Notorious ‘Hijack Factory’ Shunned from Web (krebsonsecurity.com)
111 points by dsr12 8 days ago | 38 comments

The conversations that strike up off the back of things like this (why does it take 4 years to disconnect them‽) really make me wonder what the internet will look like in a couple of decades.

There clearly is appetite at most levels of government for a restricted internet. Obvious crime, paedophilia, terrorism, etc but increasingly, you're seeing direct-to-consumer sites like Alibaba and Wish flogging knock-off crap over borders without paying taxes, without consumer safety checks and often without having license to make and sell that stuff in the first place.

It's not going to be long before somebody legislates that you're only allowed to peer a network if you agree to cut anybody off who enables that, including other peers who ignore abuse across their network. It'll effectively limit what "the internet" is allowed to contain. Essentially embargoing bad actors and those that enable them, and all in a very pro-active way.

It will —and should— put the fear of iJesus into consumer ISPs. They could easily cut off customers with computers operating within botnets, alerting them to infections, etc. At the peril of having your peerings cut off, you'd expect them to be a lot more pro-active too.

I honestly don't know how I'd feel about this. It seems safer but if life has taught me anything, that usually just means it's not, and somebody's just quietly getting rich in the corner.

The first question is who decides what's illegal? Being gay is illegal in certain countries...

Making ISPs more proactive is only doable with either heavy restrictions on what communication is allowed or heuristics (that fail). That sounds like anyone out of the ordinary (so a majority of this site's users) will get flagged as suspicious. The fun thing is that I've seen both methods already applied and either me or someone I know has been encumbered by them.

There's not a single piece of me that feels that this would somehow end up positive in total.

On the point of ISP pro-activeness, I really just mean that —without a warrant or other court order (or national security edict)— they currently do somewhere between zilch and nothing with abuse emails.

And everybody on the Internet knows this. When somebody brutes your login page or SSH server, what do you do? Nothing. It should be trivial to report IPs and timestamps back to ISPs. Many ISPs are already required to log connections at some level (destination and port) so this stands to verify the abuse report. Get a number of these shoot through for a single customer (IPs are unimportant at this point), and it's time for a nasty conversation.

The machinery to make this work already exists. It's the ISP that's the problem. Threaten non-compliance of continued abuse (or a lack of reduction in botnet activity, whatever) with disconnection to the parent peer, so the ISP takes it seriously, and we'll see reporting rates rocket.

Monitored at local level (FCC, Ofcom, etc), per existing ISP complaints.

But yeah, no ISP is going to do this without serious threat of action.

I'm not sure this is a great idea - the "bad guys" have access to writing nastygrams to your ISP, too. You have to be careful creating the mechanisms for this, otherwise you could have a situation like YouTube has: it's trivially easy to report a video for containing your copyrighted content and then receive the ad income from it, so a lot of videos will get frivolous claims attached to them.

Large ISPs in many countries are already required to log connection metadata. This could trivially be used to verify botnet activity, even identify CnC nodes.

I'm sure there is still scope for abuse, but letting ISPs ignore abuse reports isn't working out well for the rest of the internet either.

But yes, maybe attaching some real personal perjury liability —unlike the watered down DMCA abuse liability— might be a good idea. Good network admins know what abuse looks like and have logs to corroborate.

YouTube's system doesn't even require a DMCA complaint AFAICT, it just requires you to tell YouTube that you own the copyright.

BGP hijacking is pretty obviously bad-actor from the perspective of companies trying to give internet access.

I do see your argument for a slippery slope, but in this case the example given is clearly in the core competency of the company. There's no morals needed; this is how the internet is supposed to work, and you've bypassed that. Kick him out.

We don't think about slippery slopes when a renter starts burning the house down; it's clearly within the homeowner's rights to start evicting.

Yes, there are definitely two points to address. I wasn't really touching the "why did it take 4 years?" because so many others have, I was teetering on the edge of the logical next step of enforcing network rules globally.

I think it would have to be a single multi-signatory convention. And part of that stipulates that you can only peer against networks in signatory nations.

The process of deciding that sort of law would be awful but if everybody focussed on serious and network focussed crime and not protecting Mickey Mouse et al, something good could come from it.

But you are probably right. The US —esp with current leadership— could very easily force protectionist terms on others. Nobody would want to be separated from the US. Switzerland would have no leverage. African countries would have no leverage. The EU and China might have a chance, but the latter especially stands to lose a lot more than it could gain. China still needs access to a global market.

