What Happened to Blue Security 293
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
Coral Cache (Score:5, Informative)
For the lazy :) (Score:4, Informative)
Question about what Blue Security does (Score:2)
I haven't really paid attention to the "attack actual spam messages" front.
How is this any different from forwarding my email to myspamaddress@spamcop.net?
Re:For the lazy :) (Score:4, Interesting)
But!
Reading the account in TFA reveals that Blue Security was not undergoing a DDOS attack and that the DDOS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault (which, at least according to their story - be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything) they were not.
I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.
Re:For the lazy :) (Score:5, Informative)
PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.
This was not malicious on BlueSecurity's part.
Not technically accurate... (Score:4, Interesting)
Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the countrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:
* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucow's DNS servers (lots of traffic)
So, technically, blue security didn't redirect the attack.
Re:For the lazy :) (Score:4, Interesting)
If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.
Also, I note the URL you have on your post...
DNS Vulnerabilities (Score:5, Informative)
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows
PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
And it was't all that long ago that DNS vulnerabilities [slashdot.org] were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.
Re:DNS Vulnerabilities (Score:5, Insightful)
Considering who Bluesecurity are and what they do, this whole thing has actually seemed to me to serve as pretty good PR for them. It pisses off lots of people, but once the facts were out there pretty much everyone I know got pissed at the spammer, not Bluesecurity. Everyone hates spam, but now they see a spammer taking things to the next level of evil, which really strengthens the image of the "good guys." People who never heard of Bluesecurity before are becomeing ready to do what they can to work against this spammer.
Re:DNS Vulnerabilities (Score:5, Interesting)
Re:DNS Vulnerabilities (Score:5, Interesting)
Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.
You have a right to do it by yourself, tracking filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is a drug relates spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.
Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.
The thing is, these spammers should understand they have absolutely 0% of a chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.
I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher you sales percentage will be, and the more profits in the long run.
I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable on how their network and client works (I also thought they DDoS'd the sites until I looked into it,) I have signed up. Now I'm waiting for their system to become fully functionable again so I can verify my account and start kicking spammer tail!
Jeremy
Re:DNS Vulnerabilities (Score:2)
Re:DNS Vulnerabilities-- not Blue Security's fault (Score:2)
That a hacker had to use a sledgehammer to cause them signifigant harm shows that Blue Security was/is doing something correctly.
The group that will need to gain back credibility, are the organizations that are the operating these vulnerable DNS servers because it's their vulnerability that allowed such signifigant collateral damage.
Re:DNS Vulnerabilities (Score:5, Interesting)
Um, how about "no such thing as bad publicity"?
In my journal i commented that the attack on Six Apart was the web equivalent of Pearl Harbor [slashdot.org]. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became worldwide famous: I've been searching blogs [google.com] for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the url) said that "Blue Security" became the top technorati search during the attacks.
Bad Publicity for FarmerMistress (Score:2)
The guy as well may just put up a ginat banner proclaiming that he's a wold class jackass.
Re:DNS Vulnerabilities (Score:2)
Re:DNS Vulnerabilities (Score:2)
Tucows are cowards! (Score:4, Insightful)
While the spammer is clearly worthy or our scorn, I believe Tucows is even more deserving of public shame and disgrace. I expect a spammer to spam, I expect a hacker to hack, but I do not expect a (formerly) respectable business that takes my money to sell me out to criminals! Yes, I know they claim it was to protect their other customers, but tossing your baby to the lion to keep it from from attacking everyone else is reprehensible and I thought civilization had progressed beyond this.
I for one, will NEVER use any of their services or web properties again unless they issue a public apology for their actions. Not just to BlueSecurity, but to all of their customers, because this clearly sends a signal to all would-be DDoS attackers that Tucows customers are for sale for the price of a few million IP packets!
publicity! (Score:4, Interesting)
Heck, I even signed up; shall have to wait and see if it's worth it though.
Re:publicity! (Score:3, Interesting)
Looks to me like this Pharma dude really shot himself in the foot.
