
Re: [Asrg] Solving spam == Solving zombies/botnets

2008-12-02 20:29:21
On Tue, Dec 02, 2008 at 12:25:37AM -0500, Walter Dnes wrote:
>   What it boils down to is that to majorly reduce spam, we have to
> majorly reduce botnets/zombies.

We can't; we can only mitigate the consequences.  I realize that's
kind of a grim statement, but attackers are way ahead of defenders
on this front and have at least one serious bit of leverage: the
unwillingness of hundreds of millions to abandon their OS of choice,
no matter how pitifully insecure it has proven itself to be.

However: "they", for some values of "they", can majorly reduce the
*access* of botnets/zombies, should they have sufficient reason to do so.
And that's where I think economic motivation comes in -- not via
construction of an epostage system, but by their desire to continue
enjoying the privilege of access to others' networks and services.

To put this another way: any anti-spam measure which a priori assumes
that it's "our" problem is unlikely to sway "them" that it's theirs.
ISPs and others whose networks are emitting torrents (sorry!) of spam
have no reason to care because there are no consequences -- and every
reason not to care, since caring costs money.

The trick, I think, is to turn "our" problem into "their" problem,
thus (a) mitigating the consequences for us and (b) providing them
with motivation sufficient to get them to address it.

It's called a "blacklist", and we've all seen various models of those
in operation.  What it amounts to really, though, is "selective revocation
of privileges". (i.e. nobody out there has any "right" to use example.com's
mail or web server and example.com may grant/revoke privileges at its whim.)

I point to the recent cases of Atrivo and McColo as examples of what
*could* be done quite effectively.

This goes beyond just spam, by the way: the same approach can/could be
used to deal with attempted HTTP exploits, SSH dictionary attacks, etc.
If one observes a host engaged in any of these abusive behaviors, then
either:
        a) it really belongs to the enemy, e.g. it's a box they bought
                and paid for and connected somewhere
        b) it (at least temporarily) belongs to the enemy, because it's
                been wrested away from its putative owner
        c) it's been subverted by the enemy in order to launch or redirect
                an attack (e.g., open SMTP relay)
        d) it's broken

In any of these cases a suitable response is "stop letting it access the
service in question" (or possibly "stop letting it access anything").
This solves "our" problem by denying privileges to an attacker and
potentially makes it "their" problem, if there's actually a responsible
"they" in charge somewhere.  (And clearly on some rogue networks, there
isn't.  But rogue networks have upstreams, see examples above.)

Of course we'd all be better off if network operators detected these
forms of abuse outbound from their operations, rather than waiting for
us to detect them inbound to ours.  And they could -- not all of them,
granted, not all the time, but certainly more than enough to make a
sizable impact on the problem.

But, mostly, they haven't.  They won't.  They have no reason to.  The
days when people would try to solve problems they perceived as "someone
else's" ended here about two decades ago, and it now seems necessary to
ensure that problems land squarely on the desks of those responsible --
in order to get their attention and provide them with some motivation.

I don't like this situation much.  But clearly, asking "them" nicely
"would you please do something about the 51,000 zombies on your network?"
isn't going to accomplish anything.  I think asking them nicely while
refusing all SMTP traffic from their /18 is likely to be more persuasive,
particularly if that refusal is widespread.  (Which is of course the trick.)

---Rsk
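The "observe abuse, then revoke the privilege" response described in the post (per-host denial for SSH dictionary attacks, escalating to refusing a whole prefix so the problem lands on the operator's desk), worked through as an added example that is not part of the original message. The log lines, thresholds, prefix length and function names are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd auth-log lines; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
sshd[101]: Failed password for admin from 203.0.113.7 port 40002 ssh2
sshd[101]: Failed password for oracle from 203.0.113.7 port 40003 ssh2
sshd[102]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2
sshd[102]: Failed password for invalid user guest from 203.0.113.9 port 40011 ssh2
sshd[102]: Failed password for invalid user ubnt from 203.0.113.9 port 40012 ssh2
sshd[103]: Failed password for alice from 198.51.100.20 port 50000 ssh2
sshd[104]: Accepted publickey for bob from 198.51.100.21 port 50001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def count_failures(log_text):
    """Count failed SSH logins per source address (one typo is not abuse)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def revocations(log_text, host_threshold=3, prefix_len=24, prefix_threshold=2):
    """Return (abusive_hosts, refused_prefixes).

    A host reaching host_threshold failures loses SSH access ("our" problem
    solved).  When prefix_threshold or more abusive hosts share one prefix,
    the whole prefix is refused, which makes it "their" problem.  Thresholds
    and prefix length are assumed values, not a recommendation.
    """
    hosts = {ip for ip, n in count_failures(log_text).items() if n >= host_threshold}
    per_prefix = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in hosts
    )
    prefixes = {net for net, n in per_prefix.items() if n >= prefix_threshold}
    return hosts, prefixes

def is_allowed(ip, hosts, prefixes):
    """Policy check a service runs on a connecting address before serving it."""
    addr = ipaddress.ip_address(ip)
    if str(addr) in hosts:
        return False
    return not any(addr in net for net in prefixes)
```

The same structure applies to the other abuse classes the post names (HTTP exploit attempts, spam from an open relay); only the log pattern and the service being refused change.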