It definitely has potential to be deeply insidious. But with the value of the network, I'm just surprised people aren't suggesting more things like this.

To be clear, I'm not advocating this. I just see it as an inevitability.

It's really hard to reason around the 'think of the children' dilemma in these situations. Risk allows for creativity and many other valuable benefits in life, but with risk comes accepting the unacceptable. I think inside this lies the human condition.

See also previous discussion about this topic from yesterday

https://news.ycombinator.com/item?id=17501201 (56 comments)

I really don't know why this isn't more common.

Bad actors can often be identified. Their upstream should just disconnect them. Or their upstream should. Draw a boundary around them and their intransigent collaborators, and cut them out of the network like a cancer.

Isn't this because of the various safe harbor provisions? If you start policing content then you cease to be a mere pipe and you gain much higher legal responsibility for whatever content passes through your systems.

In general I think it is a very bad idea to give this kind of policing power in the hands of private companies. They tend to be very conservative to avoid legal liability and they can also take arbitrary decisions. When Cloudfront decided to cut off the Daily Stormer they crossed a line and many people were justifiably upset. It's the job of the legal system.

announcing bgp routes that someone else owns is completely cut and dried wrongdoing, there are no shades of gray there. it's like stealing postal mail from someone else's mailbox.

If someone reports to you that a bad actor (spammer, bruteforcer, whatever) is on your network, it would seem to eliminate your plausible deniability and safe harbor defense.

The real problem is economic; for any given ISP, they are going to side with their customers over some rando complainer most of the time. You don't get rich by disconnecting your own customers unless you absolutely have to.

Sometimes, this is good, if you're the one who might get disconnected (Cox was a great ISP to have, because for many years they would blithely ignore Bittorrent complaints and give you a dozen or so 'strikes' without consequence); it's awful and obnoxious if you are on the receiving end of an attack, and some shitlord low-budget VPS reseller or datacenter operator won't unplug the control server or whatever, or drags their feet to a ridiculous extent.

All about whose ox is getting gored.

>If someone reports to you that a bad actor (spammer, bruteforcer, whatever) is on your network, it would seem to eliminate your plausible deniability and safe harbor defense.

Sure, that seems like it could never be abused at all.

Policing content isn't the same thing as stopping active damage to the internet. Even in the US where free speech is king, you can't go around slashing tires or taking down stop signs and say it's protected by the 1st amendment or something.

Maybe they are afraid that once you start doing this, it may never end. Once you cut somebody out from your network, then you can no longer argue that you are just the dumb pipe and don't judge your customers. This can lead to demands for cutting access to sites hosting controversial content etc. All this may generate tons of extra work and no matter what you do, you certainly are not going to please everybody.

Yeah but if someone comes along, cuts open your dumb pipe and redirects the flow somewhere else you obviously have a right to go after them.

As others have stated this isn't about blocking content, this is about cutting off an entity that was actively damaging infrastructure.

Every party involved there has to be careful and do their due diligence though; you can't just cut it off because there might be an actual legitimate business or a critical service in there.

You could also get corporate censorship of the Internet, simply because a hosting provider may allow a lot of content that is offensive, but not illegal. I wrote about this last year using The Daily Stormer as an example:


Ah, you beat me to it.

The article seems to make no mention at all of the possibility of collateral damage.

Were any honest actors harmed by this 'shunning'? Seems unlikely that this 'Bitcanal' web-hosting company was used exclusively by malicious parties.

Also, if this 'shunning' idea were to really catch on, couldn't it end up colliding with net-neutrality laws?

Pet peeve: shunned from Internet, not web.

An underlying question I have: Is it useful to trust IP-addresses on their range / owner / (distant) past behavior?

IPv6 offers to all practical intents and purposes a near infinite range so there that tactic won't work (you will simply exhaust your storage at some point).

IPv4 addresses in 'known bad' ranges can be totally benign, I know this because I've been the owner/steward of a whole pile of such addresses over the years. Typically the hosting providers where our stuff was colocated would be the likes of Leaseweb and Dynamic Pipe which had a lot of porn customers and spammers as customers.

It would not be rare at all to be blocked either on entire class C's or ports from those blocks of addresses in spite of never having had interaction with certain parties before.

