This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Previous message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
- Next message (by thread): [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
furio ercolessi
furio+as at spin.it
Thu Jun 27 15:13:15 CEST 2013
On Wed, Jun 26, 2013 at 05:19:11PM +0200, Frank Gadegast wrote:
> Suresh Ramasubramanian wrote:
> >Consider, if you will, a domain that has absolutely no "content", but is
> >the command and control for a fast flux botnet. Which has been the case
> >with both the Latvian as well as Austrian ccTLD cases.
>
> Same thing.
> The controllers must run on a server with an IP address,
> destroy these servers.
>
> The domain name is just a name, it's the hostnames in the domain's
> nameserver pointing to an IP and a server with whatever service
> running under that IP.
> It's likely that the botnet owner uses another domain name
> if you remove it.

A domain is just a domain, an IP address is just an IP address, a botted PC is just a botted PC. Abuse comes from a combination of resources, some of them are just a sequence of bytes that gets associated with some actual hardware at some point.

Some of these resources are more important than others. For instance, a botted PC is arguably more important than the dynamic IP on which it is observed on a particular day.

A C&C domain is an extremely important resource, as it is hardwired in the bot code and indicates how to reach the master to get instructions. It is a "pure" criminal-owned resource, and taking it down often has a very large positive impact on spam flows, as it makes a large number of botted PCs inoperative all at once. It is one level up in the hierarchy with respect to the botted PC level.

The NS or the A DNS records for the C&C domain are of secondary importance, because the criminal can easily walk around terminations, usually in a fully automated way. Not to mention the fastflux setups where these records are also rotated among machines running malware (for instance DNS proxies redirecting traffic to a hidden location), or setups where criminals host their domains on hijacked nameservers that cannot really be "destroyed".
Therefore the responsibility for terminating C&C domains lies with the registries, not with the DNS providers (which may not even exist).

The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'. Similar problems have since occurred in .PL and .RU as well. Luckily, the times have changed and country CERTs are nowadays much more aware of the C&C problem and of the need to take down those domains swiftly.

As often happens with large organizations, 'learning' may be very slow and may need to be stimulated by external forces - not because of a lack of capacity of the individuals working in the organizations to understand the issue, but because of the fear of those individuals to break a complex set of rules, and the possible need to have those rules changed to avoid breaking them.

I believe that all the external forces working on this problem - Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and others - have played and are playing a very important role in interacting with registries and CERTs regarding cybercrime domains, even more so when those interactions have to be a little 'rough' to get some traction. Nobody likes friction, I think, but sometimes it is needed to shake things up and see some action.

furio ercolessi

> >On Jun 26, 2013 7:52 PM, "Frank Gadegast" <ripe-anti-spam-wg at powerweb.de
> ><mailto:ripe-anti-spam-wg at powerweb.de>> wrote:
> >
> > > Suresh Ramasubramanian wrote:
> > >
> > > Just want to note that domain names themselves can't be
> > > dangerous (of course using a similar name could cause
> > > problems with trademarks and the like).
> > >
> > > It's only the content that's dangerous, email or webpage.
> > > So it's more a problem of the people running the services
> > > and these are either hacked sites or ISPs tolerating
> > > or deliberately hosting this content.
> > >
> > > Asking a TLD registry to remove domain names because
> > > of phishing is then somehow the wrong place to start,
> > > especially for Spamhaus; they should know better and
> > > simply place all those IPs on their lists ...
> > >
> > > BTW:
> > > just found the service "Google Safe Browsing Alerts
> > > for Network Administrators" where every AS owner can
> > > register under
> > > http://www.google.com/safebrowsing/alerts/
> > > to receive notification about doubtful content
> > > Google might find when spidering your network.
> > >
> > > This could be pretty useful to remove phishing
> > > and hacked sites pretty quickly.
> > >
> > > Kind regards, Frank
> > >
> > > > There are of course multiple sides to that story as well.
> > > >
> > > > Like a massive infestation of rock phish domains which, too, were
> > > > knowingly disregarding local law, and were present in rather massive
> > > > quantities on the .at ccTLD at that time.
> > > >
> > > > http://www.spamhaus.org/organization/statement/7/
> > > >
> > > > --srs
> > > >
> > > > On Wednesday, June 26, 2013, Wilfried Woeber wrote:
> > > >
> > > > > Erik Bais wrote:
> > > > > [...]
> > > > > > For those that want to read up on what actually happened on that
> > > > > > specific incident in Latvia (July/August 2010), have a read on the
> > > > > > following open letter from CERT.lv
> > > > > >
> > > > > > https://cert.lv/uploads/uploads/OpenLetter.pdf
> > > > >
> > > > > And this actually wasn't the only or the first "incident"
> > > > > with Spamhaus.
> > > > > They also tried similar *piep*^Wbullying against NIC.at
> > > > > before.
> > > > >
> > > > > Which actually has discredited Spamhaus in my personal
> > > > > opinion for sure,
> > > > > for knowingly disregarding local law, but that's slightly
> > > > > OT here - but
> > > > > maybe not...
> > > > >
> > > > > > Erik Bais
> > > > >
> > > > > Wilfried.
> >
> > --
> > --srs (iPad)