Botnet runners start their own ISPs

Botnet and malware creeps are setting up their own ISPs, with their own IP blocks, so that spamfighters don't have anyone to complain to when they run them to ground:
"It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers," said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. "It takes one more level out of it: You own your own IP space and you're your own ISP at that point.

"If there's a problem, who are you going to talk to? It's a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren't going to push back if you say you need a /24 or /16. They're not the Internet police," Lanstein said...

"This is part of the problem that's causing the IPv4 shortage," Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. "They stop paying the bills, the space gets null-routed and then it's a mess. There's clear fraud going on, but who can do something about it?"

Attackers Buying Own Data Centers for Botnets, Spam (via /.)


  1. This doesn’t make any sense. Malware and Botnets are two different species, neither of which needs an ISP.

    Botnets are ad-hoc networks of infected machines that have been owned. Even the Command and Control networks of botnets are generally layered through cutouts of other infected machines. That way when a botnet Command and Control node is discovered, either through traffic analysis or an autopsy of the botnet malware, only a small part of the whole is affected. You would want the servers you directly control to be very far away from your army. Hosting botnets on your own servers is like keeping an ant farm in your bed.

    Malware is software and only lives on machines that have been taken over through some vulnerability. It has nothing to do with IP addresses or data centers. The malware may communicate information back through a channel that the owner of the infected machine is not aware of, but it often works in a manner similar to Botnet CnC.

    Involving any kind of static resource into an attack will only lead to it being mitigated more quickly.

    There are central locations that act as trading posts and clearing houses for people to sell time on a botnet or purchase bulk stolen identities. Those servers are usually quite small and a different beast altogether.

  2. This almost sounds like good news to me. The botnets have circled their wagons and have given up mobility. All we have to do is block their range of IP addresses and we’re done.

    This compared to botnets being run on random people’s compromised computers, where banning ranges of IP addresses blocks lots of legitimate traffic. (Though in fighting spam last month I very nearly blocked all Comcast traffic. Comcast users apparently have the worst ‘net hygiene.)

    1. I think you misapprehend — AFAICT, these ISPs are for command-and-control, the motherships that the botnets phone home to. The infections are still out there in the wild.

      1. But if the DNS knows to block those IPs, then traffic will be rerouted around them altogether, preventing malware from dialing home.

  3. “If there’s a problem, who are you going to talk to?”

    The same person you always talked to in the past: whomever is providing connectivity to the rest of the internet. Just because the bad guys have entire IP blocks and datacenters, ultimately, they still have to be dealing with other companies to be able to talk to the rest of the world. One merely has to look at the peering disputes of major backbone providers to see that size is not an issue in getting cut off.

  4. Doesn’t this activity expose the bad guys physically? You need money to buy the addresses, data centers and whatnot, and money is traceable (at least to some extent). Moreover you cannot transfer equipment with a few lines of code when the bloodhounds get too close.

  5. “These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16.”

    This is so insanely incorrect that I know this guy has to be shilling some bullshit “solution”. Even if RIRs were handing out that kind of IP space — which they absolutely are not — it wouldn’t help the spammers/hackers. A /8 can be blacklisted wholesale with one line in an ACL. Mobility is their strength.

    As others have stated, ISPs are more than willing to literally pull the plug on clients that are hosting malicious content. They have no desire to be the targets of law enforcement or consumer vitriol.

    “I think you misapprehend — AFAICT, these ISPs are for command-and-control, the motherships that the botnets phone home to. The infections are still out there in the wild.”

    Nope. “Botnet” implies a level of amateurism that really doesn’t exist in this realm anymore. While zombified PCs were fun DDOS toys for early hackers, they simply lack the bandwidth to do any real harm anymore. I have a 1GB link in my small office, which costs a pittance compared to bandwidth prices 5 years ago. It would take, literally, tens of thousands of broadband-connected PCs to saturate such a link.

    Phishing is the game these days. And the folks who run the botnets that support such rackets are mostly used for (surprisingly) sophisticated DNS hacks or relaying spam. The servers sitting in racks just host the content that said networks redirect victims to.

    The real players in hosting the serious hardware required for these highly lucrative scams are typically in countries that are willing to turn a blind eye in order to capitalize on the still-growing Internet sector. However, there are some that fleetingly survive in the US. For instance, Bulletproof (I think that was their name). They’d host anything from spam to kiddie porn and adjusted their hosting rate based on how many cease and desist notices a particular client received, which they’d ignore and then plead ignorance.

    Malicious content providers are several steps ahead of the law. Not so much due to the incompetence of the cops, but because of the lack of enforcement mechanisms. This stuff is big mafia business. If they wanted to own ISPs, they’d have done so long ago and, in doing so, painted even larger targets on their backs.

    1. “I have a 1GB link in my small office, which costs pittance compared to bandwidth prices 5 years ago”

      A pittance? A cheap business grade 20 megabit connection costs $1500/mo around here. Where are you getting 1 gigabit/sec for “a pittance”?

    2. “Nope. “Botnet” implies a level of amateurism that really doesn’t exist in this realm anymore. While zombified PCs were fun DDOS toys for early hackers, they simply lack the bandwidth to do any real harm anymore. I have a 1GB link in my small office, which costs a pittance compared to bandwidth prices 5 years ago. It would take, literally, tens of thousands of broadband-connected PCs to saturate such a link.”

      This isn’t really accurate. There are still quite a lot of DDOS attacks that disrupt services and are a real headache for companies on the internet. There is no relationship between the cost of a link and how much damage can be inflicted by a DDOS attack. A layer 7 attack vector such as the Slowloris TCP weakness or malicious DNS requests can easily overwhelm a daemon trying to provide a network service. Also, techniques like amplification can turn 100 infected machines into a veritable fire hose of traffic.

      Part of the reason is that while a small botnet may only be several thousand hosts, they can be highly distributed, so simply ACL’ing one host at a time won’t do. For a business on the internet, you can’t just shut down a service either, because that is curing the disease by killing the patient. Being able to keep your clients connected and scrubbing the attack traffic is a tricky business that requires a different technique for almost every kind of attack. For example, SYN cookies won’t do any good against infected machines that do a full three-way handshake but then just hold open the connection.

      Lastly I think you underestimate how large the available pool of infected hosts for sale to attackers really is. The management of botnets is highly sophisticated allowing for execution of code sent to the zombies after they are infected. Time is sold on these networks in huge chunks of bandwidth or working hours.

      You are correct in your post that there are all kinds of new nastiness that is spewing out of these machines. However, to dismiss Botnets as a toy or not a threat to the continued operation of companies trying to provide services online, is not correct.
      That said, the idea of the evil ISP is still rubbish.
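
As an added illustration of the point in the reply above, and not code from the thread or from any commenter: the connection-table snapshot below is constructed, and it shows why SYN cookies do nothing against a client that completes the three-way handshake and then holds connections open. The detection keys on per-source counts of established, nearly idle, request-less connections; the thresholds (30 seconds, 512 bytes, 10 stalled connections, a 20-connection per-source cap) and the field names are assumptions of mine, not tuned values from any product.

```python
"""Spotting Slowloris-style connection hoarding from a connection-table snapshot.

Added example, not from the original thread. The snapshot is constructed, not
captured from a real server, and the thresholds are assumed working values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    state: str            # TCP state as the server reports it, e.g. "ESTABLISHED"
    age_s: int            # seconds since the three-way handshake completed
    bytes_in: int         # application-layer bytes received so far
    request_done: bool    # has the server seen one complete HTTP request?


def build_snapshot():
    """Constructed sample: one host that completed 40 handshakes, then trickles
    a few header bytes per connection and never finishes a request, plus
    ordinary clients for contrast."""
    snap = []
    # Slowloris-style client: many old, nearly idle, unfinished connections.
    for port in range(40000, 40040):
        snap.append(Conn("198.51.100.7", port, "ESTABLISHED", 120 + port % 7, 180, False))
    # Busy but legitimate client: many connections, all carrying real requests.
    for port in range(50000, 50012):
        snap.append(Conn("203.0.113.21", port, "ESTABLISHED", 3, 2400, True))
    # One slow client on a single connection: not a pattern on its own.
    snap.append(Conn("192.0.2.44", 61000, "ESTABLISHED", 95, 140, False))
    # Handshake-stage entries: SYN cookies address these, not the ones above.
    for port in range(30000, 30005):
        snap.append(Conn("192.0.2.99", port, "SYN_RECV", 1, 0, False))
    return snap


def stalled(conn, min_age_s=30, max_bytes=512):
    """A stalled connection is fully established, has sent almost nothing, and
    has never completed a request. The handshake already succeeded, so nothing
    at the SYN stage can tell it apart from a real client."""
    return (conn.state == "ESTABLISHED"
            and not conn.request_done
            and conn.age_s >= min_age_s
            and conn.bytes_in <= max_bytes)


def find_hoarders(snapshot, min_stalled=10, **kw):
    """Return {src_ip: stalled_count} for sources holding many stalled
    connections at once. The per-source count is what separates a hoarder
    from a single slow client."""
    counts = defaultdict(int)
    for c in snapshot:
        if stalled(c, **kw):
            counts[c.src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_stalled}


def over_cap(snapshot, per_source_cap=20):
    """Sources whose established-connection count exceeds the cap a per-source
    connection limit (a connlimit-style rule) would enforce."""
    total = defaultdict(int)
    for c in snapshot:
        if c.state == "ESTABLISHED":
            total[c.src_ip] += 1
    return sorted(ip for ip, n in total.items() if n > per_source_cap)


if __name__ == "__main__":
    snap = build_snapshot()
    print("hoarders:", find_hoarders(snap))
    print("over per-source cap:", over_cap(snap))
```

The single slow client on one connection is deliberately left alone: the signal is the count of stalled connections per source, not the slowness of any one of them, and a per-source connection cap is the cheapest mitigation that does not also kill that client.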

  6. Ok, so I went and read the article. Let me tone down what I said by a notch or two. It’s not new. It’s not a crisis. And, yes, Lanstein is undoubtedly pushing a product. ARIN is doing their part to stop it. Shame on Cory for his choice of snippets.

    There is an army of geeks in organizations like IETF and policy makers in ICANN that are actively pushing for protocols and mechanisms to combat just this sort of thing.

    DNSSEC is the next big stick in the fight. No one wants to implement it though.

  7. “These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16.”

    To somewhat-second NickTheDick… This isn’t how the blacklists work. Spam blacklisting “authorities” will identify a tainted subnet, and contact the provider of that subnet. If they’re unresponsive, THEY’RE tainted, and the provider is now “justified” in blocking THEIR entire IP range.

    If you want to talk about the thugs of the Internet, it’s not the phishers and botnet ops. It’s the blacklist “authorities”. These guys set themselves up on their own dime, make snap decisions about IPs and companies and individuals that they’ve never met or researched, and then are utterly unresponsive to undoing their blacklisting.

    I can’t tell you how many times I’ve had to go to bat for a client who got assigned an IP address formerly owned by a blacklisted entity, but I CAN tell you how many times the blacklisters have been willing to have a conversation about it and actually undo their black-holing: zero. All for what, so my Gmail account only gets 200 spams a day instead of 300?
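
An added example, not code from the thread: comment 5 says a /8 can be blacklisted with one ACL line, and comment 7 describes the listing escalating from the tainted subnet to the provider's whole range, with a later tenant inheriting a listed address. The script below implements longest-prefix-match evaluation of such a listing against a constructed MTA log and measures the collateral, meaning denied senders outside the prefix the evidence actually implicated. The rules, the carve-out, the log lines and the hostnames are all constructed.

```python
"""Longest-prefix-match blocklisting and the collateral it causes.

Added example, not from the original thread. The rules and log lines are
constructed; the permit rule is a hypothetical carve-out after a delisting request.
"""
import ipaddress
import re
from collections import Counter

# Constructed listing. The /24 is the subnet the spam came from; the /16 is
# the escalation to the whole provider once it stops answering; the permit is
# a hypothetical carve-out for a customer block that was re-assigned later.
ACL = [
    ("deny", "198.51.100.0/24"),
    ("deny", "198.51.0.0/16"),
    ("permit", "198.51.77.0/24"),
]

# Constructed MTA log excerpt, one inbound connection per line.
LOG = """\
2009-10-06T02:11:03 connect from [198.51.100.9] helo=mx.bulk-sender.test rcpt=250
2009-10-06T02:11:09 connect from [198.51.100.200] helo=mx2.bulk-sender.test rcpt=250
2009-10-06T02:12:41 connect from [198.51.23.5] helo=mail.smallshop.test rcpt=1
2009-10-06T02:13:02 connect from [198.51.77.10] helo=mail.newtenant.test rcpt=2
2009-10-06T02:14:55 connect from [203.0.113.5] helo=smtp.partner.test rcpt=3
2009-10-06T02:15:30 connect from [192.0.2.17] helo=mail.friend.test rcpt=1
"""
LINE = re.compile(r"connect from \[(?P<ip>[0-9.]+)\] helo=(?P<helo>\S+) rcpt=(?P<rcpt>\d+)")


def compile_acl(acl):
    """Most-specific rule first, so the first hit is the longest matching prefix."""
    rules = [(action, ipaddress.ip_network(prefix)) for action, prefix in acl]
    return sorted(rules, key=lambda r: r[1].prefixlen, reverse=True)


def lookup(rules, ip, default="permit"):
    """First matching rule wins; unlisted space gets the default action."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr in net:
            return action
    return default


def parse_log(text):
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m["ip"], m["helo"], int(m["rcpt"])


def evaluate(rules, text, implicated):
    """Apply the ACL to every connection in the log.

    Returns (verdict per source ip, collateral). Collateral is every denied
    source outside `implicated`, the prefix the evidence actually pointed at.
    """
    implicated = ipaddress.ip_network(implicated)
    verdicts, collateral = {}, []
    for ip, _helo, _rcpt in parse_log(text):
        verdicts[ip] = lookup(rules, ip)
        if verdicts[ip] == "deny" and ipaddress.ip_address(ip) not in implicated:
            collateral.append(ip)
    return verdicts, collateral


if __name__ == "__main__":
    for label, acl in (("escalated listing", ACL), ("evidence only", ACL[:1])):
        verdicts, collateral = evaluate(compile_acl(acl), LOG, "198.51.100.0/24")
        print(label, dict(Counter(verdicts.values())), "collateral:", collateral)
```

Two things the output makes concrete: the one-line /16 is exactly as cheap as comment 5 says, and it silently takes the unrelated small shop at 198.51.23.5 with it; the new tenant at 198.51.77.10 only gets mail through because someone negotiated the more-specific permit, which is the conversation comment 7 reports never happening.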

  8. Lot of false information in these comments. Less in the actual article.

    Works like this, paisans, there’s some functions that require dedicated namespace and some that require IP address space. Criminals (archetypally, American kingpins from Boca Raton and California working through Asia to clear profits and through Eastern Europe for technical infrastructure and contract murder) use the domain tasting system or compromised registrars to cycle rapidly through host and domain names and stolen credit card numbers to run slightly more slowly through IP space. Whatever they use gets blacklisted rather quickly, in 2 to 72 hours, but they only need one hit to pay for half a million tries, regardless of which of a half-dozen or more scams they are running. Used to be they used hacked servers or pink contracts through the majors, but Vixie and crackpot vigilantes like him killed off the pink contracts through Verizon and pals, and servers are using more secure OSes these days. Dedicated server rooms in the Ukraine are the new thing, I hear.

    [Gives Jumba his View Master]
    Pleakley: Here, educate yourself!
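
An added example, not from the thread or any commenter, for the rapid cycling through hostnames and IP space that comment 8 describes (listed within 2 to 72 hours, so the name must move faster than that): the script below summarizes constructed passive-DNS style observations per name and flags the fast-flux pattern, many addresses across many /24s behind a short TTL. The records, the hostnames and the thresholds are all my own assumptions; in practice the usual tiebreaker against CDNs and round-robin pools is ASN diversity, which needs offline routing data this example does not carry.

```python
"""Flagging hostnames that cycle through IP space faster than a blocklist can follow.

Added example, not from the original thread. The answer log is constructed and
the thresholds are working values of my own, not a published standard.
"""
import ipaddress
from collections import defaultdict


def build_records():
    """Constructed passive-DNS style observations: (epoch_s, qname, answer_ip, ttl)."""
    base = 1_254_800_000
    recs = []
    # Hostname that moves to a fresh address in a fresh /24 every 15 minutes.
    for i in range(24):
        recs.append((base + i * 900, "update.bad.example", f"203.0.{i}.{20 + i}", 60))
    # Ordinary static host: one address, long TTL.
    for i in range(6):
        recs.append((base + i * 3600, "www.example.org", "192.0.2.10", 86400))
    # Small round-robin pool with a moderate TTL: four addresses in two /24s.
    pool = ["198.51.100.5", "198.51.100.6", "198.51.101.5", "198.51.101.6"]
    for i in range(12):
        recs.append((base + i * 1800, "cdn.example.net", pool[i % 4], 300))
    # Large pool spread across /24s but with a long TTL: nothing about it is fast.
    for i in range(8):
        recs.append((base + i * 3600, "pool.example.com", f"203.0.{100 + i}.9", 3600))
    return recs


def summarize(records):
    """Per-name view: distinct addresses, distinct /24s, smallest TTL, time span."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    out = {}
    for name, obs in by_name.items():
        ips = {ip for _, ip, _ in obs}
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        times = [ts for ts, _, _ in obs]
        out[name] = {
            "ips": len(ips),
            "nets": len(nets),
            "min_ttl": min(ttl for _, _, ttl in obs),
            "span_h": (max(times) - min(times)) / 3600,
        }
    return out


def is_flux(stats, min_ips=5, min_nets=3, max_ttl=300):
    """All three signals at once: many addresses, spread across prefixes, short
    TTL. Any one alone is normal (CDNs, round-robin pools, cautious admins)."""
    return (stats["ips"] >= min_ips
            and stats["nets"] >= min_nets
            and stats["min_ttl"] <= max_ttl)


def fast_flux_names(records, **thresholds):
    """Sorted list of names whose observations match the flux pattern."""
    return sorted(n for n, s in summarize(records).items() if is_flux(s, **thresholds))


def churn_per_hour(stats):
    """Distinct addresses per hour of observation: the rate a blocklist must match."""
    return stats["ips"] / stats["span_h"] if stats["span_h"] else float(stats["ips"])


if __name__ == "__main__":
    recs = build_records()
    for name, s in summarize(recs).items():
        print(f"{name:22} ips={s['ips']:2} nets={s['nets']:2} ttl={s['min_ttl']:6} "
              f"churn={churn_per_hour(s):.2f}/h flux={is_flux(s)}")
```

Loosening the TTL threshold to an hour pulls the large long-TTL pool into the flagged set, which is the trade-off in one line: the same churn that defeats a 2-to-72-hour blocklist is what a big legitimate pool looks like from the outside, and the TTL is the only thing in these records that separates them.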

  9. “These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16.”

    Well of course – you can’t get a /24 without first filling out a 27b/6.

  10. Merreborn@#12 – I’ve seen references to US prices like that from the usual race-to-the-bottom-feeder Tier 1; I don’t know what access costs are involved (e.g. that’s probably for a raw connection at Equinix, and it costs more if you want it delivered to you downtown or out in the boonies.) But even if it’s not available to you right now, trends are heading in that direction. I still remember when we could sell people T1s for $1500, and T3s, and…

  11. After reading the comments here I can safely say that I’m well out of my depth. There is nothing here that I flatly don’t understand, but my grasp on these concepts is tenuous.

    Can anyone suggest good reading material on the subject? I am in no way interested in operating DDOS attacks, but am quite interested in how they are typically employed and what kinds of options exist for the victims of such attacks to defend themselves. Short of having crazily large bandwidth, is there any way to guarantee against successful attack? Is there any way a government could permanently set up DDOS attacks against certain sites, rendering them useless?


    1. Jose Nazario has a very good book titled Defense and Detection Strategies Against Internet Worms. He covers a good amount of what is out there. It’s pretty broad strokes but it’ll give you a better idea of how Botnets and Worms work.

      The site has a lot of good information as well. Covers theory and also news of attacks and what’s new. Not nearly as terse as trying to figure out the impact of a new exploit from disclosers.

      It may seem odd, but look at the BGP protocol as well. BGP has nothing to do with Botnets or malware. However it is designed to propagate information, in this case routing information, through the internet in a very non-centralized manor. The design of the protocol allows a lot of context information to be encoded into the message itself.

      Also the TCP/IP Illustrated series of books by W. Richard Stevens should be on your shelf. To be on a soap box a bit, a lot of people who are web savvy aren’t nearly as knowledgeable about the mechanics of how Internet actually works as they think. This causes a lot of verbiage that is just wrong but sounds right on an anecdotal or ‘cool’ level.

      Good luck in your research! There is a lot out there but it’s a very good way to learn about what I think is the very interesting place where computers and networks meet.

  12. Here’s what they could do:

    Just work WITH the users as a trade-off.

    First, devise a “Sharing” program that goes above and beyond BitTorrent and TOR but also works with them. Tons of laid off / never yet hired MIT and that calibre guys, including I bet lots from the major computer companies. Make it so it uses the computer’s idle time, such as at night fully, and minimally when used so it doesn’t disrupt YouTube vids and Flash games.

    Work with some of the “Pirate Bay” heads to give this “Street Cred”.

    What it will do:
    1. Trade data back and forth with a fractal changing pattern so it’s impossible to track.
    2. Use wasted CPU cycles for computing projects.
    3. Enable totally anonymous communication, at least text/image/data transfer, possibly audio/video down the road.
    4. Protect the computer from viruses, malware, spyware including “Legal” ones like “Magic Lantern”.
    5. Be ‘voluntary’ but ‘conditional’. You don’t have to have it on, you don’t have to keep it on your system, but you do have to have it on and running to use their system.
    6. It has a “TrueCrypt” but enhanced backup system where you can store ANY amount of data with ANY number of passwords so even if the Fuzz grab you and shake you, you can ‘break’ and give them dummy stuff. Like a fantasy plot to embarrass a public official that while a crime is more misdemeanor level, archives of ADULT women pornography “Stolen” by not paying fees of a major ‘legit’ pornographer, business info if you have a business, etc…
    ——Though, obviously “I don’t talk to the police. I want a lawyer. I want a lawyer….” is the best way to go. Nobody EVER talks themselves out of being arrested, but lots of people including innocent ones have talked to the police and then become the prime suspect and what they said or how the police decided to conveniently interpret their words hung them when evidence would not have otherwise.
    ——And, everyone working with it has multiple layers of “Codes” so they can, even with a gun to their heads give the “Pigs” what they want, but sucker them horribly.
    7. Lots of “Legit” businesses it could support, a “Webmasters, make money from your site” to disguise the “Endport” among dozens, millions of websites then these people get the occasional check.

    I’d call it “Visit BlackBeard’s Mansion” or “Kiss the Don’s Ring”…

    Now it would earn money by:

    1. Hackers could use it to “CodeBreak” for it’d create a petaflop level computer.
    2. Scientists, universities could use it for data analysis.
    3. 3D enthusiasts could use it for rendering giant images and animations.
    4. Websites selling services they wish kept out of authorities eyes could exist entirely within the “DarkNet” and get money in ways untraceable.
    5. Likewise, providers of goods and services that might be “Hindered” by the authorities could also sell their wares.
    6. For speed boosts, direct tips to ‘better’ parts of the DarkNet, other options, users themselves might ‘contribute’ more:-)
    7. Legal education and insurance. Whole careers could be made. Educate (free basic 101, cheap extra classes) on how NOT to talk to the police, how to disguise things, legal insurance to get a pit bull lawyer to help, mental training (biofeedback goes mainstream!) so you are ‘building a house’ if the pigs keep you incommunicado for days and the only thing coming out of your lips is: “I want a lawyer.”

    So, it’d help the “Underground” by giving the general public free, or cheap, and very safe access to these markets. At the same time, it’d make the net LESS dangerous for users, for if it got full of viruses and stuff, people wouldn’t use it that much. Likewise for privacy, LimeWire is dying because the Feds are able to track it too easily. It would help privacy and freedom and weaken governments by turning the people to support the “Robin Hood” criminals and vote against laws, use “Jury Nullification” to help a “Friend” for a REAL good reward, etc.

    Just an idea:-)

  13. it is designed to propagate information, in this case routing information, through the internet in a very non-centralized manor

    Stately Wayne Manor?
