Tag Archives: ip address

Beware: Attribution & Politics

Post Syndicated from Elizabeth Wharton original http://blog.erratasec.com/2016/09/beware-attribution-politics.html

tl;dr – Digital location data can be inherently wrong and it can be spoofed. Blindly assuming that it is accurate can make an ass out of you on twitter and when regulating drones.    

Guest contributor and friend of Errata Security Elizabeth Wharton is an attorney and host of the technology-focused weekly radio show “Buzz Off with Lawyer Liz” on America’s Web Radio.  This post is merely her musings and not legal advice.

Filtering through various campaign and debate analysis on social media, a tweet caught my eye. The message itself was not the concern and the underlying image has since been determined to be fake.  Rather, I was stopped by the140 character tweet’s absolute certainty that internet user location data is infallible.  The author presented a data map as proof without question, caveat, or other investigation.  Boom, mic drop – attribution!

According to the tweeting pundit, “Russian trollbots” are behind the #TrumpWon hashtag trending on Twitter.

The proof? The twitter post claims that the Trendsmap showed the initial hashtag tweets as originating from accounts located in Russia.  Within the first hour the tweet and accompanying map graphic was “liked” 1,400 times and retweeted 1,495 times. A gotcha moment because a pew-pew map showed that the #TrumpWon hashtag originated from Twitter accounts located in Russia.  Boom, mic drop – attribution!

Except, not so fast. First, Trendsmap has since clarified that the map and data in the tweet above are not theirs (the Washington Post details the faked data/map ).  Moreover, location data is tricky.  According to the Trendsmap FAQ page they use the location provided in a user’s profile and GeoIP provided by Google. Google’s GeoIP is crafted using a proprietary system and other databases such as MaxMind.  IP mapping is not an exact art.  Kashmir Hill, editor of Fusion’s Real Future, and David Maynor, delved into the issues and inaccuracies of IP mapping earlier this year.  Kashmir wrote extensively on their findings and how phantom IP addresses and MaxMind’s use of randomly selected default locations created digital hells for individuals all over the country –  Internet Mapping Glitch Turned Random Farm into Digital Hell.

Reliance on such mapping and location information as an absolute has tripped up law enforcement and is poised to trip up the drone industry. Certain lawmakers like to point to geofencing and other location applications as security and safety cure-all solutions. Sen. Schumer (D-N.Y.) previously included geofencing as a key element of his 2015 drone safety bill.  Geofencing as a safety measure was mentioned during Tuesday’s U.S. House Small Business Committee hearing on Commercial Drone Operations. With geofencing, the drone is programmed to prohibit operations above a certain height or to keep out of certain locations.  Attempt to fly in a prohibited area and the aircraft will automatically shut down.  Geofencing relies on location data, including geospatial data collected from a variety of sources.  As seen with GeoIP, data can be wrong.  Additionally, the data must be interpreted and analyzed by the aircraft’s software systems.  Aircraft systems are not built with security first, in some cases basic systems security measures have been completely overlooked.  With mandatory geofencing, wrong data or spoofed (hacked) data can ground the aircraft.

Location mapping is helpful, one data point among many.  Beware of attribution and laws predicated solely on information that can be inaccurate by design. One errant political tweet blaming Russian twitter users based on bad data may lead to a “Pants on Fire” fact check.  Even if initially correct, a bored 400lb hacker may have spoofed the data.

ISPs Offered Service to “Protect Safe Harbor” Under DMCA

Post Syndicated from Andy original https://torrentfreak.com/isps-offered-service-to-protect-safe-harbor-under-dmca-160924/

warningEarly August, a federal court in Virginia found Internet service provider Cox Communications liable for copyright infringements carried out by its customers.

The ISP was found guilty of willful contributory copyright infringement and ordered to pay music publisher BMG Rights Management $25 million in damages.

The case was first filed in 2014 after it was alleged that Cox failed to pass on infringement notices sent to the ISP by anti-piracy outfit Rightscorp. It was determined that the ISP had also failed to take firm action against repeat infringers.

Although the decision is still open to appeal, the ruling has ISPs in the United States on their toes. None will want to fall into the same trap as Cox and are probably handling infringement complaints carefully as a result. This is where Colorado-based Subsentio wants to step in.

Subsentio specializes in helping companies meet their obligations under CALEA, the Communications Assistance for Law Enforcement Act, a wiretapping law passed in 1994. It believes these skills can also help ISPs to retain their safe harbor protection under the DMCA.

This week Subsentio launched DMCA Records Production, a service that gives ISPs the opportunity to outsource the sending and management of copyright infringement notices.

“With the average ISP receiving thousands of notices every month from owners of copyrighted content, falling behind on DMCA procedural obligations is not an option,” says Martin McDermott, Chief Operating Officer at Subsentio.

“The record award of US$25 million paid by one ISP for DMCA violations last year was a ‘wake-up call’ — service providers that fail to take this law seriously can face the same legal and financial consequences.”

Subsentio Legal Services Manager Michael Allison informs TorrentFreak that increasing levels of DMCA notices received by ISPs need to be handled effectively.

“Since content owners leverage bots to crawl the internet for copyrighted content, the volume of DMCA claims falling at the footsteps of ISPs has been on the rise. The small to mid-level ISPs receive hundreds to thousands of claims per month,” Allison says.

“This volume may be too high to add to the responsibilities of a [network operations center] or abuse team. At the same time, the volume might not constitute the hiring of a full-time employee or staff.”

Allison says that his company handles legal records production for a number of ISP clients and part of that process involves tying allegedly infringing IP addresses and timestamps to ISP subscribers.

“The logistics behind tying a target IP address and timestamp to a specific subscriber is usually an administrative and laborious process. But it’s a method we’re familiar with and it’s a procedure that’s inherent to processing any DMCA claim.”

Allison says that the Cox decision put ISPs on notice that they must have a defined policy addressing DMCA claims, including provisions for dealing with repeat infringers, up to and including termination. He believes the Subsentio system can help ISPs achieve those goals.

“[Our system] automatically creates a unique case for each legal request received, facilitates document generation, notates actions taken on the case, and allows for customized reporting via any number of variables tied to the case,” Allison explains.

“By creating a case for each DMCA claim received, we can track ISP subscribers for repeat offenses, apply escalation measures when needed, and alert ISPs when a subscriber has met the qualifications for termination.”

TF understands that many of Subsentio’s current clients are small to mid-size regional ISPs in the United States so whether any of the big national ISPs will get involved remains to be seen. Nevertheless, it’s quite possible that the formalizing and outsourcing of subscriber warnings will lead to customers of some smaller ISPs enjoying significantly less slack than they’ve become accustomed to.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Two free HiveMQ plugins you don’t want to miss: Client Status and Retained Messages Query Plugin

Post Syndicated from The HiveMQ Team original http://www.hivemq.com/blog/two-free-hivemq-plugins-you-dont-want-to-miss-client-status-and-retained-messages-query-plugin/

plugins_puzzle

Our friends at ART+COM just released two of their HiveMQ plugins to the public. They are available on Github and may be useful to many MQTT deployments that need to utilize HTTP as an information channel.

HiveMQ Client Status Plugin

This plugin is available at Github.

This plugin exposes a HTTP GET endpoint to retrieve the currently connected and disconnected clients with their respective client identifiers and IP addresses. It is useful if you need to quickly check what clients are connected to the broker.

It creates a new HTTP GET endpoint

/clients

and returns a HTTP Response like this:

[ {
  "clientId" : "another client",
  "ip" : "127.0.0.1",
  "connected" : true
}, {
  "clientId" : "my-inactive-client",
  "connected" : false
} ]

HiveMQ Retained Message Query Plugin

This plugin is available at Github.

This plugin allows to query retained messages via HTTP instead of MQTT from HiveMQ. You can read about the motivation to write this plugin by the folks at ART+COM in the blog.

In short, this plugin exposes a HTTP Endpoint that expects a POST request with a query.

An example query could look like this:

{
  "topic": "path/of/the/topic",
  "depth": 0,
  "flatten": false
}

A response would look like this:

{
  "topic": "path/of/the/topic",
  "payload": "23",
  "children": [
	{
	  "topic": "path/of/child/topic",
	  "payload": "\"foo\""
	}
  ]
}

If you’re a MQTT.JS user, there is a small library called mqtt-topping by the ART+COM people that adds syntactic sugar for this plugin.

We hope you like the plugins as much as we do. Let us know in the comments what you think!

Malicious Torrent Network Tool Revealed By Security Company

Post Syndicated from Andy original https://torrentfreak.com/malicious-torrent-network-tool-revealed-by-security-company-160921/

danger-p2pMore than 35 years after 15-year-old high school student Rich Skrenta created the first publicly spread virus, millions of pieces of malware are being spread around the world.

Attackers’ motives are varied but these days they’re often working for financial gain. As a result, popular websites and their users are regularly targeted. Security company InfoArmor has just published a report detailing a particularly interesting threat which homes in on torrent site users.

“InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet,” the company reports.

InfoArmor says the so-called “RAUM” tool is being offered via “underground affiliate networks” with attackers being financially incentivized to spread the malicious software through infected torrent files.

“Members of these networks are invited by special invitation only, with strict verification of each new member,” the company reports.

InfoArmor says that the attackers’ infrastructure has a monitoring system in place which allows them to track the latest trends in downloading, presumably so that attacks can reach the greatest numbers of victims.

“The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code,” they explain.

RAUM instances were associated with a range of malware including CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex and password stealing spyware Pony.

“We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network,” InfoArmor reveals.

What is perhaps most interesting about InfoArmor’s research is how it shines light on the operation of RAUM behind the scenes. The company has published a screenshot which claims to show the system’s dashboard, featuring infected torrents on several sites, a ‘fake’ Pirate Bay site in particular.

dashtorrents

“Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others,” the researchers write.

“In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.”

raum-1

According to InfoArmor the malware was initially spread using uTorrent, although any client could have done the job. More recently, however, new seeds have been served through online servers and some hacked devices.

In some cases the malicious files continued to be seeded for more than 1.5 months. Tests by TF on the sample provided showed that most of the files listed have now been removed by the sites in question.

Completely unsurprisingly, people who use torrent sites to obtain software and games (as opposed to video and music files) are those most likely to come into contact with RAUM and associated malware. As the image below shows, Windows 7 and 10 packs and their activators feature prominently.

raum-2

“All of the created malicious seeds were monitored by cybercriminals in order to prevent early detection by [anti-virus software] and had different statuses such as ‘closed,’ ‘alive,’ and ‘detected by antivirus.’ Some of the identified elements of their infrastructure were hosted in the TOR network,” InfoArmor explains.

The researchers say that RAUM is a tool used by an Eastern European organized crime group known as Black Team. They also report several URLs and IP addresses from where the team operates. We won’t publish them here but it’s of some comfort to know that between Chrome, Firefox and MalwareBytes protection, all were successfully blocked on our test machine.

InfoArmor concludes by warning users to exercise extreme caution when downloading pirated digital content. We’d go a step further and advise people to be wary of installing all software from any untrusted sources, no matter where they’re found online.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Elsevier Wants CloudFlare to Expose Pirate Sites

Post Syndicated from Ernesto original https://torrentfreak.com/elsevier-wants-cloudflare-to-expose-pirate-sites-160917/

cloudflareElsevier is one of the largest academic publishers in the world.

Through its ScienceDirect portal the company controls access to millions of scientific articles spread out over thousands of journals, most of which are behind a paywall.

Not all academics are happy with these restrictions that hamper their work. As a result, hundreds of thousands of researchers are turning to ‘pirate’ sites such as Sci-Hub, Libgen and Bookfi to access papers for free.

Elsevier views these sites as a major threat to its business model and last year it filed a complaint at a New York District Court, accusing the sites’ operators of systematic copyright infringement.

The publisher managed to obtain a preliminary injunction to seize the sites’ domain names. However, the case is still ongoing and the three sites in question continue to operate from new domains.

Over the past several months a lot of media coverage focused on Sci-Hub and its operator Alexandra Elbakyan. However, Elsevier still has no clue who’s behind the other two sites. With help from Cloudflare, it hopes to fill in the gaps.

Earlier this week Elsevier submitted a motion for leave to take discovery (pdf), so it can demand logs and other personally identifiable data about the operators of Libgen and Bookfi from Cloudflare.

Both sites previously used Cloudflare’s CDN services and the publisher is hoping that they still have crucial information on file.

Elsevier already tried to obtain the host IP addresses of the sites through the “Trusted Reporter” program, but Cloudflare replied that it could not share this info for sites that are no longer active on its network.

In addition to contacting Cloudflare, the academic publisher also requested information from Whois Privacy Corp. – the domain registration anonymization service used by both Libgen.org and Bookfi.org – but the company hasn’t responded to these requests at all.

“Elsevier has used all of the tools at its disposal in its attempt to identify the operators of Libgen.org and Bookfi.org,” Elsevier informs the court.

“However, as a consequence of the Defendants’ use of various service providers to anonymize their identities, as well as the nonresponsiveness of those service providers to Elsevier’s requests to date, these efforts have thus far been fruitless.”

According to Elsevier, a court-ordered discovery subpoena is the only option to move the case forward and identify the defendants behind Libgen and Bookfi.

“As a result, Elsevier has exhausted all other reasonable options and now must now seek this Court’s intervention in order to obtain identifying information concerning John Doe Defendants […] from CloudFlare: a business which has had direct dealings with both Libgen.org and Bookfi.org,” Elsevier adds.

Since neither Libgen not Bookfi are currently using Cloudflare’s services, it remains to be seen whether the company still has the site’s old IP-addresses and other information on file.

On Thursday the court granted Elsevier’s leave to take discovery ordering CloudFlare to save all relevant logs until a final discovery decision is taken. Before that happens, CloudFlare will have a chance to respond to the request.

To leave room for the possible discovery process, Elsevier previously asked for the pretrial hearing to be postponed. It will now take place late October.

Meanwhile, the websites continue serving ‘pirated’ papers and books through their new domain names at golibgen.io, bookfi.net and sci-hub.cc.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Torrent Site Founder, Moderator and Users Receive Prison Sentences

Post Syndicated from Andy original https://torrentfreak.com/torrent-site-founder-moderator-users-receive-prison-sentences-160915/

jailWhenever anti-piracy groups decide to take action against large file-sharing platforms, they do so on the basis of achieving crushing punishments for their operators. Only severe punishments can stop hardcore pirates, they argue.

In France, a similar situation has been playing out. Back in June 2015 following a four-month investigation, people connected to the public torrent site OMGTorrent were arrested and taken into custody. Early claims suggested the site had offered for download more than 10,000 pirated movies.

Founded in 2008, the site had built up a solid userbase of around 3.5 million visitors per month. Police insisted it was a for-profit project.

“The people behind this platform do not do it for fun, through the platform they earn a lot of money,” a police spokesperson said at the time. “Even if they offer movies without requesting compensation, they earn money with various advertisements that appear alongside.”

Searches of two suspects’ homes yielded several computers plus more than 3.5 terabytes of the latest movies. A separate server found overseas contained several thousand more.

Police warned that the site’s operators could face 10 years in jail plus millions in damages, but they weren’t going to stop there. Their investigations had led them to four of the site’s top downloaders who they intended to prosecute for receiving stolen goods.

After more than a year, six people connected with the site have now been sentenced and it’s harsh punishments all round.

Following a hearing in March, yesterday the Criminal Court of Chalons-en-Champagne (Marne, France) sentenced the founder of OMGTorrent to one year in prison. The 28-year-old was also ordered to pay a fine of around five million euros for the unauthorized distribution of copyrighted works.

Also sentenced was a 38-year-old woman who had worked as a moderator on the site. She was given a four-month suspended sentence and told to pay damages to the plaintiffs in the case.

In an unusual turn of events, prosecutors also tracked down four of the site’s most heavy downloaders. They too were given prison sentences of one month each and are required to settle with rightsholders.

Based on an investigation carried out by ALPA (Association Against Audiovisual Piracy), the prosecution estimated that damages exceed 20 million euros.

Following the decision, the site’s founder posted an update to the Wareziens forum.

“I’ve been fined a total of 5,000,000 euros for financial damage, 12 months imprisonment and 4 more [months] from a former sentence. My mod has to pay approximately 1,000,000 euros for financial damage,” he wrote.

“Others, those who have downloaded, I don’t know the amount for them, but it far exceeds 500,000 euros. Note: They seized the servers and used them to get the IP addresses of the big downloaders of content.”

Lashing out at those who hounded him, the admin said the judgment had really hurt. He said he understands why he needed to be punished but for those lower down the chain, the sentences were “beyond comprehension.”

“To all the [anti-piracy groups and authorities]: You are a lot of vile shit, destroying lives of people who are already struggling to pay their rent, their food, their bills,” he said.

“Why all this? Because they wanted to watch and because they didn’t necessarily have the capabilities to buy a DVD / BluRay or go to the theaters.”

Listing the country’s most popular torrent indexes, trackers and DDL sites, the admin declared that they would never fall.

“Warez is a hydra, you cut off one head, 10 will grow back. You’ll never kill this beautiful community. It’s like drug dealers, it will never stop,” he said.

Following the raid on OMGTorrent, an unknown third-party managed to secure the domain. The site is now working, as it did before, as a public torrent index.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Copyright Trolls Claim Student Pirates Could Lose Scholarships, Face Deportation

Post Syndicated from Andy original https://torrentfreak.com/copyright-trolls-claim-student-pirates-lose-scholarships-face-deportation-160910/

trollAt the turn of the century when file-sharing was in its infancy, some of the earliest adopters of P2P technology were those in the student population.

Freely available Internet access for those in educational establishments meant unprecedented numbers of young people going online, and with that a large upswing in unauthorized downloading.

The RIAA was one of the first groups to take a stand, suing thousands of students across the United States in an effort to send a message that free music may very well come at a cost. Later, changes in legislation meant that schools and universities across the country could lose funding if they didn’t keep piracy under control.

