[192878] in North American Network Operators' Group
Re: Avalanche botnet takedown
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Thu Dec 1 15:43:26 2016
X-Original-To: nanog@nanog.org
From: Paul Ferguson <fergdawgster@mykolab.com>
In-Reply-To: <32485.1480624683@segfault.tristatelogic.com>
Date: Thu, 1 Dec 2016 12:43:16 -0800
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> P.S. WTF is "double fast flux[tm]"?
Double fast-flux is when not only the TTL is set very low on the A record(s), but also on the NS:
https://en.wikipedia.org/wiki/Fast_flux
- ferg
> On Dec 1, 2016, at 12:38 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
>
> In message <20161201173426.2861.qmail@ary.lan>,
> "John Levine" <johnl@iecc.com> wrote:
>
>> More info here:
>>
>> https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
>
> I'm always happy when even a small handful of miscreants are captured
> and taken off the Internet, but...
>
> The press release itself says that this botnet had been running since
> 2009. So, you know, are we supposed to break out the champagne and
> start celebrating because it "only" took LE *seven years* to take down
> this one botnet and capture a grand total of five cybercriminals?
>
> Like I say, I'm happy that this one botnet was killed, but to my way
> of thinking, the fact that it took seven years to do so is a testament
> *not* to the spectacular 21st century capabilities of modern law
> enforcement, but rather to the ever widening gap between the time
> scales of law enforcement processes, typically measured in months or
> years, and the time scales of malicious packets flying around the
> Internet, usually measured in milliseconds.
>
> The Internet, viewed as an organism, quite clearly has, at present,
> numerous autoimmune diseases. It is attacking itself. And its immune
> system, such as it is, clearly ain't working. There's going to come
> a day of reckoning when it will no longer be possible to paper over
> this sad and self-evident fact. (And no, I'm *not* talking about
> the fabled "Digital Pearl Harbor". I'm talking instead about the
> Internet equivalent of the meteor that wiped out the dinosaurs.)
>
>
> Regards,
> rfg
>
>
> P.S. WTF is "double fast flux[tm]"? Is that anything like "double secret
> probation" from Animal House?
>
> P.P.S. I love this part of the press release, because it is so telling:
>
> "The successful takedown of this server infrastructure was supported
> by ... Registrar of Last Resort, ICANN..."
>
> Hahahahaha! Yea. Translation, for those of you who do not speak
> diplomacy-speak: "It isn't hardly just you unofficial anti-spammers and
> anti-cybercrime volunteers and private security companies that can't
> manage to get many domain registrars and sometimes even domain registries
> to lift a finger to help. Even some of us international law enforcement
> guys, who have badges and everything, were also told to go pound sand by
> several of the world's worst and most unhelpful registrars and registries.
> In fact, they were soooooooo colossally unhelpful that in the end, we
> finally had to go and plead our case all the way up to ICANN, just in
> order to get anything done."
—
Paul Ferguson
ICEBRG.io
Seattle, Washington, USA
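The A-record versus NS-record distinction Paul draws above is straightforward to check against passive-DNS style data. What follows is an added example, not code from the thread or from any of the posters: a heuristic triage script that summarises the A and NS answers observed per zone and labels the zone as single flux (only the A set is low-TTL and churning), double flux (the NS set is too), or neither. The record format, the sample observations, and the thresholds (LOW_TTL_SECONDS, MIN_DISTINCT_A, MIN_DISTINCT_NS) are all assumptions chosen for illustration.

```python
"""Heuristic single/double fast-flux triage over passive-DNS style records.

Added example for the A-vs-NS TTL distinction discussed in the thread; not
code from the post. Record format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Assumed triage thresholds (not from the post): what counts as a "low" TTL,
# and how many distinct answers must be seen before a record set is "churning".
LOW_TTL_SECONDS = 300
MIN_DISTINCT_A = 5
MIN_DISTINCT_NS = 3

# Constructed sample observations: "<epoch> <qname> <rrtype> <ttl> <rdata>".
# flux.example rotates both its A answers and its NS set with low TTLs;
# cdn.example rotates A answers (as a CDN would) but keeps a stable NS set;
# static.example changes nothing.
SAMPLE_RECORDS = """
# epoch qname rrtype ttl rdata   (constructed sample, not real observations)
0    flux.example   A  180 198.51.100.10
0    flux.example   NS 120 ns1.flux.example
0    flux.example   NS 120 ns2.flux.example
300  flux.example   A  180 203.0.113.44
300  flux.example   NS 120 ns3.flux.example
300  flux.example   NS 120 ns4.flux.example
600  flux.example   A  180 192.0.2.77
600  flux.example   NS 120 ns5.flux.example
900  flux.example   A  180 198.51.100.200
1200 flux.example   A  180 203.0.113.9
0    cdn.example    A  60  192.0.2.1
0    cdn.example    NS 86400 ns-a.cdnprovider.example
0    cdn.example    NS 86400 ns-b.cdnprovider.example
60   cdn.example    A  60  192.0.2.2
120  cdn.example    A  60  192.0.2.3
180  cdn.example    A  60  192.0.2.4
240  cdn.example    A  60  192.0.2.5
0    static.example A  3600 198.51.100.1
0    static.example NS 86400 ns1.static.example
0    static.example NS 86400 ns2.static.example
""".strip().splitlines()


@dataclass
class DomainStats:
    """Per-zone summary: lowest TTL seen and the distinct answers, by rrtype."""
    min_ttl: Dict[str, int] = field(default_factory=dict)
    rdata: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))


def parse_line(line: str) -> Tuple[int, str, str, int, str]:
    """Parse one whitespace-separated record in the assumed five-field format."""
    ts, qname, rrtype, ttl, rdata = line.split()
    return int(ts), qname.lower().rstrip("."), rrtype.upper(), int(ttl), rdata.lower().rstrip(".")


def summarize(lines: Iterable[str]) -> Dict[str, DomainStats]:
    """Fold observations into per-zone stats, keeping only A and NS records."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, qname, rrtype, ttl, rdata = parse_line(line)
        if rrtype not in ("A", "NS"):
            continue
        s = stats[qname]
        s.min_ttl[rrtype] = min(ttl, s.min_ttl.get(rrtype, ttl))
        s.rdata[rrtype].add(rdata)
    return stats


def _is_fluxing(s: DomainStats, rrtype: str, min_distinct: int) -> bool:
    """A record set "fluxes" when its TTL is low AND it has churned through many answers."""
    low_ttl = s.min_ttl.get(rrtype, LOW_TTL_SECONDS + 1) <= LOW_TTL_SECONDS
    return low_ttl and len(s.rdata[rrtype]) >= min_distinct


def classify(s: DomainStats) -> str:
    """'double' if both the A and NS sets flux, 'single' if only the A set does, else 'none'."""
    a_flux = _is_fluxing(s, "A", MIN_DISTINCT_A)
    ns_flux = _is_fluxing(s, "NS", MIN_DISTINCT_NS)
    if a_flux and ns_flux:
        return "double"
    if a_flux:
        return "single"
    return "none"


def classify_all(lines: Iterable[str]) -> Dict[str, str]:
    """Map each zone seen in the input to its flux verdict."""
    return {qname: classify(s) for qname, s in summarize(lines).items()}


if __name__ == "__main__":
    for qname, verdict in sorted(classify_all(SAMPLE_RECORDS).items()):
        print(f"{qname:16} {verdict}")
```

The caveat worth keeping in mind is visible in the sample: a low-TTL A set that churns through many addresses also describes an ordinary CDN or load-balanced service, so the "single" verdict on its own is a weak signal. What separates double flux is that the NS set itself is low-TTL and rotating, which legitimate operators almost never do; a natural next check, not done here, is to resolve the observed NS hostnames and see whether their own A answers churn as well.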