Profile of the Russian Business Network 180
The Washington Post has an article detailing what is known of the workings of the Russian Business Network, a shadowy entity based in St. Petersburg that hosts a good fraction of the world's spammers, identity thieves, bot herders, and phishers. RBN is not incorporated anywhere and may not technically even be violating Russian law. It provides "bulletproof hosting" for about $600 a month to a wide range of bad guys.The author of the Post story, Brian Krebs, supplements it with two blog posts. One provides more detail and back story including a look at one ISP's security admin who decided last summer to ban all RBN traffic from his network, with outstanding results. The other post maps some of the RBN's upstream suppliers and details the extent of the RBN's involvement in recent cyber-attacks: "Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers" in the RBN.
This article is useless without IP addresses (Score:5, Informative)
I wonder if anyone has every found a remote exploit that will get past iptables -j DROP recently.
Re:This article is useless without IP addresses (Score:2, Informative)
Re:Post some ranges (Score:3, Informative)
Re:Just block Russia (Score:5, Informative)
Spamhaus DROP list FTW! (Score:4, Informative)
Re:This article is useless without IP addresses (Score:5, Informative)
Re:Could we just block Russia? (Score:2, Informative)
Most spammers are still from the USA though (Score:3, Informative)
Although the RBN are certainly bad guys, Slashdotters should pls resist the tendency to assume that all the bad guys are nasty, foreign types. Most of the bad guys - for example spammers - as usual, are home-grown.
Of the 133 worst spammers on the Spamhaus ROKSO list, the vast majority of the worlds worst spammers are from the USA, followed after a big gap by nasty foreigners from Israel, Ukraine, China and yes Russia too:
See: http://www.spamhaus.org/rokso/index.lasso [spamhaus.org]
RBN's Netblocks (Score:3, Informative)
Re:This article is useless without IP addresses (Score:5, Informative)
Networks - 81.95.144.0/22, 81.95.148.0/22, 81.95.154.0/24, 81.95.155.0/24.
First upstream ISP - 41173 which is a provider in the Seichelles (so they either run a VPN tunnel to there or have a SAT link). So the article may be actually full of shit. I somehow suspect that they are not hopping back to Russia and the servers are outside Russian jurisdiction in the first place.
Primary upstream transit ISP is 3257 which is Tiscali. Now this does not surprise me in the slightest. No further comment.
Other transit ISPs are : 25577 - C4L (???), 8928 Interoute (again, this one is no surprise).
1. It does not look like Russian hosting to me. The Russians are laughing their arse off at the inept article (and other similar musings). The servers may actually be in Europe (or on an the Seyshelles where you can do diddly squat about them).
2. The hosting is truly bulletproof. Applause. They have most likely bought wholesale all relevant officials in a small nation telecoms operator. So all requests regarding their business activities will go straight to
Re:RBL-XBL (Score:2, Informative)
Re: AS#s: 40989, 41173, 28866 and 25577 (Score:5, Informative)
If you look at the RIPE and whois records for all the parties involved, this is an ISP that popped up in June of last year, apparently dedicated to hosting malware sites. Look closely at addresses and dates. Fictitious Panamanian and UK addresses with an American phone number, claims of being in the Seychelles (English spelling), again with other American phone numbers.
Some nmap fingerprinting of their routing equipment shows this operation tends towards low budget. I've seen ISPs that were nothing more than a couple of university students who obtained an AS#, a prefix, found a BGP feed, and filled a rented a rack in a colo with some servers and a linux box running quagga. Seen from a looking glass, no difference from the big players. A good looking website regularly updated, proper whois and RIPE records, and it's very difficult for a potential client to know the ISP may go down during exams week.
This operation seems not much more than what a couple of kids with a little knowledge could put together. The prefixes fill various spamhaus and RBL lists. Doubtful that there are any legitimate clients on those networks. This operation is the malware gangs getting a little more hi-tech, running their own ISP by buying IP transit from companies known for never turning down business. They use C4L/NetSumo, a known no-questions-asked ISP who resell an MPLS service between London and Eastern Europe, probably Interoute's.
As for location, looking at various internal looking glasses, the prefixes seem to be hitting the internet in London then through a leased line with 70 mSec of delay, and in Prague with a sudden 20 mSec of delay. This certainly is not going through the Seychelles. My best guess would be a data centre in Russia, where bribes to local authorities gives them a certain level of immunity to lawful pursuits.
Any reasonable ISP hoping to protect their clients from this criminal malware gang would just filter those four AS#s from their main routing tables, and save themselves a world of hurt. Better yet would be to actively blackhole those prefixes. Sure, it might fly in the face of one perfect internet, but since there is no legal remedy, internet providers need to protect themselves. Good ISPs and hosting services already filter all kinds of bogus routing information, adding a known spam and malware operation to the list is just good practice.
the AC