Of course, students continue to download to this day and each time they do they risk receiving a warning letter or worse, as students in Canada are finding out.

According to the copyright office at the University of Manitoba, mainly US-based rightsholders are writing on a regular basis to students demanding cash settlements for alleged infringement.

Noting that the university forwards copyright infringement notices to students as they’re required to under the country’s ‘notice and notice‘ regime, the copyright office says some of the letters are “tantamount to extortion.”

In a piece published in official student newspaper The Manitoban, copyright office strategy manager Joel Guenette says that while many of the 8,000 notices received are legitimate (HBO is said to have sent many warnings in connection with Game of Thrones downloads), others sink to reprehensible lows.

In addition to cautioning over the potential for multi-million dollar lawsuits, some notice senders are stepping up their threats to suggest that students could lose their scholarships if fines aren’t paid. For visiting students, things become even more scary.

According to the university’s copyright office, some porn producers have told foreign students that they could face deportation if an immediate cash settlement of hundreds of dollars is not forthcoming.

“None of these are real consequences that could ever happen in the Canadian scheme of things, but we hear from students all the time – especially international students – who are really freaked out by this,” Guenette says.

While being scared is understandable in such situations, Guenette’s department is keen to educate students on what these notices really mean. Particularly, they’re keen to stress that notice senders have no idea who notices have been delivered to, so students shouldn’t believe that copyright holders already know who they are.

Day to day, there’s nothing in current law that compels the University to hand over their identities but students can still compromise themselves by negotiating directly with notice senders, so that isn’t advised.

“We can’t tell students ‘ignore these notices’ and we can’t tell students ‘never pay a claim’ but, personally, I want students to know what these are and I want them to know that most of these settlement claims are extortion,” Guenette says.

“When I’m talking to students directly, without giving them legal advice, I would say ‘if I were you, I would never pay this.’ In my opinion, I don’t think any student on campus should be paying this.”

The University of Manitoba certainly isn’t on its own as other educational establishments are reporting similar problems. According to a separate report, the University of Calgary also finds itself in a similar position.

The university says that it’s been receiving similar copyright notices since January 2015 and now wants to crackdown on unlawful file-sharing across campus. A meeting took place in August to discuss how the university intends to deal with unauthorized downloading but the problem isn’t straightforward.

“We can certainly track an IP address, but the difficulty is that the owner of that device is not necessarily the downloader of content. Someone can use someone else’s computer without that person’s knowledge,” says provost and vice-president Dru Marshall.

Complications aside, it’s likely that if the flood of notices to universities continue, they could be forced to take more robust action. How that will manifest itself is yet to be seen, but it’s unlikely that copyright trolls will benefit, despite being the main cause of the problem.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

ISP Deletes IP-address Logs to Fend Off Piracy “Extortion Letters”

Post Syndicated from Ernesto original https://torrentfreak.com/isp-deletes-ip-address-logs-fend-off-piracy-extortion-letters-160908/

deleteIn recent years file-sharers around the world have been threatened with lawsuits, if they don’t pay a significant settlement fee.

These so-called “copyright trolling” efforts have been a common occurrence in countries such as Germany and the United States, and last week they started in Sweden as well.

Rightsholders are targeting thousands of alleged pirates. First, they ask the court for a subpoena to expose the personal details of account holders connected to certain IP-addresses, which they then present to the associated ISPs.

Some Internet providers have been cooperating with these requests, but not all. Most notably, the privacy-oriented ISP Bahnhof is doing everything in its power to prevent its customers from being exposed.

This week the ISP explained how its logging policies are tailored to only allow only requests that are made in criminal cases, not civil claims against BitTorrent users or other alleged file-sharers.

In Sweden, ISPs are required to keep IP-address logs for six months under the Electronic Communications Act (LEK). This legislation allows the authorities to demand this type of data in criminal cases, such as those involving murder and terrorism.

To comply with this requirement, Bahnhof has setup a database of logs which are stored for the minimal required period and can be accessed for these cases only. The regular logs are purged immediately.

Bahnhof, illustrating its logging policy

ipbahn

When copyright holders request IP-address details, which they do under the contested IPRED legislation, the ISP simply has nothing to hand over. This is very similar to the non-logging policies of many VPN services.

“We store logs for six months to fight crime, absolutely. But we save everything in a separate system, which is only used for LEK,” Bahnhof CEO Jon Karlung says.

“My impression is that some other operators have their clients’ IP addresses stored in several different places. They then also become more vulnerable to having to disclose data IPRED rules.”

Bahnhof itself has operated like this for years, but now that mass file-sharing cases have landed in Sweden the value of this policy is becoming apparent.

Rightly so, according to the ISP, which says it has found a good way to fend off copyright trolls.

“If all operators stored data the way we do, we would avoid the extortion letters altogether. Because we have the motto ‘Internet privacy’ we are very careful with personal data,” Karlung says.

Bahnhof’s CEO adds that other companies should think more carefully about where data is stored. The more databases there are, the more likely it is that they can be compelled to share subscriber data.

“The more different databases there are, the greater the risk that privacy is compromised,” Karlung adds.

Rick Falkvinge, founder of the Swedish Pirate Party, applauds Bahnhof’s logging policy. He discussed the issue in a recent article and informs TorrentFreak that data retention laws which are supposed to help catch terrorists shouldn’t be used against file-sharers.

“The damage these copyright trolls are doing to society is immeasurable. They were able to get shameless mail-order legislation justified by the war on terror, and are now turning those anti-terrorism laws against defenseless single mothers in order to protect a crumbling entertainment monopoly.

“There is absolutely no reason to tolerate, nor to forgive, this kind of behavior,” he adds

It will be interesting to see whether any of the ISPs currently handing over personal detailed connected to IP-addresses will follow suit and change their policies in the future.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

New – HTTP/2 Support for CloudFront

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/new-http2-support-for-cloudfront/

When I interview a candidate for a technical position, I often ask them to explain what happens when they see a interesting link and decide to click on it. I encourage them to go in to as much detail as they would like. The answers let me know how well they understand and can explain a complex concept. Some candidates will sum up the entire process in a sentence or two. Others have filled an entire whiteboard with detailed diagrams. At a very simple level, here are the steps that I like to see (If you know much about HTTP, you know that I have failed to mention the SSL handshake, cookies, response codes, caches, content distribution networks, and all sorts of other details):

  1. The domain name is converted to an IP address by way of a DNS lookup.
  2. A TCP connection is made to the remote server.
  3. A GET request is issued.
  4. The remote server locates (or generates) the desired content and returns it to fulfill the request.
  5. The TCP connection is closed.
  6. The client processes and displays the result..

A complex web page might contain references to scripts, style sheets, images, and so forth. If this is the case, the entire sequence must be repeated for each reference. On mobile devices, each connection request wakes up the radio, adding hundreds or thousands of milliseconds of overhead (read about Application Network Latency Overhead to learn more).

Amazon CloudFront is a global content distribution network, or CDN. Several of CloudFront’s features help to make the process above more efficient. For example, it caches frequently used content in dozens of edge locations scattered across the planet. This allows CloudFront to respond to requests more quickly and over a shorter distance, thereby improving application performance. With no minimum usage commitments, CloudFront can help you to deliver web sites, videos, and other types of content to your end users in an economical and expeditious way.

New HTTP/2 Support
The retrieval process that I described above contains a lot of room for improvement. Repeated DNS lookups are avoidable, as are TCP connection requests. HTTP/2, a new version of the HTTP protocol, streamlines the process by reusing the TCP connection if possible. This core feature, combined with many other changes to the existing HTTP model, has the potential to reduce latency and to improve the performance of all types of web applications.

Today we are launching HTTP/2 support for CloudFront. You can enable it on a per-distribution basis today and your HTTP/2-aware clients and applications will start to make use of it right away. While HTTP/2 does not mandate the use of encryption, it turns out that all of the common web browsers require the use of HTTPS connections in conjunction with HTTP/2. Therefore, you may need to make some changes to your site or application in order to take full advantage of HTTP/2. Due to the (fairly clever) way in which HTTP/2 works, older clients remain compatible with web endpoints that do support it.

The connection from CloudFront back to your origin server is still made using HTTP/1. You don’t need to make any server-side changes in order to make your static or dynamic content accessible via HTTP/2.

Several AWS customers have already been testing CloudFront’s HTTP/2 support and have seen clear performance improvements. Marfeel is an ad tech platform that helps publishers to create, optimize, and monetize mobile web sites. They told us that CloudFront’s HTTP/2 support has reduced their first-render time by 17%. This allows the sites that they create to consistently load within 0.8 seconds. making them more accessible to mobile readers.

Enabling HTTP/2
To enable HTTP/2 for an existing CloudFront distribution, simply open up the CloudFront Console, locate the distribution, and click on Edit. Then change the Supported HTTP Versions to include HTTP/2:

The change will be effective within minutes and your users should start to see the benefits shortly thereafter. As I noted earlier, HTTP/2 must be used in conjunction with HTTPS. You can use your browser’s developer tools to verify that HTTP/2 is being used. Here’s what I see when I use the Network tool in Firefox:

You can also add HTTP/2 support to Curl and test from the command line:

$ curl --http2 -I https://d25c7x5dprwhn6.cloudfront.net/images/amazon_fulfilment_center_phoenix.jpg
HTTP/2.0 200
content-type:image/jpeg
content-length:650136
date:Sun, 04 Sep 2016 23:32:39 GMT
last-modified:Sat, 03 Sep 2016 15:21:01 GMT
etag:"b95a82b8df7373895a44a01a3c1e6f8d"
x-amz-version-id:fgWz_QaWo_.4GF7_VOl0gkBwnOmOALz6
accept-ranges:bytes
server:AmazonS3
age:644
x-cache:Hit from cloudfront
via:1.1 91e54ea7c5cc54f4a3500c72b19a2a23.cloudfront.net (CloudFront)
x-amz-cf-id:Dr_A3emW7OdxWfs3O0lDZfiBFL7loKMFCP9XC0_FYmCkeRuyXcu5BQ==

Learning More
Here are some resources that you can use to learn more about HTTP/2 and how it can benefit your application:

Available Now
This feature is available now and you can start using it today at no extra charge.


Jeff;

 

Processing VPC Flow Logs with Amazon EMR

Post Syndicated from Michael Wallman original https://blogs.aws.amazon.com/bigdata/post/Tx2Y2H2DYGSEURN/Processing-VPC-Flow-Logs-with-Amazon-EMR

Michael Wallman is a senior consultant with AWS ProServ

It’s easy to understand network patterns in small AWS deployments where software stacks are well defined and managed. But as teams and usage grow, its gets harder to understand which systems communicate with each other, and on what ports. This often results in overly permissive security groups.

In this post, I show you how to gain valuable insight into your network by using Amazon EMR and Amazon VPC Flow Logs. The walkthrough implements a pattern often found in network equipment called ‘Top Talkers’, an ordered list of the heaviest network users, but the model can also be used for many other types of network analysis. Customers have successfully used this process to lock down security groups, analyze traffic patterns, and create network graphs.

VPC Flow Logs

VPC Flow Logs enables the capture of IP information flowing to and from network interfaces within a VPC. Each Flow Log record is a 5-tuple set of 5 different values that specify the source, destination, and protocol for an Internet protocol (IP) flow:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

VPC Flow Logs can be enabled on a single network interface, on a subnet, or an entire VPC. When enabled on the VPC, it begins log collection on all network interfaces within that VPC. In large deployments of tens of thousands of instances, Flow Logs can easily generate terabytes of compressed log data per hour!

To process this data at scale, this post takes you through the steps in the following graphic.

Create the data source

The first challenge is getting structured VPC Flow Log data into Amazon S3. AWS provides a number of tools and services to facilitate this, which can be built by a single CloudFormation stack. Use the flowlogs-vpc-toptalker.json template in the AWS Big Data Blog Github repository, which contains the AWS CloudFormation template, working code, and sample Amazon Kinesis events.

With the template, you can deploy the following workflow in a single command. This design follows a serverless architecture, where no servers need to be managed or maintained.

A VPC Flow Log, or data-source, originates from all elastic network interfaces within a VPC. An IAM role allows the vpc-flow-logs service to write data to a defined log group in Amazon CloudWatch Logs. CloudWatch Log subscriptions allow log data to flow seamlessly into Amazon Kinesis, where AWS Lambda is then configured to batch data, apply some minor filtering and transformation, and then compress and upload to S3.

To get started, simply run the CloudFormation template, and once deployed you can use the AWS-Cli or Console to enable FlowLogs on your VPC. See the CloudFormation stack’s Outputs to determine S3 log location and the command to enable VPC Flow Logs:   

$ aws cloudformation create-stack --stack-name toptalkers --template-body file://flowlogs-vpc-toptalker.json --capabilities CAPABILITY_IAM
... Wait until CREATE_COMPLETE ...
$ aws cloudformation describe-stacks --stack-name toptalkers  --query 'Stacks[].Outputs[?OutputKey==`S3LogLocation`].OutputValue' --output text
toptalkers-bucket-xyukipb8r9x9
$ aws cloudformation describe-stacks --stack-name toptalkers  --query 'Stacks[].Outputs[?OutputKey==`AddFlowLogToVpcCmd`].OutputValue' --output text
aws ec2 create-flow-logs --resource-type VPC --traffic-type ACCEPT --resource-ids <vpc_id> --log-group-name toptalkers-FlowLogs-UNUXO8DD9YLV --deliver-logs-permission-arn arn:aws:iam::XXXXXXXXXXXX:role/toptalkers-FlowLogsToCloudWatch-119JQ3CPHNVM

In the above command, replace VpcId accordingly. In this post, I focus on top-talkers, and so I am only concerned with IP connections that are actually made. Given this, –traffic-type is set to ACCEPT. The created bucket has a seven-day expiration policy.

Pre-process with an AWS Lambda function

As mentioned above, a Lambda function is used for both batching and preprocessing Flow Log data. The following code uses Lambda’s invocation id as the destination object name, and only includes messages that have a log-status of OK. This simplifies the data set, and allows for simplification of the mapper function.

// Set key name 
exports.handler = function(event, context) {
    var key = path + "/" + context.invokeid + ".gz"; 

// Apply message filter 
var fl = JSON.parse(buffer.toString('ascii'));   
data = data.concat(fl.logEvents.map(function(item) {
    return item.message;
})).filter(function(item) {
    return (item.indexOf('OK') == -1) ? false : true;			               
});

After it is running, this Lambda function stores compressed Flow Log network traffic in S3.  To examine Flow Log data being written by the Lambda function, follow the steps below. First, list and then download a single object from the S3 Flow Log target. After you unzip the object, the processed Flow Log data appears.

## List bucket 
$ aws s3 ls s3://toptalkers-bucket-xyukipb8r9x9/flowlogs
2016-02-24 04:25:07        139 00166138-965e-4211-9d03-a53a84b8db2f.gz
2016-02-24 04:30:08       1469 05c1cbd9-bf80-4107-a752-42e199c1040c.gz
...

## Download object format
$  aws s3 cp s3://toptalkers-bucket-xyukipb8r9x9/flowlogs/00166138-965e-4211-9d03-a53a84b8db2f.gz .

## View contents of processed Flow Log data
$ gunzip -c 00166138-965e-4211-9d03-a53a84b8db2f.gz | head
2 998287060599 eni-565b501d 10.0.7.184 104.131.53.252 28159 123 17 9 684 1456287302 1456287888 ACCEPT OK
2 998287060599 eni-565b501d 10.0.7.184 108.61.194.85 23781 123 17 9 684 1456287302 1456287888 ACCEPT OK
2 998287060599 eni-565b501d 10.0.12.219 10.0.7.184 123 123 17 9 684 1456287302 1456287888 ACCEPT OK
2 998287060599 eni-565b501d 10.0.13.221 10.0.7.184 123 123 17 9 684 1456287302 1456287888 ACCEPT OK

NOTE: In some cases, it can take some time (10+ minutes) after you’ve created the Flow Log for the log group to be created and for data to be displayed.

Process with MapReduce

MapReduce processing comes in two Apache Streaming steps, and uses the Hadoop Aggregate package, along with comparator and field selection classes. First, flowlogs-counter.py collapses the input into <src_ip>:<dst_ip>:<dst_port> format, and uses the built-in aggregate reducer to combine like entries.

Below is an excerpt of the flowlogs-counter.py file that formats the messages for use with the aggregate:

## flowlogs-counter summary
for line in fileinput.input("-"):
    i = shlex.split(line.rstrip('\r\n'))
    print "LongValueSum:%s:%s:%s\t%s" % (i[3], i[4], i[6], 1)

## Example output of Step 1 (after reduce)
10.0.0.167:59.72.153.2:56980	1
10.0.0.227:192.88.99.255:0	14
10.0.0.227:52.91.67.35:57942	1
10.0.11.186:10.0.0.227:49813	1
10.0.11.186:10.0.0.227:49850	1
10.0.11.186:10.0.0.227:49874	1
10.0.11.186:10.0.0.227:49933	2
...

The second step uses an awk filter to remove connections outside of well-known ports or system ports. It then uses Hadoop’s comparator class to sort based on the input’s second field, and reverses order with the largest number of connections on top. Finally, a single reducer pipes the output into a compressed gz file on S3.

NOTE: To remove the awk filter, replace with cat as the mapper function.

In essence, this step is Hadoop’s way of parallelizing the shell script below.

## toptalker example in shell
$ hdfs dfs -cat /aggregate-dir/* | awk -F "[:|\t]" '{if($3<=1024) print $0}'| sort -T /mnt -n -r -k2 | gzip > /mnt/toptalkers.gz

NOTE: With in-memory caching and optimized execution, Apache Spark on Hadoop YARN can be used for increased performance. Spark is supported natively by EMR; VPC Flow Log processing with Spark will be addressed in future AWS blog posts.

