CyberRehab wants to prove that it can establish an IP range that hackers choose to stay away from.
I'm sorry, but most hackers will see this as a challenge, rather than a deterrent.
A new project aims to mitigate cybercrime by making it in the economic and business interests of ISPs and telcos to clean up the internet. CyberRehab wants to prove that it can establish an IP range that hackers choose to stay away from. If miscreants try to attack, they will lose their infrastructure. The IP range will be …
We already drop everything from Africa, so this won't help us at all. More helpful would be if everybody else drops everything from Africa until they collectively clean up their act.
Here are a couple of our drop lists (ISO country codes and ASNs). '1' means we inspect the packets in case they might be interesting for forensic purposes, but drop them anyway. '2' means we don't even inspect them, just drop them. Our ASN list is currently in its infancy but performing very acceptably.
AE => 1, AF => 2, AL => 2, AM => 1, AO => 2, AP => 1, AR => 2, AT => 1, AU => 1, AZ => 2,
BA => 1, BD => 2, BE => 1, BG => 2, BH => 1, BJ => 1, BO => 2, BR => 2, BW => 1, BY => 1,
CG => 2, CI => 2, CL => 2, CM => 1, CN => 2, CO => 2, CR => 2, CV => 1, CZ => 1,
DK => 1, DO => 2, DZ => 1,
EC => 2, EE => 1, EG => 2, ES => 1, ET => 1,
FI => 1,
GA => 1, GE => 1, GH => 2, GR => 2, GT => 2,
HN => 2, HR => 1, HT => 1, HR => 2, HU => 1,
ID => 2, IL => 1, IN => 2, IQ => 2, IR => 2, IS => 1, IT => 1,
JM => 1, JO => 2, JP => 2,
KE => 2, KG => 2, KH => 2, KN => 2, KR => 2, KW => 2, KZ => 2,
LA => 1, LB => 2, LK => 1, LS => 2, LT => 2, LV => 2, LY => 2,
MA => 1, MD => 1, ME => 1, MK => 2, ML => 1, MN => 2, MQ => 1, MR => 1, MU => 1, MV => 1, MX => 2, MY => 2, MZ => 1,
NG => 2, NO => 1,
PA => 2, PE => 2, PH => 2, PK => 2, PL => 2, PR => 1, PS => 1, PY => 2,
QA => 2,
RO => 2, RS => 2, RU => 2, RW => 2,
SA => 2, SC => 2, SD => 1, SE => 1, SG => 1, SI => 1, SK => 1, SL => 1, SN => 2, SV => 2, SY => 2,
TG => 1, TH => 2, TJ => 1, TL => 1, TN => 1, TR => 2, TT => 1, TW => 2, TZ => 2,
UA => 2, UY => 2, UZ => 2,
VE => 1, VN => 2,
ZA => 2, ZM => 1,
AS4837 => 2 # CNCGROUP CHINA169 BACKBONE
AS7922 => 2 # COMCAST CABLE COMMUNICATIONS, LLC
AS10796 => 2 # TIME WARNER CABLE INTERNET LLC
AS11377 => 2 # SENDGRID (http://mainsleaze.spambouncer.org/category/esp-problem/)
AS12876 => 2 # ONLINE S.A.S.
AS14782 => 2 # THE ROCKET SCIENCE GROUP, LLC
AS15083 => 2 # INFOLINK GLOBAL CORPORATION
AS16276 => 2 # OVH
AS20150 => 2 # CUBEMOTION LLC
AS22773 => 2 # COX COMMUNICATIONS INC.
AS33588 => 2 # CHARTER COMMUNICATIONS
AS43013 => 2 # YORK DATA SERVICES LIMITED
AS45102 => 2 # ALIBABA (CHINA) TECHNOLOGY CO., LTD.
AS46475 => 2 # LIMESTONE NETWORKS, INC.
AS47625 => 2 # PAUL DAVID HUGHES TRADING AS HOSTING SYSTEMS
AS53824 => 2 # LIQUID WEB, L.L.C
AS55163 => 2 # LINKEDIN CORPORATION
AS200484 => 2 # SENDINBLUE SAS
AS201536 => 2 # SANDYX SYSTEMS LIMITED
Please feel free to help us extend these lists.
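As an added illustration (my code, not sitta_europa's), this loads lists written in the posted format and applies the two levels to a source by geo-IP country and origin ASN; the sample list is constructed, and the handling of a key listed twice (stricter level wins, conflict recorded) is my assumption:

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the posted lists (not the full list):
# ISO country codes and ASNs, each mapped to level 1 (inspect, then drop)
# or level 2 (drop without inspecting). HR appears twice on purpose.
SAMPLE_LIST = """\
AE => 1, AF => 2, AL => 2,
HN => 2, HR => 1, HT => 1, HR => 2, HU => 1,
AS7922 => 2 # COMCAST CABLE COMMUNICATIONS, LLC
AS16276 => 2 # OVH
"""

ACTIONS = {0: "accept", 1: "inspect-then-drop", 2: "drop"}
ENTRY_RE = re.compile(r"\b(AS\d+|[A-Z]{2})\s*=>\s*([12])\b")


@dataclass
class DropPolicy:
    countries: dict = field(default_factory=dict)
    asns: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)


def parse_drop_list(text: str) -> DropPolicy:
    """Parse 'KEY => level' entries; '#' starts a trailing comment."""
    policy = DropPolicy()
    for raw in text.splitlines():
        for key, lvl in ENTRY_RE.findall(raw.split("#", 1)[0]):
            level = int(lvl)
            table = policy.asns if key.startswith("AS") else policy.countries
            old = table.get(key)
            if old is not None and old != level:
                # Same key listed twice with different levels (assumed
                # policy): record the conflict and keep the stricter level.
                policy.conflicts.append((key, old, level))
                level = max(old, level)
            table[key] = level
    return policy


def classify(policy: DropPolicy, country: str = "", asn: int = 0) -> str:
    """Action for a source with the given geo-IP country and origin ASN.
    The stricter of the two matching entries wins; unlisted sources pass."""
    level = max(policy.countries.get(country.upper(), 0),
                policy.asns.get(f"AS{asn}", 0))
    return ACTIONS[level]


if __name__ == "__main__":
    pol = parse_drop_list(SAMPLE_LIST)
    print(classify(pol, "DE", 16276))   # drop (ASN listed, country not)
    print(classify(pol, "AE", 64496))   # inspect-then-drop
    print(pol.conflicts)                # [('HR', 1, 2)]
```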
We think we don't need it to be legal everywhere. We just need it to be legal where we establish. And we don't think any government would chase us to the end of the world for doing what they always wanted to do themselves but can't do due to limited jurisdiction.
Just don't ask us to pay for it.
There are certain laws in math which hold true... and there are certain security engineering laws which hold true. One being, more security equals less flexibility and slower throughput. You can alleviate it somewhat by spending copious amounts of money, but this is the big question: who's paying for it?
Then there is the fact that you're doing the same thing as China and North Korea. Shutting down availability and only letting in what YOU want.
Stop trying to save people from being stupid. It's everyone's civil right to do so.
Just like all far left wingers... you think your way will save the world, make everything better and safer.
You should check what we're planning to do before assuming too much. We're just planning to make it profitable for the ISP closest to the infected unit or hacker to clean up. We're not planning to block anything. The ISP closest to the threat should block us while cleaning up. And we're suggesting encapsulation and tagging as a better alternative than blocking. That way, there's time to map all the botnets while the target can redirect to honeypots and the hacker doesn't have a clue about what's going on. We're denying the hackers what they need to operate. If they fear that they're being compromised, they will just stay away. Either way it's far more efficient than hiding behind a firewall hoping for the best while the problem continues to grow.
Oh, do fuck off. It doesn't sound like they're "trying to save people from being stupid," rather trying to implement a model to deter people from being assholes and criminals, which I understand you may object to for personal reasons.
"Just like all far left wingers" -- Yes, because fighting crime is a partisan issue, which is why "tough on crime" politicians tend so often to be of the leftist variety. The reality is that the Internet has become hostile territory, with a variety of threats both passive and active, and it would, in fact, save a lot of people money if the criminal actors could be cut off at the source. Maybe if you take off your ideological blinders and suppress your jerking knee for five seconds, you'll see that, although I won't hold my breath, to be sure.
Your post advocates a
(x) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting cybercrime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Legitimate uses would be affected
(x) Requires immediate total cooperation from everybody at once
(x) Many users cannot afford to lose business or alienate potential employers
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Lack of centrally controlling authority
(x) VPNs and proxy servers
(x) Asshats
(x) Jurisdictional problems
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
(x) Extreme stupidity on the part of users
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Blacklists suck
(x) Whitelists suck
(x) Countermeasures should not involve sabotage of public networks
(x) Why should we have to trust you?
(x) Feel-good measures do nothing to solve the problem
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Okay, I had to extend "spam" to "cybercrime" but the underlying message is the same.
Your post advocates a
(x) technical ( ) legislative ( ) market-based (x) vigilante
---- WRONG – there’s nothing vigilant about protecting your own IP range
approach to fighting cybercrime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Legitimate uses would be affected
---- WRONG – this is checked with Interpol, UK min of justice, Norwegian police
(x) Requires immediate total cooperation from everybody at once
---- WRONG – not at all.
(x) Many users cannot afford to lose business or alienate potential employers
---- WRONG - that's why we should address the problem (infected units and neglecting ISPs) and not just provide a firewall to hide behind while the problem continues to grow.
(x) Anyone could anonymously destroy anyone else's career or business
---- WRONG – as long as botnets are not handled yes, that’s why this is a better solution
Specifically, your plan fails to account for
(x) Lack of centrally controlling authority
---- WRONG – there will be a central SOC
(x) VPNs and proxy servers
---- WRONG – The closest ISP is in best position to know what’s VPN/Proxy
(x) Asshats
---- WRONG – The closest ISP is in best position to know who’s asshat
(x) Jurisdictional problems
---- WRONG – checked out
(x) Armies of worm riddled broadband-connected Windows boxes
---- WRONG – closest ISP is in best position to know
(x) Eternal arms race involved in all filtering approaches
---- WRONG – there’s no filtering except from what’s implemented by closest ISP while cleaning up
(x) Joe jobs and/or identity theft
---- WRONG – closest ISP is in best position to know
(x) Technically illiterate politicians
---- WRONG – CyberRehab certification provides what is required for the illiterate
(x) Extreme stupidity on the part of users
---- WRONG
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
---- WRONG – This has never been tried before… pls provide proof
(x) Blacklists suck
---- WRONG – There are no blacklists
(x) Whitelists suck
---- WRONG – There’s no whitelist
(x) Countermeasures should not involve sabotage of public networks
---- WRONG – There’s no sabotage only proper handling of infected units and hackers
(x) Why should we have to trust you?
---- Finally a good question… It took some time
(x) Feel-good measures do nothing to solve the problem
---- WRONG – If they address the real problem (infected units) it feels good and helps
---- I’ll give you score 10 for the effort… Performance could have been better, though…
Actually, I misunderstood this point. Legitimate use will be less affected if the sending ISP is handling the problem than today, when the receiver of the traffic has to handle (often block) it. This is because the sender is in a much better position to know what units are infected and can block only those units (instead of blocking all traffic over that IP address). What I've checked with police is the legality of nagging ISPs that are addicted to cybercrime.
Regarding the AS and country code based blocking mentioned by sitta_europa, this is very similar to what I do on end systems that I control and it works very effectively. Additionally I use honeypots, the whois services provided by the RIRs, a full BGP table and a geo-location database to make associations and automatically block associated prefixes once certain thresholds are reached.
Unfortunately I can't do this for 3rd parties for whom I carry traffic. In many cases I think I would be providing a useful service to them but it's not something I would ever want to do without their informed consent. If someone is paying for full, unfiltered transit then that is what I try and deliver.
It is a nice idea in theory - on par with "cyber threat intelligence".
The problem is a scale and specificity one.
At what point is the ISP responsible for finding out that its users have been compromised? Sure, stopping thousands or millions of spam email coming out of a compromised email account makes sense. What if there are only hundreds? Or dozens?
Similarly, exfil or malware dropper sites: how can you realistically monitor such that you can identify the low-res outfits vs. the gigantic botnets?
Then there's the "known good" danger: if you identify a range of IP addresses as good, then compromise anywhere in that range will avoid defenses erected against the "unknown good", much less "known bad".
Why would any sane cyber security practitioner expose themselves in such a way?
Currently, it's the receiver (the target) that is responsible for figuring out what's malicious. But the ISP closest to the sender (bot, VPN, TOR exit point, hacker) is in a much better position to do so. They already receive notifications from all over the world about those units. But they disregard them because of the very small cost of handling it compared to the enormous cost at the other end for doing the same job. So the core of this idea is to make it profitable for all ISPs to do what's good for cyber security. One obvious way to do that is through the peering. We can demand that ISPs execute it, but that requires that many big customers buy from certified ISPs. Then we can implement what's required to "punish" the neglecting ISPs and favour those that choose to do what's good for cyber security. This way we deny the hackers what they need to build their botnets and carry out crimes.
Carrot and stick is all about expenses and income for the ISPs. And why shouldn't it work? It always has. It's just about leverage and staying on the right side of the relevant law. Net neutrality is on our side: It means anybody can try to hack us. But it also means we can ask their ISP a million times per second why they let them - if that suits our cause. But it's probably better to use the carrot: We'll be solving a hundreds-of-billions-of-dollars-a-year problem. Some of that money should go to ISPs that choose to do what's good for cybercrime just because we can make it profitable. It requires that some big corporations support it, though.
You keep using that word. I don't think it means what you think it means.
In light of the above, why should I pay any attention to you with regard to technical matters?
That, and it's pretty much a fact that anybody who uses the term "cyber" as a technical term is clueless tells me all I need to know.
This concept is not much technical - at least not in the start. It's about making the ISPs do what they already have the tools to do to get rid of malicious traffic. It's just that they choose not to do it because it's not profitable. So by saving a few dollars in expenses, they cause millions of dollars of damage at the other end. It's a much better deal for Internet users to pay the ISPs to get rid of the problem instead of hiding behind a very expensive firewall hoping for the best while the problem grows more and more out of control. Whether I use the terms "cyber" or "hacker" doesn't change the situation. Please tell me how to explain this so that people understand...
"Cybercrime can't and never will be eradicated, just like crime can't and never will be eradicated," said Brian Honan, founder and head of Ireland's CSIRT and special advisor on internet security to Europol.
What's his point? We shouldn't look for better ways to fight cybercrime because it can't be eradicated? Hope he's giving better advice to Europol - otherwise cybercrime may be an escalating problem. Why not rather stick to the topic? Is it better to get the ISPs involved in mitigating cybercrime instead of just hiding behind a firewall hoping for the best? And if so: How can we get the ISPs involved? Law enforcement? That's not working. What about changing peering contracts? Nothing the governments can do about that? Of course, there is... They can implement a high speed net with sponsored access for anybody who complies with some good policies - unless the ISPs handle the problem themselves. That would change the picture. Another thing they could do is demand that all government organizations require CyberRehab certification (includes good peering practices to discriminate non-compliant ISPs) from Internet providers and when peering with such. Then they should advise all corporations to join the same net – unless the ISPs cooperate. Or they could choose the easier way: Join the CyberRehab concept.
That's never a good sign.
(Hint: There are a lot of folks participating here on ElReg who have been running Internet connected machines for three or more decades. Over the years, we've seen proposed cures for network bogosity come and go. None of them work. Not because we don't want them to work, but rather because the perpetrators of the bogosity will always find a way around any obstacle, with the help of their marks (who refuse to understand that they are, in fact, marks). You see, it's not the problem that you think it is. The actual problem is one of hunter and prey, both of which are human conditions and outside the scope of the network. Thus any proposed solution that relies heavily on changing how the network is run is doomed to failure. You have to fix the people first. And that ain't going to happen until society fixes itself.)
That's often the case, but not always. People had been trying to fly for hundreds of years before someone figured out how. And now it's pretty easy. Boarding a plane is probably the easiest. To mitigate cybercrime we also need to know some basic rules about how the Internet works:
- We need to know what hackers need in order to be able to operate
- We need to know why the ISPs don't interfere as they obviously can
- We need to know who profits from the problem not being solved and make sure they don't determine the rules.
- We need to know who benefits the most from the problem being solved and make sure they cooperate to solve it.
If we fail in one of these, then we'll say cybercrime can't be eradicated, ISPs will never interfere, firewalls/IDS/IPS/UTM are the solution or nobody will ever be able to change the Internet.
So, citing an example, let's say something like a DDOS attack using a botnet is the problem ...
Let's say I'm a hacker and have at my fingertips access to said botnet.
I give said botnet a command.
All bots in my net follow that command.
...
No 1 single ISP can solve the problem as my bots can be anywhere on the internet and the net is something I created, and you (as the "victim" of my attack) are the only one that really sees the full scope of what actually went on.
Am I missing something here or is putting pressure on ISPs to solve the unsolvable just forcing our own bills up as consumers with no actual results (given that the problem is not a solvable one)?
So how would this work?
Your ISP reports all the various machines involved in my attack to "something" that holds a blacklist type thing?
Over time MY ISP remains in complete good standing, all the ISPs that host my many bots are affected by this "ranking system ?!?!?!".
The reality is the source of the attack was my home machine, but from your point of view the source of the attack was the many machines that took part.
From the point of view of the many ISPs involved in attacking you it's normal reasonable traffic.
So who points the finger at me (the real cause!)?
It seems to me that all cyber security related efforts are working on the effects not the cause, but tracking the cause is an extensive and complex task that would require a large data center and packet tracing information from the complete set of ISPs involved in this attack + some insane AI that could trawl this data.
Or did I miss something?
The core problem is your botnet and the fact that you've been left alone to build it over a long time. So the plan is that whenever there's any attack, then contact the owners of all the IP addresses involved and demand they (the ISPs) clean up. That includes finding the C&C machine(s) and the hacker that built the network (you). This may require keeping it monitored for a while without interfering. Many ISPs will be happy about this and already are eager to clean up their own net. Over the others, we need some leverage, which can be various kinds of nagging or influencing their peering partners.