Forgot your password?
typodupeerror
Security Spam

Spamhaus Calls for Fining Operators of Insecure Servers 170

Posted by Unknown Lamer
from the banned-from-the-net dept.
Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS possibly the biggest ever recorded at more than 300Gbits/sec — open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it."
This discussion has been archived. No new comments can be posted.

Spamhaus Calls for Fining Operators of Insecure Servers

Comments Filter:
  • by melonman (608440) on Wednesday November 27, 2013 @11:31AM (#45538537) Journal

    This sounds great in theory but, in practice, it's going to be almost impossible to enforce (eg whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, eg the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.

    • I would have thought having an SMTP server which does unintended open relaying as everyone's definition of vulnerable..

      • by jythie (914043)
        I imagine if such legislation did exist it would be similar to 'negligence' no specific definition but if something goes wrong there is a legal tool to examine it.
      • by sumdumass (711423)

        Not if your intent is to offer access to dissidents in oppressed countries.

        I can see a lot of uninrended consequences.

        • There are lots of options for that which don't leave your server free for abuse. Besides, any sane email server is set to start blocking mail from such sources after they're blacklisted anyway..

          • by g0bshiTe (596213)
            How does this address a botted users box that has an SMTP server as part of the bot?
            • It doesn't. Not needing any credentials at all is quite different from duplicitously stealing existing user credentials or otherwise illegally gaining access to their servers.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.

      If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find

    • by poetmatt (793785)

      I disagree 100% - It's not hard at all.

      Checklist of known vulnerabilities -> if your server is suspected of sending huge volumes of spam and fails -> fines after a 2nd or 3rd notice of these failures. It establishes a baseline of "don't be a fuckup with managing your servers".

      • by bws111 (1216812) on Wednesday November 27, 2013 @11:52AM (#45538775)

        If your server is sending huge volumes of spam then it is actually doing something, not just sitting there being vulnerable. Fining someone for being involved in sending spam is completely different than fining someone because they could potentially be used to send spam.

      • by sjames (1099)

        They're also talking about DNS servers or any other sort of server. Then there's the question of what to do about zero day problems.

        • by poetmatt (793785)

          I don't think you can reasonably hold people accountable for zero days, especially when the government is encouraging them to be so plentiful. So I agree, it needs more specificity and more definitions - but that doesn't make this simply impossible if technical people are involved.

          Given the government involved though, I would say it's impossible for *them* to understand, yes.

    • I agree. SPAM is so 2003. I run my own email server at home, and with absolutely no SPAM protection (I used to use spamassassin and mimedefang but once my server crashed, I never took the time to install it all again). I give my email address to all the basic sites in order to make purchases. I do receive SPAM, but very little. The SPAM fight seems to have erupted into craziness with no gains.
      • by mlts (1038732) *

        I run my own incoming E-mail server at home. However, the incoming and outgoing mechanisms are pretty separate.

        Incoming port 25 goes through the usual anti-spam measures.

        Outgoing port 25 goes to either my ISP's SMTP server or a dedicated third party. Either way, Bog forbid and my server starts sending UCE, -outgoing- spam is corked, and I'm far more worried about spam coming from my domain than to it.

        • Yup, and if you're on AT&T, then that's how you have to do it, as all packets on port 25 outbound from AT&T's network are dropped.
      • I wonder if "open relays" are even that much of a problem these days when I can hire non-"p0wnd" servers in certain Eastern European countries for a pittance? Why bother with "open relays" when I can pay quite reasonable rates to have my SPAM enter the Tubes quite legitimately?

        Perhaps Spamhaus is looking for relevancy.

      • by UPi (137083) on Wednesday November 27, 2013 @01:20PM (#45539737) Homepage

        You are merely lucky. I run 3 small mail servers, all very similar in setup. 1 also receives no spam whatsoever, the other two are flooded by it. I need to use Spamhaus's XBL, SPF and graylisting to stem the tide. If I removed either of the three, SPAM volume would exceed regular mail volume about 20x. (This is not because of a lack of regular mail.)

        • 20X seems to be a fairly normal rate of spam based on what I've seen at the organizations I've worked for, with spikes up to about 40X.

      • by X0563511 (793323)

        Post your email right into the text here, and see how long that lasts...

    • While it's certainly possible for Pelosi or her UK counterpart to pass a dumb law so that they can find out what's in it, I don't think that's what Spamhaus is suggesting. In context, they could be talking about either of two things:

      First, one could get a ticket for the specific issue that caused the problem in the article. The law doesn't say "your car must be safe", it explicitly says "your turn signals must work". Same here, you could specifically say that this particular common problem could result i

      • by sjames (1099)

        If we let the legislature come up with the checklist, they'll tell us we must have a licensed plumber snake the tubes every 6 months.