Run example

With most AWS services, the AWS CLI provides a command line interface to the API; EMR is no exception. The CLI commands can execute the workflow described above.

Step 1: After a sufficient data set is collected, disable VPC Flow Log. Otherwise the single S3 output location becomes infinitely large. For longer-running Flow Log captures, see Amazon Kinesis Firehose.

$ aws ec2 delete-flow-logs --flow-log-ids 

Step 2: Create an emr_toptalker_step.json file.

NOTE: Update all instances of toptalkers-bucket-xyukipb8r9x9 with the bucket created by the CloudFormation stack.  

$ cat emr_toptalker_steps.json
[
  {
    "Name": "flowlogs-counter",
    "Type": "STREAMING",
    "ActionOnFailure": "CANCEL_AND_WAIT",
    "Args": [
      "-files", "s3://aws-big-data-blog/vpc-toptalkers/flowlogs-counter.py",
      "-mapper", "flowlogs-counter.py",
      "-reducer", "aggregate",
      "-input", "s3://toptalkers-bucket-xyukipb8r9x9/flowlogs",
      "-output","s3://toptalkers-bucket-xyukipb8r9x9/aggregate"
    ]
  },
  {
    "Name": "flowlogs-sort",
    "Type": "STREAMING",
    "ActionOnFailure": "CONTINUE",
    "Args": [
      "-D", "mapreduce.job.reduces=1",
      "-D", "mapreduce.output.fileoutputformat.compress=true",
      "-D", "mapreduce.output.fileoutputformat.compress.codec=org.apache.hadoop.io.compress.GzipCodec",
      "-D", "mapreduce.job.output.key.comparator.class=org.apache.hadoop.mapreduce.lib.partition.KeyFieldBasedComparator",
      "-D", "stream.num.map.output.key.fields=2",
      "-D", "mapreduce.partition.keycomparator.options=-k2,2nr",
      "-files", "s3://aws-big-data-blog/vpc-toptalkers/portfilter.awk",
      "-mapper", "portfilter.awk",
      "-reducer", "cat",
      "-input", " s3://toptalkers-bucket-xyukipb8r9x9/aggregate",
      "-output", "s3://toptalkers-bucket-xyukipb8r9x9/toptalker"
    ]
  }
]

Step 3:  Create a cluster and run steps (update <keyname>).

For high traffic VPCs, 10 task nodes per 1000 nodes in the VPC is a good place to start.

$ aws emr create-cluster --release-label emr-5.0.0 --name TopTalker --tags Name=TopTalker --ec2-attributes KeyName= --instance-groups InstanceGroupType=MASTER,InstanceCount=1,InstanceType=r3.4xlarge InstanceGroupType=CORE,InstanceCount=10,InstanceType=m3.2xlarge --use-default-roles --steps file://emr_toptalker_steps.json --auto-terminate

Step 4:  See results in <src_ip>:<dst_ip>:<dst_port>\t<count>.

$ aws s3 cp s3://toptalkers-bucket-xyukipb8r9x9/toptalkers/part-0000.gz toptalker.gz
$ gunzip –c toptalkers.gz
10.0.1.16:10.0.10.253:80	197326
10.0.10.253:10.0.12.140:3306	122012
10.0.2.191:10.0.10.253:80	100947
10.0.2.133:52.35.46.46:80	56462
52.37.13.115:10.0.1.16:80	43416
10.0.2.133:52.36.86.115:80	41085
52.37.13.115:10.0.2.191:80	31257
10.0.4.83:10.0.12.219:80	158

Toptalker transformations

Now that you have a toptalker file in IP format, you can process it outside of Hadoop.

Below are a number of transformations that customers have applied, which in many cases collapsed the file further. For example, you might choose to treat all instances within a Auto Scaling group as a single entry, which can be achieved by converting the IP address to a security group or use the instance name tag. Or you might want to map ports to their service names, i.e., 80  httpd.

The command below is a transformation in the simplest form. Using the CLI, you can quickly create an IP address to security group name mapping.

$ aws ec2 describe-network-interfaces --query 'NetworkInterfaces[].[PrivateIpAddress,Groups[0].GroupName]' --output text
10.0.8.126	WebServerSecurityGroup
10.0.0.167	launch-wizard-3
10.0.5.143	ELBSecurityGroup
10.0.2.133	BastionSecurityGroup
10.0.0.58	ELBSecurityGroup
10.0.12.140	RDSSecurityGroup
...

Conclusion

Looking forward, we would like to start collecting scripts/programs that turn top-talkers into extended and more useful maps. So clone the repo, and get “top talking”!

For more on this subject, see the Security Group Visualization blog post. If you have questions or suggestions, please leave a comment below.

———————–

Related

Securely Access Web Interfaces on Amazon EMR Launched in a Private Subnet

Want to learn more about Big Data or Streaming Data? Check out our Big Data and Streaming data educational pages.

New BBC iPlayer Rules Easily Defeated, Especially via VPN

Post Syndicated from Andy original https://torrentfreak.com/new-bbc-iplayer-rules-easily-defeated-especially-via-vpn-160901/

iplayerlogoTo legally watch broadcast television in the UK, viewers need to buy a TV license. Currently, one of those costs £145.50 per year but there are signs that the numbers of those investing in one have been dwindling.

Aside from the usual license dodgers, some people have legally chosen not to buy a TV license due to increasing volumes of BBC programming being made available on its iPlayer streaming service.

The iPlayer is split into two types of service – live TV and catchup. People viewing live TV, BBC1 for example, have always needed a TV license. However, those watching only catchup TV have been able to do so without parting with £145. This morning all of that changed.

“The law changed on 1 September 2016,” says a notice posted today to the UK’s official TV Licensing site.

“You must be covered by a TV Licence to download or watch BBC programmes on iPlayer – live, catch up or on demand. This applies to any device and provider you use. Don’t forget, you still need a TV Licence to watch or record programmes on any channel as they are being shown on TV or live on an online TV service.”

With the so-called “iPlayer loophole” closed from a legal perspective, eyes are now turning to how this can possibly be enforced. To do so properly, the BBC could provide license payers with a password and username to log into the service. Instead, however, the BBC has chosen to maintain its trust-based service, shown in the image below.

license-1

Simply clicking “I have a TV License. Watch now” is all that’s required to access the service and it’s expected that at least hundreds of thousands will do so without having an appropriate license. So what enforcement options does the BBC and the UK’s TV Licensing body have?

“We know the vast majority of people are law abiding and would anticipate those who need a licence for the first time will buy one,” a TV Licensing spokesperson said today, adding:

“We have a range of enforcement techniques which we will use and these have already allowed us to prosecute people who watch on a range of devices, not just TVs.”

Just as they have been for decades, TV Licensing are deliberately vague about the options available to them, but one thing they won’t be doing is spying on the traffic flying around people’s home wifi networks. That rumor began to circulate earlier this month but the reporting was both sensational and inaccurate. That’s not to say there aren’t options available though.

In ordinary circumstances, anyone who connects to the iPlayer service does so via an IP address allocated to them by their ISP. At this point, the BBC often has a clear idea of which ISPs are being used and the rough geographic location of the IP addresses accessing their service. Useful perhaps, but not particularly so.

Even if your IP address is static (doesn’t change) and you do (or don’t) have a license, TV Licensing and/or the BBC have no easy way of matching that IP address to a TV License payer. Indeed, the IP address they know accessed their service could belong to almost anyone.

Only complicating matters is that a TV license covers an entire household and all of the people in it, regardless of what device they’re using to access the service. Indeed, many IP addresses could be covered under one license. Some of those IP addresses, used by mobile phones for example, could be in an entirely different geographic location.

These variables and numerous others mean that TV Licensing would have huge difficulty trying to use Internet technology to track down unlicensed iPlayer users in the same way that copyright holders might track down BitTorrent pirates.

While the latter knows for sure that no one has permission to be sharing files, the former has no idea whether there is a licensed person behind any IP address. On that basis, getting a court to force ISPs to hand over details would be unlikely, if not impossible. Even if that did happen, the chances of the person having a license or some other mitigating circumstance would be extremely high indeed.

But of perhaps more importance are the chances of TV Licensing and the BBC even trying. By their own estimations around 94% of households have a valid TV license, which means that around the same percentage of UK IP addresses accessing iPlayer are doing so legally. That is not a particularly good starting point for weeding out pirates.

But for those who are truly cautious (or simply using one anyway), accessing the iPlayer from a VPN service is also a possibility. In tests carried out this morning, a properly licensed TF tester accessed iPlayer from three separate VPN services without any issues whatsoever.

Not only did UK-based IP addresses work, but also overseas one too, meaning that foreign users who aren’t eligible to buy a license can also gain access to the service. Indeed, properly licensed UK viewers can also view from a foreign IP address which might initially appear unlicensed. It’s a minefield.

So in conclusion, it seems unlikely that the BBC or TV Licensing will be enforcing illegal use of its iPlayer service in any different manner than it already does for conventional TV.

All households without a license will be gathered into a database and presumed to be TV license dodgers. They will receive letters in the post warning them that not having a license is illegal. However, unless they get caught in the act of viewing, there’s little that can be done to stop them. TV Licensing has no power of entry.

Finally, catchup services offered by other companies other than the BBC aren’t covered, so people can watch ITV Player, 4OD, Demand 5 and any other service such as Netflix without needing any license. That being said, a TV license is just £3 per week and is hardly going to break the bank.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Run Containerized Microservices with Amazon EC2 Container Service and Application Load Balancer

Post Syndicated from Daniele Stroppa original https://aws.amazon.com/blogs/compute/microservice-delivery-with-amazon-ecs-and-application-load-balancers/

This is a guest post from Sathiya Shunmugasundaram, Gnani Dathathreya, and Jeff Storey from the Capital One Technology team.

—————–

At Capital One, we are rapidly embracing cloud-native microservices architectures and applying them to both existing and new workloads. To advance microservices adoption, increase efficiencies of cloud resources and decouple application layer from the underlying infrastructure, we are starting to use Docker to containerize the workloads and Amazon EC2 Container Service (Amazon ECS) to manage them.

Docker enables environment consistency and allows us to spin up new containers in a location (Dev / QA / Performance / Prod) of choice in seconds vs. minutes / hours / days it used to take us in the past.

Amazon ECS gives us a platform to manage Docker containers with no hassle. We chose ECS because of its simplicity in deploying and managing containers. Our API platform is an early adopter and ECS-based deployments quickly became the norm for managing the lifecycle of stateless workloads.

Container orchestration has traditionally been challenging. With the Elastic Load Balancing Classic Load Balancer, we have had limitations routing to multiple ports on the same server and are also unable to route services based on context, which meant that we needed to use one load balancer per service. By using open source software like Consul, Nginx, and registrator it was possible to achieve dynamic service discovery and context based routing but at the cost of adding more complexity and costs for running these additional components.

This post shows how the arrival of the Application Load Balancer has significantly simplified Docker based deployments on ECS and enabled delivering microservices in the cloud with enterprise class capabilities like service discovery, health checks, and load balancing.

Overview of Application Load Balancer

With the announcement of the new Application Load Balancer, we can take advantage of several out of the box features that are readily integrated with ECS. With dynamic port mapping option for containers we can simply register a service with a load balancer, and ECS transparently manages the registration and de-registration of Docker containers. We no longer need to know the host port ahead of time, as the load balancer automatically detects it and dynamically reconfigures itself. In addition to the port mapping, we also get all the features of traditional load balancers, like health checking, connection draining and access logs to name a few.

Similar to EC2 Auto Scaling, ECS also has the ability to auto scale services based on CloudWatch alarms. This functionality is critical as it allows us to scale-in or scale-out based on demand. This feature coupled with the new Application Load Balancer gives us fully-featured container orchestration. The pace at which we can now spin up new applications on ECS has greatly improved and we can spend much less time managing orchestration tools.

The Application Load Balancer also introduces path-based routing. This feature allows us to easily map different URL paths to different services. In a traditional monolithic application, URL paths are often used to denote different parts of the application, for example, http://.com/service1 and http://.com/service2.

Traditionally this was done using a context root in an application server or by using different load balancers for each service. With the new path-based routing, these parts of the application can be split into individual ECS-backed services without changing the existing URL patterns. This makes migrating applications seamless, as clients can continue to call the same URLs. A large monolithic application with many subcontexts like www.example.com/orders, www.example.com/inventory can be refactored into smaller micro services and each such path can be directed to a different target group of servers such as an ECS Service with Docker containers.

Key features of Application Load Balancers include:

  • Path-based routing – URL-based routing policies enable using the same ELB URL to route to different microservices
  • Multiple ports routing on same server
  • AWS integration – Integrated with many AWS services, such as ECS, IAM, Auto Scaling, and CloudFormation
  • Application monitoring – Improved metrics and health checks for the application

Core components of Application Load Balancers include:

  • Load balancer – The entry point for clients
  • Listener – Listens to requests from clients on a specific protocol/port and forwards to one or more target group based on rules
  • Rule – Determines how to route the request – based on path-based condition and priority matches to one or more target groups
  • Target – The entity that runs the backend servers – currently EC2 is the available target group. The same EC2 instance can be registered multiple times with different ports
  • Target group – Each target group identifies a set of backend servers which can be routed based on a rule. Health checks can be defined per target group. The same load balancer can have many target groups

ALB Components

Sample application architecture

In the following example, we show two services with three tasks deployed on two ECS container instances. This shows the ability to route to multiple ports on the same host. Also, there is only one Application Load Balancer that provides path-based routing for both ECS services, simplifying the architecture and reducing costs.

Sample App

Configuring Application Load Balancers

The following steps create and configure an Application Load Balancer using the AWS Management Console. These steps can also be done using the AWS CLI.

    1. Create an Application Load Balancer using the AWS Console
      • Login to the EC2 Console (https://console.aws.amazon.com/ec2)
      • Select Load Balancers
      • Select Create Load Balancer
      • ALB Console

      • Choose Application Load Balancer
    2. Configure Load Balancer
    3. Configure Load Balancer

      • For Name, type a name for your load balancer.
      • For Scheme, an Internet-facing load balancer routes requests from clients over the Internet to targets. An internal load balancer routes requests to targets using private IP addresses.
      • For Listeners, the default is a listener that accepts HTTP traffic on port 80. You can keep the default listener settings, modify the protocol or port of the listener, or choose Add to add another listener.
      • For VPC, select the same VPC that you used for the container instances on which you intend to run your service.
      • For Available subnets, select at least two subnets from different Availability Zones, and choose the icon in the Actions column.
    4. Configure Security Groups
    5. You must assign a security group to your load balancer that allows inbound traffic to the ports that you specified for your listeners.

    6. Configure Routing
      • For Target group, keep the default, New target group.
      • For Name, type a name for the new target group.
      • Set Protocol and Port as needed.
      • For Health checks, keep the default health check settings.

      ALB Routing

    7. Register Targets
    8. Your load balancer distributes traffic between the targets that are registered to its target groups. When you associate a target group to an Amazon ECS service, Amazon ECS automatically registers and deregisters containers with your target group. Because Amazon ECS handles target registration, you do not add targets to your target group at this time.

      ALB Targets

      • Click Next:Review
      • Click Create
    9. Registering Docker containers as a target
      • If you don’t already have an ECS cluster, open the Amazon ECS console first run wizard at https://console.aws.amazon.com/ecs/home#/firstRun.
      • From the ECS Cluster’s Services tab, Click Create
      • Create Service

      • Provide the Task definition for service
      • Provide a Service Name and number of tasks
      • Click the Configure ELB button
      • Choose Application Load Balancer
      • ECS Service ALB

      • Choose the ecsService Role as IAM role
      • Choose the Application Load Balancer created above
      • Select a container that you want the load balancer to use and click Add to ELB
      • ECS Service ALB

      • Select the target group name that was created above
      • Click Save and then Create Service

Cleaning up

  • Using the ECS Console, go to your Cluster and Service, update the number of tasks to 0, and then delete the service.
  • Using the EC2 Console, select the Load Balancer created above and delete.

Conclusion
Docker has given our developers a simplified application automation mechanism. Amazon ECS and Application Load Balancers make it easy to deliver these applications without needing to manage dynamic service discovery, load balancing and container orchestration. Using ECS and Application Load Balancers new services can be deployed in less than 30 minutes and existing services updated with newer versions in less than a minute. ECS automatically takes care of rolling updates and Application Load Balancer takes care of registering new versions quickly and unregistering existing containers gracefully. This not only improves the agility of teams, but also reduces the overall time to market.

New – Run SAP HANA on Clusters of X1 Instances

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/new-run-sap-hana-on-clusters-of-x1-instances/

My colleague Steven Jones wrote the guest post below in order to tell you about an impressive new way to use SAP HANA for large-scale workloads.


Jeff;


Back in May we announced the availability of our new X1 instance type x1.32xlarge, our latest addition to the Amazon EC2 memory-optimized instance family with 2 TB of RAM, purpose built for running large-scale, in-memory applications and in-memory databases like SAP HANA in the AWS cloud.

At the same time, we announced SAP certification for single-node deployments of SAP HANA on X1 and since then many AWS customers have been making use of X1 across the globe for a broad range of HANA OLTP use cases including S/4HANA, Suite on HANA, Business Warehouse on HANA, and other OLAP based BI strategies.  Even so, many customers have been asking for the ability to use SAP HANA with X1 instances clustered together in scale-out fashion.

After extensive testing and benchmarking of scale-out HANA clusters in accordance with SAP’s certification processes we’re pleased to announce that today in conjunction with the announcement of BW/4HANA, SAP’s highly optimized next generation business warehouse, our AWS X1 instances are now certified by SAP for large scale-out OLAP deployments including BW/4HANA for up to 7 nodes or 14 TB of RAM. We are excited to be able to support the launch of SAP’s new flagship Business Warehouse offering BW4/HANA with new flexible, scalable, and cost effective deployment options.

