[90804] in North American Network Operators' Group

Re: Interesting new spam technique - getting a lot more popular

daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu Jun 15 02:59:40 2006

Date: Thu, 15 Jun 2006 09:56:01 +0300
To: nanog@merit.edu
From: Hank Nussbacher <hank@efes.iucc.ac.il>
Errors-To: owner-nanog@merit.edu
>     * A spamware daemon is installed on the dedicated server, to keep
>the network interface in promiscuous mode
>
>     * The daemon determines which IP addresses on the local subnet are
>not in use. It also determines the addresses of the network routers.
>One or more unused IP addresses are commandeered for use by the
>spammer.
>
>     * The perp server sends unrequested ARP responses to only the
>gateway routers, so that the routers never have to ask for a layer-3
>to layer-2 association -- it's always in the ARP cache of the routers.
>Nobody else sees this traffic in an EtherSwitch fabric, so ARPWATCH
>and its kin are defeated. Pings and traceroutes also fail with "host
>unreachable". The daemon then only has to watch on the NIC, in
>promiscuous mode, for TCP packets to the hijacked address on port 80,
>and pass them down the tunnel to the remote Web server.
>
>     * Finally, GRE and IPIP tunneling is used to connect the stolen IP
>addresses to the spammer's real servers hosted elsewhere.
>
>The end result is that the spammer has created a server at an IP
>address which not even the owners of the network are aware of.

And if one went to http://www.senderbase.org/ and monitored their own IP 
block, wouldn't the spammer appear there?  Or just plain monitoring spikes 
in outgoing port 25 traffic should alert someone that something is amiss.

-Hank
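The quoted technique hides from anything listening on the switched segment because the unsolicited ARP replies are unicast to the gateway routers only. The one place the mapping cannot hide is the routers' own ARP cache. The following is an added example, not code from the original post or from either poster, showing the audit a network owner could run against that vantage point: parse a router ARP dump, compare it with the allocation list, and cross-check it against replies a monitoring host on the same VLAN got to its own ARP requests. The ARP dump, allocation table and probe results are all constructed sample data; in practice the dump would come from `show ip arp` or the SNMP ipNetToMediaTable and the probe results from arping each address.

```python
import re
from collections import defaultdict

# Constructed sample: a "show ip arp"-style dump as a Cisco gateway router
# would print it. Illustrative data only, not captured from any real network.
ROUTER_ARP_DUMP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  192.0.2.10              3   00aa.bbcc.dd01  ARPA   GigabitEthernet0/1
Internet  192.0.2.11              7   00aa.bbcc.dd02  ARPA   GigabitEthernet0/1
Internet  192.0.2.57              0   00aa.bbcc.dd02  ARPA   GigabitEthernet0/1
Internet  192.0.2.200             1   0200.5e00.0001  ARPA   GigabitEthernet0/1
"""

# Constructed: what the network owner believes is assigned on this subnet.
ALLOCATED = {
    "192.0.2.1": "gateway router",
    "192.0.2.10": "customer dedicated server A",
    "192.0.2.11": "customer dedicated server B",
}

# Constructed: replies a monitoring host on the same VLAN received to its own
# ARP requests (one arping per address). A daemon that answers only the
# routers never appears here, which is the discrepancy this audit surfaces.
MONITOR_PROBE = {
    "192.0.2.1": "00:11:22:33:44:55",
    "192.0.2.10": "00:aa:bb:cc:dd:01",
    "192.0.2.11": "00:aa:bb:cc:dd:02",
}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>[0-9a-fA-F.]{14})\s+ARPA"
)


def normalize_mac(mac: str) -> str:
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff whether the input used
    Cisco dotted (0011.2233.4455), colon or dash notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_router_arp(dump: str) -> dict:
    """Parse 'Internet <ip> <age> <mac> ARPA <iface>' lines into {ip: mac}."""
    entries = {}
    for line in dump.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def audit_arp_cache(router_arp: dict, allocated: dict, probe_results: dict) -> list:
    """Flag router ARP entries that (a) cover an address nobody allocated,
    (b) belong to a host that did not answer the monitor's own ARP request,
    (c) disagree with the MAC the monitor saw, or (d) share a MAC with
    another address on the segment. Returns sorted (ip, reason) tuples."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in router_arp.items():
        ips_by_mac[mac].append(ip)
        if ip not in allocated:
            findings.append((ip, "in router ARP cache but not allocated"))
        probed = probe_results.get(ip)
        if probed is None:
            findings.append((ip, "router has an ARP entry but host did not answer monitor's ARP request"))
        elif probed != mac:
            findings.append((ip, f"router maps to {mac}, monitor saw {probed}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            for ip in ips:
                others = ", ".join(sorted(set(ips) - {ip}))
                findings.append((ip, f"MAC {mac} also answers for {others}"))
    return sorted(findings)


def run_audit() -> list:
    """Wire the constructed sample data through the audit."""
    return audit_arp_cache(parse_router_arp(ROUTER_ARP_DUMP), ALLOCATED, MONITOR_PROBE)


if __name__ == "__main__":
    for ip, reason in run_audit():
        print(f"{ip:<14} {reason}")
```

Two of the checks hold regardless of how the daemon is configured: an address the owner never assigned is sitting in the gateway's cache, and the host behind it will not answer anyone but the router. The shared-MAC check only fires when the daemon answers with the server's real NIC address, as 192.0.2.57 does in the sample; a daemon that fabricates a MAC per hijacked address would pass it, so it is a supporting signal rather than the primary one.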