    • I'll agree to the fine, providing there is an equally onerous one for every RBL's that wrongfully put IPs on their lists.

      • Should you be fined if you put someone on your Slashdot "foes"list? It's pretty much the same thing. It's a list of IPs that Spamhaus is wary of because their system detected [criteria].

        As it happens, some of their lists also works pretty well as an element to feed Spamassassin to help determine the likelihood that a message is spam. How that's weighted and if it's considered at all is entirely up to the admin of the system you're sending mail to.

    • You enforce it after the breach. There was a DDOS attach, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

      Then the fine makes for good evidence in a legal case against the company by whomever was

      • You enforce it after the breach. There was a DDOS attach, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

        Then the fine makes for good evidence in a legal case against the company by whomever was attacked.

        Think about that for a moment... It's totally unenforceable because nobody is legally obligated to keep a full version-control of every setting, piece of software, or chunk of code they're running, so unless the law requires them to continue running with "vulnerabilities" in place until an investigator can record them for fine-tallying purpose then it is extremely unlikely that any fine will ever actually be assessed because in the end the sorts of shops that run open-relays and rootable DNS servers aren't

    • Another cure that is worse than the disease

      Ha! I've used that to describe spamhaus and their minions... Years ago I had a client who ended up getting blocked randomly because (drumroll please) spamhaus added an entire /22 to their IP blocklist! The client's /29 was inside that block, so naturally they got blocked by anybody honoring spamhaus' block list... (And to the legion of assholes that troll anybody criticizing spamhaus' slipshod work and labels them a "spammer," Fuck you! They didn't send any spam, EVER. And blocking an entire /22 (covering s

    • Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record. If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid. We're not talkin' about individuals here, but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email. Anybo

      • Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record.

        LOL the MPAA wishes this were true.

        If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid.

        I am beginning to loose my faith in humanity and Slashdot in particular. That there really are people here begging for legal intervention makes me sick. The technical basis for arguments being spewed here are not even factually accurate.

        We're not talkin' about individuals here,

        Who's we? There is plenty of consumer gear with broken DNS proxies and plenty of users who run their own servers something we should be encouraging not discouraging with our dreams of offloading liability from criminals to the users.

        but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email.

        Host

  • by LordKaT (619540) on Wednesday November 27, 2013 @11:33AM (#45538555) Homepage Journal

    Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and I had to interact with them I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

    • by sumdumass (711423)

      At least you got to talk to someone. My experience consisted of automated forms and links to other sites with absolutely no confirmation that something moved forward or not.

      There is no better feeling than telling your boss that the rootkit found on his kids laptop that he uses to babysit the kid when he brings her in was behind the problem and you think maybe the problem might be getting fixed. Its kind of like poking a sleeping bear with a bee hive taped to a stick and wondering if the stick is long enough

      • by Krojack (575051) on Wednesday November 27, 2013 @01:28PM (#45539821)

        This is exactly what I ran into. My company got a new block of IP's and several IP's within that was on their block list. I could never get through to them thus never got the IP's removed.

        I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"

          If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the black listing in spite of no spam coming from any of the IPs listed.

    • Fine Spamhaus! (Score:2, Insightful)

      by Anonymous Coward

      Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.

      Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.

    • by smartr (1035324)
      Just think of all the government funding though! The NSA could just whip up another batch of attacks and after laying the groundwork to break the previously up to date servers, they can collect moneys on their hacking work... kind of like if a cop pulled you over and took a baseball bat to your taillight because they think they're immune to oversight.
  • As long... (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 27, 2013 @11:37AM (#45538601)

    ...as server operators can fine Spamhaus for false positives.

    • by poetmatt (793785)

      That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

      • Re:As long... (Score:4, Informative)

        by FireFury03 (653718) <slashdot@@@nexusuk...org> on Wednesday November 27, 2013 @12:18PM (#45539051) Homepage

        That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

        We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
        http://blog.nexusuk.org/2013/09/problems-with-cbl.html [nexusuk.org]

        • by whoever57 (658626)

          We've been having significant problems with the CBL's ill-thought-out policies

          I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked. The author (you?) ask for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

          Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare. Hence blocking direct acces

          • We've been having significant problems with the CBL's ill-thought-out policies

            I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked.

            The ill-thought-out bit is that the CBL is an *spam email* blocklist, but their heuristics cause networks that aren't sending spam email to get listed and therefore blocked. Whilst there is no arguement that the networks were infected with malware, listing them on the CBL serves no useful purpose since they were of no threat to the systems that would be using the CBL (mail servers).

            Previously, sharing an IP address between multiple services was a reasonable idea - there was never a reason not to do this an

            • by whoever57 (658626)

              The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

              It wasn't clear to me from the article that this was the problem. However, It's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria is, so I assume you have some hard evidence and not just suspicions that

              • The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

                It wasn't clear to me from the article that this was the problem. However, It's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria is, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

                When you get listed, you can look up the reason why and it tells you.