Here’s a screenshot from HANA Studio showing a large (14 TB) scale-out cluster running on seven X1 instances:

And this is just the beginning; as indicated, we have plans to make X1 instances available in other sizes and we are testing even larger clusters in the range of 50 TB in our lab. If you need scale-out clusters larger than 14 TB, please contact us; we’d like to work with you.

Reduced Cost and Complexity
Many AWS customers have also been running SAP HANA in scale-out fashion across multiple R3 instances. This new certification brings the ability to consolidate larger scale-out deployments onto fewer larger instances, reducing both cost and complexity. See our SAP HANA Migration guide for details on consolidation strategies.

Flexible High-Availability Options
The AWS platform brings a wide variety of options depending on your needs for ensuring critical SAP HANA deployments like S/4HANA and BW/4HANA are highly available. In fact, customers who have run scale-out deployments of SAP HANA on premises, or with traditional hosting providers, tell us they often have to pay expensive maintenance contracts in addition to purchasing standby nodes or spare hardware to be able to rapidly respond to hardware failures. Others unfortunately forgo this extra hardware and hope nothing happens.

One particularly useful option customers are leveraging on AWS platform is a solution called Amazon EC2 Auto Recovery.  Customers simply create an Amazon CloudWatch alarm that monitors their EC2 instance(s) which automatically recovers the instance to a healthy host if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. A recovered instance is identical to the original instance, including attached EBS storage volumes as well as other configurations such as hostname, IP address, and AWS instance IDs. Standard pricing for Amazon CloudWatch applies (for example $0.10 per alarm per month us-east). Essentially this allows you to leverage our spare capacity for rapid recovery while we take care of the unhealthy hardware.

Getting Started
You can deploy your own production ready single-node HANA or scale-out HANA solution on X1 using the updated AWS Quick Start Reference Deployment for SAP HANA in less than an hour using well-tested configurations.

Be sure to also review our SAP HANA Implementation and Operations Guide for other guidance and best practices when planning your SAP HANA implementation on Amazon Web Services.

Are you in the Bay Area on September 7 and want to join us for an exciting AWS and SAP announcement? Register here and we’ll see you in San Francisco!

Can’t make it? Join our livestream on September 7 at 9 AM PST and learn how AWS and SAP are working together to provide value for SAP customers.

We look forward to serving you.

Steven Jones, Senior Manager, AWS Solutions Architecture

Indian ISPs Speed Up BitTorrent by ‘Peering’ With a Torrent Site

Post Syndicated from Ernesto original https://torrentfreak.com/indian-isps-speed-bittorrent-peering-torrent-site-160828/

torboxlogoFrom a networking perspective most Internet providers are generally not very happy with BitTorrent users.

These users place a heavy load on the network and can reduce the performance experienced by other subscribers. In addition, the huge amount of data transferred outside the ISPs’ own networks is also very costly.

Some ISPs are trying to alleviate the problem by throttling or otherwise meddling with BitTorrent traffic, but there is a more customer-friendly solution.

Instead of working against their torrenting subscribers, various Internet providers in India have found a win-win solution. They help users to download content faster by linking them to local peers in their own network.

ISPs such as Alliance Broadband, Excitel, Syscon Infoway and True Broadband, have been offering accelerated torrents for a while. Some have had their own custom ‘caching’ setups but increasingly they are teaming up with the torrent search engine Torbox.

While not well-known in the rest of the world, Torbox is a blessing for many Indians who are lucky enough to have an ISP that works with the site.

Through Torbox they can download torrents at speeds much higher than their regular Internet connection allows. This is possible because Torbox links them to peers in the local network, which means that the traffic is free for the ISP.

torboxubuntu

Most people who visit Torbox will see a notice that their ISP doesn’t have a peering agreement. However, for those who have a supporting ISP the torrent site returns search results ordering torrents based on the proximity of downloaders.

Torbox uses downloaders’ IP-addresses to determine who their ISP is and directs them to torrents with peers on the same network.

“It’s a highly sophisticated IP technology based on network proximity,” Torbox explains, adding that every ISP is welcome to sign a peering agreement.

“Then based on your IP address TorBox can estimate how well you are connected to peers who have the content in question. It’s quite a tough job but luckily it works,” they add.

The downloads themselves go through a regular torrent client and don’t use any special trackers. However, the torrent swarms often connect to dedicated “cache peers” as well, which serve bits and pieces to speed up the swarm.

Torbox itself doesn’t get involved in the traffic side, they only point people to the “peering” torrents. The actual peering is handled by other services, such as Extreme Peering, which is operated by Extreme Broadband Services (EBS).

TorrentFreak spoke with EBS director Victor Francess, who says that with this setup most torrent data is served from within the ISP’s own network.

“It all creates a very powerful user experience, so in fact just about 10-20% of all torrent traffic comes from the upstream and everything else is local,” Francess says.

As for the content, Torbox links to the torrents you would generally find on a torrent site. It even has a handy catalog page featuring some recent blockbusters and other popular videos. This page also advertises Strem.io as a service that can be used to stream video torrents directly.

torboxcatalog

TorrentFreak spoke to several Indian Torbox users at different ISPs, who are all pretty happy with the service. It allows them to download torrents at much faster rates than their regular Internet speed.

One user told us that his downloads sometimes reach a 10 MBps download speed, while his Internet connection is capped at 4 MBps.

The ISPs themselves are not too secretive about their peering agreements either. Excited previously advertised the Torbox peering on its main site and others such as Sifi Broadband still do.

torboxpl

Alliance Broadband still lists Torbox in its FAQ at the time of writing, describing it as a “local content search engine” through which subscribers receive files “at ultra-high speed from the other peering users.”

For most outsiders it’s intriguing to see ISPs publicly cooperating with a torrent site, but in India it’s reality.

The question is, however, how long this will last. In recent months piracy has become a hot topic in India, with Bollywood insiders linking it to massive losses and even terrorism.

Ironically, many ISPs have also been ordered by courts to block access to hundreds of piracy sites, including many torrent search engines. For now, however, Torbox remains freely accessible.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Inside ‘The Attack That Almost Broke the Internet’

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/inside-the-attack-that-almost-broke-the-internet/

In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.

The following are excerpts taken verbatim from a series of Skype and IRC chat room logs generated by a group of “bullet-proof cybercrime hosts” — so called because they specialized in providing online hosting to a variety of clientele involved in spammy and scammy activities.

Facebook profile picture of Sven Olaf Kamphuis

Facebook profile picture of Sven Olaf Kamphuis

Gathered under the banner ‘STOPhaus,’ the group included a ragtag collection of hackers who got together on the 17th of March 2013 to launch what would quickly grow to a 300+Gigabits per second (Gbps) attack on Spamhaus.org, an anti-spam organization that they perceived as a clear and present danger to their spamming operations.

The attack –a stream of some 300 billion bits of data per second — was so large that it briefly knocked offline Cloudflare, a company that specializes in helping organizations stay online in the face of such assaults. Cloudflare dubbed it “The Attack that Almost Broke the Internet.

The campaign was allegedly organized by a Dutchman named Sven Olaf Kamphuis (pictured above). Kamphuis ran a company called CB3ROB, which in turn provided services for a Dutch company called “Cyberbunker,” so named because the organization was housed in a five-story NATO bunker and because it had advertised its services as a bulletproof hosting provider.

Kamphuis seemed to honestly believe his Cyberbunker was sovereign territory, even signing his emails “Prince of Cyberbunker Republic.” Arrested in Spain in April 2013 in connection with the attack on Spamhaus, Kamphuis was later extradited to The Netherlands to stand trial. He has publicly denied being part of the attacks and his trial is ongoing.

According to investigators, Kamphuis began coordinating the attack on Spamhaus after the anti-spam outfit added to its blacklist several of Cyberbunker’s Internet address ranges. The following logs, obtained by one of the parties to the week-long offensive, showcases the planning and executing of the DDoS attack, including digital assaults on a number of major Internet exchanges. The record also exposes the identities and roles of each of the participants in the attack.

The logs below are excerpts from a much longer conversation. The entire, unedited chat logs are available here. The logs are periodically broken up by text in italics, which includes additional context about each snippet of conversation. Also please note that the logs below may contain speech that some find offensive.

====================================================================

THE CHAT LOG MEMBERS
————————————————————
Aleksey Frolov : vainet[dot]biz, vainet[dot].ru, Russian host.
————————————————————
Alex Optik : Russian ‘BP host’. AKA NEO
————————————————————
Andrei Stanchevici : secured[dot]md Moldova
————————————————————
Cali : Vitalii Boiko AKA Vitaliyi Boyiko AKA Cali Yhzar, alleged by Spamhaus to be dedicated crime hosters urdn[dot]com.ua AKA Xentime[dot]com AKA kurupt[dot]ru
————————————————————
Darwick : Zemancsik Zsolt, 23net[dot]hu, Hungarian host.
————————————————————
eDataKing : Andrew Jacob Stephens, Ohio/Florida based spamware seller formerly listed on Spamhaus’s Register of Known Spam Operations (ROKSO). Was main social media mouthpiece of Stophaus (e.g. see @stophaus). Andrew threatens to sue everyone for libel, and is likely to show up in the comments below and do the same here.
————————————————————
Erik Bais : A2B Internet, Netherlands
————————————————————
Goo : Peter van Gorkum AKA Gooweb.nl, alleged by Spamhaus to be a botnet supplier in the Netherlands.
————————————————————
Hephaistos : AKA @AnonOps on Twitter
————————————————————
HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Sven Olaf Kamphuis
AKA Cyberbunker AKA CB3ROB
————————————————————
Karlin König : Suavemente/SplitInfinity, San Diego based host.
————————————————————
marceledler : German hoster that Spamhaus says has a history of hosting spammers, AKA Optimate-Server[dot]de
————————————————————
Mark – Evgeny Pazderin : Russian, alleged by Spamhaus to be hoster of webinjects used for man-in-the-middle attacks (MITM) against online banking sessions.
————————————————————
Mastermind of Possibilities : Norman “Chris” Jester AKA Suavemente/SplitInfinity, alleged by Spamhaus to be San Diego based spam host.
————————————————————
Narko :Sean Nolan McDonough, UK-based teenager, trigger man in the attack. Allegedly hired by Yuri to perform the DDoS. Later pleaded guilty to coordinating the attack in 2013.
————————————————————
NM : Nikolay Metlyuk, according to Spamhaus a Russian botnet provider
————————————————————
simomchen : Simon Chen AKA idear4business counterfeit Chinese products, formerly listed on Spamhaus ROKSO.
————————————————————
Spamahost : As its name suggests, a Russian host specializing in spam, spam and spam.
————————————————————
twisted : Admin of Cyberbunker[dot]com
————————————————————
valeralelin : Valerii Lolin, infiumhost[dot]com, Ukraine
————————————————————
Valeriy Uhov : Per Spamhaus, a Russian ‘bulletproof hoster’.
————————————————————
WebExxpurts : Deepak Mehta, alleged cybercrime host specializing in hosting botnet C&Cs. AKA Turbovps (<bd[at]turbovps[dot]com>).
————————————————————
wmsecurity : off-sho[dot]re ‘Bulletproof’ hoster. Lithuania. AKA “Antitheist”. Profiled in this story.
————————————————————
Xennt : H.J. Xennt, owner of Cyberbunker.
————————————————————
Yuri : Yuri Bogdanov, owner of 2×4[dot]ru. According to Spamhaus, 2×4[dot]ru is a longtime spam friendly Russian host, formerly part of Russian Business Network (RBN). Allegedly hired Narko to launch DDoS attack against Spamhaus.
============================================================

[17.03.2013 19:51:31] eDataKing: watch the show: http://www.webhostingtalk.com/showthread.php?t=1247982
[17.03.2013 19:52:02] -= Darwick =-: hell yeah! :)
[17.03.2013 19:52:09] -= Darwick =-: hit them hard :)
[17.03.2013 19:54:07] -= Darwick =-: is that a ddos attack?
[17.03.2013 19:54:56] eDataKing: but let’s forget what it is and focus on it’s consequence lol 😉

====================================================================

A number of chat members chastise eDataKing for incessantly posting comments to what they refer to as “nanae,” a derisive reference to the venerable USENET anti-spam list (news.admin.net-abuse.email) that focused solely on exposing spammers and their spamming activities. eDataKing is flustered and posting on nanae with rapid-fire, emotional replies to anti-spammers, but his buddies don’t want that kind of attention to their cause.

[17.03.2013 20:27:57] Mastermind of Possibilities: Andrew why are you posting in nanae? Stop man lol

====================================================================

Some of the chat participants begin debating whether they should consider adopting residence in a country that does not play well with the United States in terms of extradition.

[18.03.2013 02:28:30] eDataKing: what about a place that takes an ex-felon from the US for citizenship or expat?

====================================================================

The plotters begin running scans to find misconfigured or ill-protected systems that can be enslaved in attacks. They’re scanning the Web for domain name servers (DNS) systems that can be used to amplify and disguise or “reflect” the source of their attacks. Narko warns Sven about trying to enlist servers hosted by Dutch ISP Leaseweb, which was known to anticipate such activity and re-route attack traffic back to the true source of the traffic.

[18.03.2013 16:39:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: is just global transit thats filtered with them
[18.03.2013 16:39:33] narko: they change the ip back to your real server ip
[18.03.2013 16:39:38] narko: you will ddos your own server if you try this attack at leaseweb
[18.03.2013 16:39:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[18.03.2013 16:39:50] Antitheist: what about root.lu?
[18.03.2013 16:39:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: very creative of them
[18.03.2013 16:39:55] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[18.03.2013 16:40:21] Antitheist: and nforce
18.03.2013 16:49:22] Antitheist: i host many cc shops, they even appeared on krebs blog 😀
[18.03.2013 16:49:27] narko: where?

At around 4 p.m. GMT that same day, Sven announces that the group’s various cyber armies had succeeded in knocking Spamhaus off the Internet. Incredibly, Sven advertises his involvement with the group to all 3,850 of his Facebook friends.

17.03.2013 22:30:01] my 3850 facebook friends <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> www.spamhaus.org still down, and that criminal bunch of self declared internet dictators will still remain down, until our demands are met <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> over 48h already <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> resolving your shit. end of the line buddy <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> should have called and paid for the damages.
[17.03.2013 22:25:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: rokso no longer exists haha
[17.03.2013 22:29:51] Mastermind of Possibilities: Where is that posted ?
[17.03.2013 22:30:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: my 3850 facebook friends 😛
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you know, stuff people actually -use-… unlike smtp and nntp
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[17.03.2013 22:30:23] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP:facebook.com/cb3rob

====================================================================

Spamhaus uses a friendly blog — Wordtothewise.com — to publish an alert that it is “under major dDos.” While Spamhaus is offline, various parties to the attack begin hatching ways to take advantage by poisoning search-engine results so that when one searches for “Spamhaus,” the first several results instead redirect to Stophaus[dot]org, the forum this group set up to coordinate the attacks.

w2tw

18.03.2013 13:09:09] Alex Optik:http://www.stopspamhaus.org/2013_02_01_archive.html
[18.03.2013 13:09:35] Alex Optik: as i see there is already has same projects
[18.03.2013 13:09:59] narko: (wave)
[18.03.2013 13:10:17] eDataKing: that site is owned by a person in this group Alex
stealing seo to bump spamhaus while it’s offline 3 days
[18.03.2013 16:14:14] Antitheist: do you mind if we put spamhaus metatags on stophaus?
[18.03.2013 16:14:24] Antitheist: so we can come up first on google soon 😀
file fake info alert to ICANN
[18.03.2013 16:26:45] narko: Your report concerning whois data inaccuracy regarding the domain spamhaus.org has been confirmed. You will receive an email with further details shortly. Thank you.
[18.03.2013 16:29:26] narko: Any future correspondence sent to ICANN must contain your report ID number.
Please allow 45 days for ICANN’s WDPRS processing of your Whois inaccuracy
claim. This 45 day WDPRS processing cycle includes forwarding the complaint
to the registrar for handling, time for registrar action and follow-up by
ICANN if necessary.

====================================================================

Sven Kamphuis then posts to Pastebin about “OPERATION STOPHAUS,” a tirade that includes a lengthy list of demands Sven says Spamhaus will have to meet in order for the DDoS attack to be called off. Meanwhile, another spam-friendly hosting provider — helpfully known as “Spamahost[dot].com,” joins the chat channel. At this point, the attack has kept Spamhaus.org offline for the better part of 48 hours.

Narko's account on Stophaus.

Narko’s account on Stophaus.

[19.03.2013 00:02:43] Yuri: another one hoster, spamahost.com added.
[19.03.2013 00:02:48] Yuri: i hope he can help with some servers.
[19.03.2013 00:02:57] spamahost: Will do ^^ :)
[19.03.2013 00:05:49] eDataKing: be safe when accessing this link, but there was an edu writeup:http://isc.sans.edu/diary/Spamhaus+DDOS/15427
[19.03.2013 00:05:51] spamahost: Spamhaus can blow me.
[19.03.2013 00:06:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: me too 😛
[19.03.2013 00:06:20] spamahost: What software you using to send out attacks?
[19.03.2013 00:06:22] spamahost: IRC and bots?
[19.03.2013 00:06:28] Yuri: spamhaus like spamahost very very much.
[19.03.2013 00:06:35] Yuri: that’s the realy true love
[19.03.2013 00:06:37] spamahost: Yes they love us
[19.03.2013 00:38:20] Yuri: MEGALOL
[19.03.2013 00:38:27] Yuri: spamhaus is down 3 days
[19.03.2013 00:38:58] Yuri: this is the graph of our mail server http://mx1.2×4.ru/cgi-bin/mailgraph.cgi
that shows amount of spam rejected by our mail server.
last days there are much less SPAm
[19.03.2013 00:39:13] Yuri: http://mail.2×4.ru same graph here.