Kudos to the people at Spamhaus who never blocked us and went out of their way to ensure they only hit the boxes of the spammers with surgical precision.

Finally, 'distant past behavior' is what caused me to have to jump through all kinds of hoops to reclaim the IP address of my present day mail server.

There is no set protocol to register a change of tenancy for an IP address and I'm pretty sure if such a protocol did exist that spammers would abuse it but it is super annoying to have to go begging cap in hand to the likes of Google, Apple and Microsoft for clemency when you've done nothing wrong (and to be ignored...).

> There is no set protocol to register a change of tenancy for an IP address

Yes there is. It's called the SWIP [0] process and if you buy an IP block, you are required to submit SWIP forms to register the reallocation with ARIN or RIPE. [1]

Of course, this only applies when the ownership of the range is changing. If you're using a hosting provider who owns the block, and another customer on the block was a spammer, then you're right -- there is no way to transfer. But you also don't really own the IP range in that case.

[0] https://en.wikipedia.org/wiki/Shared_Whois_Project

[1] https://www.arin.net/resources/request/reassignments.html

I was very careful not to use the word 'owner'.

Yes, so you’re technically correct. :) What’s interesting is that there actually is a distinction between the “org” and the “customer” in the SWIP process, but IME the “customer” reallocation is rarely used, and certainly not for cases of a single IP. So yeah, if you’re renting a VPS or a dedicated server with anything less than a /24, you have basically no control over your IP reputation.

That said, providers generally do keep records of which IP is associated with which customer at which time. That information is just not publicly available in real time.

> it is super annoying to have to go begging cap in hand to the likes of Google, Apple and Microsoft for clemency when you've done nothing wrong (and to be ignored...).

This is really upsetting. The imbalance of power is especially pronounced here as they don't really care whether you deliver your mail or not - you do. You're totally at their mercy. That's why lots of people nowadays say "it's too much hurdle to maintain my own e-mail server, I'll just use some service" - and in this way they give even more power to Google and the rest.

We'll wake up one day and realize e-mail is no longer as free as it used to be, but it will be too late.

Totally agree. I'm not entirely sure the various spam RBLs have a much better process though, and some blacklisting seems arbitrary. Wouldn't each RBL have their own obscure process as well?

I'm dreading the day that I have to switch my personal mail server's IP address.

(important disclaimer: it's been a while since I had to deal with un-blacklisting, so maybe things have changed since?)

It's not enough not to be on blacklists, Google Mail and MS Outlook online use complex, cryptic, algos to determine whether to receive mails and whitelisting someone is very far down the filter for MS (don't know about Gmail) so receiving mail you've told Outlook you want, from non-RBLed servers on long-term domains is blocked ... but you can pay to ensure the mail gets through.

We're talking single emails, in reply, from whitelisted addresses, being blocked because they come from (paraphrasing) "a server associated with a server whose IP address was previously a spam source".

That's a shared hosting experience. Mind you we were trying to send a flood of perhaps 10 emails a month to ourselves, so you can understand why they'd ignore our whitelisting. /s

Not sure they've changed that much since. I have a mail server, and while it's not blacklisted by any of the bigger ones (MS, Google and so on), my whole /24 block(!) is on the blacklist of whoever is providing spam filtering to Slackware (signed up for their mailing lists while I was still using Google as a mail provider).

Because the provider says: "If you are on a network that is known for allowing email marketing to occur, you may be out of luck as well. If you aren't doing email marketing consider a different network."[0] I haven't yet gone through and actually contacted them especially since my IP is included in their "worst" category[1]. It's also the only place I've had a problem with so far, so not worth the hassle yet.

[0] http://www.mipspace.com/contact.php

[1] http://www.mipspace.com/ratings.php

SPEWS doesn't seem to have achieved much other than make a bunch of people really fucking angry.


If you don't, you have to track ownership information, which sounds like an administrative nightmare.

It depends on the use. You probably wanted a simple answer, but it isn't a simple question.

jacquesm is known to give pretty exhaustive answers ;) I knew it wasn't an easy question, but the article seemed to indicate that at least some parties do indiscriminate blocking which struck me as rather dumb. Hence the question.

Some parties (including myself at one point in the past) block with low cost.

Suppose you're a microservice that does caching, fast-track authentication or similar. If you block a user, that user will have to spend several or even many seconds on reauthentication and/or cache refreshing, but that's the whole cost. Is your proper threshold for blocking high or low?