                From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from a someone who has gained control of a C&C server).

                I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

                • by whoever57 (658626)

                  I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

                  Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pa

                  • Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?

                    There wasn't an especially obvious fingerprint I could derive from the requests when I looked (i.e. each time I've seen this, the request has been considerably different)

                • by whoever57 (658626)
                  Even more.... the ZeuS Tracker web pages include information on how to use the C&C server lists in Squid.
    • by goldaryn (834427)

      ...as server operators can fine Spamhaus for false positives.

      All these fines should go towards counselling for the servers to help resolve their insecurities

      WON'T SOMEONE PLEASE THINK OF THE SERVERS?

  • Free Speech (Score:4, Interesting)

    by CanHasDIY (1672858) on Wednesday November 27, 2013 @11:41AM (#45538627) Homepage Journal

    If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

    "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

    • by spacepimp (664856)

      Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with. If free speech was easy, then everyone would have it.

      • Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with.

        That's not sad, it's what makes life interesting.

        I think living in an echo chamber would be unbelievably boring.

    • by jythie (914043)
      True, but free speech has always had limitations when it comes to the speech having specific impacts, esp when that speech is part of a crime.
      • True, but free speech has always had limitations when it comes to the speech having specific impacts, esp when that speech is part of a crime.

        You'll have to be more specific.

        I know that speech which directly causes harm (like yelling 'fire' in a crowded, not-on-fire place) is patently illegal; I also know that knowingly providing information or services to individuals in the commission of a crime is not protected speech.

        But this isn't one of those situations; nobody's handing the car keys to the bank robber, they've just left the keys in the ignition with the doors unlocked. Pretty sure that's not illegal.

    • What's accepted as fair arguments in court is a separate issue that depends on context. From a quick google search, it seems like the context for at least one case of public defecation as free speech was homelessness. Didn't do a lot of reading on it, but it sounds like in Santa Cruz, they decided to get rid of unsightly homeless people by getting rid of public toilets and declaring public defecation illegal. That seems to be a common approach. And frankly, that's bullshit. In that specific context, I
    • by UPi (137083)

      This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

      • This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

        So... if you left the keys in your car, and some sociopath took said car and ran over a few people with it, you think you should be charged with negligence?

        I think if it did happen to you, you might feel differently. People are funny that way.

        • by UPi (137083)

          I would prefer a non-car analogy please. It's been a while since the last good one.

          In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

          • by Fnord666 (889225)

            I would prefer a non-car analogy please. It's been a while since the last good one.

            Ok, if you were Peter Parker then ...

          • by sjames (1099)

            And because you would feel bad about it, you would fix it. Fining you on top of that would just be rubbing salt in your wounds.

          • I would prefer a non-car analogy please. It's been a while since the last good one.

            In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

            As far as car analogies go, I'd say this is one of the rare ones that actually makes sense and is in context to the general point.

            Feeling bad is good - showing remorse is a sign that you're not a sociopath. But feeling guilty doesn't make a person legally culpable for another person's actions, which is my position on the matter.

            • by UPi (137083)

              OK, let's go with the car analogy.

              You step out of your car, leaving your keys in the ignition. Someone comes up to you and tells you that the area is crawling with pychotic people, and there is a likelihood that one of them will be taking your car and hitting someone with it. You say it's not your problem and you leave the keys anyway. It is my understanding that Spamhaus is suggesting that you should be fined for that. We can argue that makes sense or not, but can we please agree that this is not about fre

  • It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it. Even when you do lock it, there are ways to get in. The fault isn't the owner's for not locking it, it's the attacker's fault. I don't see why online services are any different. The interruption of service and potential loss of data is enough incentive to keep them from leaving it insecure in the first place. If not, they'll sure be taking a look at security after.
    • Re: (Score:2, Insightful)

      by msauve (701917)
      Welcome to the new world. It's not the attacker's fault, either. He was abused as a child and bullied in school. Society made him steal from that car, it wasn't free will.
    • by dcw3 (649211)

      Let's try another analogy...

      Suppose you have a pool in your backyard, and some kids use it w/o your permission. When one of them drowns, who's liable?

      Now, I'm not taking Spamhaus' side on this, but analogies are just that, and often apples vs. oranges.

    • The fault isn't the owner's for not locking it, it's the attacker's fault.

      Not from the insurance company's point of view.

    • that say if your car is left unlocked and someone steal it/does something with it you can be charged with leaving it unlocked or get fined by the city

    • Re: (Score:2, Troll)

      by Cajun Hell (725246)

      It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it.

      Unfortunately, it's also fairly accepted that there are such things as "attractive nuisances."