Re:publicity! (Score:2)
Tucow bad behavior? (Score:5, Insightful)
Re:Tucow bad behavior? (Score:2, Insightful)
I understand that in an ideal world a company should stand by a client suffering a DDoS attack, and there are many companies out there that do (but they advertise the service specially, and you pay thousands for it). But I don't think we can really say that a company providing budget services to the masses h
Re:Tucow bad behavior? (Score:4, Interesting)
Look at it this way - are you going to forget that Tucows turned off a legitimate client? Me neither. Are you going to consider Tucows next time you need a corporate provider? Me either.
Re:Tucow bad behavior? (Score:3, Insightful)
> domain registration and DNS services, they are probably earning what - $20 a year from Blue Security?
And how much can any of their remaining customers trust Tucows will protect US from the next idiot? So now all this asshat has to do is drop Tucows a note listing who he is pissed at this week and they will drop our domains too? No, millions for defense but never paying tribute is the only winning
This isn't just between PharmaMaster & Bluefro (Score:5, Interesting)
Re:This isn't just between PharmaMaster & Blue (Score:2)
Re:This isn't just between PharmaMaster & Blue (Score:2, Interesting)
Re:This isn't just between PharmaMaster & Blue (Score:3, Informative)
They also read through the forums and found some of the actual spammers' websites:
http://www.northworks.biz/ [northworks.biz] This one is one of the shadi
Re:This isn't just between PharmaMaster & Blue (Score:3, Informative)
@echo off
set http_proxy=http://yourproxyhereifapplicable
rem remove the above if you don't have a proxy server
wget http://www.northworks.biz/install_mc_shareware.exe [northworks.biz] --proxy-user
=username --proxy-pass=password
goto start
without a proxy:
@echo off
wget http://www.northworks.biz/install_mc_shareware.exe [northworks.biz]
goto start
(save as s batch file in the same dir as wget)
download wget from www.gnu.org/software/wget/
have fun
Re:This isn't just between PharmaMaster & Blue (Score:3, Insightful)
way to screw up the batch file...
the ":start" bit should be on a line by itself.
Re:This isn't just between PharmaMaster & Blue (Score:3, Interesting)
Re:This isn't just between PharmaMaster & Blue (Score:2)
Backbone level blackholing? (Score:5, Interesting)
No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
Re:Backbone level blackholing? (Score:4, Interesting)
"
* ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
* "[tier-1 ISP name withheld] will block traffic to your websites god i love this war
This was more clear on some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of lot more corruption out there than I thought)
Re:Backbone level blackholing? (Score:2, Interesting)
Re:Backbone level blackholing? (Score:2)
There are a lot of idiots out there who have zombiefied Windows machines and either don't realize, or don't really care (because it doesn't slow them down enough to make the system totally unusable) that their system might be sending out millions of spam messages per day.
I don't know how much renting a botnet costs, but I wonder if some anti-spam group could go and start renting botnets, and destorying them. Have the captive machines format their own drives o
Re:Backbone level blackholing? (Score:2)
Consider that the criminals might not want to rent their botnets to someone who doesn't return them in working order, and that they have an existing customer base that they may not want to alienate by helping out an anti-spam group.
What is? (Score:2, Interesting)
A router equivalent of /dev/null (Score:2)
Re:A router equivalent of /dev/null (Score:2)
Nothing (Score:2)
/dev/null is a special device and it is nothing. If you write to it it goes nowhere just disappears.
Common joke is that you backedup to /dev/null because it had plenty of space.
I don't think windows has a similar function readily available.
So what do you use it for? Well when you have somet
Re:Nothing (Score:2)
\Devices\Null in NT, more frequently accessed with the annoying DOS legacy "magic filename" NUL (yet another file you can't create). NUL is just a symbolic link in the "global" directory (a DOS compatibility hack basically) but it should be possible to use IoRegisterDeviceInterface to create an actual
Re:Nothing (Score:2, Informative)
Why null routing is critical (Score:4, Informative)
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when you network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (ie, a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the routes changes propgate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Lets say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that /24. Instead individual routes are added as individual users dial in. Lets say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
DDoS Extortionists (Score:5, Interesting)
link to information week's article (Score:3, Informative)
Sad state of backbone administration (Score:2, Interesting)
Of course if the attack had oc
Re:Sad state of backbone administration (Score:2)
_Detailed_ timeline? (Score:4, Interesting)
"Some shit happened."
