Stupidity at Bluesecurity
May. 7th, 2006 01:20 pm
Regarding my recent post about the DDoS on Bluesecurity, it turns out that they were being a little stupid after all. Take a look at this:
http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html
Among other things, Reshef said that “pharmamaster” claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers. Technical staff at Blue Security saw traffic to the company's site drop precipitously shortly after 4:30 p.m. local time on Tuesday, Reshef said.
But experts expressed doubts about that story.
An analysis of Internet routing records for BlueSecurity.com doesn't reveal any changes to the way traffic was routed to the domain in recent days, said Todd Underwood, chief operations and security officer at Renesys Corp. of Manchester, N. H., which sells Internet monitoring and analysis technology.
Instead, Blue Security appears to be the victim of a larger-than-average, but run-of-the-mill distributed denial of service attack, which has gone on unabated for around three days, said Underwood.
That jives with reports in to the Internet Storm Center (ISC), also, said Johannes Ullrich, CTO at ISC.
That should be expected, given Blue Security's confrontational approach to stopping spam, Underwood said.
"Spammers get pissed off when anti-spammers attack them directly," he said.
Blue Security couldn't do anything to avoid the DDoS attack, but Underwood was critical of the company's reaction to the attack: moving their home page to a blog hosted at Six Apart's TypePad service shortly after midnight local time on Tuesday.
So, Bluesecurity loses one point for actually believing the spammer's lies and for not checking his claims out. I'd say that the spammer loses another point for lying, but he has already hit rock bottom (and started to dig).
And SixApart got screwed over because Bluesecurity reacted to the attack in a clueless manner. :-(
(no subject)
Date: 2006-05-07 05:51 pm (UTC)
To me, I never even noticed LJ go down. I slept through the hours the outage took place and didn't notice any problems. It was by no means a long one compared to past planned and unplanned shutdowns and outages of the system.
(no subject)
Date: 2006-05-07 06:00 pm (UTC)
I don't care so much about the LJ angle as I do about the Bluesecurity handling their DDoS attack in an irresponsible way angle.
(no subject)
Date: 2006-05-07 06:14 pm (UTC)

(no subject)
Date: 2006-05-07 06:16 pm (UTC)
I stepped down from SpamCon many months ago, actually.
(no subject)
Date: 2006-05-07 06:25 pm (UTC)
But it made me wonder, why believe them instead of blue security?
Or the other way around?
I mean, both could be telling the truth, but either (or both) sources could be lying or misinterpreting information...
So how do you choose who to believe?
(no subject)
Date: 2006-05-07 06:27 pm (UTC)
Companies, on the other hand, don't necessarily need to be honest to turn a quick buck. (Witness all of the scams out there.)
Also, I think it's entirely possible that Bluesecurity may have just misunderstood the nature of the DoS attack. Additionally, they have not provided any proof that routes were altered. If they had given details about ASes that were changed and/or nullrouted, then I'd be taking their claim a little more seriously.
(no subject)
Date: 2006-05-07 06:31 pm (UTC)

(no subject)
Date: 2006-05-07 06:37 pm (UTC)
I'd say they're at least partly responsible.
The real guilty party is the spammer, though. I want his balls.
(no subject)
Date: 2006-05-07 06:41 pm (UTC)

(no subject)
Date: 2006-05-07 06:42 pm (UTC)
I cannot confirm or deny that.
...except over beer sometime.
(no subject)
Date: 2006-05-07 06:46 pm (UTC)

(no subject)
Date: 2006-05-07 09:19 pm (UTC)

(no subject)
Date: 2006-05-07 09:20 pm (UTC)
But really, flood the entire connection from/to Israel? Whoa o.o
(no subject)
Date: 2006-05-07 09:20 pm (UTC)
I'll settle for one of his kidneys, then.
No stupidity at BlueSecurity...
Date: 2006-05-08 04:53 am (UTC)
05021447: www.bluesecurity.com gets Blackhole Filtered, and cannot be seen from anywhere except inside Israel.
05021530: Corporate servers come under attack. These do not use the IP address for www, they are totally different. You'll see it sometimes with big sites? Instead of www.example.com, you'll see ds1.example.com, ds2.example.com. These are the servers used to handle traffic from the BlueFrog program and are never seen by the general public, nor do they carry anything meant to be seen by the general public.
05022245: BlueSecurity posts an update to their blog, bluesecurity.blogs.com, explaining what's going on and what's being done to fix it.
05022320: DNS for www.bluesecurity.com is re-routed to their blog. Bear in mind, www.bluesecurity.com was not under DDoS attack. This is crucial to the whole argument!
05030000: PharmaMaster initiates DDoS against TypePad.
There is one thing I'm curious about, though...
Did PharmaMaster initiate an attack against www.typepad.com and its servers? Or did they attack www.bluesecurity.com, and it got re-routed to typepad? The article isn't clear on this particular detail, but it's a critical one and needs to be addressed before any blame can be assigned.
I'm going to say that BlueSecurity needs to answer that question, and it needs to be backed up with info from TypePad.com
Re: No stupidity at BlueSecurity...
Date: 2006-05-08 01:27 pm (UTC)
> from anywhere except inside Israel.
Right now, there is zero evidence that this happened. Read the article I linked to. Nobody has found any proof that routing tables were altered.
> 05022320: DNS for www.bluesecurity.com is re-routed to their blog. Bear in
> mind, www.bluesecurity.com was not under DDoS attack. This is crucial to the
> whole argument!
At this point, I'm gonna need some additional corroboration before I can believe Bluesecurity's take on this. I mean, these people couldn't even tell the difference between a DoS attack and null routing!? It's not that hard; just look at the MRTG graphs. If you've been blackholed, your inbound Internet traffic will be near zero. If you are under a DDoS, the graphs will instead be lit up like a Christmas Tree.
> Did PharmaMaster initiate an attack against www.typepad.com and its
> servers? Or did they attack www.bluesecurity.com, and it got re-routed to
> typepad? The article isn't clear on this particular detail, but it's a
> critical one and needs to be addressed before any blame can be assigned.
>
> I'm going to say that BlueSecurity needs to answer that question, and it
> needs to be backed up with info from TypePad.com
Chances are, Bluesecurity is in no position to answer this question, since I'm guessing that they did not have shell access on any Typepad machines, which means they could not examine logfiles. And any sort of network stuff (running tcpdump, etc.) is right out.
Assuming that everyone was being stupid, I get the following: Bluesecurity stupidly pointed their DNS A and/or CNAME records over to typepad's machine, and the spammer stupidly kept hitting www.bluesecurity.com without bothering to see that the IP had changed. If that's the case, there's plenty of blame to go around to all parties, and the only truly innocent party here would be Typepad/Sixapart.
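The MRTG-graph test in the reply above (a blackhole filter makes inbound traffic collapse toward zero, a volumetric DDoS makes it spike) can be written down as a small classifier over the same kind of samples MRTG polls. This is an added example, not code from the original post, from Blue Security or from Renesys; the traffic series, the 5 % "drop" and 5x "flood" thresholds and the function names are constructed assumptions.

```python
"""Tell a null-route (blackhole filter) from a volumetric DDoS using only
inbound traffic samples, the same signal an MRTG graph shows.

Added example, not from the original post. Samples and thresholds are
constructed assumptions, not figures from the Blue Security incident."""
from statistics import median

# Constructed data: one sample per 5 minutes, in Mbit/s inbound, as MRTG
# would poll it from a border router. A quiet hour serves as the baseline...
BASELINE_HOUR = [48, 52, 50, 47, 55, 51, 49, 53, 50, 48, 52, 51]

# ...followed by four different "last half hours".
NORMAL_TAIL = [50, 49, 53, 51, 48, 52]          # nothing happened
BLACKHOLE_TAIL = [20, 1, 0, 0, 0, 0]            # upstream null-routed the prefix
PARTIAL_TAIL = [10, 2, 2, 1, 2, 1]              # foreign traffic filtered, domestic trickle remains
DDOS_TAIL = [300, 900, 1400, 1500, 1480, 1510]  # flood arriving


def classify_inbound(samples, tail=6, drop_ratio=0.05, flood_ratio=5.0):
    """Classify the last `tail` samples against the median of everything before them.

    Returns 'blackholed', 'ddos', 'normal' or 'insufficient-data'.
    Medians rather than means, so one odd poll cannot flip the verdict.
    """
    if len(samples) < 2 * tail:
        return "insufficient-data"
    baseline = median(samples[:-tail])
    if baseline <= 0:
        return "insufficient-data"  # no history to compare against
    ratio = median(samples[-tail:]) / baseline
    if ratio <= drop_ratio:
        return "blackholed"  # graph goes flat: traffic is not reaching us at all
    if ratio >= flood_ratio:
        return "ddos"        # graph lit up: far more traffic than usual is arriving
    return "normal"


def evidence_line(samples, tail=6, **kwargs):
    """One line of evidence for an incident write-up: verdict plus the numbers behind it."""
    verdict = classify_inbound(samples, tail=tail, **kwargs)
    if verdict == "insufficient-data":
        return verdict
    return (f"{verdict}: baseline median {median(samples[:-tail]):.1f} Mbit/s, "
            f"recent median {median(samples[-tail:]):.1f} Mbit/s")


if __name__ == "__main__":
    for name, t in [("normal", NORMAL_TAIL), ("blackhole", BLACKHOLE_TAIL),
                    ("partial", PARTIAL_TAIL), ("ddos", DDOS_TAIL)]:
        print(f"{name:10s} {evidence_line(BASELINE_HOUR + t)}")
```

The `PARTIAL_TAIL` series models the "cannot be seen from anywhere except inside Israel" claim: a geographic filter upstream would leave a domestic trickle rather than a flat zero, but still well under the 5 % threshold, so the two stories remain distinguishable on the graph. In a real deployment the baseline should be the same hour on previous days rather than the hour just before, and a null route usually flattens outbound response traffic as well, which gives a second graph to corroborate the verdict.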
(no subject)
Date: 2006-05-09 07:46 am (UTC)

My take
Date: 2006-05-19 04:35 am (UTC)
But I think a big point is getting missed in all the talk about who is to blame for the other sites going down. That point is that the blue frog idea was an idea that may have hit the spammers in a way that would stop them.
Could blue frog do a DoS on a spammer's site? Sure it could, but if they had sent one e-mail they would get 1 opt out. If they sent 1000 e-mails they got 1000 opt outs. If they don't want 1000s of opt outs then just don't send the spam...
CAN-SPAM is a joke and many of the spammers are not in the US for laws like CAN-SPAM to even go after. Blue frog went after the people that pay the spammers' bills. If spamming is not profitable then it won't be done.
The fact that the spammers went as far as they did is all the proof I need to see that this is the answer! They may have won the battle but the war is far from over. I hope the P2P project gets going under the same concept!