Bill_Bright
General
 Premium Member
 Joined: Jan 16, 2004 Posts: 8930 Location: Nebraska, USA
 |
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4637 Location: USA
|
Posted: Tue Jun 12, 2007 2:05 pm Post subject: |
|
|
More references...
DDoS Knocks Antispam Sites Offline
- http://www.pcworld.com/printable/article/id,132780/printable.html
June 11, 2007 ~ "Several antispam organizations have been targeted by an attempt to knock them offline... SANS' Internet Storm Center (ISC) said* a "pretty big" distributed denial of service (DDOS) offensive had targeted several high-profile organizations, including Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist). Rules Emporium, a site hosting rules for the open source SpamAssassin antispam program, was also offline, and may have been targeted as well... As of Monday, Rules Emporium and URIBL were still not reachable, while Spamhaus and SURBL appeared to have recovered... Denial of service attacks are a routine risk for antispam groups, but the current attack is similar to those carried out against Blue Security just over a year ago using botnets controlled by the Storm malware, according to SANS. The attacks caused Blue Security to exit the antispam business..."
* http://isc.sans.org/diary.html?storyid=2940
Last Updated: 2007-06-07 21:34:57 UTC
. _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
 |
nv1962
Sergeant
 Premium Member
 Joined: Jan 30, 2007 Posts: 120 Location: Reno, NV, USA
|
Posted: Tue Jun 12, 2007 2:57 pm Post subject: |
|
|
What I don't quite understand is how apparently it is clear that the traferreg.com domain is used to point to the victim domains / sites, which I would think presents a fantastic opportunity to take it down and hence shut down the attack in its origin, i.e. the pointer domain.
Am I missing something? Wouldn't it make sense to swiftly engage the registrars involved with traferreg.com and have it taken down ASAP?
Edited: doh... I was looking at the screenshot for the Storm attack in February here; that domain is probably not the pointer anymore. But the principle remains the same: if Storm works via redirection, shouldn't a rapid response team to take out those pointers be able to counter attack and shut them down within a fairly short span of time?
 |
Bill_Bright
General
 Premium Member
 Joined: Jan 16, 2004 Posts: 8930 Location: Nebraska, USA
|
Posted: Tue Jun 12, 2007 5:38 pm Post subject: |
|
|
The problem is the original origin is likely spoofed and does not point to the real origin. Also, the whole concept of botnets is that bad guys compromise unprotected computers by various means (virus, spam, worms, spyware, intrusions, etc.) and very often, they target computers running pirated copies of Windows because the users (AKA: software thieves) are afraid to keep their systems patched and updated for fear of being caught. These unprotected computers (millions of them scattered around the world - including legitimate users who fail to practice safe computing) sit in hiding for days or even months, until some trigger, such as a specific date and time. So the attack comes from millions of sources simultaneously. This makes it very difficult, if not impossible, for the IT Security industry to be proactive.
[rant-on]
This is why it is necessary for us, and by us, I mean tax paying voters, to demand our elected representatives create tougher laws against the bad guys, and fund law enforcement so they can have the resources they need to enforce the laws, and to put in place judges that will levy strict sentences and very heavy fines against the offenders.
Much of the problem also is corrupt government officials in 3rd world countries, China, Russia, and elsewhere that turn a blind eye (while their pockets are being lined). And finally, there are many ISP operators that make no effort to keep malware from getting on the Internet in the first place. We need to get the corruption out of the UN too!
The big telecommunication giants, the backbone providers, need to do more to stop malware on their ends. Instead, all they do is build bigger and faster pipes to handle the small amount of legitimate data, PLUS the massive amounts of illegitimate malware, and charge us, the end-user consumers for those bigger pipes, while they sit back and get rich.
Finally, the anti-malware industry needs to do more. Sadly, there is absolutely no incentive whatsoever for Norton, McAfee, AVG, etc. to rid the world of malware - for if they did, they would go out of business.
[rant-off] _________________
Bill (AFE7Ret)
Freedom is NOT Free!
 |
nv1962
Sergeant
 Premium Member
 Joined: Jan 30, 2007 Posts: 120 Location: Reno, NV, USA
|
Posted: Tue Jun 12, 2007 6:42 pm Post subject: |
|
|
I'm sorry - I wasn't clear. When I said "origin", I probably should have used the term "concentrator" instead. A bit like a concave dish used to catch and focus radiowave signals, those domains (such as in that example, traferreg.com) act as redirecting / concentrating domains, pointing to the victims' domains.
That clarification aside, I completely agree with you: spammers should be vigorously pursued; to use US parlance, if not via RICO, the very USA PATRIOT ACT.
And yes also, in that piracy is an immensely complicating factor.
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2705
|
Posted: Tue Jun 12, 2007 10:08 pm Post subject: |
|
|
I suppose that is what they are doing when they point their domain's traffic to prolexic. But if the DDoS'ers can't send inquiries to the site, neither can the legitimate users.
 |
!B0ff
Trooper

 Joined: Mar 25, 2007 Posts: 14
|
Posted: Tue Jun 12, 2007 10:10 pm Post subject: |
|
|
Hi AC, do we know why the CarPCStore site is down..? (fearing the worst)
 |
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2884
|
Posted: Tue Jun 12, 2007 11:46 pm Post subject: |
|
|
It is up now. No need to panic.
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2705
|
Posted: Wed Jun 13, 2007 12:03 am Post subject: |
|
|
It was down, then up, now intermittent. I haven't seen any mention in the KS forum to explain it. I should think a DDoS would start with a sputter as bots with their clocks set wrong would jump the gun.
 |
pwillener
SRT Trainee
 Premium Member
 Joined: Apr 17, 2006 Posts: 1725 Location: Japan
|
Posted: Wed Jun 13, 2007 2:19 am Post subject: |
|
|
If I can see a "positive side" in this, the bot.net seems to be so busy with this current activity that I found my mailbox almost empty of spam this morning.
Meaning that if they want to go back to their "business as usual", they will have to stop the DDoS soon.
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2705
|
Posted: Wed Jun 13, 2007 1:59 pm Post subject: |
|
|
Killspammers forum looks down again:
Warning: mysql_connect() [.... then a bunch of code ...]
phpBB : Critical Error
Could not connect to the database
 |
!B0ff
Trooper

 Joined: Mar 25, 2007 Posts: 14
|
Posted: Wed Jun 13, 2007 2:52 pm Post subject: |
|
|
| AlphaCentauri wrote: | Killspammers forum looks down again:
Warning: mysql_connect() [.... then a bunch of code ...]
phpBB : Critical Error
Could not connect to the database |
| Quote: | | The Kill Spammers forums are offline. We are working to bring them back online. Please be patient. |
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2705
|
Posted: Wed Jun 13, 2007 3:12 pm Post subject: |
|
|
I miss my fix. Guess I'll have to spend the time I would have spent on that forum reporting more spam 
 |
!B0ff
Trooper

 Joined: Mar 25, 2007 Posts: 14
|
Posted: Wed Jun 13, 2007 3:48 pm Post subject: |
|
|
| Quote: | | The Kill Spammers forums are offline. It appears we are under DDOS attack, as the b/w for today (at 11am) is already 4x more than typical. A thread will be started at CastleCops. |
 |
nectau
Cadet

 Joined: Jun 13, 2007 Posts: 8
|
Posted: Wed Jun 13, 2007 4:16 pm Post subject: |
|
|
hello. just checking in to say I'm here too.
also:
| Quote: | This Account Has Been Suspended
Please contact the billing/support department as soon as possible. |
ouch. _________________ "spammers suck and suckers spam"