
Notorious ‘Hijack Factory’ Shunned from Web - dsr12
https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/
======
oliwarner
The conversations that strike up off the back of things like this (why does it
take 4 years to disconnect them‽) really make me wonder what the internet will
look like in a couple of decades.

There clearly is appetite at most levels of government for a restricted
internet. Obvious crime, paedophilia, terrorism, etc but increasingly, you're
seeing direct-to-consumer sites like Alibaba and Wish flogging knock-off crap
over borders without paying taxes, without consumer safety checks and often
without having license to make and sell that stuff in the first place.

It's not going to be long before somebody legislates that you're only allowed
to peer a network if you agree to cut anybody off who enables that, including
other peers who ignore abuse across their network. It'll effectively limit
what "the internet" is allowed to contain. Essentially embargoing bad actors
and those that enable them, and all in a very pro-active way.

It will —and should— put the fear of iJesus into consumer ISPs. They could
_easily_ cut off customers with computers operating within botnets, alerting
them to infections, etc. At the peril of having your peerings cut off, you'd
expect them to be a lot more pro-active too.

I honestly don't know how I'd feel about this. It _seems_ safer but if life has
taught me anything, that usually just means it's not, and somebody's just
quietly getting rich in the corner.

~~~
dcbadacd
The first question is who decides what's illegal? Being gay is illegal in
certain countries...

Making ISPs more proactive is only doable with either heavy restrictions on
what communication is allowed or heuristics (that fail). That sounds like anyone
out of the ordinary (so a majority of this site's users) will get flagged as
suspicious. The fun thing is that I've seen both methods already applied and
either me or someone I know has been encumbered by them.

There's not a single piece of me that feels that this would somehow end up
positive in total.

~~~
oliwarner
On the point of ISP pro-activeness, I really just mean that —without a warrant
or other court order (or national security edict)— they currently do somewhere
between zilch and nothing with abuse emails.

And everybody on the Internet knows this. When somebody brutes your login page
or SSH server, what do you do? Nothing. It _should_ be trivial to report IPs
and timestamps back to ISPs. Many ISPs are already required to log connections
at some level (destination and port) so this stands to verify the abuse
report. Get a number of these shot through for a single customer (IPs are
unimportant at this point), and it's time for a nasty conversation.

The machinery to make this work already exists. It's the ISP that's the
problem. Threaten non-compliance of continued abuse (or a lack of reduction in
botnet activity, whatever) with disconnection to the parent peer, so the ISP
takes it seriously, and we'll see reporting rates rocket.

Monitored at local level (FCC, Ofcom, etc), per existing ISP complaints.

But yeah, no ISP is going to do this without serious threat of action.
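
The "IPs and timestamps" part of that comment is the easy half. As an added illustration (not from the article or any commenter), this Python snippet aggregates failed SSH logins from constructed auth.log lines in the standard OpenSSH syslog format into per-source counts with first/last timestamps, the minimum a network admin would attach to an abuse report; the threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (documentation-range IPs, not real traffic).
SAMPLE_AUTH_LOG = """\
Jul 10 03:14:01 mail sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jul 10 03:14:03 mail sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jul 10 03:14:06 mail sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jul 10 03:14:09 mail sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Jul 10 03:14:12 mail sshd[2217]: Failed password for invalid user test from 203.0.113.45 port 51055 ssh2
Jul 10 03:15:40 mail sshd[2220]: Failed password for alice from 198.51.100.7 port 40212 ssh2
Jul 10 03:15:52 mail sshd[2220]: Accepted password for alice from 198.51.100.7 port 40212 ssh2
Jul 10 03:20:00 mail sshd[2230]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# Matches the OpenSSH "Failed password" line; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def summarize_failures(log_text):
    """Aggregate failed SSH logins per source IP: count, first/last timestamp, usernames tried."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not evidence of abuse
        s = stats[m["ip"]]
        s["count"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        s["users"].add(m["user"])
    return stats

def abuse_candidates(log_text, threshold=5):
    """Keep only sources at or above the threshold (assumed value), shaped for an abuse report."""
    return {
        ip: {"attempts": s["count"], "first_seen": s["first"], "last_seen": s["last"],
             "usernames": sorted(s["users"])}
        for ip, s in summarize_failures(log_text).items() if s["count"] >= threshold
    }

if __name__ == "__main__":
    for ip, r in abuse_candidates(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {r['attempts']} failed logins, {r['first_seen']} to {r['last_seen']}, "
              f"usernames tried: {', '.join(r['usernames'])}")
```

A single failed attempt from a legitimate user (198.51.100.7 above) never reaches the report; only the source that cycled through several accounts does.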

~~~
ThrustVectoring
I'm not sure this is a great idea - the "bad guys" have access to writing
nastygrams to your ISP, too. You have to be careful creating the mechanisms
for this, otherwise you could have a situation like YouTube has: it's
trivially easy to report a video for containing your copyrighted content and
then receive the ad income from it, so a lot of videos will get frivolous
claims attached to them.

~~~
oliwarner
Large ISPs in many countries are already required to log connection metadata.
This could trivially be used to verify botnet activity, even identify CnC
nodes.

I'm sure there is still scope for abuse, but letting ISPs ignore abuse reports
isn't working out well for the rest of the internet either.

But yes, maybe attaching some real personal perjury liability —unlike the
watered down DMCA abuse liability— might be a good idea. Good network admins
know what abuse looks like and have logs to corroborate.

~~~
ThrustVectoring
YouTube's system doesn't even require a DMCA complaint AFAICT, it just
requires you to tell YouTube that you own the copyright.

------
okket
See also previous discussion about this topic from yesterday

[https://news.ycombinator.com/item?id=17501201](https://news.ycombinator.com/item?id=17501201)
(56 comments)

------
JulianMorrison
I really don't know why this isn't more common.

Bad actors can often be identified. Their upstream should just disconnect
them. Or _their_ upstream should. Draw a boundary around them and their
intransigent collaborators, and cut them out of the network like a cancer.

~~~
ajnin
Isn't this because of the various safe harbor provisions? If you start
policing content then you cease to be a mere pipe and you gain much higher
legal responsibility for whatever content passes through your systems.

In general I think it is a very bad idea to give this kind of policing power
in the hands of private companies. They tend to be very conservative to avoid
legal liability and they can also take arbitrary decisions. When Cloudfront
decided to cut off the Daily Stormer they crossed a line and many people were
justifiably upset. It's the job of the legal system.

~~~
Kadin
If someone reports to you that a bad actor (spammer, bruteforcer, whatever) is
on your network, it would seem to eliminate your plausible deniability and
safe harbor defense.

The real problem is economic; for any given ISP, they are going to side with
their customers over some rando complainer most of the time. You don't get
rich by disconnecting your own customers unless you absolutely have to.

Sometimes, this is good, if you're the one who might get disconnected (Cox was
a great ISP to have, because for many years they would blithely ignore
Bittorrent complaints and give you a dozen or so 'strikes' without
consequence); it's awful and obnoxious if you are on the receiving end of an
attack, and some shitlord low-budget VPS reseller or datacenter operator won't
unplug the control server or whatever, or drags their feet to a ridiculous
extent.

All about whose ox is getting gored.

~~~
SlowRobotAhead
>If someone reports to you that a bad actor (spammer, bruteforcer, whatever)
is on your network, it would seem to eliminate your plausible deniability and
safe harbor defense.

Sure, that seems like it could never be abused at all.

------
api
Pet peeve: shunned from _Internet_ , not web.

------
wjnc
An underlying question I have: Is it useful to trust IP-addresses on their
range / owner / (distant) past behavior?

~~~
jacquesm
IPV6 offers to all practical intents and purposes a near infinite range, so
that tactic won't work there (you will simply exhaust your storage at some
point).

IPV4 addresses in 'known bad' ranges can be totally benign, I know this
because I've been the owner/steward of a whole pile of such addresses over the
years. Typically the hosting providers where our stuff was colocated would be
the likes of Leaseweb and Dynamic Pipe which had a lot of porn customers and
spammers as customers.

It would not be rare at all to be blocked either on entire class C's or ports
from those blocks of addresses in spite of never having had interaction with
certain parties before.

Kudos to the people at Spamhaus who _never_ blocked us and went out of their
way to ensure they only hit the boxes of the spammers with surgical precision.

Finally, 'distant past behavior' is what caused me to have to jump through all
kinds of hoops to reclaim the IP address of my present day mail server.

There is no set protocol to register a change of tenancy for an IP address and
I'm pretty sure if such a protocol did exist that spammers would abuse it but
it is super annoying to have to go begging cap in hand to the likes of Google,
Apple and Microsoft for clemency when you've done nothing wrong (and to be
ignored...).

~~~
dvfjsdhgfv
> it is super annoying to have to go begging cap in hand to the likes of
> Google, Apple and Microsoft for clemency when you've done nothing wrong (and
> to be ignored...).

This is really upsetting. The imbalance of power is especially pronounced here
as they don't really care whether you deliver your mail or not - you do. You're
totally at their mercy. That's why lots of people nowadays say "it's too much
hurdle to maintain my own e-mail server, I'll just use some service" - and in
this way they give even more power to Google and the rest.

We'll wake up one day and realize e-mail is no longer as free as it used to
be, but it will be too late.

~~~
gingerlime
Totally agree. I'm not entirely sure the various spam RBLs have a much better
process though, and some blacklisting seems arbitrary. Wouldn't each RBL have
their own obscure process as well?

I'm dreading the day that I have to switch my personal mail server's IP
address.

(important disclaimer: it's been a while since I had to deal with
un-blacklisting, so maybe things have changed since?)

~~~
pbhjpbhj
It's not enough not to be on blacklists, Google Mail and MS Outlook online use
complex, cryptic, algos to determine whether to receive mails and whitelisting
someone is very far down the filter for MS (don't know about Gmail) so
receiving mail you've told Outlook you want, from non-RBLed servers on
long-term domains is blocked ... but you can pay to ensure the mail gets through.

We're talking single emails, in reply, from whitelisted addresses, being
blocked because they come from (paraphrasing) "a server associated with a
server whose IP address was previously a spam source".

That's a shared hosting experience. Mind you we were trying to send a flood of
perhaps 10 emails a month to ourselves, so you can understand why they'd
ignore our whitelisting. /s