As a security guy, this could have been really interesting, but it's not.
Poor response (Score:5, Insightful)
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success
Tucows is a company I will never recommend or use to host any of my domains.
Caving in to a spammer/hacker retaliation will not garner much support.
http://www.joker.com/ [joker.com] serves my needs well
Re:Poor response (Score:2)
Uh, you just take at face value something some random schmuck writes as an analysis? More likely they MOVED BlueSecurity's account somewhere else.
I think you need some of that restless legs syndrome medication, that knee is jerking a bit too hard.
Pharma Master (Score:5, Insightful)
Enquiring minds (and all that) want to know.
Re:Pharma Master (Score:4, Informative)
Re:Pharma Master (Score:2)
*cough*
Slashdot army unite! (Score:5, Insightful)
Do not listen to FUD-spreading ignoramuses who will no doubt leave many
Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.
I urge each and every
Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of
We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.
Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread [castlecops.com] that shows inside conversations from a spammer message board.
Re:Slashdot army unite! (Score:2)
They are not ready yet to accept new accounts. It has been days and I still have not gotten their validation email. They do ha
Re:Slashdot army unite! (Score:3)
Re:Slashdot army unite! (Score:2)
Re:Slashdot army unite! (Score:2)
Re:Slashdot army unite! (Score:3, Informative)
Blackmail tactics (Score:3, Informative)
Re:Blackmail tactics (Score:5, Funny)
Re:Blackmail tactics (Score:2, Funny)
Yep, we should take action. Somebody has to. As people who profit from spam don't want to take effective action against them, we're in our right of defending ourselves. Maybe the guilt is not only theirs, but those 0.005% people who buy penis enlagement pills, viagra, cialis and such.
The amount of short-dicked, impotent men waiting for a nigerian fortune is simply unbelievable.
If they were attacked... (Score:5, Funny)
Thanks PharmaMaster for referring me!
The only solution to spam... (Score:3, Insightful)
We put down rabid dogs because they have the potential to harm human beings despite having no intention to do so. Why is it less humane to remove life that actively and maliciously harms others?
I'd love to meet that spammer... (Score:4, Funny)
this is black hole filtering: (Score:3, Interesting)
Summary for the lazy: (Score:2, Interesting)
For those new to this whole "BlueFrog" story, unsure who is the "good guy":
Pro:
Con:
SUE the advertisers (Score:2, Insightful)
What nonsense (Score:4, Insightful)
There is no way that a single "backbone" provider could have installed a null route to block all traffic to their network. Bluesecurity is served by a Haifa-based provider called Netvision (Autonomous System number 1680). Netvision buys internet transit from four providers:
--UUnet/701 (uunet north america)
--UUnet/702 (uunet europe/middle east)
--btn/3491 (beyond the network)
--telia/1299 (telia sonera international backbone).
what the heck is BS claiming? that *all* of them installed a null route at once. do they even know what a null route is.
i'm getting annoyed enough at this nonsense to think about blogging about it in more detail over at www.renesys.com/blogs . perhaps later today.
foolishness.
Re:What nonsense (Score:3, Interesting)
Could be a BGP blackhole route (Score:3, Interesting)
Netvision also seems to have GlobalXing/AS3549 as a transit provider.
My suspicion (since I don't have a looking glass with a historical search), is that someone with access to the main BGP reflectors inside
Re:Yup, this sucks. (Score:4, Insightful)
Re:Yup, this sucks. (Score:2)
I feel a bit left out now
Re:Yup, this sucks. (Score:5, Insightful)
Re:Yup, this sucks. (Score:5, Informative)
Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).
Client List NOT Compromised!!! (Score:5, Interesting)
Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper [plaza1.net] .
The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?
Re:Client List NOT Compromised!!! (Score:3, Interesting)
Traffic Is NOT What Spamvertised Sitres Want (Score:4, Insightful)
When a site receive traffic from those who do not buy, it is the same as a store which has 200 people just looking around (and not buying). These browsers cause wear and tear on the carpet, require the watchful eye of security, require resources to answer questions, and make it more crowded so that it is more difficult for paying customers to find what they are looking for and complete the transaction.
