http://www.bluesecurity.com/announcements/pm_attack_timeline.asp
It turns out that Bluesecurity did not change their DNS to point to their blog after the DDoS attack began. Rather, the spammer somehow managed to block all non-Israeli access to their website (presumably by messing with BGP or similar). At that point, Bluesecurity updated DNS to point to their blog and posted updates there.
40 minutes after updates began getting posted to the blog, the spammer launched their DDoS attack against TypePad, which included LiveJournal. Who cares that 10 million journals and communities were affected, that spammer has a right to scam people, er, make a profit, dammit! Approximately 16 hours after that, and seeing that TypePad wasn't going away, the spammer attacked Tucows, who provided DNS to bluesecurity.com. In an attempt to get the attacks to stop, Tucows terminated service to Bluesecurity and caused further disruption.
Here's the final score:
Cheers to SixApart for standing up to the attack and dealing with it.
Cheers to Bluesecurity for refusing to allow a criminal spammer to strongarm them into shutting up.
Jeers to Tucows for letting themselves be bullied into terminating Bluesecurity's DNS services.
I SO want this spammer's head on a stake.
(no subject)
Date: 2006-05-06 09:31 pm (UTC)
(no subject)
Date: 2006-05-19 04:18 am (UTC)
(no subject)
Date: 2006-05-06 09:44 pm (UTC)
You really believe Bluesecurity?
Date: 2006-05-07 03:35 pm (UTC)
Bluesecurity gets DDoS'd
Standard ddos mitigation kicks in
And meanwhile their pipe to the net gets maxed out - esp int'l bandwidth
Result? Surprise, surprise, their packets can't get anywhere outside Israel
So they do something incredibly stupid - shift the ddos onto typepad by repointing their dns so it'd point their website to a typepad blog.
Please don't believe all that bluesecurity tells you without a little research - you've been on the net too long for that, I hope (hell, I know).
Go read nanog threads like this one, a bit .. http://www.merit.edu/mail.archives/nanog/msg17212.html
----------relevant quotes from an article referenced there----------
Among other things, Reshef said that "pharmamaster" claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers. Technical staff at Blue Security saw traffic to the company's site drop precipitously shortly after 4:30 p.m. local time on Tuesday, Reshef said.
But experts expressed doubts about that story.
An analysis of Internet routing records for BlueSecurity.com doesn't reveal any changes to the way traffic was routed to the domain in recent days, said Todd Underwood, chief operations and security officer at Renesys Corp. of Manchester, N.H., which sells Internet monitoring and analysis technology.
Instead, Blue Security appears to be the victim of a larger-than-average, but run-of-the-mill distributed denial of service attack, which has gone on unabated for around three days, said Underwood.
That jibes with reports to the Internet Storm Center (ISC), also, said Johannes Ullrich, CTO at ISC.
That should be expected, given Blue Security's confrontational approach to stopping spam, Underwood said.
"Spammers get pissed off when anti-spammers attack them directly," he said.
Blue Security couldn't do anything to avoid the DDoS attack, but Underwood was critical of the company's reaction to the attack: moving their home page to a blog hosted at Six Apart's TypePad service shortly after midnight local time on Tuesday.
Re: You really believe Bluesecurity?
Date: 2006-05-07 05:17 pm (UTC)
I'm not nearly as "plugged in" to the anti-spam scene as I used to be and, at the time I read Bluesecurity's page, I had no reason not to believe them. Since you've pointed me to that, however, I'll go write another LJ entry about that.
Re: You really believe Bluesecurity?
Date: 2006-05-11 03:21 pm (UTC)
I don't necessarily agree with BlueSecurity's approach to anti-Spam, and I am dead set against redirecting a DDOS attack. But I am intrigued by references to BlueSecurity raising the ire of Spammers. Can they really determine the source of Spam or are some unwitting zombie relays being hit by BlueSecurity's "tit for tat" message barrage? Has "pharmamaster" felt the wrath of BlueSecurity's revenge, or is the Spammer community just reacting to the possibility that BlueSecurity might SPAM them?
(IMHO, if BlueSecurity really can identify the Spammers, then they can also identify the insecure PCs being used to relay SPAM without their owners' knowledge or consent. Since the anti-relaying fix is relatively cheap and easy for a telephone help desk, why can't the addresses of the be reported to responsible ISPs and then have the ISP help its customers? The ISP would be "repaid" by the useless traffic reduction.)
Finally, I can't resist adding my thoughts on the appropriate punishment for Spammers: sentence them to hand-write a letter of apology to each person they spammed. Hand-addressed envelopes; no self-stick envelopes or postage, etc. To ensure that they complied with the arduous manual procedure, they would be supervised ... by remaining in jail until they completed their punishment!
Re: You really believe Bluesecurity?
Date: 2006-05-11 04:06 pm (UTC)
> Can they really determine the source of Spam or are some unwitting zombie
> relays being hit by BlueSecurity's "tit for tat" message barrage?
Sure. It all comes down to "follow the money". Spam is used for advertising, which means that someone is paying for the spam runs, and trying to drive traffic to their website. Often, finding the ultimate culprit is as simple as looking at the URLs in the spam.
> Has "pharmamaster" felt the wrath of BlueSecurity's revenge, or is the
> Spammer community just reacting to the possibility that BlueSecurity might
> SPAM them?
Unknown about Pharmamaster. The latter is certainly possible, though.
> (IMHO, if BlueSecurity really can identify the Spammers, then they can also
> identify the insecure PCs being used to relay SPAM without their owners
> knowledge or consent. Since the anti-relaying fix is relatively cheap and
> easy for a telephone help desk, why can't the addresses of the be reported
> to responsible ISPs and then have the ISP help its customers. The ISP would
> be "repaid" by the useless traffic reduction.)
Because that niche is already filled by services like SpamCop (http://www.spamcop.net/). And Blue Security is going after an angle which has never been tried before, which is coordinating user complaints in bulk.
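An added example (not code from this thread, from Blue Security or from SpamCop) of the "follow the money" point in the reply above and of the zombie-relay question it answers: the relay addresses in a spam run vary from message to message, but the advertised URLs converge on one host. The relay addresses, hostnames and message bodies are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample spam: (relay address the message came from, body).
# Each message arrived via a different relay, modelling compromised
# "zombie" hosts, but three of the four advertise the same site.
SAMPLE_SPAM = [
    ("203.0.113.10", "Cheap meds!! visit http://www.example-pharma.test/buy?ref=a1 now"),
    ("198.51.100.77", "Last chance: https://example-pharma.test/sale/ and http://tracker.example.test/p.gif"),
    ("192.0.2.200", "Click HTTP://EXAMPLE-PHARMA.TEST/promo today"),
    ("203.0.113.45", "Unrelated newsletter http://news.example.org/issue/12"),
]

# Matches http/https URLs up to the first whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(body):
    """Return the normalised (lower-case, no leading 'www.') hostname of every URL in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def rank_advertised_sites(messages):
    """For each advertised host, count messages and distinct relays pointing at it.

    Returns (host, message_count, distinct_relay_count) tuples, most-advertised first.
    A host with many messages from many relays is the party paying for the run,
    whereas each individual relay is most likely an unwitting zombie.
    """
    per_host_msgs = Counter()
    per_host_relays = {}
    for relay_ip, body in messages:
        for host in set(extract_hosts(body)):  # count a host once per message
            per_host_msgs[host] += 1
            per_host_relays.setdefault(host, set()).add(relay_ip)
    return [(host, n, len(per_host_relays[host])) for host, n in per_host_msgs.most_common()]


if __name__ == "__main__":
    for host, msgs, relays in rank_advertised_sites(SAMPLE_SPAM):
        print(f"{host}: {msgs} message(s) via {relays} distinct relay(s)")
```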
Re: You really believe Bluesecurity?
Date: 2006-05-11 06:25 pm (UTC)
Re: You really believe Bluesecurity?
Date: 2006-05-11 06:41 pm (UTC)
In the aspect of being judge/jury/executioner, RBLs have been doing this since the late 90s or so. :-)
Re: You really believe Bluesecurity?
Date: 2006-05-12 03:45 pm (UTC)
Remember Juno.com? I had to give up my free account when half of my emails were being blocked because of the domain name. Hotmail, AOL, et al. have gone through the same growing pains. But I still don't feel comfortable with RBLs.
Re: You really believe Bluesecurity?
Date: 2006-05-12 05:00 pm (UTC)
Also, not all blacklists are equal. SpamCop only blacklists based on the number of complaints gotten from users, and entries are removed automatically after the spam stops. Other blacklists (the better run ones, at least) have delisting procedures that are run fairly by the admins. Of course, there are still the poorly run blacklists, such as SPEWS, which do not make contact information available and are quite difficult to get off of. I'd recommend avoiding those.
Re: You really believe Bluesecurity?
Date: 2006-05-19 04:21 am (UTC)
Re: You really believe Bluesecurity?
Date: 2006-05-12 08:42 pm (UTC)
I also said that they are part of the reason. The other parts have to do with configuration and other security implementations that significantly reduce the blocking capabilities of any RBL. (Yes, my inquiry was work related and I am a Security Administrator. You may say, "Boo, Hiss" now if you like ...)
BTW, for my home network I prefer individual SPAM solutions/blocks as they allow each person to filter more or less based upon their own preferences and amount of SPAM. And it saves me the cost of yet another server.