Avalanche botnet takedown

Paul Ferguson fergdawgster at mykolab.com
Thu Dec 1 20:43:16 UTC 2016

> P.S.  WTF is "double fast flux[tm]”?

Double fast-flux is when not only the TTL is set very low on the A record(s), bit also on the NS:


- ferg

> On Dec 1, 2016, at 12:38 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> In message <20161201173426.2861.qmail at ary.lan>,
> "John Levine" <johnl at iecc.com> wrote:
>> More info here:
>> https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
> I'm always happy when even a small handful of miscreants are captured
> and taken off the Internet, but...
> The press release itself says that this botnet had been running since
> 2009.  So, you know, are we supposed to break out the champaign and
> start celebrating because it "only" took LE *seven years* to take down
> this one botnet and capture a grand total of five cybercriminals?
> Like I say, I'm happy that this one botnet was killed, but to my way
> of thinking, the fact that it took seven years to do so is a testament
> *not* to the spectacular 21st century capabilities of modern law
> enforcement, but rather to the ever widening gap between the time
> scales of law enforcment processes, typically measured in months or
> years, and the time scales of malicious packets flying around the
> Internet, usually measured in miliseconds.
> The Internet, viewed as an organism, quite clearly has, at present,
> numerous autoimmune diseases.  It is attacking itself.  And its immune
> system, such as it is, clearly ain't working.  There's going to come
> a day of reckoning when it will no longer be possible to paper over
> this sad and self-evident fact.  (And no, I'm *not* talking about
> the fabled "Digital Pearl Harbor".  I'm talking instead about the
> Internet equivalent of the meteor that wiped out the dinosaurs.)
> Regards,
> rfg
> P.S.  WTF is "double fast flux[tm]"?  Is that anything like "double secret
> probation" from Animal House?
> P.P.S.  I love this part of the press release, because it is so telling:
>     "The successful takedown of this server infrastructure was supported
>     by ... Registrar of Last Resort, ICANN..."
> Hahahahaha!  Yea.  Translation, for those of you who do not speak
> diplomacy-speak:  "It isn't hardly just you unofficial anti-spammers and
> anti-cybercrime volunteers and private security companies that can't
> manage to get many domain registrars and somtimes even domain registries
> to lift a finger to help.  Even some of us international law enforcement
> guys, who have badges and everything, were also told to go pound sand by
> several of the world's worst and most unhelpful registrars and registries.
> In fact, they were soooooooo colossally unhelpful that in the end, we
> finally had to go and plead our case all the way up to ICANN, just in
> order to get anything done."

Paul Ferguson
Seattle, Washington, USA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20161201/5197ed36/attachment.sig>

More information about the NANOG mailing list