====================================================================

The Stophaus members discover that Spamhaus is now protected by Cloudflare. This amuses the Stophaus members, who note that Spamhaus has frequently listed large swaths of Cloudflare Internet addresses as sources of spam.

cloudflare

[19.03.2013 00:47:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare
[19.03.2013 00:47:48] Antitheist: fuck who would believe
[19.03.2013 00:48:10] Antitheist: after they listed all cloudlares /24 for being criminal supportive because of free reverse proxying
[19.03.2013 00:49:11] Antitheist: here we go again…
[19.03.2013 00:49:12] Antitheist: http://www.spamhaus.org/sbl/query/SBL179312
[19.03.2013 00:49:14] Antitheist: lol
[19.03.2013 00:49:46] Antitheist: it had been officialy bought…b-o-u-g-h-t
[19.03.2013 00:50:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[19.03.2013 00:50:57] Antitheist: narko?
[19.03.2013 00:51:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: k… just take down the spamhaus.org nameservers…all 8 of em
[19.03.2013 00:51:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after all the client on cloudflare is ‘spamhaus.eu’
[19.03.2013 00:51:33] Cali: spamhaus under cloudflare?
[19.03.2013 00:51:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they still need the spamhaus.org nameservers for that and their shitlist to work
[19.03.2013 00:51:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: yeah with spamhaus.eu
[19.03.2013 00:51:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which is a cname to spamhaus.org
[19.03.2013 00:51:59] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so just take out the 8 spamhaus nameservers and stop targetting the old website
[19.03.2013 00:52:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ALSO takes out their dns shitlists…
[19.03.2013 00:52:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: indirectly
[19.03.2013 00:52:22] Yuri: that’s a fuck. a lot of work for us
[19.03.2013 00:53:20] Yuri: may be just let’s make cloudflare down ?
[19.03.2013 00:53:29] Antitheist: thats hard yuri
[19.03.2013 00:53:31] Yuri: so they will refuse any spamhaus
[19.03.2013 00:53:43] Antitheist: you need to cripple level3 and nlayer
[19.03.2013 00:54:04] Antitheist: |OR|
[19.03.2013 00:54:12] Antitheist: you need to spend too much traffic
[19.03.2013 00:54:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: new target… the 8 nameservers of spamhaus.org… and still smtp-ext-layer.spamhaus.org ofcourse
[19.03.2013 00:54:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no morewww.spamhaus.org
[19.03.2013 00:54:24] Antitheist: since cloudflares packages are traffic volume priced
[19.03.2013 00:55:44] Karlin Konig: I don’t think they are charging spamhaus
[19.03.2013 00:56:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as stated before, unfair competition, in many ways
[19.03.2013 00:56:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lulz
[19.03.2013 00:57:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm is cloudflare hosting? or a reverse proxy?
[19.03.2013 00:57:57] Cali: reverse proxy.
[19.03.2013 00:58:00] Yuri: reverse
[19.03.2013 00:58:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as when its a reverse proxy, it probably goes to that spamhaus.as1101.net box
[19.03.2013 00:58:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: aka, surfnet.
[19.03.2013 01:00:10] Cali: already offline 😀
[19.03.2013 01:00:17] Cali: This website is offline
[19.03.2013 01:02:26] narko: I will make down their cloudflare 😉 if I have enough free servers
[19.03.2013 01:02:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they moved it to cloudlfare
[19.03.2013 01:02:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 01:02:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then just go for the nameservers on spamhaus.org
[19.03.2013 01:02:49] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which also breaks their dns shitlist
[19.03.2013 01:02:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after 24h
[19.03.2013 01:02:55] Cali: usually websites use cloudflare dns as well.
[19.03.2013 01:02:58] Cali: so they might change soon.
[19.03.2013 01:03:03] Cali: I think you should give them some hope
[19.03.2013 01:03:10] Cali: because they will be so proud to bring it back
[19.03.2013 01:03:14] Cali: then you switch it off again :)
[19.03.2013 01:03:20] Cali: they will rage :)
[19.03.2013 01:03:23] Karlin Konig: it’s down again
[19.03.2013 01:03:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they do… spamhaus.EU is on cloudflare dns
[19.03.2013 01:03:25] Karlin Konig: lol
[19.03.2013 01:03:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP:spamhaus.org… is on spamhaus dns
[19.03.2013 01:03:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: for the very obvious reason that they have 70 dns shitlist servers in that zone
[19.03.2013 01:03:49] Cali: yeah but I think they might change that soon.
[19.03.2013 01:03:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and those use their weird rotating system
[19.03.2013 01:03:54] Cali: ahah
[19.03.2013 01:03:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare can’t do that
[19.03.2013 01:04:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they can’t change the domain of the dns shitlist
[19.03.2013 01:04:05] Cali: even with the paid version?
[19.03.2013 01:04:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so they have to keep that
[19.03.2013 01:04:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: soo… if they come up again, just kill the dns servers on their main domainspamhaus.org
[19.03.2013 01:04:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[19.03.2013 01:04:33] Cali: ok, now it is online and responds.
[19.03.2013 01:04:50] narko: ok
[19.03.2013 01:04:52] narko: moment
[19.03.2013 01:05:07] Cali:http://www.spamhaus.org/images/spamhaus_dnsbl_basic.gif “meet spamhaus policy”
[19.03.2013 01:05:07] Cali: lol
[19.03.2013 01:05:14] Cali: like IPs have to meet Spamhaus policies
[19.03.2013 01:05:18] Cali: lol
[19.03.2013 01:05:24] narko: they are using the cloudflare paid plan
[19.03.2013 01:05:31] narko: as they have 5 IP
[19.03.2013 01:05:31] narko: not 2
[19.03.2013 01:05:44] narko: i think it means that cf will keep them longer
[19.03.2013 01:05:46] narko: :(
[19.03.2013 02:09:03] narko: added some extra gbit/s to two dns servers that seemed half-up :) lets see if google dns renews it now
[19.03.2013 02:09:28] Yuri: fuck.. no dns resolve :))))
[19.03.2013 02:09:45] narko: (mm)
[19.03.2013 02:09:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: when -these- time out, they’re out of business
[19.03.2013 02:10:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: <<>> DiG 9.8.1-P1 <<>> A b.ns.spamhaus.org
[19.03.2013 08:01:24] Yuri: good morning
[19.03.2013 08:01:32] Yuri: it was short night for me…. fuck
[19.03.2013 08:01:40] Yuri: spamhaus is down ? again :) ?
[19.03.2013 08:02:09] Yuri: looks it’s some our friend work
[19.03.2013 08:10:30] simomchen: how about we hijack spamhaus’s IP together , if can not take them down again ?
[19.03.2013 08:10:59] Yuri: we would like to.
[19.03.2013 08:11:08] Yuri: but we need upstream who will allow us to do that
[19.03.2013 08:11:25] simomchen: we can just announce those over IX exchange
[19.03.2013 08:11:34] simomchen: them , do not need upstream allow this
[19.03.2013 08:11:39] nmetluk: Russian upstreams allow:)
[19.03.2013 08:13:10] Yuri: (at least we have one good russian upstream here)
[19.03.2013 08:14:15] Yuri: spamhaus desided to bring some shit sbls toinfiumhost.com, /22 listed just for nothing.and some extra SBLs to pinspb
[19.03.2013 08:14:28] eDataKing: that is how they do it
[19.03.2013 08:14:35] eDataKing: that is why it is terrorism
[19.03.2013 08:14:57] simomchen: SH will force upstreams disconnect them
[19.03.2013 08:15:05] simomchen: that’s their next step
[19.03.2013 08:15:15] Yuri: they are too big to be disconneted
[19.03.2013 08:15:22] eDataKing: yes, the upstream does not really make the decision because the decision is coerced through damages
[19.03.2013 08:15:43] eDataKing: who is too big to be disconnected?
[19.03.2013 08:16:03] simomchen: infiumhost.com ?
[19.03.2013 08:16:31] Yuri: pinspb.ru
[19.03.2013 08:16:33] Yuri: gpt.ru
[19.03.2013 08:16:42] Yuri: and other that was with some new sbls today
[19.03.2013 08:16:50] Yuri: currenty it’s just nothing serious
[19.03.2013 08:16:58] Yuri: they keep searching
[19.03.2013 08:24:33] simomchen: Donate to the fund needed to shut SH down for good. Send your donations via Bitcoin to 17SgMS56W6s1oMU7oEZ66NFkbEk1socnTJ

====================================================================

At this point, several media outlets begin erroneously reporting that the DDoS attack on Spamhaus and Cloudflare is the work of Anonymous (probably because Kamphuis ended his manifesto with the Anonymous tagline, “We do not forgive. We do not forget”).

[19.03.2013 12:35:51] Antitheist: lol, anonymous indonesia took the responsibility for the spamhaus ddos
[19.03.2013 12:35:51] Antitheist: https://twitter.com/anonnewsindo
[19.03.2013 12:36:38] Antitheist: wait no, its all over softpedia! hahaha
[19.03.2013 12:37:31] Antitheist: http://news.softpedia.com/news/Anonymous-Hackers-Launch-DDOS-Attack-Against-Spamhaus-338382.shtml
[19.03.2013 12:46:11] narko: http://www.spamhaus.org/sbl/query/SBL179322
[19.03.2013 12:46:39] Antitheist: http://www.spamhaus.org/sbl/query/SBL179321
[19.03.2013 12:55:30] Yuri: people report that MAIL from spamhaus start working
[19.03.2013 12:55:42] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: oeh! spam!
[19.03.2013 12:56:03] Antitheist: the mail is their weakest point, since cloudflare cannot protect it
[19.03.2013 12:56:22] Antitheist: so we need to hit there. the result means no SBL removals :)
[19.03.2013 12:56:33] Antitheist: mad mad admins pulling off hair 😀
[19.03.2013 14:46:09] Yuri: news.softpedia.com
[19.03.2013 14:46:16] Antitheist: they think its anonymous because of Svens pastebin
[19.03.2013 14:46:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: also good
[19.03.2013 14:46:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then the rest of anon also thinks its anon 😛
[19.03.2013 14:47:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and starts to help
[19.03.2013 14:47:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 14:47:17] Yuri: wow what a news
[19.03.2013 14:47:17] Antitheist: lol anon-amplification yeah
[19.03.2013 14:47:26] Yuri: spamhaus says in twitter that softpedia new is false
[19.03.2013 14:47:29] Yuri: :)))
[19.03.2013 14:47:40] Yuri:http://www.spamhaus.org/news/article/693/softpedia-publish-misleading-story-of-anonymous-attack-on-spamhaus
[19.03.2013 15:10:05] eDataKing: 1. Let them think Anons were behind it and do not dispute
[19.03.2013 15:10:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: can’t sign up for twitter as i don’t have any working email lol
[19.03.2013 15:10:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: edataking: its allready all over the press that its not anons lol.
[19.03.2013 15:10:22] Antitheist: I know Mohit from thehackernews, if it gets posted there it will soon be viral
[19.03.2013 15:10:26] eDataKing: or 2. Remind them that Anons are everyone and Anonymous as a group did not orchestrate it
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at least in .nl its quite clear that its the republic cyberbunker and others
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: haha
[19.03.2013 15:10:58] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that anon also has some ehm… stuff to ‘arrange’ with spamhaus, is a different story
[19.03.2013 15:11:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: *points out that over half of my facebook friends have the masks anyway*
[19.03.2013 15:11:28] eDataKing: Anonymous name gets major media
[19.03.2013 15:11:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and that i’m still officially the PR guy for anonymous germany
[19.03.2013 15:14:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: y my name don’t fit twitter..
[19.03.2013 15:14:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: HRH Sven Olaf Prince
getting twitter accounts shut down, listing stophaus on the sbl.

====================================================================

Spamhaus has by now worked out the identity of many Stophaus members, and has begun retaliating at them individually by listing Internet addresses tied to their businesses and personal life. Here, Narko reveals that he runs his own (unprofitable) hosting firm that Spamhaus found and listed it as an address to be blocked because it was hosting stophaus[dot]org.

[19.03.2013 17:50:04] narko: im back
[19.03.2013 17:50:25] narko: the nameservers for stophaus need to be changed
[19.03.2013 17:51:04] narko: spamhaus SBLed my site and my host will terminate me unless spamhaus tells them that it’s ok
[19.03.2013 17:51:08] narko: fucking internet police
[19.03.2013 17:52:57] eDataKing: ok, what are we changing them to?
[19.03.2013 17:53:40] narko: i will set up dns servers on my home connection
[19.03.2013 17:53:41] narko: lol
[19.03.2013 17:53:45] narko: i dont think my isp gives a shit
[19.03.2013 17:53:48] narko: i’m alraedy in PBL
[19.03.2013 17:53:56] eDataKing: lol, as long as you are safe
[19.03.2013 17:53:59] narko: what does it matter if i’m in SBL? 😛
[19.03.2013 17:54:04] narko: well.. as long as they won’t ddos me
[19.03.2013 17:54:05] eDataKing: ok, then it should be all good
[19.03.2013 17:54:06] narko: I have a static ip
[19.03.2013 17:54:18] eDataKing: what about your upstream?
[19.03.2013 17:54:50] narko: I want to buy a /24 and host this just to fuck spamhaus
[19.03.2013 17:54:57] narko: anyone selling /24 😛 i pay €200
[19.03.2013 17:55:34] narko: i cannot believe that my host is telling me i need to leave for a fake SBL listing that is not even hosted at their network
[19.03.2013 17:55:38] Yuri: they will list all network at once and put upsteam
[19.03.2013 17:55:39] narko: why do they listen to spamhaus..?
[19.03.2013 18:21:28] simomchen: let me make a CC to them in China
[19.03.2013 18:21:35] eDataKing: then this will kill them in the end
[19.03.2013 18:21:49] Antitheist: https://www.cloudflare.com/business
[19.03.2013 18:22:10] Yuri: stophaus.com moved to new DNS.
[19.03.2013 18:22:16] simomchen: I brought 50K adsl Broilers just now
[19.03.2013 18:22:48] eDataKing: Then their DNS is a ticking timebomb dependent on public support. They don’t have a lot of that left
[19.03.2013 18:23:46] Yuri: 50k of what?
[19.03.2013 18:23:52] Antitheist: DNS of stophaus should be hosted on cloudflare imho
[19.03.2013 18:24:13] Antitheist: they will be afraid to list it lol
[19.03.2013 18:24:20] simomchen: 50000 ADSL broilers zombies , hehe
[19.03.2013 18:24:23] Yuri: cloudflare will kick off
[19.03.2013 18:24:27] Yuri: oohh.. shit.
[19.03.2013 18:24:48] Yuri: we need a plan how to fight :)
[19.03.2013 18:27:02] simomchen: Antitheist:
<<< we need bots that will do large POST requests on the search form of ROKSOyes, that’s CC attack I said just now. ROKSO is not big enought , I’m CC their http://www.spamhaus.org/sbl/latest/ currently
[19.03.2013 18:27:11] simomchen: do not know cloudflare can handle that
[19.03.2013 18:27:24] Antitheist: SBL are not in mysql
[19.03.2013 18:27:53] Antitheist: there is no search on the DB when you request them [19.03.2013 18:28:06] eDataKing: true
[19.03.2013 18:28:12] Antitheist: but a search form, any of them, must have at least 1 SELECT statement [19.03.2013 18:28:15]
simomchen: okay, http://www.spamhaus.org/rokso/ how about this page ?
[19.03.2013 18:28:23] Antitheist: yes, see the search form
[19.03.2013 18:28:27] eDataKing: RBLs are on a Logistics server at abuseat.org
[19.03.2013 18:28:29] Antitheist: you need to post long random shit there
[19.03.2013 18:28:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: SBL157600 5.157.0.0/22 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation) SBL157599 5.153.238.0/24 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation)
[19.03.2013 18:28:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 18:28:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wasn’t he in here the other day 😛
[19.03.2013 18:28:46] eDataKing: at least the cbl is
[19.03.2013 18:28:54] eDataKing: yes
[19.03.2013 18:28:59] eDataKing: He left?
[19.03.2013 18:29:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: dunno
[19.03.2013 18:29:05] simomchen: okay, let me make a ‘search’
[19.03.2013 18:29:08] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: changed names?
[19.03.2013 18:29:12] eDataKing: maybe
[19.03.2013 18:29:21] eDataKing: that was who I thought Darwin was
[19.03.2013 18:29:47] eDataKing: like he changed his name in the middle of a conversation
[19.03.2013 18:29:54] eDataKing: and Darwin picked up the chat
[19.03.2013 18:29:54] Antitheist: oh good news, its available in GET as well
[19.03.2013 18:30:01] Antitheist: http://www.spamhaus.org/rokso/search/?evidence=LONGSHITGOESHERE
[19.03.2013 18:30:40] eDataKing: They are desperate to take down the content though
[19.03.2013 18:30:55] eDataKing: I knew they would be scared to show their faces to public scrutiny
[19.03.2013 18:36:03] Yuri: SBL179370 66.192.253.42/32 twtelecom.net 19-Mar 15:15 GMT Suavemente/SplitInfinity/Innova Direct
: Feed to Jelly Digital (AS4323 >>> AS33431)
SBL179369 4.53.122.98/32 level3.net
19-Mar 15:03 GMT Suavemente/SplitInfinity/Innova Direct : Feed to Critical Data Network, Inc. (AS3356 >>> AS53318) spamhaus started to fuck hardly everywhere. they are angry.
[19.03.2013 18:37:39] Antitheist: no mercy anymore, everyone who they scraped out of stophaus members gets the entire /24 listed in ROKSO :)
[19.03.2013 18:37:40] simomchen: cloudflare service them , we are angry too
[19.03.2013 18:40:35] simomchen: but if the ddos keeping , I think spamhaus would go bankrupt
[19.03.2013 18:40:52] narko: they won’t go bankrupt
[19.03.2013 18:40:55] narko: he will just buy a smaller boat
[19.03.2013 18:41:00] simomchen: because cloudflare must charge tons of money form them
[19.03.2013 18:41:34] simomchen: what they can do in that boat ? if they do not pay to cloudflare , they will down again
[19.03.2013 18:41:48] narko: cloudflare only cost $200 per month
[19.03.2013 19:02:27] Yuri: For SBLs spamhaus
use
[19.03.2013 19:02:27] Yuri:
<<< http://stopforumspam.com/
https://www.projecthoneypot.org/ – этот точно
https://zeustracker.abuse.ch/
https://spyeyetracker.abuse.ch/those sites 100%
[19.03.2013 19:02:39] narko: ok let’s make these down 😉
[19.03.2013 21:32:06] narko: i run my host company since FEB 2012 and i am still losing like 350$ per month lol
[19.03.2013 21:32:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ve been doing it commercially since 1996 on ‘cb3rob’
[19.03.2013 21:32:34] eDataKing: how much would that be?
[19.03.2013 21:32:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and well.. there are times where it runs at a loss 😛
[19.03.2013 21:32:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and there are times where it makes heaps 😛
[19.03.2013 21:32:55] narko: i have not had a single month
[19.03.2013 21:33:01] narko: where the costs of servers+licenses were covered..
[19.03.2013 21:33:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you don’t have your own servers either/
[19.03.2013 21:33:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: ?
[19.03.2013 21:33:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just reselling?
[19.03.2013 21:33:32] narko: rent server, install cpanel, advertise
[19.03.2013 21:33:33] narko: (y)
[19.03.2013 21:33:45] eDataKing: agreed
[19.03.2013 21:33:54] narko: but I think soon i will buy my own servers and colo
[19.03.2013 21:33:56] narko: it will be cheaper
[19.03.2013 21:34:04] eDataKing: agreed as well
[19.03.2013 21:34:06] narko: the problem is
[19.03.2013 21:34:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i’d say thats the only way to do it 😛
[19.03.2013 23:43:05] narko: i don’t understand this
[19.03.2013 23:43:16] narko: how can cloudflare take 100gbps of udp and latency is not even increased by 1ms
[19.03.2013 23:47:05] Antitheist:http://www.apricot2013.net/__data/assets/pdf_file/0009/58878/tom-paseka_1361839564.pdf
[19.03.2013 23:47:19] Antitheist: CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally
[19.03.2013 23:47:23] Antitheist: they are used to it
[19.03.2013 23:47:49] narko: when they were hosting at rethem hosting
[19.03.2013 23:47:52] narko: I took down sprint
[19.03.2013 23:47:54] narko: i took down level3
[19.03.2013 23:47:56] narko: i took down cogent
[19.03.2013 23:48:06] narko: but cloudflare nothing!
[19.03.2013 23:48:26] narko: back in 2009 cloudflare went down with 10gbps
[19.03.2013 23:48:28] narko: all down..
[19.03.2013 23:49:34] narko: o i’m causing some dropped packets now 😛
[19.03.2013 23:56:06] Cali: narko, was it you who DDoSed us like a year and half ago ? 😀
[19.03.2013 23:56:14] narko: what network?
[19.03.2013 23:56:27] narko: or site
[19.03.2013 23:56:32] narko: sent it me in private chat and i can tell you
[20.03.2013 00:05:39] narko: http://i.imgur.com/M2mbNE0.png
[20.03.2013 00:05:44] narko: Spamhaus cloudflare current status
[20.03.2013 00:05:48] narko: with over 100Gbps of attack traffic
[20.03.2013 00:07:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm does this affect other cloudflare customers, as in that case its bye bye spamhaus pretty soon
[20.03.2013 00:07:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 00:07:49] narko: i dont know
[20.03.2013 00:07:56] narko: i hope so because i cant keep such traffic up for a long time
[20.03.2013 00:08:02] narko: it’s probably closer to 200 than 100 Gbps
[20.03.2013 00:08:07] Cali: it will be harder than that I think.
[20.03.2013 00:09:35] Cali: no more icmp @cloudflare?
[20.03.2013 00:09:52] narko: 7 * * * Request timed out.

