
Spamhaus Calls for Fining Operators of Insecure Servers 170

Posted by Unknown Lamer
from the banned-from-the-net dept.
Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS, possibly the biggest ever recorded at more than 300Gbits/sec, open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"
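An added self-check, not from the article or from Spamhaus, that an operator can run against a resolver they administer to confirm it refuses recursion to outside clients (the "open resolver" condition the summary describes); the target address is a placeholder and the offline sample replies are constructed.

```python
import socket
import struct

# Transaction id used for the query and checked on the reply.
TXID = 0x1234


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Build a minimal DNS query (one question, RD bit set, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Decode the header fields that show whether recursion was performed."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # response bit
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp: bytes, txid: int = TXID) -> str:
    """Classify a reply to a recursive query for a name the server is NOT
    authoritative for: 'closed' (REFUSED), 'open' (answered with RA set),
    'ambiguous' (anything else, e.g. NXDOMAIN or a non-recursive answer)."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "invalid"
    if h["rcode"] == 5:  # REFUSED: recursion correctly denied to this client
        return "closed"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    return "ambiguous"


def sample_response(flags: int, ancount: int, txid: int = TXID) -> bytes:
    """Constructed reply header (question/answer sections omitted) for offline demos."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query over UDP to your own resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:
            return "no-response"  # dropped, filtered or unroutable; not proof either way
    return classify(data)


if __name__ == "__main__":
    # Offline demonstration with constructed replies.
    print(classify(sample_response(0x8180, 1)))  # open: QR, RD, RA, NOERROR, one answer
    print(classify(sample_response(0x8105, 0)))  # closed: QR, RD, REFUSED
    # Live check against a resolver you administer (placeholder address).
    print(probe("192.0.2.53"))
```

A "closed" result only shows recursion is refused from the vantage point you ran it from; check from outside your own network ranges as well, since an ACL that allows your office but not the world is exactly the difference that matters.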

  • by melonman (608440) on Wednesday November 27, 2013 @11:31AM (#45538537) Journal

    This sounds great in theory but, in practice, it's going to be almost impossible to enforce (eg whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, eg the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.

    • I would have thought having an SMTP server which does unintended open relaying counts as everyone's definition of vulnerable.

    • by Anonymous Coward on Wednesday November 27, 2013 @11:44AM (#45538677)

      I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.

      If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find another vendor/provider.

      When that price becomes higher than the cost of compliance to prevent an actual, measurable problem then we will see a shift.

      Most people want to do the right thing. For some people, you need to provide the carrot & stick approach.

    • by poetmatt (793785) on Wednesday November 27, 2013 @11:45AM (#45538687) Journal

      I disagree 100% - It's not hard at all.

      Checklist of known vulnerabilities -> if your server is suspected of sending huge volumes of spam and fails -> fines after a 2nd or 3rd notice of these failures. It establishes a baseline of "don't be a fuckup with managing your servers".

    • by BringsApples (3418089) on Wednesday November 27, 2013 @11:52AM (#45538773)
      I agree. SPAM is so 2003. I run my own email server at home, and with absolutely no SPAM protection (I used to use spamassassin and mimedefang but once my server crashed, I never took the time to install it all again). I give my email address to all the basic sites in order to make purchases. I do receive SPAM, but very little. The SPAM fight seems to have erupted into craziness with no gains.
    • by raymorris (2726007) on Wednesday November 27, 2013 @12:18PM (#45539061)

      While it's certainly possible for Pelosi or her UK counterpart to pass a dumb law so that they can find out what's in it, I don't think that's what Spamhaus is suggesting. In context, they could be talking about either of two things:

      First, one could get a ticket for the specific issue that caused the problem in the article. The law doesn't say "your car must be safe", it explicitly says "your turn signals must work". Same here, you could specifically say that this particular common problem could result in a ticket.

      Alternatively, TFA made reference to "once you know that your server is participating in an attack". A law could be made that once you're notified that your server is being used in an attack, you then need to take reasonable measures to prevent that from continuing or recurring. Here again "vulnerable" is clearly defined - if your server is still participating in the attack 48 hours after being notified, you can get a ticket. You can defend that ticket if you show that you took reasonable measures to address the problem.

    • by MightyMartian (840721) on Wednesday November 27, 2013 @12:38PM (#45539293) Journal

      I'll agree to the fine, providing there is an equally onerous one for every RBL that wrongfully puts IPs on their lists.

      • by raymorris (2726007) on Wednesday November 27, 2013 @02:38PM (#45540709)

        Should you be fined if you put someone on your Slashdot "foes" list? It's pretty much the same thing. It's a list of IPs that Spamhaus is wary of because their system detected [criteria].

        As it happens, some of their lists also work pretty well as an element to feed Spamassassin to help determine the likelihood that a message is spam. How that's weighted and if it's considered at all is entirely up to the admin of the system you're sending mail to.

    • by Charliemopps (1157495) on Wednesday November 27, 2013 @12:44PM (#45539365)

      You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

      Then the fine makes for good evidence in a legal case against the company by whomever was attacked.

      • You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

        Then the fine makes for good evidence in a legal case against the company by whomever was attacked.

        Think about that for a moment... It's totally unenforceable because nobody is legally obligated to keep a full version-control of every setting, piece of software, or chunk of code they're running, so unless the law requires them to continue running with "vulnerabilities" in place until an investigator can record them for fine-tallying purposes then it is extremely unlikely that any fine will ever actually be assessed because in the end the sorts of shops that run open relays and rootable DNS servers aren't likely to have good documentation practices, either.

    • Another cure that is worse than the disease

      Ha! I've used that to describe spamhaus and their minions... Years ago I had a client who ended up getting blocked randomly because (drumroll please) spamhaus added an entire /22 to their IP blocklist! The client's /29 was inside that block, so naturally they got blocked by anybody honoring spamhaus' block list... (And to the legion of assholes that troll anybody criticizing spamhaus' slipshod work and label them a "spammer," Fuck you! They didn't send any spam, EVER. And blocking an entire /22 (covering some of a datacenter's customers, but not others) is arbitrary to the point of negligence.)

      When it had all played out the /22 block was a result of (wait for it!) a disgruntled employee at the datacenter exploiting Spamhaus' notoriously weak quality-control to screw-over his former employer with an annoying, somewhat hard to identify problem... Annoying because spamhaus will keep blocking it in perpetuity until somebody figures out how to make them stop. Somewhat hard to identify because it wasn't every client having problems, and the ones having problems weren't having it with all recipients. Now, of course, we know that description of symptoms can easily be an RBL run amok... Of course then the question becomes "which one?"

      I don't like spam any more than the next guy, but dealing with the shrill assholes who have made it their life's work to fight spam (hint: When somebody tells this to you, FFS, don't laugh!) is just one step less-unpleasant than repeated, unneeded root canal... The high and mighty, pompous, and arrogant attitudes (anybody who disagrees with us is stupid or a spammer!) make the low quality of the work produced that much more glaring. Honestly, haven't you people ever heard of IronPort, Barracuda, or MXLogic? Seriously: Get a life. Reporting each spam individually is the least efficient way to fight the problem. What makes it worse is when you tell these Don Quixote types that they're wasting their lives they accuse YOU of being a spammer!

    • by Zamphatta (1760346) on Wednesday November 27, 2013 @03:34PM (#45541487) Homepage

      Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record. If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid. We're not talkin' about individuals here, but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email. Anybody who's setting up servers that falls for a spamish-looking-email about this, deserves whatever problems they get as a result of believing such an email. They really should know better.

      And while they're at it, they should fine everyone whose DB is stolen due to stupid insecure setups... SQL injections, plaintext passwords, etc. This stuff isn't excusable, and it's pretty shocking that it's still common in late 2013. Can you imagine how much money the gov't would've made off Adobe and SONY over the past few years? That'd probably help lower our taxes (in theory).

      • by WaffleMonster (969671) on Wednesday November 27, 2013 @04:18PM (#45542033)

        Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record.

        LOL the MPAA wishes this were true.

        If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid.

        I am beginning to lose my faith in humanity and Slashdot in particular. That there really are people here begging for legal intervention makes me sick. The technical basis for the arguments being spewed here is not even factually accurate.

        We're not talkin' about individuals here,

        Who's we? There is plenty of consumer gear with broken DNS proxies and plenty of users who run their own servers, something we should be encouraging, not discouraging, with our dreams of offloading liability from criminals to the users.

        but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email.

        Hosting companies are the least of your problems.

        Anybody who's setting up servers that falls for a spamish-looking-email about this, deserves whatever problems they get as a result of believing such an email. They really should know better.

        Now this is the ticket. This is the kind of spirit the Internet needs to retain. If you act stupidly the Internet bitch slaps you for it.

        And while they're at it, they should fine everyone who's DB is stolen due to stupid insecure setups... SQL injections, plaintext passwords, etc. This stuff isn't excusable

        Who determines what is stupid? And how would anyone but the lawyers benefit from that arrangement? It is not like there is not already massive legal and financial disincentive against getting p0wn3d. I can think of a few inexcusable security transgressions that remain standard industry practice to this day. Do I get to write the law?

        Can you imagine how much money the gov't would've made off Adobe and SONY over the past few years? That'd probably help lower our taxes (in theory).

        And your buying power (in fact).

  • by LordKaT (619540) on Wednesday November 27, 2013 @11:33AM (#45538555) Homepage Journal

    Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and having had to interact with them I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

    • by sumdumass (711423) on Wednesday November 27, 2013 @12:37PM (#45539277) Journal

      At least you got to talk to someone. My experience consisted of automated forms and links to other sites with absolutely no confirmation that something moved forward or not.

      There is no better feeling than telling your boss that the rootkit found on his kid's laptop that he uses to babysit the kid when he brings her in was behind the problem and you think maybe the problem might be getting fixed. It's kind of like poking a sleeping bear with a bee hive taped to a stick and wondering if the stick is long enough.

      • by Krojack (575051) on Wednesday November 27, 2013 @01:28PM (#45539821)

        This is exactly what I ran into. My company got a new block of IPs and several IPs within it were on their block list. I could never get through to them, thus never got the IPs removed.

        I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

        • by Anonymous Coward on Wednesday November 27, 2013 @02:57PM (#45540939)

          Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"

          If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the black listing in spite of no spam coming from any of the IPs listed.

    • Fine Spamhaus! (Score:2, Insightful)

      by Anonymous Coward on Wednesday November 27, 2013 @01:09PM (#45539623)

      Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.

      Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.

    • by smartr (1035324) on Wednesday November 27, 2013 @01:27PM (#45539809)
      Just think of all the government funding though! The NSA could just whip up another batch of attacks and after laying the groundwork to break the previously up to date servers, they can collect moneys on their hacking work... kind of like if a cop pulled you over and took a baseball bat to your taillight because they think they're immune to oversight.
  • As long... (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 27, 2013 @11:37AM (#45538601)

    ...as server operators can fine Spamhaus for false positives.

    • by poetmatt (793785) on Wednesday November 27, 2013 @11:54AM (#45538801) Journal

      That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

      • Re:As long... (Score:4, Informative)

        by FireFury03 (653718) <slashdot@nMOSCOWexusuk.org minus city> on Wednesday November 27, 2013 @12:18PM (#45539051) Homepage

        That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

        We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
        http://blog.nexusuk.org/2013/09/problems-with-cbl.html [nexusuk.org]

        • by whoever57 (658626) on Wednesday November 27, 2013 @01:03PM (#45539569) Journal

          We've been having significant problems with the CBL's ill-thought-out policies

          I am not sure what is ill-thought-out about their policies. In both scenarios, an IP address is sending SPAM. The IP address gets blocked. The author (you?) asks for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

          Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare. Hence blocking direct access to port 25 through the firewall stops most spambots from actually sending spam.

          If the spams are relayed through your own smarthosts, then how about some kind of rate-limiting mechanism with alerts to the administrator? Quick action by the admin would prevent listing.

          • by FireFury03 (653718) <slashdot@nMOSCOWexusuk.org minus city> on Wednesday November 27, 2013 @01:44PM (#45540015) Homepage

            We've been having significant problems with the CBL's ill-thought-out policies

            I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked.

            The ill-thought-out bit is that the CBL is a *spam email* blocklist, but their heuristics cause networks that aren't sending spam email to get listed and therefore blocked. Whilst there is no argument that the networks were infected with malware, listing them on the CBL serves no useful purpose since they were of no threat to the systems that would be using the CBL (mail servers).

            Previously, sharing an IP address between multiple services was a reasonable idea - there was never a reason not to do this and it conserves IP addresses. However, with the advent of the CBL using an HTTP honeypot to populate an SMTP blocklist, there simply isn't any sensible way to run a network in this configuration - it just takes one person to connect an infected laptop to the network for a short period of time, and all the email starts getting blocked.

            Because of this, we are now having to standardise on running mail servers on a separate IP address - this does nothing to decrease the incidence of malware, it simply stops an infected network being listed on the CBL.

            The author (you?) ask for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

            I could be a spammer, but I'm not.

            The idea was that as the malware was always connecting through the transparent proxy servers, having a list of honeypot addresses or some other way of fingerprinting the request we could (1) automatically isolate the affected system, and (2) automatically inform the sysadmin so (s)he could clean up the mess. This would be a Good Thing for everyone.

            As it turns out, the CBL maintainers were not cooperative (for whatever reason), so we're stuck with the aforementioned interim measure of separating services onto different IPs rather than actually resolving the root problem.

            People in the business of securing networks really do need to trust each other to some extent - if they refuse to cooperate out of paranoia then the spammers have basically won already since there's no way anyone can effectively defend against spam and malware in isolation.

            Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare.

            Indeed. That was the point I was making: the only way to send email out of the affected networks was via authenticated smarthosts. Yes it's possible that some malware could extract the authentication credentials out of a user's mail client (if they have one configured) and use those to send spam, but that's a lot of effort to go to and I've never seen any malware do that (and if malware does do that then *everyone*'s screwed because it'll start sending spam through corporate email servers, gmail, etc.). So the networks in question were essentially immune to sending spam email, yet were still being blocked by the CBL from sending email because they had a client making spammy web requests - this makes no sense.

            Hence blocking direct access to port 25 through the firewall stops most spambots from actually sending spam.

            And this is exactly how the networks in question are set up, yet this does nothing to prevent the network from being listed on the CBL since the CBL's honeypot is checking for suspicious HTTP connections rather than SMTP traffic.

            If the spams are relayed through your own smarthosts, then how about some kind of rate-limiting mechanism with alerts to the administrator? Quick action by the admin would prevent listing.

            To reiterate, in case it wasn't clear from the blog article, there was no spam email leaving the network - port 25 is blocked, the only way

            • by whoever57 (658626) on Wednesday November 27, 2013 @02:48PM (#45540841) Journal

              The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

              It wasn't clear to me from the article that this was the problem. However, it's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria are, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

              From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from someone who has gained control of a C&C server).

              • by FireFury03 (653718) <slashdot@nMOSCOWexusuk.org minus city> on Wednesday November 27, 2013 @04:11PM (#45541947) Homepage

                The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

                It wasn't clear to me from the article that this was the problem. However, it's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria are, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

                When you get listed, you can look up the reason why and it tells you.

                From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from someone who has gained control of a C&C server).

                I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

                • by whoever57 (658626) on Wednesday November 27, 2013 @04:49PM (#45542473) Journal

                  I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

                  Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?

                  Also there seems to be something called "ZeuS Tracker" which provides the necessary IP addresses to block.

                  • by FireFury03 (653718) <slashdot@nMOSCOWexusuk.org minus city> on Wednesday November 27, 2013 @05:56PM (#45543217) Homepage

                    Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?

                    There wasn't an especially obvious fingerprint I could derive from the requests when I looked (i.e. each time I've seen this, the request has been considerably different)

                • by whoever57 (658626) on Wednesday November 27, 2013 @04:56PM (#45542583) Journal
                  Even more.... the ZeuS Tracker web pages include information on how to use the C&C server lists in Squid.
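The detection FireFury03 asked for above (automatically identify the infected host behind a shared proxy IP and hand the admin something to act on) combined with whoever57's suggestion of a published C&C address list, as an added example that is not CBL, ZeuS Tracker or Squid code. The C&C list and the Squid native-format log lines are constructed (documentation address range only); a real deployment would load the list from the tracker feed.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a tracker's C&C address list (documentation range only).
CNC_ADDRESSES = {"192.0.2.10", "192.0.2.77"}

# Constructed Squid native-format access.log lines:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1385556001.101    120 10.0.0.5 TCP_MISS/200 512 GET http://cdn.example.net/a.js - DIRECT/192.0.2.1 application/javascript
1385556002.202     80 10.0.0.23 TCP_MISS/200 143 POST http://ghi4k2.example/gate.php - DIRECT/192.0.2.10 text/html
1385556003.303     75 10.0.0.23 TCP_MISS/404 310 GET http://q9x0a.example/cfg.bin - DIRECT/192.0.2.10 text/html
1385556004.404     60 10.0.0.9 TCP_MISS/200 2048 GET http://news.example.org/ - DIRECT/192.0.2.2 text/html
1385556005.505     90 10.0.0.31 TCP_MISS/200 100 POST http://zz71f.example/gate.php - DIRECT/192.0.2.77 text/html
1385556006.606      0 10.0.0.5 TCP_HIT/200 512 GET http://cdn.example.net/a.js - NONE/- application/javascript
"""


def parse_squid_line(line: str):
    """Return (client_ip, method, url, peer_ip), or None for lines with no upstream peer.
    Matching on the resolved peer address lets a published C&C address list catch
    the request even when the hostname is a freshly generated one."""
    parts = line.split()
    if len(parts) < 9 or "/" not in parts[8]:
        return None
    client, method, url = parts[2], parts[5], parts[6]
    peer = parts[8].split("/", 1)[1]
    try:
        ipaddress.ip_address(peer)
    except ValueError:
        return None  # e.g. NONE/- on a cache hit: nothing was fetched upstream
    return client, method, url, peer


def find_infected_clients(log_text: str, cnc: set) -> dict:
    """Map each internal client that reached a listed C&C address to the
    (method, url, peer) records that matched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        client, method, url, peer = rec
        if peer in cnc:
            hits[client].append((method, url, peer))
    return dict(hits)


def isolation_rules(hits: dict) -> list:
    """One per-host line per infected client, for the admin to review before
    applying; the deny syntax is illustrative, not a specific firewall's."""
    return [
        f"deny from {client}  # {len(records)} C&C contact(s)"
        for client, records in sorted(hits.items())
    ]


if __name__ == "__main__":
    infected = find_infected_clients(SAMPLE_LOG, CNC_ADDRESSES)
    for rule in isolation_rules(infected):
        print(rule)
    for client, records in infected.items():
        print(client, "->", ", ".join(url for _m, url, _p in records))
```

Only the internal client address is ever acted on, which is the point: the shared public IP that the CBL sees stays in service while the one infected machine is cut off and its owner notified.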
    • by goldaryn (834427) on Wednesday November 27, 2013 @11:58AM (#45538853) Homepage

      ...as server operators can fine Spamhaus for false positives.

      All these fines should go towards counselling for the servers to help resolve their insecurities

      WON'T SOMEONE PLEASE THINK OF THE SERVERS?

  • Free Speech (Score:4, Interesting)

    by CanHasDIY (1672858) on Wednesday November 27, 2013 @11:41AM (#45538627) Homepage Journal

    If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

    "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

    • by spacepimp (664856) on Wednesday November 27, 2013 @11:50AM (#45538745) Homepage

      Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with. If free speech was easy, then everyone would have it.

    • by jythie (914043) on Wednesday November 27, 2013 @12:13PM (#45538989)
      True, but free speech has always had limitations when it comes to the speech having specific impacts, especially when that speech is part of a crime.
      • by CanHasDIY (1672858) on Wednesday November 27, 2013 @12:48PM (#45539393) Homepage Journal

        True, but free speech has always had limitations when it comes to the speech having specific impacts, especially when that speech is part of a crime.

        You'll have to be more specific.

        I know that speech which directly causes harm (like yelling 'fire' in a crowded, not-on-fire place) is patently illegal; I also know that knowingly providing information or services to individuals in the commission of a crime is not protected speech.

        But this isn't one of those situations; nobody's handing the car keys to the bank robber, they've just left the keys in the ignition with the doors unlocked. Pretty sure that's not illegal.

    • by interkin3tic (1469267) on Wednesday November 27, 2013 @01:06PM (#45539601)
      What's accepted as fair arguments in court is a separate issue that depends on context. From a quick google search, it seems like the context for at least one case of public defecation as free speech was homelessness. Didn't do a lot of reading on it, but it sounds like in Santa Cruz, they decided to get rid of unsightly homeless people by getting rid of public toilets and declaring public defecation illegal. That seems to be a common approach. And frankly, that's bullshit. In that specific context, I think declaring pooping on a city that is trying to boot you out is fair.
    • by UPi (137083) on Wednesday November 27, 2013 @01:31PM (#45539849) Homepage

      This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

      • by CanHasDIY (1672858) on Wednesday November 27, 2013 @01:45PM (#45540017) Homepage Journal

        This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

        So... if you left the keys in your car, and some sociopath took said car and ran over a few people with it, you think you should be charged with negligence?

        I think if it did happen to you, you might feel differently. People are funny that way.

        • by UPi (137083) on Wednesday November 27, 2013 @01:51PM (#45540105) Homepage

          I would prefer a non-car analogy please. It's been a while since the last good one.

          In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

          • by Fnord666 (889225) on Wednesday November 27, 2013 @03:01PM (#45541009) Journal

            I would prefer a non-car analogy please. It's been a while since the last good one.

            Ok, if you were Peter Parker then ...

          • by sjames (1099) on Wednesday November 27, 2013 @03:34PM (#45541483) Homepage

            And because you would feel bad about it, you would fix it. Fining you on top of that would just be rubbing salt in your wounds.

          • by CanHasDIY (1672858) on Wednesday November 27, 2013 @03:42PM (#45541589) Homepage Journal

            I would prefer a non-car analogy please. It's been a while since the last good one.

            In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

            As far as car analogies go, I'd say this is one of the rare ones that actually makes sense and is in context to the general point.

            Feeling bad is good - showing remorse is a sign that you're not a sociopath. But feeling guilty doesn't make a person legally culpable for another person's actions, which is my position on the matter.

            • by UPi (137083) on Wednesday November 27, 2013 @05:02PM (#45542657) Homepage

              OK, let's go with the car analogy.

              You step out of your car, leaving your keys in the ignition. Someone comes up to you and tells you that the area is crawling with psychotic people, and there is a likelihood that one of them will be taking your car and hitting someone with it. You say it's not your problem and you leave the keys anyway. It is my understanding that Spamhaus is suggesting that you should be fined for that. We can argue whether that makes sense or not, but can we please agree that this is not about free speech?

  • by tech.kyle (2800087) on Wednesday November 27, 2013 @11:41AM (#45538637)
    It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it. Even when you do lock it, there are ways to get in. The fault isn't the owner's for not locking it, it's the attacker's fault. I don't see why online services are any different. The interruption of service and potential loss of data is enough incentive to keep them from leaving it insecure in the first place. If not, they'll sure be taking a look at security after.
    • Re:A similar case (Score:2, Insightful)

      by msauve (701917) on Wednesday November 27, 2013 @11:46AM (#45538693)
      Welcome to the new world. It's not the attacker's fault, either. He was abused as a child and bullied in school. Society made him steal from that car, it wasn't free will.
    • by dcw3 (649211) on Wednesday November 27, 2013 @12:16PM (#45539019) Journal

      Let's try another analogy...

      Suppose you have a pool in your backyard, and some kids use it w/o your permission. When one of them drowns, who's liable?

      Now, I'm not taking Spamhaus' side on this, but analogies are just that, and often apples vs. oranges.

    • by wonkey_monkey (2592601) on Wednesday November 27, 2013 @12:16PM (#45539021) Homepage

      The fault isn't the owner's for not locking it, it's the attacker's fault.

      Not from the insurance company's point of view.

    • by future assassin (639396) on Wednesday November 27, 2013 @01:08PM (#45539617) Homepage

      that say if your car is left unlocked and someone steals it/does something with it you can be charged with leaving it unlocked or get fined by the city

    • by Cajun Hell (725246) on Wednesday November 27, 2013 @02:24PM (#45540525) Homepage Journal

      It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it.

      Unfortunately, it's also fairly accepted that there are such things as "attractive nuisances."

      Classic example is the swimming pool on your private property, where you ruthlessly shoot and kill all trespassers whenever you see them climbing the electrified barbed wire fence around your pool. As long as you successfully kill each one of them before they get to the pool, you're safe. But if one of them makes it to the pool, jumps in and drowns, his family is the new owner of your house. Then you have to spend one of your family member's lives in order to get it back (tip: have cement trucks idling out in front of the house before your family member's counter-suicide-sacrifice, waiting and ready to fill in the pool, the instant that you re-acquire ownership).

      It gets worse.

      Suppose you're on patrol in your car, driving around the perimeter of your property, looking for pool-suiciders before they get too close to your pool. Suddenly you see a mob of them pushing against the fence on the east side. You take the M16 from your car's gun rack, go stand by the fence, and shoot them all. Now you've got this stinking pile of rotting corpses over by the fence, and you know you have only 10 minutes at the most, before Municipal Zoning Enforcement comes over and condemns your property. So you put the M16 back onto your gun rack, take the shovel out of the trunk, and start digging a mass grave.

      Little do you know, that the mob you just massacred was TEAM A. That's the decoy team. Meanwhile, upon hearing the sound of the gunfire, TEAM B and TEAM C put on the bypass clips to reroute the current on the north fence, cut through the wires, and advance onto your property.

      TEAM C immediately heads toward the pool area at maximum speed, while TEAM B stealthily sneaks toward your car, parked over by the east fence. They peek around from behind your car, and see you digging the mass grave. Now is their chance! They break into the car, and take the M16 off your gunrack. Just then, you hear an alert siren and your radio crackles to life. "MAYDAY! MAYDAY!" your wife in the tower yells, in a panic, over the radio, "People are jumping into the pool!" You hear the distant sound of rifle fire (she is now shooting at TEAM C).

      The body burying can wait. You need to get to the pool area now, to help your wife kill pool-jumpers and then try to pump the pool water out of the lungs of anyone who has already drowned. You throw down your shovel and run toward the car, and that's where you see .. oh fuck, who is that? There's four dudes milling around your car. One of them sees you and yells "he's coming! Now! Give it to me! Here!" and grabs the M16 out of one of the other thieves' hands. He quickly shoots the other members of his team, and then puts the end of the barrel into his mouth. You're running right at him, and in just a few more seco--pop. He falls to the ground.

      You're fucked. That M16 was an attractive nuisance. You are responsible for all four of the deaths around the car, and who knows how many people have already made it into the pool by now. You grab the M16, throw it onto the passenger seat, jump into the car, and hit the gas. One of the members of TEAM B, as he died, fell such that he was partly under your car, and so now your rear Firestone tire drives over his head, crushing it, spilling jellied brains onto the dirt. Bump. The M16 slips down the passenger seat and .. what happened? Did it? You're in shock. It takes a few seconds to register. "Hey, my leg," you say, stunned.

      "Oh fuck, my leg." Just when things were at their darkest, this happened! Un-fucking-believable. You don't hear your wife firing in the distance any more. She's probably worried. Totally demoralized and surrendered, mayb

  • Open != Open (Score:3, Informative)

    by Anonymous Coward on Wednesday November 27, 2013 @11:43AM (#45538653)

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

  • by rabbit994 (686936) on Wednesday November 27, 2013 @11:45AM (#45538689)

    For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?

  • Punishment (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 27, 2013 @11:46AM (#45538695)

    Funny how an organisation such as Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity -- and proud of it too -- suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.

    Although I think their service does have its good points, their attitude makes me want to hurl.

  • by Shakrai (717556) * on Wednesday November 27, 2013 @11:51AM (#45538761) Journal

    That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack, it's one of the items that comes up from time to time on the NTP Pool server admin's mailing list. We've seen a few attempts at using some of our servers in such attacks, there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.

    The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

    • by Warbothong (905464) on Wednesday November 27, 2013 @12:33PM (#45539235) Homepage

      The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

      I don't foresee this working for IPv6, where one of the benefits of having so many addresses is that we can tie a load of them to individual devices and not have to suffer NAT. As a side-effect, the leaves on a network won't necessarily have correlated addresses.

  • by benjfowler (239527) on Wednesday November 27, 2013 @11:58AM (#45538855)

    Who issues the tickets? Under whose authority? Lazy/cheap businesses will just shop around for jurisdictions where it's cheaper to operate, no matter what.

    Why not just do a name-and-shame, naming businesses and vulnerable services -- but only after the postmaster of the opening domain, or WHOIS domain owner gets notified first. I'm sure that such a list would concentrate minds wonderfully...

  • by larry bagina (561269) on Wednesday November 27, 2013 @12:11PM (#45538971) Journal
    Would they also fine rape victims for wearing sexy clothes?
  • by goldaryn (834427) on Wednesday November 27, 2013 @12:18PM (#45539049) Homepage
    This is long overdue, and you know who else should be brought to bear? Organisations like Slashdot with their Slashdot effect! I, for one, thNO CARRIER
  • by grumbel (592662) <grumbel@gmx.de> on Wednesday November 27, 2013 @12:19PM (#45539077) Homepage

    This seems like a great underhanded way to make it illegal to run Tor exit nodes, free VPNs, proxies or similar services that give anonymous people ways to interact with the net.

  • by pla (258480) on Wednesday November 27, 2013 @12:21PM (#45539097) Journal
    No doubt, the UK government fining all those spam relays in Russia, China, and India will put a stop to spam ASAP - Good thinking, Spamhaus!
  • by future assassin (639396) on Wednesday November 27, 2013 @01:10PM (#45539639) Homepage

    wants more power to direct people's lives for their own gain.

  • Have to agree (Score:4, Informative)

    by Todd Knarr (15451) on Wednesday November 27, 2013 @01:39PM (#45539943) Homepage

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, ie. ones that live outside the network they serve but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving, they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing, if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
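The four categories in the comment above map onto four different response policies. Here is an added, self-contained Python model of those policies (my own illustration, not code from any real nameserver); the category names, the `NameserverPolicy` class, the sample networks and the per-client response budget are all constructed for the example. Categories 1 and 3 silently drop queries from outside their ACL, category 2 answers only for its own zones, and category 4 keeps a per-client budget and, once it is exhausted, sends a tiny truncated reply instead of a full answer, so a forged-source flood gets no amplification while a genuine client simply retries over TCP. Note that the comment says out-of-zone queries get NXDOMAIN; BIND's default for such queries is actually REFUSED, which is what the "refuse" action below stands for.

```python
import ipaddress
from collections import defaultdict

# Category numbers follow the comment above; the names are constructed for this example.
INTERNAL, AUTHORITATIVE, EXTERNAL_PRIVATE, PUBLIC = 1, 2, 3, 4


def in_zone(qname, zones):
    """True if qname is at or below a zone this server is authoritative for."""
    q = qname.rstrip(".").lower()
    for z in zones:
        z = z.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            return True
    return False


class NameserverPolicy:
    """Decide what one UDP query should get back, per nameserver category."""

    def __init__(self, category, allowed_nets=(), zones=(), rrl_per_window=5):
        self.category = category
        # default-deny ACL: only these networks are served (categories 1 and 3)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.zones = tuple(zones)          # category 2: zones this server hosts
        self.rrl_limit = rrl_per_window    # category 4: full answers per client per window
        self.sent = defaultdict(int)       # (client, window) -> full answers already sent

    def client_allowed(self, ip):
        # ip_network.__contains__ is version-aware, so v4 and v6 ACL entries can be mixed
        return any(ip in net for net in self.allowed)

    def decide(self, client, qname, window=0):
        """Return one of: answer, drop, refuse, truncate.

        window is an integer time bucket (e.g. int(time.time())) supplied by the
        caller so that the example stays deterministic.
        """
        ip = ipaddress.ip_address(client)
        if self.category in (INTERNAL, EXTERNAL_PRIVATE):
            # No reply at all to outsiders: a silent drop reflects zero bytes
            # toward whatever source address the packet was forged with.
            return "answer" if self.client_allowed(ip) else "drop"
        if self.category == AUTHORITATIVE:
            # Never recurse; serve only our own zones and send a minimal
            # negative reply for everything else.
            return "answer" if in_zone(qname, self.zones) else "refuse"
        if self.category == PUBLIC:
            key = (str(ip), window)
            self.sent[key] += 1
            if self.sent[key] > self.rrl_limit:
                # Response rate limiting: past the budget, send a tiny TC=1 reply.
                # A genuine client retries over TCP, which a spoofed source cannot
                # complete, and the reflector yields no amplification.
                return "truncate"
            return "answer"
        raise ValueError("unknown category %r" % (self.category,))


def demo():
    """Walk constructed sample queries through a server of each category."""
    internal = NameserverPolicy(INTERNAL, allowed_nets=["10.0.0.0/8", "fd00::/8"])
    auth = NameserverPolicy(AUTHORITATIVE, zones=["example.org"])
    private = NameserverPolicy(EXTERNAL_PRIVATE,
                               allowed_nets=["192.0.2.0/24", "2001:db8:1::/48"])
    public = NameserverPolicy(PUBLIC, rrl_per_window=3)
    return {
        "internal-inside": internal.decide("10.1.2.3", "example.com"),
        "internal-outside": internal.decide("203.0.113.9", "example.com"),
        "auth-own-zone": auth.decide("203.0.113.9", "www.example.org."),
        "auth-foreign": auth.decide("203.0.113.9", "isc.org"),
        "private-v6-inside": private.decide("2001:db8:1:5::10", "example.com"),
        "private-v6-outside": private.decide("2001:db8:2::10", "example.com"),
        "public-burst": [public.decide("198.51.100.7", "example.net", window=1)
                         for _ in range(5)],
        "public-next-window": public.decide("198.51.100.7", "example.net", window=2),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(name, action)
```

Running `demo()` shows the public server answering the first three queries in a window and truncating the remaining two, then answering again in the next window; the other three categories never emit a full answer to anyone outside their remit.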

  • by WaffleMonster (969671) on Wednesday November 27, 2013 @02:12PM (#45540365)

    Each time someone makes the claim misconfiguration of DNS enables amplification they are contributing to the problem by refusing to address the root cause.

    DNS is flawed by design. You can still extract perfectly useful amplification factors out of non-recursive servers or servers with DNSSEC enabled. All turning off recursion does is cut out ultra low hanging fruit while leaving the problem unaddressed.

    There are several ways to actually solve this problem.

    1. Use TCP for DNS

    2. Implement DNS cookies

    3. Globally apply ingress filtering with sufficient granularity to prevent source address spoofing.

    I think #1 coupled with TCP fast open extension is the best of the three options. With fast open the setup delay is mostly gone, TCP support is already widely deployed and fast open extensions to TCP can be deployed later as available to optimize RTT delay. With IPv6, DNSSEC and the shitty state of IP layer fragmentation support TCP is necessary regardless.

    #2 in the form of http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03 [ietf.org] requires more work to push out to DNS infrastructure yet after a few years I can see it following the same trajectory as SYN cookies.

    #3 Ingress filtering... I am not an operator and I don't pretend to know how viable this is to roll out globally; from what comments I have read it is non-viable. This is the only option that would concurrently address all broken UDP protocols susceptible to amplification from a spoofed source address. The downside is that spoofing the source address can sometimes be a feature. For example it can be used to enable communication without revealing the speaker's source address.
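To make option #2 concrete, here is an added Python model of the DNS cookie exchange sketched in the cited draft. It is my own simplification for illustration, not code from the draft or from any resolver: the messages are plain dicts rather than the EDNS option wire format, the server cookie is an HMAC over the client cookie and the client's source address truncated to 8 bytes (the draft leaves the server's algorithm to the implementation), and `FULL_ANSWER` is a constructed stand-in for a large response. The point it demonstrates is the one the comment makes: a query that carries no valid server cookie only ever earns a reply about the size of the query, so a forged source address cannot extract the large answer.

```python
import hashlib
import hmac
import os

FULL_ANSWER = b"A" * 512   # constructed stand-in for a large (e.g. DNSSEC-signed) answer


class CookieServer:
    """Nameserver side of the cookie exchange (simplified model)."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # rotated periodically in practice

    def server_cookie(self, client_cookie, client_ip):
        # Bind the cookie to both the client's cookie and its source address, so a
        # cookie observed from a real client is useless with any other source.
        mac = hmac.new(self.secret, client_cookie + client_ip.encode(),
                       hashlib.sha256).digest()
        return mac[:8]

    def handle(self, src_ip, query):
        """query: {'cc': 8-byte client cookie, 'sc': server cookie (optional), 'qname': str}.
        Returns (rcode, payload)."""
        expected = self.server_cookie(query["cc"], src_ip)
        sc = query.get("sc")
        if sc is None or not hmac.compare_digest(sc, expected):
            # Missing or wrong server cookie: reply BADCOOKIE carrying the correct
            # cookie and no answer data, i.e. a reply no larger than the query.
            return "BADCOOKIE", expected
        return "NOERROR", FULL_ANSWER


class CookieClient:
    """Resolver side: remembers the server cookie it learns."""

    def __init__(self):
        self.cc = os.urandom(8)   # client cookie, fixed per client/server pair
        self.sc = None            # server cookie learned from a BADCOOKIE reply

    def query(self, qname):
        q = {"cc": self.cc, "qname": qname}
        if self.sc is not None:
            q["sc"] = self.sc
        return q

    def learn(self, rcode, payload):
        if rcode == "BADCOOKIE":
            self.sc = payload


def resolve(client, server, client_ip, qname):
    """A genuine client's exchange: at most one extra BADCOOKIE round trip."""
    rcode, payload = server.handle(client_ip, client.query(qname))
    if rcode == "BADCOOKIE":
        client.learn(rcode, payload)
        rcode, payload = server.handle(client_ip, client.query(qname))
    return rcode, payload


def reflected_bytes(server, victim_ip, replayed_sc=None):
    """Payload size the server sends toward victim_ip for one query whose source
    address was forged (the sender never sees the BADCOOKIE reply, so it can
    never obtain a cookie bound to that address)."""
    q = {"cc": b"\x00" * 8, "qname": "example.com"}
    if replayed_sc is not None:
        q["sc"] = replayed_sc
    rcode, payload = server.handle(victim_ip, q)
    return len(payload)


if __name__ == "__main__":
    srv, cl = CookieServer(), CookieClient()
    print(resolve(cl, srv, "198.51.100.7", "example.com")[0])   # NOERROR after one round trip
    print(reflected_bytes(srv, "203.0.113.5"))                 # 8 bytes, no amplification
```

A genuine resolver pays one extra round trip the first time and then gets full answers; a spoofed query, with or without a cookie replayed from someone else's session, gets an 8-byte cookie back and nothing more.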

  • by dskoll (99328) on Wednesday November 27, 2013 @02:33PM (#45540631)

    Is it the server operator? Or is the OS provider liable for producing a defective product? And if the OS is open-source, who do you go after?

    I understand where Spamhaus is coming from... I'd also love to penalize idiots who make the Internet a worse place. But I don't think it's a practical option and trying to implement it opens up a huge can of worms.

  • by fuzzel (18438) on Wednesday November 27, 2013 @04:14PM (#45541985) Homepage

    Can we change that at first to just start with the very simple:

    Organisations transferring IP packets should be kicked off the Internet if they do not implement BCP38.

    That would make all kinds of spoofed attacks already impossible, that being the DNS, NTP, Quake-alike and many many others...

    But, as there is no money to be earned with this, ISPs do not enforce it.

    (and yes, it does cost some cash to implement as not all routers support it unfortunately..... )
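BCP38 source-address validation comes up in several comments on this page: rabbit994's suggestion to drop outbound UDP with an outside source address, Shakrai's 192.168.1.0/24 versus 172.25.1.15 example, Warbothong's IPv6 objection, and fuzzel's call to enforce it. The following added Python model (my own illustration, not any router vendor's ACL syntax or any project's code) shows the check itself: each customer-facing interface is tied to the prefixes assigned behind it, and a packet is forwarded only if its source lies in one of them. The interface names, prefixes and sample packets are constructed. It also shows why the IPv6 concern does not bite: device addresses chosen by SLAAC or privacy extensions are uncorrelated with each other, but all of them still fall inside the prefix delegated to that customer, and the check is on the prefix, not on individual leaf addresses.

```python
import ipaddress

# Source prefixes legitimately expected on each customer-facing interface.
# Constructed sample data; a real router derives this from its routing table
# or per-customer prefix delegations (the "strict" form of BCP38).
INTERFACE_PREFIXES = {
    "cust-a": ["192.168.1.0/24"],                          # the /24 from Shakrai's comment
    "cust-b": ["192.0.2.0/24", "2001:db8:abcd::/48"],      # dual-stack customer with a delegated /48
}


def build_sav_table(assignments):
    """Parse the per-interface prefix lists once into ip_network objects."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in assignments.items()}


def source_permitted(table, ingress_ifc, src):
    """BCP38 check: may a packet with source src arriving on ingress_ifc be forwarded?

    Works unchanged for IPv6: ip_network membership is version-aware and the
    test is on the delegated prefix, so any leaf address a customer's devices
    pick inside that prefix passes, and anything outside it is dropped.
    """
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in table.get(ingress_ifc, []))


def filter_outbound(table, packets):
    """packets: (ingress_ifc, src, dst) tuples. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        ifc, src, _dst = pkt
        (forwarded if source_permitted(table, ifc, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: two honest packets and two with forged sources,
# all addressed to a resolver (the destination does not affect the check).
SAMPLE_PACKETS = [
    ("cust-a", "192.168.1.20", "198.51.100.53"),                          # legitimate
    ("cust-a", "172.25.1.15", "198.51.100.53"),                           # forged, as in the comment
    ("cust-b", "2001:db8:abcd:7:1a2b:3c4d:5e6f:7", "2001:db8:ffff::53"),  # legitimate SLAAC leaf
    ("cust-b", "2001:db8:9999::1", "2001:db8:ffff::53"),                  # forged, outside the /48
]


def run_sample():
    """Apply the filter to the constructed traffic and return (forwarded, dropped)."""
    return filter_outbound(build_sav_table(INTERFACE_PREFIXES), SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drp = run_sample()
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drp:
        print("DROP   ", pkt)
```

The two forged packets are dropped at the customer edge, before they can reach any resolver, NTP server or game server that would otherwise reflect a larger reply toward the forged address; the caveat fuzzel raises still stands, since the table has to be populated and enforced on every edge router.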
