Ronald Guilmette, operator of the unsecured proxies list RBL at Monkeys.com, said he has discontinued the service, lamenting the lack of support he received from network operators and law enforcement.

Compu-Net Enterprises, a small ISP in Tennessee, said it has turned off its blackhole.compu.net RBL after fears of a similar type of attack. The two closures follow the decision by Osirusoft to turn off its RBL after an attack in August.

An RBL is a list of IP addresses of email servers that are unsecured and can be used to send vast quantities of spam relatively anonymously.

ISPs and enterprises use the lists to help filter spam before it reaches their users. Compu-Net and Monkeys.com each estimate that more than one million mailboxes were protected in part by their lists.

A hopping mad Guilmette told ComputerWire that his domain came under a continuous, massive, crippling distributed denial of service attack from a network of what he estimates were more than 4,000 compromised residential PCs.

Attackers also sent out millions of spam messages, spoofed to appear to come from Guilmette and advertising particularly offensive pornography, that had his name and home phone number listed as the method of opting out of future mailings.

Bill Larson, network administrator at Compu-Net, said that he made the decision to pull the plug on his RBL after suffering from a similar type of email attack. The suggestion was, he said, that a DDoS attack would be next.

“They gave us a clear signal that they were going to escalate the attacks,” he said. Spam spoofed to look like it came from Compu-Net staff had already prompted dozens of complaints and threats from users and victims, he said.

While Guilmette is an independent software developer, Larson is an administrator at a regional ISP, and any DDoS attack against his network would inevitably have meant irate customers and lost business, which the company could not risk.

In a DDoS attack, the attackers first compromise large quantities of zombie PCs – usually unsecured Windows boxes on residential DSL or cable lines – and then instruct them to flood a specified target with spurious packets. The IP headers are often forged.

Osirusoft’s Joe Jared told ComputerWire in August that his RBL was hit with attacks of up to 1Gbps. Another victim said the attack was so large that his upstream ISP was forced to cut him off in order to not cause a DoS effect on its other clients.

“It’s a very simple game,” Guilmette, who ran Monkeys.com’s RBL from his home in California, said. “Whoever has the most bandwidth wins. Whoever’s doing this obviously has a huge army and they are throwing everything they have at us.”

Guilmette and Larson both said they have no faith in law enforcement to solve the problem. Guilmette said he filed a police report he expects to be buried, and tried to contact the FBI but never received a reply.

But a frustrated Guilmette particularly blames the large internet backbone providers for not having the systems or procedures in place, or the will to use them, that could help smaller users counter this kind of attack.

“There’s no place to go to say ‘I’m being DDoSed and here are the IP addresses of the attackers’,” he said. “The solution is not for us to think of increasingly clever ways to dodge these bullets, it’s for those at the top tier to turn these criminals off.”

“Why is it that the people who should be in control of the internet are not, and the bad guys are?” he said. “How bad does it have to get?”

Other spam fighters have had more luck, barely, fending off these types of attack – so far. SpamCop, which also sells anti-spam software, was able to mitigate the DoS assault, but only by paying a distributed content delivery network provider to host its site.

There are still several other RBLs active on the internet. Most of them, like the two latest casualties, are free services run as a labor of love. Many of them are currently still under attack and it may be only a matter of time before more decide enough is enough.

This article was based on material originally published by ComputerWire.