[20.03.2013 00:22:24] Antitheist: they list every IP/DNS that resolves stophaus in any way
[20.03.2013 00:22:31] narko: “Please update us when this client no longer utilises *any* part of our network so we can get back in touch with Spamhaus.”
[20.03.2013 00:22:35] Antitheist: we can change it every hour and block the entire internet lol
[20.03.2013 00:22:47] narko: They do not understand the word “THIS CLIENT HAS NOTHING TO DO WITH YOUR NETWORK”
[20.03.2013 00:22:53] narko: they treat it like it’s a request from law enforcement
[20.03.2013 00:22:56] narko: not some moron on a boat
[20.03.2013 00:47:00] Antitheist: so whats up with wordtothewise
[20.03.2013 00:47:02] narko: i only met you peoples on friday and never heard of most of you before then 😛
[20.03.2013 00:47:29] eDataKing: lol, I just talk like I know everyone
[20.03.2013 00:47:48] eDataKing: It’s better than being secretive. I get nervous around quite people.
[20.03.2013 00:47:59] eDataKing: I think they are plotting on me lol 😉
[20.03.2013 00:48:01] narko: I said too much already in this chat
[20.03.2013 00:48:04] narko: I’m expecting the raid soon
[20.03.2013 00:48:06] narko: 😛

====================================================================

Narko has directed most of his botnet resources at Cloudflare now instead of Spamhaus, and the group is surprised to see Spamhaus go offline when it was hidden behind Cloudflare’s massive DDoS protection resources. Also, Yuri enlists the help of some other attackers to join in the assault.

[20.03.2013 01:00:32] Antitheist: This website is offline. No cached version is available
[20.03.2013 01:00:33] Antitheist: LOL
[20.03.2013 01:00:47] narko: lol
[20.03.2013 01:00:50] narko: not working for me either
[20.03.2013 01:00:56] Antitheist: narko you are the king
[20.03.2013 01:00:59] Antitheist: haha
[20.03.2013 01:01:00] narko: i didnt do anything
[20.03.2013 01:01:03] narko: i was just attacking cloudflare
[20.03.2013 01:01:16] Antitheist: well, thats not something they wanted to have
[20.03.2013 01:01:17] narko: see now its back up :(
[20.03.2013 01:01:36] Cali: It is offline here.
[20.03.2013 01:01:44] Antitheist: off…
[20.03.2013 01:01:45] narko: it went down again
[20.03.2013 01:01:51] narko: and back
[20.03.2013 01:03:11] Cali: yup
[20.03.2013 01:04:33] narko: let’s create some more records
[20.03.2013 01:04:36] narko: for DNS of stophaus
[20.03.2013 01:04:47] narko: dummy records, such as the IP of softlayer.com , etc
[20.03.2013 01:04:55] narko: it won’t affect the site because it will just try from the next server
[20.03.2013 01:05:01] narko: but they’re going to SBL some big sites
[20.03.2013 01:05:02] narko: lol
[20.03.2013 01:05:47] Antitheist: it will create more damage if we list MTAs
[20.03.2013 01:06:06] narko: ok let’s see
[20.03.2013 01:06:20] narko:
[20.03.2013 02:16:57] narko: Cloudflare changed the ips
[20.03.2013 02:16:59] narko: put only 2 IPs now
[20.03.2013 02:17:05] narko: will move attack to these IPs
[20.03.2013 02:18:24] narko: also I have a friend with a small botnet. I asked him to contribute
[20.03.2013 02:19:45] Yuri: i see.
[20.03.2013 02:19:59] Yuri: i asked some hackers to assist also
[20.03.2013 02:20:31] narko: my friend is in saudi arabia. he has bots in arab regions. will provide some diversity to the attack.
[20.03.2013 02:20:52] Yuri: spamhaus sbl site is the high end of iceberg
[20.03.2013 02:21:11] Yuri: did you try to put down spamhas relates sites?
[20.03.2013 02:21:23] narko: after spamhaus.org main site :))
[20.03.2013 02:21:55] narko: i am just getting very annoyed at this company now
[20.03.2013 02:22:08] narko: i just received 2 minutes ago “We are sorry to inform that your account has been terminated.” from my host.
[20.03.2013 02:22:14] narko: due to SBL
[20.03.2013 02:22:43] Yuri: on what host?
[20.03.2013 02:22:52] narko: EuroVPS.com
[20.03.2013 02:23:02] Yuri: write me pm what do you need
[20.03.2013 03:13:26] narko: lets host here
[20.03.2013 03:13:38] narko:http://www.beltelecom.by/business/hosting/virtual-dedicated-server
[20.03.2013 03:13:45] narko: i dont think they can even speak english. to read the abuse report from spamhaus. 😀
[20.03.2013 03:14:03] Cali: lol
20.03.2013 17:07:45] eDataKing: lol
[20.03.2013 17:27:58] narko: looks like one of the cloudflare dc is down
[20.03.2013 17:28:08] narko: previously my connection to spamhaus was to amsterdam
[20.03.2013 17:28:10] narko: now it’s to paris :)
[20.03.2013 17:28:53] simomchen: keeping ddos them , then , cloudflare will cick SH out
[20.03.2013 17:29:03] narko: i am adding more
[20.03.2013 17:29:20] narko: if you know anyone with botnet – ask them to help too. there will be a point where even the $2000 cloudflare enterprise plan is not worth it to them.
[20.03.2013 17:31:42] simomchen: maybe someone joined us. SH released xxx is making ddos them. and some other guys saw this.but do not connect us. they was blackmailed by SH before. so , it’s a hidden retaliation time for them
[20.03.2013 17:32:04] narko: hope so
[20.03.2013 17:32:09] narko: it seems they split the load between 2 dc [datacenters] actually
[20.03.2013 17:32:12] Antitheist: who is ddosing them?
[20.03.2013 17:32:17] narko: spamhauas has 2 ip and 1 is amsterdam other is paris
[20.03.2013 17:32:18] Antitheist: where did you see it idear4business
[20.03.2013 17:33:16] Yuri: look, there too much people who is not active here. may be we could remove them from this chat ?
[20.03.2013 17:33:29] narko: yes I think that’s good idea. there’s some people who i have never seen one messaage
[20.03.2013 17:33:48] simomchen: they do not wanna to show their identity, just wanna to make retaliation. I guess those. can not seeing this. but at least , some of our clients also joined , and making ddos SH from China. they hate spamhaus , because SH made their domains ‘clent hold’ (over 50000 domains) in the passed year
[20.03.2013 17:33:49] Yuri: let’s create new one subchat and move there. how is the idea?
[20.03.2013 17:34:32] Antitheist: spamhaus made 500 of my domains hold
[20.03.2013 17:34:38] narko: everyone who has bp host
[20.03.2013 17:34:40] Antitheist: cnobin, its a bizcn reseller
[20.03.2013 17:34:46] narko: hijack the botnets of your clients and ddos spamhaus 😛
[20.03.2013 17:34:51] Antitheist: lol)))
[20.03.2013 17:35:14] narko: my experience with BP hosts – you can always get some free bots from whoever used the IP previously :))))
[20.03.2013 17:35:27] Antitheist: if you have the same panel
[20.03.2013 17:35:40] narko: well I just adapt my software to accept their commands
[20.03.2013 17:35:41] simomchen: no need to hijack , if our clients wanna to ddos someone , they will buy some botnets. it’s cheap in China , like 0.01 EUR/each
[20.03.2013 17:35:44] narko: most of them are not encrypted at all
[20.03.2013 17:35:45] NM: :)
[20.03.2013 17:35:50] simomchen: Sven also know that
[20.03.2013 17:35:56] narko: each bot?
[20.03.2013 17:36:01] simomchen: yes
[20.03.2013 17:36:06] simomchen: ADSL bot
[20.03.2013 17:36:10] narko: what is the upload speed of china ADSL?
[20.03.2013 17:36:16] simomchen: with dynamic IP
[20.03.2013 17:36:24] simomchen: just 50-100Kbps
[20.03.2013 17:36:40] narko: we need some netherland/sweden/romania bots 😛
[20.03.2013 17:36:49] narko: they have 100mbps or more
[20.03.2013 17:37:04] NM: In Russia too
[20.03.2013 17:37:33] simomchen: SH is not works in China till now. and sometime , they are going up down up down.
[20.03.2013 17:38:09] narko: spamhaus can make down .cn domains ?
[20.03.2013 17:38:18] Yuri: yes.
[20.03.2013 17:38:39] simomchen: our clients is selling something to EU and US, so , they do not use .cn
[20.03.2013 17:38:50] simomchen: usually , they use .com/net
[20.03.2013 17:39:16] narko: they should apply for a new tld
[20.03.2013 17:39:17] narko: .ugg
[20.03.2013 17:39:33] simomchen: yes
[20.03.2013 17:39:51] Antitheist: .rx
[20.03.2013 17:39:54] Yuri: )))))
[20.03.2013 17:40:09] Yuri: .ugg (y)
[20.03.2013 17:40:17] narko: (sun)
[20.03.2013 17:40:43] narko: i hosted botnets under .w2c.ru domain
[20.03.2013 17:41:10] narko: and the domain was not made down
[20.03.2013 17:41:34] Yuri: hey. wtf, it’s my domain :)
[20.03.2013 17:41:41] narko: yes I had dedicated server
[20.03.2013 17:41:44] narko: free subdomain
[20.03.2013 17:41:57] Yuri: :O:D
[20.03.2013 17:42:11] narko: but i needed to move
[20.03.2013 17:42:19] narko: because a big ISP in Europe blocked all your ip range 😛
[20.03.2013 17:42:26] narko: i lost half my bots
[20.03.2013 17:44:53] narko: ok. currently i have running against spamhaus:
[20.03.2013 17:45:15] narko: ~100Gbps UDP
~ 20M pps TCP
~ 65k req/s HTTP
distributed between the 2 IP
[20.03.2013 17:45:21] narko: cloudflare must remove them soon..
[20.03.2013 17:45:21] narko: cloudflare must remove them soon.
[20.03.2013 19:25:20] narko: i think spamhaus wrote to my pamyent processor
[20.03.2013 19:25:23] narko: has it happened before?
[20.03.2013 19:25:44] narko: an IP address started to browse my site. assigned to 2Checkout Inc. now my merchant account is put into a review status.
[20.03.2013 19:27:32] eDataKing: How did they get your processor’s info?
[20.03.2013 19:27:43] narko: they require it to be written in the site
[20.03.2013 19:27:48] narko: “Services provided by 2Checkout Inc”
[20.03.2013 19:27:51] eDataKing: Also, they tried that with my Paypal account for 3 years. We are still Top-Tier members
[20.03.2013 19:28:03] eDataKing: they reviewed the records and it took 6 hours to be restored
[20.03.2013 19:28:18] eDataKing: no other complaint ever made it past the first level of abuse
[20.03.2013 19:28:20] narko: lol
[20.03.2013 19:28:31] narko: someone called paypal and said i was threatening to kill them unless they paid me money
[20.03.2013 19:28:34] narko: and my account was limited for a week

====================================================================

At this point, Narko is sending between 150-300 Gbps of packet love at Cloudflare’s major datacenter Internet addresses. Cloudflare.com briefly goes offline. Cloudflare publishes a blog post stating that the attack was successfully handled and mitigated by Cloudflare. Narko disagrees, saying Cloudflare was able to mitigate the attack because he paused it. Spamhaus posts an update on the ongoing attacks, claiming that most of its operations are returning to normal.

Narko shares this screenshot in the chat forum. It shows that the attack on Cloudflare is at more than 100 Gbps, which is more than enough to knock most sites offline.

Narko shares this screenshot in the chat forum. It shows that the attack on Cloudflare is at more than 100 Gbps, which is more than enough to knock most sites offline.

20.03.2013 19:58:21] narko: did someone else start attack to cloudflare? their site is even down now :))
[20.03.2013 19:58:27] Yuri: we need to post it to the public, in twitter and etc?
[20.03.2013 20:33:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ll just break the god damn internet if thats what it takes 😛
[20.03.2013 20:33:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 20:46:19] eDataKing: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
[20.03.2013 20:46:38] eDataKing: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
[20.03.2013 20:46:43] eDataKing: they mitigated it?
[20.03.2013 20:46:45] eDataKing: news to me
[20.03.2013 20:47:11] eDataKing: hmm
[20.03.2013 20:47:12] eDataKing: CloudFlare’s own history grew out of Project Honey Pot, which started as an automated service to track the resources used by spammers and publishes the HTTP:BL.
[20.03.2013 20:47:21] eDataKing: good data
[20.03.2013 20:47:24] eDataKing: didn’t know that
[20.03.2013 20:48:53] eDataKing: Beginning on March 18th?
[20.03.2013 20:48:59] eDataKing: that is factually incorrect
[20.03.2013 20:51:11] narko: reading now
[20.03.2013 20:51:47] eDataKing: the attack did not start a day before their great admins mitigated it
[20.03.2013 20:51:54] eDataKing: is it even mitigated?
[20.03.2013 20:52:12] narko: hehehehe :)))))))))))))))))))))
[20.03.2013 20:52:15] narko: this is like 140Gbps
[20.03.2013 20:52:27] eDataKing: lol
[20.03.2013 20:52:37] eDataKing: don’t look like mitigation to me lol
[20.03.2013 20:52:57] eDataKing: Their article almost reads as a challenge
[20.03.2013 20:53:14] narko: I stopped the attack
[20.03.2013 20:53:25] narko: i am generating a new dns list. then I will start again and it will be over 200 gbps
[20.03.2013 20:53:30] narko: the current list is quite old

====================================================================

Narko grows concerned about getting busted because Andrew (eDataKing) mistakenly published on the anti-spam Google Group forum NANAE a screenshot that included Narko’s Skype screen name. Helpfully for the U.K. authorities closing in on him, Narko provides a link to view the screenshot that includes what he identifies as his Skype screen name.