Right now, the ratio of revenue-generating traffic (those who come to a website to buy) verses the non revenue-generating traffic is high enough to justify having the website running and paying the spammers. When there is 8 gigs of traffic (non revenue generating) from spam haters for every byte of revenue producing traffic, then advertising a website via spam will be very UNPROFITABLE. When those who advertise by spam see loss instead of profits, they will quit paying spammers (or stop spamming themselves). This is why spammers hate the likes of Blue Security, SpammerSlapper, SpamFryer, and other retalitory tools.
What the spammers do not realize is that people who are ready to resort to using such antispammer tactics DO NOT like spamvertised websites nor will they buy crap from these websites. Blue Security is actually doing spammers a favor by pointing out the email receipients who do not want the spam and are willing to cause problems. If I were a spammer, I would want to listwash my sucker list and get rid of the email addresses of troublemakers and concentrate on the idiots who buy stuff advertised via spam. That way I would have to send out a lot less spam to get the sales I want. Spammers should go only after the suckers and leave the rest of us alone. When these nooby suckers decide that they are tired of being robbed and spammed into oblivion, they can then add their name and voice to the rest of the angry masses who have HAD ENOUGH.
Re:Client List NOT Compromised!!! (Score:3, Informative)
This is what annoys me. What are they thinking? They're helping spammers listwash. The fact that a spa
Re:Client List NOT Compromised!!! (Score:2)
If the spammers have your address already (and if you get spam, they do) all they have to do is diff their cleaned list against their uncleaned one in it and they know who on Blue Security's list is also a valid address on their list.
However, continuing to send more spam to those addresses is utter fucking stupidity by the spammers.
If you're on Blue Security's list then you obviously hate spam and will not buy anything advertised that way. Therefore
Re:Client List NOT Compromised!!! (Score:3, Insightful)
My brain just crapped its skull. (Score:4, Funny)
Re:I want names and addresses! (Score:5, Informative)
I would like to thank him! (Score:2)
Thanks Pharma!
Re:"operational system" (Score:5, Informative)
Re:"operational system" (Score:3, Informative)
Stuff like Political ads and prosletyzing where no response is needed
will still go out. But anyone trying to sell some questionable product
from a website or email drop is not going to want to get hammered with the
return of a big percentage of the spam emails.
Phishing and other forms of identity theft are also going to be a lot harder.
If you go to the Bluesecurity site, you'll see they have multiple classes
of spam and responses to each class. So
Re:"operational system" (Score:2)
Re:Pharma master identity (Score:2)
Unfortunately, the only witness account of PharmaMaster comes from BlueSecurity themselves, I wonder if the feds could subpoena ICQ to give details of the conversation and see which IP it came from.
Ehm the FBI? (Score:2)
Not that I think that they would bother with a spammer but a guy can dream can't he?
Re:Ehm the FBI? (Score:3, Funny)
Re:Ehm the FBI? (Score:2)
Re:Ehm the FBI? (Score:2)
Not true. Since the idiot spammer DDoS'd the Tucows DNS server it affected thousands of sites all over the world. If either the Tucows server or one of those sites whose DNS is hosted by Tucows is located in the US then the FBI has all the jurisdiction they would need to launch an investigation. Of course just because they can doesn't necessarially mean they will. But if any of those customers is big enough they ju
How about the US DoD? (Score:2, Insightful)
Not too mention, the actions of pharmamaster are borderline terrorism. (just in case the NSA is watching ;) Not even freedom fighter terrorism, just good old fashioned fearmongering terrorism.
Re:Pharma master identity (Score:2)
Re:Tier 1 ISP (Score:2, Insightful)
Maybe UUNET, maybe not (Score:4, Informative)
An InfoWorld article [infoworld.com] from May 4th quoted Blue Security CEO Eran Reshef as saying:
Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:Re:Maybe UUNET, maybe not (Score:4, Informative)
4. They're going to be named in a lawsuit, and they don't want to prejudice it with media attention, or counter-suits of defamation.
5. They've contacted the ISP to resolve their issues and don't want to annoy them by publicising who they were.
Re:Could anyone sign up? (Score:2)