 2008, in the
U.A.E. Cable Cut.
-jsq
60% of DDoS attacks are by flooding. Yet most attacks involve few IP addresses; indicates address spoofing.
Slight problem: only 1/4 of customers have enabled anonymous data. “Real goal of this talk is to encourage participation.”
Well-received talk.
-jsq
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider. The Pakistani incident is illustrated in the accompanying story and video by RIPE. A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.
In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.
In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.
This problem has been known for a long time. Why hasn’t it been fixed?
On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net).
Looking at Autonomous Systems (ASNs) listed in the spam blocklist CBL, Continue reading
Unfortunately, it seems that if it had any effect it was short-lived. Looking at anti-spam blocklists on a daily basis, a couple of Verizon Autonomous Systems (ASes), AS-19262 and AS-701, do show dips in blocklist listings on the blocklist PSBL in March. But they don’t last.
Spammers are very adaptable, partly because the botnets they use are adaptable. Good try, Verizon.
This information is from an NSF-funded academic research project at the University of Texas at Austin business school. Thanks to PSBL for the blocklist data.
-jsq
Botnets have become the first-choice attack platform for network-based attacks during the last few years. These networks pose a severe threat to normal operations of the public Internet and affect many Internet users. With the help of a distributed and fully-automated botnet measurement system, we were able to discover and track 3,290 botnets during a period of almost twelve months.
— Characterizing the IRC-based Botnet Phenomenon, Jianwei Zhuge, Thorsten Holz, Xinhui Han, Jinpeng Guo, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China, and University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany. Reihe Informatik, TR-2007-010
The paper provides many interesting statistics, such as only a small percent of botnets are detected by the usual Internet security companies. But the main point is exactly that a distributed and adaptive honeypot botnet detection network was able to detect and observe botnets in action and to get data for all those statistics. Trying to deal with an international adaptive botnet threat via static software or occasional centralized patches isn’t going to work.
Some readers conclude that this paper shows that reputation services don’t work, because they don’t show most botnets. I conclude that current reputation services don’t work because they aren’t using an adaptive distributed honeypot network to get their information, and because their published reputation information isn’t tied to economic incentives for the affected ISPs and software vendors, such as higher insurance rates.
-jsq