Narko's screen as he's in the middle of launching attacks on Spamhaus. A portion of his Skype address at the time can be seen in the upper right corner of the screenshot.

Narko’s screen as he’s in the middle of launching attacks on Spamhaus. A portion of his Skype address at the time can be seen in the upper right corner of the screenshot.

20.03.2013 21:08:59] eDataKing: lol,
[20.03.2013 21:08:59] eDataKing: This morning at 09:47 UTC CloudFlare effectively dropped off the Internet. The outage affected all of CloudFlare’s services including DNS and any services that rely on our web proxy. During the outage, anyone accessing CloudFlare.com or any site on CloudFlare’s network would have received a DNS error. Pings and Traceroutes to CloudFlare’s network resulted in a “No Route to Host” error.
[20.03.2013 21:09:15] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[20.03.2013 21:09:25] eDataKing: sry, that was on 03-03
[20.03.2013 21:09:27] eDataKing: not related
[20.03.2013 21:09:38] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: someone was doing it better than narko ?
[20.03.2013 21:09:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wth
[20.03.2013 21:09:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 21:09:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: get that guy in here too haha
[20.03.2013 21:09:57] eDataKing: wait to see what narko does next though
[20.03.2013 21:15:03] Yuri: spamhaus down ?
[20.03.2013 21:15:07] Yuri: cloudflare shows down
[20.03.2013 21:15:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: nope
[20.03.2013 21:15:38] eDataKing: nope
[20.03.2013 21:19:37] narko: we need to find more people.
[20.03.2013 21:19:49] narko: cloudflare network just has a lag with my attack
[20.03.2013 21:20:00] narko: my attack + some botnets will take them down entirely. then they have no choice but to kick spamhaus.
[20.03.2013 22:24:39] narko: who posted the screenshot on nanae please remove it
[20.03.2013 22:24:41] narko: it has written my skype name
[20.03.2013 22:24:59] narko: t.ravis
[20.03.2013 22:25:04] eDataKing: that was the indian
[20.03.2013 22:25:13] eDataKing: you said to post it
[20.03.2013 22:25:22] eDataKing: I’ll tell him
[20.03.2013 22:25:31] eDataKing: I don’t think it can be removed though
[20.03.2013 22:25:52] eDataKing: argh, why didn’t you edit that image?
[20.03.2013 22:26:01] eDataKing: I will be sure to check all images from here out
[20.03.2013 22:26:11] eDataKing: but doesn’t the image only say probing?
[20.03.2013 22:26:24] narko: no it has my skype username
[20.03.2013 22:26:27] narko: i didn’t expcet it to be posted
[20.03.2013 22:26:29] narko: i just said
[20.03.2013 22:26:31] narko: narko:
<<< http://i.imgur.com/prDIVYU.png — current status
[20.03.2013 22:27:51] Yuri: don’t see any info on screenshot
[20.03.2013 22:28:09] eDataKing: I see all but the last digit
[20.03.2013 22:28:16] eDataKing: enough to run a trace on that skype account
[20.03.2013 22:28:28] eDataKing: but nothing incriminating
[20.03.2013 22:28:48] eDataKing: don’t they already blame you though?
[20.03.2013 22:28:59] narko: no one on nanae/spamhaus knows about me
[20.03.2013 22:29:03] eDataKing: I’ll tell the indian to wait for approval bwefore posting anything else
[20.03.2013 22:29:16] eDataKing: I will also look at the images if there are any more screens
[20.03.2013 22:29:38] eDataKing: can you grab a new skype account and nix this one just in case?
[20.03.2013 22:29:44] narko: i am just worried. because it has my skype name < i am uploaded the image from my home connection, and FBI in USA already has a case on me ddosing before, they were going to people in america and asking them questions about me
[20.03.2013 22:29:44] narko: no
[20.03.2013 22:29:45] narko: its fine for me
[20.03.2013 22:29:48] narko: for now *
[20.03.2013 22:29:50] eDataKing: you said this one was for this session only right?
[20.03.2013 22:29:53] narko: yes
[20.03.2013 22:30:22] eDataKing: the image won’t have any hex code though because it is on imgur
[20.03.2013 22:30:24] Yuri: other solution – is to upload same imase from other IPs
[20.03.2013 22:30:31] eDataKing: yes
[20.03.2013 22:30:36] Yuri: so they have to think who is that was…
[20.03.2013 22:30:41] eDataKing: oh, gotcha
[20.03.2013 22:30:44] eDataKing: yeah
[20.03.2013 22:31:13] eDataKing: I am so used to be completly anon that I would have never imagined you imported that from home
[20.03.2013 22:31:54] eDataKing: can you delete it from imgur?
[20.03.2013 22:32:30] eDataKing: I want to mitigate any issues because the indian is my dude and I feel responsible for what he did
[20.03.2013 22:32:34] narko: no
[20.03.2013 22:32:37] narko: nothing will happen
[20.03.2013 22:32:41] narko: nothing has ever happened
[20.03.2013 22:40:58] narko: but I ran an illegal site (carding, ddos, etc) from 2010-2012 and 90% customers were US
[21.03.2013 03:40:43] narko: well i’m going to sleep
[21.03.2013 03:40:49] narko: wll attack cloudflare again tomorrow :)

====================================================================

Stophaus claims victory when Spamhaus moves off of Cloudflare’s network and over to Amazon. The Stophaus members begin planning their next move.

[21.03.2013 10:00:21] eDataKing: CBL (cbl,http://t.co/M9Jz8KKvi5) is up again, after a heavy DDOS. It is now protected through amazon cloud. #spamhaus
[21.03.2013 10:14:19] simomchen: so , SH have separated , and protedted by 2 cloud ?
[21.03.2013 10:14:54] eDataKing: yep
[21.03.2013 10:15:10] eDataKing: but they are only buying a short amlunt of time really
[21.03.2013 10:16:23] simomchen: they must have a contract with cloudflare and amazon , once ddos leave over 7 days. maybe, they will break the contract with these 2 companies
[21.03.2013 13:19:10] Antitheist: congratilations narko your SBL was removed
[21.03.2013 13:19:25] narko: after 3 days 😛 I’m still moving. I have server from new DC in russia now
[21.03.2013 13:19:31] Antitheist: pin?
[21.03.2013 13:19:34] narko: yes
[21.03.2013 13:20:02] narko: I will not deal with the british datacenters any more
[21.03.2013 13:20:08] narko: even swiftway didn’t give a shit about the SBL
[21.03.2013 13:20:18] narko: but Racksrv treats it like they’re the secret police
[21.03.2013 14:15:03] Yuri: looks spamhaus pissed off
they try to piss everywhere
[21.03.2013 14:15:07] Yuri: SBL179470
217.65.0.0/22 citytelecom.ru
21-Mar-2013 11:59 GMT
Spammer hosting (escalation)
[21.03.2013 14:15:30] narko: is this for providing connectivity to 2×4?
[21.03.2013 14:15:35] narko: or another
[21.03.2013 14:15:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no this is for being russians haha
[21.03.2013 14:15:46] narko: lol
[21.03.2013 14:16:00] Yuri: he provide us and some others.
[21.03.2013 14:16:02] NM: i cant open their site
[21.03.2013 14:42:49] Yuri: i found why
——————
spamahost wrote yesturday in facebook.
One of our VPS nodes is undergoing a node transfer. We are moving the “Zeus” node to a different upstream (which now supports full emailing!), as well as upgraded hardware. Please check your emails for more information, as well as your client areas!
——————-
and his website was on our network.
[21.03.2013 14:42:57] Yuri: so spamhaus pissed on it.
[21.03.2013 15:17:13] narko: i go to feed my addiction to chinese food now.brb
[21.03.2013 15:17:40] narko: when i’m back in few minutes. let’s ddos some more shit
[21.03.2013 15:17:41] narko: (hug)

====================================================================

Spamhaus succeeds in getting Stophaus[dot]org suspended at the domain registry level. This angers Prinz Sven, who begins coming unglued — threatening to attack or harm the domain registrar and anyone else involved in the suspension. Sven even goes so far as to post a manifesto on his Facebook account, taking on the persona of a pirate and lobbing threats of additional DDoS attacks as well as physical violence against Spamhaus members.

[21.03.2013 17:35:41] Antitheist: fuckers
[21.03.2013 17:35:42] narko: fuck! how they did this
[21.03.2013 17:35:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm?
[21.03.2013 17:35:57] Antitheist: who are ahnames?
[21.03.2013 17:36:02] narko: advanced hosters ltd
[21.03.2013 17:36:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: say what
[21.03.2013 17:36:18] narko: the domain is suspended
[21.03.2013 17:36:22] narko: by the registrar
[21.03.2013 17:36:45] Antitheist: what kind of a shit registrar was it
[21.03.2013 17:36:59] narko: www.ahnames.com
[21.03.2013 17:37:03] Antitheist: webnames.ru or naunet.ru are pissing on spamhaus
[21.03.2013 17:37:13] Antitheist: had to get domain from them
[21.03.2013 17:37:19] narko: well now nothing can be done
[21.03.2013 17:37:21] Antitheist: its still possible to transfer
[21.03.2013 17:37:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then do so
[21.03.2013 17:37:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: to -their- domain registrar 😛
[21.03.2013 17:37:56] narko: gandi is a bad registrar
[21.03.2013 17:46:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Domain Name: STOPHAUS.COM

Abuse email: abuse@ahnames.com

DOMAIN SUSPENDED DUE TO VIOLATION OF OUR TOS
Arr! · · Promote
now turn it back on before we send those 80gbit/s down your ass.
[21.03.2013 17:47:02] narko: you have very big balls
[21.03.2013 17:47:12] narko: writing ddos threads on facebook? I would not even do that and I am the person doing th attacks 😛 lol
[21.03.2013 17:47:21] narko: threats *
[21.03.2013 17:47:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: who cares, they just ddossed us 😛
[21.03.2013 17:47:40] Yuri: most men in this chat are with big balls.
[21.03.2013 17:47:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: by disabling the domain without a proper excuse
[21.03.2013 17:47:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so might as well disable theirs
[21.03.2013 17:47:53] eDataKing: what’s wrong with ahnames?
[21.03.2013 17:47:56] eDataKing: what did they do?
[21.03.2013 17:47:59] narko: they banned the domain
[21.03.2013 17:48:01] Yuri: did somebody stoped our domain ?
[21.03.2013 17:48:02] narko: suspended it
[21.03.2013 17:48:09] Yuri: wtf
[21.03.2013 17:48:10] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: actually i threattened to have steve linford terminated physically a minute before that on my own profile
[21.03.2013 17:48:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[21.03.2013 17:48:14] Yuri: we could change to RU
[21.03.2013 17:48:17] Yuri: stophaus.ru
[21.03.2013 17:48:19] Goo: xD
[21.03.2013 17:48:19] eDataKing: then we should hit them
[21.03.2013 17:48:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just call them and have em turn it back on
[21.03.2013 17:48:26] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: or else we take THEM down
[21.03.2013 17:48:29] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that
[21.03.2013 17:48:32] narko: we need .com back because it’s already in google, linked in pages, etc
[21.03.2013 17:48:32] eDataKing: suspending the domain is a direct challenge
[21.03.2013 17:48:41] eDataKing: yes, the .com needs up
[21.03.2013 17:49:01] eDataKing: We need to contact ahnames and tell them to allow us to transfer the domain
[21.03.2013 17:49:06] Yuri: we need to transfer it to nic.ru
[21.03.2013 17:49:07] eDataKing: they have allowed it before
[21.03.2013 17:49:13] Yuri: they not slose it.
[21.03.2013 17:49:16] narko: domain transfer takes 5-6 days
[21.03.2013 17:49:18] Yuri: they have balls
[21.03.2013 17:49:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: im going to announce ALL of their motherfucking nameservers.
[21.03.2013 17:49:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: need to make some changes
[21.03.2013 17:49:27] Yuri: ok
[21.03.2013 17:49:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm wait better not do that lol
[21.03.2013 17:49:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ehm would cost us quite a few peerings haha
[21.03.2013 17:49:49] eDataKing: no, it is way faster
[21.03.2013 17:49:58] narko: it doesnt mtater
[21.03.2013 17:50:00] narko: matter
[21.03.2013 17:50:04] narko: you are already offline from most locations
[21.03.2013 17:50:05] narko: :))
[21.03.2013 17:50:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they responded
[21.03.2013 17:50:50] narko: facebook asks me to log in to see it
[21.03.2013 17:50:51] narko: what a joke
[21.03.2013 17:50:56] narko: i will never register to that site
[21.03.2013 17:51:50] eDataKing: if we show them that we will not tolerate them playing spamhaus games they may see that it could cost them to do so
[21.03.2013 17:52:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Sven Olaf Kamphuis how about, its not a question, we know damn well that steve linford of spamhaus has been spreading lies again, this here undermines our freedom of speech, after all there is nothing on that forum that isn’t done 904903 times as much by spamhaus itself… so, if you’re not with us, you’re against us. turn it back on or we turn YOU OFF.
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis there is no clause in your TOS that states you have to be friends with ‘spamhaus’
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis so take your pick… 80gbit/s up your ass, orrrr… turning the domain back on
a few grains o’ sand ago · Arr!
[21.03.2013 17:52:25] eDataKing: perfect Sven
[21.03.2013 17:52:29] eDataKing: that is what they need to hear
[21.03.2013 17:53:01] Yuri: stophaus.org also our domain?
[21.03.2013 17:53:17] Goo: haha nice sven
[21.03.2013 17:53:22] Goo: they will be scared
[21.03.2013 17:53:32] Goo: otherwise they’re fucked haha
[21.03.2013 17:53:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: send them a few packets so they know
[21.03.2013 17:54:03] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: ddos on that ahnames for like 1 minute
[21.03.2013 17:54:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[21.03.2013 17:54:05] Yuri: also .to – they will not close, they ignore everything
[21.03.2013 17:54:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we;re not gonna change the god damn domain name
[21.03.2013 17:54:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’re gonna make them turn it back on
[21.03.2013 17:54:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that.
[21.03.2013 17:56:16] Goo: i’m bored, shall i hack spamhaus?
[21.03.2013 17:56:27] Yuri: +1
[21.03.2013 17:56:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: goo: sure 😛
[21.03.2013 17:56:44] Goo: alright
[21.03.2013 17:56:48] Goo: Goo grabs some donuts
[21.03.2013 17:56:55] Goo: let do this
[21.03.2013 17:57:34] eDataKing: ok, I just collabed with my buddy here he has a good sugg.
[21.03.2013 18:15:24] Cali: your stophaus is offline.
[21.03.2013 18:15:25] Cali: what happened?
[21.03.2013 18:15:37] narko: the domain got suspended by the registrar
[21.03.2013 18:15:47] Cali: lame.
[21.03.2013 18:16:07] Cali: but you should have never registered a .com
[21.03.2013 18:16:23] Antitheist: its not about the tld its about the registrar
[21.03.2013 18:16:55] Antitheist: normal registrar will not suspend domains because of some stupid threats
[21.03.2013 18:17:33] Yuri: Cali, go other chat
[21.03.2013 18:17:40] Yuri: new one
[21.03.2013 18:17:43] Cali: well if it has not been suspended by the .tld then that’s even more lame.
[21.03.2013 18:17:53] Cali: new one?
[21.03.2013 18:18:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as far as i recall marco rinaudo ran a registrar…
[21.03.2013 18:42:32] Valeriy Uhov: today spamhaus very angry
[21.03.2013 18:42:37] Valeriy Uhov: lists everybody
[21.03.2013 18:43:00] narko: yes they listed /25 of hostkey and /25 of burstnet
[21.03.2013 18:43:02] narko: really angry 😀
[21.03.2013 18:43:14] eDataKing: yeah, they are definitely fighting back
[21.03.2013 18:43:18] Yuri: spamhaus should be blind
[21.03.2013 18:43:39] Yuri: we can make a lit what spamhaus can;t close
[21.03.2013 18:43:44] eDataKing: but why wouldn’t they…this is very likely to be their version of Custard’s Last Stand
[21.03.2013 18:44:11] Yuri: like twitter, email account, icq, facebook, home LAN ADSL IP, domains in the next zones like .ru, .su, .to
[21.03.2013 18:44:27] Valeriy Uhov: .ru and .su it closes
[21.03.2013 18:44:39] Yuri: if botnets- yes. its ok.
[21.03.2013 18:44:45] Yuri: but for other things – they can’t close.
[21.03.2013 18:44:49] Yuri: my layer is the guard.
[21.03.2013 18:44:51] Valeriy Uhov: they close for spam
[21.03.2013 18:44:53] Valeriy Uhov: etc
[21.03.2013 18:44:59] eDataKing: what is spam again?
[21.03.2013 18:45:37] Yuri: for INFORMATION: write to other one chat
[21.03.2013 18:45:47] Valeriy Uhov: which one?
[21.03.2013 18:46:09] Valeriy Uhov: http://en.wikipedia.org/wiki/Spam
[21.03.2013 18:48:50] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: steve linford has -6- people on facebook that like his wikipedia page.
[21.03.2013 18:48:53] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: -6- 😛
[21.03.2013 18:48:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so why even bother lol
[22.03.2013 04:18:56] valeralelin: http://clip2net.com/s/4MLYWZ
[22.03.2013 04:41:13] narko: (party)
[22.03.2013 04:46:07] valeralelin: i can get more documents about sh
[22.03.2013 04:50:22] narko: get a document with his real address on it
[22.03.2013 04:50:25] narko: not some virtual offices
[22.03.2013 04:54:08] edataking: let me see that one
[22.03.2013 04:54:17] edataking: post under his name in the records area
[23.03.2013 16:41:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: its running into the 95% percentile bandwith billing on cloudflare’s transits atm
[23.03.2013 16:41:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and cloudflare has network issues, so at some point they’ll have to boot spamhaus as it affects their other clients
[23.03.2013 16:42:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at which point, spamhaus has nowhere else to go that can cover them 😛
[23.03.2013 16:42:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i doubt google is stupid enough to take them lol 😛

====================================================================

The Skype chat goes quiet at this point and resumes four weeks later. Narko’s worries about his Skype screen name showing up in a screenshot that eDataKing posted to anti-spam forum turn out to be warranted: It is this very screenshot that authorities in the United Kingdom use to later track him down and arrest him.