      Classic example is the swimming pool on your private property, where you ruthlessly shoot and kill all trespassers whenever you see them climbing the electrified barbed wire fence around your pool. As long as you successfully kill each one of them before they get to the pool, you're saf

  • Open != Open (Score:3, Informative)

    by Anonymous Coward on Wednesday November 27, 2013 @11:43AM (#45538653)

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

    • to be exact

      a DNS that is open to being "read" ie Who is 234.45.42.103 is fine

      a DNS that is open to being WRITTEN ie 234.45.42.103 is HappyPlaytoy.uy (without somebody up the chain proving it) is BAD

      a DNS that can redirect traffic going to HappyPlaytoy.uy to say IBM.com (or wespeakforthetrees.org) as part of a DDOS is EVIL BAD and WRONG

  • by rabbit994 (686936) on Wednesday November 27, 2013 @11:45AM (#45538689)

    For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?

    • Not really. But that wouldn't stop DNS amplification attacks. Just make it harder to avoid tracing - and any half-competent attacker is going to be using compromised hosts as the launching point anyway.

  • Punishment (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 27, 2013 @11:46AM (#45538695)

    Funny how an organisation as Spamhouse, who is guilty of systematic depriving random and quite innocent internet users of connectivity -- and proud of it too -- , suddenly thinks that whomever interferes with their connectivity should be punished by law. Hypocrisy.

    Although I think their service does have its good points, their attitude makes me want to hurl.

  • by Shakrai (717556) * on Wednesday November 27, 2013 @11:51AM (#45538761) Journal

    That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack, it's one of the items that comes up from time to time on the NTP Pool server admin's mailing list. We've seen a few attempts at using some of our servers in such attacks, there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.

    The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

    • The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

      I don't forsee this working for IPv6, where one of the benefits of having so many addresses is that we can tie a load of them to individual devices and not have to suffer NAT. As a side-effect, the leaves on a network won't necessarily have correlated addresses.

      • by suutar (1860506)
        The addresses which you are supposed to be using as source addresses on outgoing internet-routed packets have a common prefix, assigned by your provider. Addresses not in that block that you are likely to use are private blocks (not to be routed on the internet), link-local addresses (not generally meant to be routed at all), and multicast addresses (to be used as destination addrs, not source).
      • by sjames (1099)

        Sure they will. IPv6 still has prefixes. There is no good reason to send out a UDP packet that has the wrong prefix in the source address.

  • Who issues the tickets? Under whose authority? Lazy/cheap businesses will just shop around for juristdictions where it's cheaper to operate, no matter what.

    Why not just do a name-and-shame, naming businesses and vulnerable services -- but only after the postmaster of the opening domain, or WHOIS domain owner gets notified first. I'm sure that such a list would concentrate minds wonderfully...

  • Would they also fine rape victims for wearing sexy clothes?
  • This is long overdue, and you know who else should be brought to bear? Organisations like Slashdot with their Slashdot effect! I, for one, thNO CARRIER
  • This seems like a great underhanded way to make it illegal to run Tor exit nodes, free VPNs, proxies or similar services that give anonymous people ways to interact with the net.

  • No doubt, the UK government fining all those spam relays in Russia, China, and India will put a stop to spam ASAP - Good thinking, Spamhaus!
  • wants more power to direct peoples lives for their own gain.

  • Have to agree (Score:4, Informative)

    by Todd Knarr (15451) on Wednesday November 27, 2013 @01:39PM (#45539943) Homepage

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, ie. ones that live outside the the network they server but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving, they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing, if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).

  • Each time someone makes the claim misconfiguration of DNS enables amplification they are contributing to the problem by refusing to address the root cause.

    DNS is flawed by design. You can still extract perfectly useful amplification factors out of non-recursive servers or servers with DNSSEC enabled. All turning off recursion does is cut out ultra low hanging fruit while leaving the problem unaddressed.

    There are several ways to actually solve this problem.

    1. Use TCP for DNS

    2. Implement DNS cookies

    3. Globa

  • Is it the server operator? Or is the OS provider liable for producing a defective product? And if the OS is open-source, who do you go after?

    I understand where Spamhaus is coming from... I'd also love to penalize idiots who make the Internet a worse place. But I don't think it's a practical option and trying to implement it opens up a huge can of worms.

  • by fuzzel (18438)

    Can we change that at first to just start with the very simple:

    Organisations transferring IP packets should be kicked off the Internet if they do not implement BCP38.

    That would make al kind of spoofed attacks already impossible, that being the DNS, NTP, Quake-alike and many many others...

    But, as there is no money to be earned with this, ISPs do not enforce it.

    (and yes, it does cost some cash to implement as not all routers support it unfortunately..... )

Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long

Working...