In April 2013, Kamphuis is arrested in Spain and eventually sent back to the Netherlands, where he is currently on trial. He publicly denies being involved in launching the attacks on Spamhaus.

Narko was a juvenile when he was arrested by the U.K.’s National Crime Agency (NCA); when the NCA raided Narko’s home, they found his computer still logged in to crime forums, and they seized £70,000 from his bank account (believed to be payments for DDoS attacks). Narko later pleaded guilty to coordinating the attacks, but because of his age and in return for cooperating with the NCA he avoided a jail term.

[26.04.2013 18:36:32] Hephaistos: guys
[26.04.2013 18:36:49] Hephaistos: I just got noticed in the news that sven got arrested
[26.04.2013 18:39:39] ??????? ?????: where in the new
[26.04.2013 18:39:39] ??????? ?????: news
[26.04.2013 18:40:40] Hephaistos:
http://translate.google.be/translate?sl=nl&tl=en&u=http%3A%2F%2Fwww.telegraaf.nl%2Fbinnenland%2F21518021%2F
__Nederlander_aangehouden_in_Spanje_vanwege_cyberaanvallen__.html
[26.04.2013 18:40:43] Hephaistos: dutch news
[26.04.2013 18:45:05] Hephaistos: his large-scale DDoS attacks last
month were also performed on Spamhaus partners in the Netherlands, the
United States and Great Britain. The attackers were using fake IP addresses.
As yet, no evidence that the cyber attack on Spamhaus related to the
attacks are later deployed to include banks, payment system iDeal and
DigiD. The house of the suspect, who lives in Barcelona, ??is examined.
Is expected to K. transferred to the Dutch Public Prosecution Service.
[26.04.2013 19:12:40] Hephaistos: http://translate.google.be/translate?sl=nl&tl=en&u=http%3A//www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 19:18:48] The STOPhaus Movement: I thought something was wrong
[26.04.2013 19:19:02] The STOPhaus Movement: is he arrested or just being searched and forensics?
[26.04.2013 19:19:13] Hephaistos: arrested
[26.04.2013 19:19:19] The STOPhaus Movement:
[26.04.2013 19:19:21] Hephaistos: as far as I can see.
[26.04.2013 19:19:33] Hephaistos: it goes off in twitter
[26.04.2013 19:19:39] The STOPhaus Movement: everyone else is ok though right?
[26.04.2013 19:19:45] Hephaistos: on irc anonops there is a channel #freecb3rob
[26.04.2013 19:19:54] Hephaistos: https://twitter.com/freecb3rob
[26.04.2013 19:20:06] Hephaistos: well I have not seen Narko for 2 days.
[26.04.2013 19:20:16] The STOPhaus Movement:
[26.04.2013 19:20:27 |changed 19:20:34] The STOPhaus Movement: we need an update from him
[26.04.2013 19:20:59] The STOPhaus Movement: narko is never offline that long
[26.04.2013 19:21:26] Hephaistos: thing is that I cannot connect to his irc server either.
[26.04.2013 19:21:56] The STOPhaus Movement: I thought anonops was talking shit about Sven promoting CB via STOP when I saw the chatroom?
[26.04.2013 19:22:12 | changed 19:22:22] The STOPhaus Movement: Now there is a channel. I am glad, but that’s some flip-flop stuff right there
[26.04.2013 19:22:14] Hephaistos: well I created the channel
[26.04.2013 19:22:22] Hephaistos: if they have a problem with me .. bring it on
[26.04.2013 19:22:22] The STOPhaus Movement: oh ok
[26.04.2013 19:22:29] The STOPhaus Movement: lulz
[26.04.2013 19:22:40] The STOPhaus Movement: Self-righteous assholes
[26.04.2013 19:28:44] Cali: Sven from cb3rob has been arrested.
[26.04.2013 19:40:19] Hephaistos: Sven = cb3rob
[26.04.2013 19:40:47] Cali: yeah
[26.04.2013 19:40:49] Cali: so he’s been stopped
[26.04.2013 19:40:52] Cali: in Spain.
[26.04.2013 19:40:57] Hephaistos: yes
[26.04.2013 19:41:05] NM: Is it truth? Not fake?
[26.04.2013 19:41:13] Cali: it is in dutch news.
[26.04.2013 19:41:16] Hephaistos: it is truth
[26.04.2013 19:41:21] Hephaistos: and all over twitter
[26.04.2013 19:43:13] Hephaistos: https://twitter.com/search?q=%23freecb3rob&src=hash
[26.04.2013 20:27:00] Hephaistos: http://www.ibtimes.co.uk/articles/461848/20130426/spamhaus-suspect-arrests-spain-kamphuis.htm
[26.04.2013 20:29:30] Yuri: heh.
[26.04.2013 20:30:07] Hephaistos: On twitter “Sven Olaf Kamphuis #freecb3rob possible source behind
record braking 300gbps #DDos arrested. #Anonymous will now try and break that record!”
[26.04.2013 20:32:31] Cali: So, it has made some PR for spamhaus.
[26.04.2013 20:32:37] Cali: that sucks.
[26.04.2013 20:34:06] Hephaistos: negative is still good.
[26.04.2013 20:34:36] Cali: this information has gone to press and media.
[26.04.2013 20:34:48] Cali: thus to the people
[26.04.2013 20:34:58] Hephaistos: well once they read what stophaus is.
[26.04.2013 20:35:05] Cali: who are at 90% dumb.
[26.04.2013 20:35:09] Hephaistos: true
[26.04.2013 20:35:14] Hephaistos: You got a point there
[26.04.2013 20:35:15] Cali: So now that make them think that spamhaus is doing well.
[26.04.2013 20:41:22] Hephaistos: pastebin.com/qzhcE1nV
[26.04.2013 20:41:25] Hephaistos: more badnews
[26.04.2013 20:41:56] Cali: Who has written that?
[26.04.2013 20:42:09] Hephaistos: I have no idea.
[26.04.2013 20:42:23] Hephaistos: its over the news everyone is freaking out
[26.04.2013 20:42:25] Cali: It seems to have be written by a 12 years old.
[26.04.2013 20:42:31] Cali: been*
[26.04.2013 20:42:52] Hephaistos: correct, seems like a trol to me. But tell that to the media
[26.04.2013 20:43:03] Hephaistos: and the 90% dumb people
[26.04.2013 20:43:09] Cali: Also I don’t understand.
[26.04.2013 20:43:23] Cali: How is it possible to get such reflection in media by posting something on pastebin?
[26.04.2013 20:43:37] Cali: So if I post that I am going to attack the U.S on pastebin, I would be in the news?
[26.04.2013 20:43:58] Hephaistos: Well, thing is that people think that banks will be ddosed and cannot get their
money. So their hoping that there will be a bankrun.
[26.04.2013 20:44:45] Cali: It is very doubtful that DDoSing the website of a bank will prevent the bank from operating.
[26.04.2013 20:46:45] Hephaistos: it will cost the bank money
[26.04.2013 20:47:32] Cali: Maybe to crap bank.
[26.04.2013 20:48:07] Cali: it will be insignifiant
[26.04.2013 20:48:11] Cali: insignificant.
[26.04.2013 18:21:36] Erik Bais: http://www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 18:26:15] Yuri: wtf
[26.04.2013 18:26:42] Yuri: is that about sven?
[26.04.2013 18:26:53] Erik Bais: looks like it.
[26.04.2013 18:27:03] NM: what does it mean?)))
[26.04.2013 18:28:17] Yuri: looks like some new that somebody got arrested becouse of some attacks of spamhaus…
heh… looks spamhaus has long hands.
[26.04.2013 18:29:49] Yuri: not so fine.
[26.04.2013 18:31:11] Yuri: afk
[26.04.2013 18:31:44] Yuri: Eric, can you call Sven and check if he is available?
[26.04.2013 18:31:55] Erik Bais: yes.
[26.04.2013 18:32:30] Erik Bais: I also just asked Twisted on Skype. he didn’t knew about it..
He hasn’t spoken to him yet today (he did yesterday) ..
[26.04.2013 18:33:59] Erik Bais: his spanish nr is not working (I get a message in spanish .. ) could be because the number is off.
[26.04.2013 21:51:16] Erik Bais: http://pastebin.com/qzhcE1nV
[26.04.2013 21:51:51] Erik Bais: http://www.telegraaf.nl/binnenland/21518021/__Arrest_NL_er_cyberaanvallen__.html
[26.04.2013 21:52:11] Erik Bais: http://tweakers.net/nieuws/88767/nederlander-opgepakt-voor-ddos-aanvallen-spamhaus.html
[26.04.2013 21:53:32] Erik Bais: http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/
[26.04.2013 21:53:50] Yuri: shit is going on..
[26.04.2013 21:56:17] Erik Bais: where did the pastbin thing came from ? Any idea ?
[26.04.2013 22:02:14] Yuri: don’t know
[26.04.2013 22:02:46] Yuri: may be we should use other system for chat?
[26.04.2013 22:18:07] Erik Bais: they have taken all his phones, data carriers and servers / computers located in Spain..
[26.04.2013 22:18:24] WebExxpurts: what is patebin
[26.04.2013 22:18:25] WebExxpurts: pastebin
[26.04.2013 22:18:39] Erik Bais: [26 April 2013 21:51] Erik Bais: <<< http://pastebin.com/qzhcE1nV
[26.04.2013 22:18:50] WebExxpurts: i mean who created that?
[26.04.2013 22:19:21] Erik Bais: no idea. I got it pasted from someone.. and it is also linked in various media outings on the Netherlands.
[26.04.2013 22:20:27] WebExxpurts: who is someone? that is interested
[26.04.2013 22:20:33] WebExxpurts: what sven did?
[26.04.2013 22:20:53] WebExxpurts: nonsense reports
[26.04.2013 22:21:20] Erik Bais: I got it from Xennt
[26.04.2013 22:21:45] Erik Bais: the owner of Cyberbunker. he got it linked by someone (I don’t know who. )
[26.04.2013 22:24:55] WebExxpurts: i m sure that sven is mistaken identity and authority have made mistake

====================================================================

To my knowledge, nobody else associated with this attack has been arrested or brought to justice. This chat log is fascinating because it highlights how easy it has been and remains for cybercriminals to commit massively disruptive attacks and get away with it.

These days, some of the biggest and most popular DDoS attack resources are in the hands of a few young men operating DDoS-for-hire “booter” or “stresser” services that in some cases accept both credit cards and PayPal, as well as Bitcoin. An upcoming investigation to be published soon by KrebsOnSecurity will provide perhaps the most detailed look yet at the this burgeoning and quite profitable industry. Stay tuned!

Further reading (assuming your eyes still work after this wall of text):

The Guardian: The Man Accused of Breaking the Internet

The Daily Beast: Yeah, We Broke the Internet: The Inside Story of the Biggest Attack Ever

Also, if you enjoy reading this kind of thing, you’ll probably get a kick out of Spam Nation.

Update, 7:40 p.m. ET: Corrected reference to NANAE anti-spam list.

Cloudflare Fights RIAA’s Piracy Blocking Demands in Court

Post Syndicated from Ernesto original https://torrentfreak.com/cloudflare-fights-riaas-piracy-blocking-demands-in-court-160823/

skullRepresenting various major record labels, the RIAA filed a lawsuit against MP3Skull last year.

With millions of visitors per month the MP3 download site had been one of the prime sources of pirated music for a long time, frustrating many music industry insiders.

Although the site was facing a claim of millions of dollars in damages, the owners failed to respond in court. This prompted the RIAA to file for a default judgment, with success.

Earlier this year a Florida federal court awarded the labels more than $22 million in damages. In addition, it issued a permanent injunction which allowed the RIAA to take over the site’s domain names.

However, despite the million dollar verdict, MP3Skull still continues to operate today. The site actually never stopped and simply added several new domain names to its arsenal, with mp3skull.vg as the most recent.

MP3Skull’s most recent home

mp3skullvg

The RIAA is not happy with MP3Skull’s contempt of court and has asked Cloudflare to help out. As a CDN provider, Cloudflare relays traffic of millions of websites through its network, including many pirate sites.

According to the RIAA, Cloudflare should stop offering its services to any MP3Skull websites, but the CDN provider has thus far refused to do so without a proper court order.

To resolve this difference of opinion, the RIAA has asked the Florida federal court for a “clarification” of the existing injunction, so it applies to Cloudflare as well.

In practice, this would mean that Cloudflare has to block all currently active domains, as well as any future domains with the keyword “MP3Skull,” which are tied to the site’s known IP-addresses.

“Cloudflare should be required to cease its provision of services to any of the Active MP3Skull Domains, as well as any website at either 89.46.100.104 or 151.80.100.107 that includes ‘MP3Skull’ in its name,” RIAA argued.

RIAA’s request

riaareq

However, Cloudflare believes that this goes too far. While the company doesn’t object to disconnecting existing accounts if ordered to by a court, adding a requirement to block sites based on a keyword and IP-address goes too far.

The proposed injunction goes well beyond the scope of the DMCA, the CDN provider informs the court in an opposition brief this week (pdf).

“…Plaintiffs’ proposed injunction would force Cloudflare —which provides services to millions of websites— to investigate open-ended domain letter-string and IP address combinations to comply with the injunction.

“Cloudflare believes that this Court should hold the Plaintiffs accountable for following clear rules of the road,” Cloudflare adds.

The company suggests that the court could require it to terminate specific accounts that are found to be infringing, but doesn’t want to become the RIAA’s copyright cop.

“What Cloudflare cannot do, and which the Court should not require, is to serve as a deputy for the Plaintiffs and their RIAA trade association in investigating and identifying further targets of an injunction.”

To outsiders the difference between RIAA’s request and what Cloudflare suggests may seem small, but the company draws a clear line to prevent having to scan for pirate sites, proactively. This could turn into a slippery censorship slope, they feel.

This isn’t the first time that the RIAA has requested a keyword ban. In a similar case last year Cloudflare was ordered to terminate any accounts with the term “grooveshark” in them. However, in this case the RIAA owned the trademark, which makes it substantially different as it doesn’t involve the DMCA.

The EFF applauds Cloudflare’s actions and hopes the court will properly limit the scope of these and other blocking efforts.

“The limits on court orders against intermediaries are vital safeguards against censorship, especially where the censorship is done on behalf of a well-financed party,” EFF’s Mitch Stoltz writes.

“That’s why it’s important for courts to uphold those limits even in cases where copyright or trademark infringement seems obvious,” he adds.

The Florida court is expected to rule on the RIAA’s injunction demands during the days to come, a decision that will significantly impact future blocking requests.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Powering Secondary DNS in a VPC using AWS Lambda and Amazon Route 53 Private Hosted Zones

Post Syndicated from Bryan Liston original https://aws.amazon.com/blogs/compute/powering-secondary-dns-in-a-vpc-using-aws-lambda-and-amazon-route-53-private-hosted-zones/

Mark Statham, Senior Cloud Architect

When you implement hybrid connectivity between existing on-premises environments and AWS, there are a number of approaches to provide DNS resolution of both on-premises and VPC resources. In a hybrid scenario, you likely require resolution of on-premises resources, AWS services deployed in VPCs, AWS service endpoints, and your own resources created in your VPCs.

You can leverage Amazon Route 53 private hosted zones to provide private DNS zones for your VPC resources and dynamically register resources, as shown in a previous post, Building a Dynamic DNS for Route 53 using CloudWatch Events and Lambda.

Ultimately, this complex DNS resolution scenario requires that you deploy and manage additional DNS infrastructure, running on EC2 resources, into your VPC to handle DNS requests either from VPCs or on-premises. Whilst this is a familiar approach it adds additional cost and operational complexity, where a solution using AWS managed services can be used instead.

In this post, we explore how you can use leverage Route 53 private hosted zones with AWS Lambda and Amazon CloudWatch Events to mirror on-premises DNS zones which can then be natively resolved from within your VPCs, without the need for additional DNS forwarding resources.

Route 53 private hosted zones

Route 53 offers the convenience of domain name services without having to build a globally distributed highly reliable DNS infrastructure. It allows instances within your VPC to resolve the names of resources that run within your AWS environment. It also lets clients on the Internet resolve names of your public-facing resources. This is accomplished by querying resource record sets that reside within a Route 53 public or private hosted zone.

A private hosted zone is basically a container that holds information about how you want to route traffic for a domain and its subdomains within one or more VPCs and is only resolvable from the VPCs you specify; whereas a public hosted zone is a container that holds information about how you want to route traffic from the Internet.

Route 53 has a programmable API that can be used to automate the creation/removal of records sets which we’re going leverage later in this post.

Using Lambda with VPC support and scheduled events

AWS Lambda is a compute service where you can upload your code and the service runs the code on your behalf using AWS infrastructure. You can create a Lambda function and execute it on a regular schedule. You can specify a fixed rate (for example, execute a Lambda function every hour or 15 minutes), or you can specify a cron expression. This functionality is underpinned by CloudWatch Events.

Lambda runs your function code securely within a VPC by default. However, to enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function to connect securely to other resources within your private VPC or reach back into your own network via AWS Direct Connect or VPN.

Each ENI is assigned a private IP address from the IP address range within the subnets that you specify, but is not assigned any public IP addresses. You cannot use an Internet gateway attached to your VPC, as that requires the ENI to have public IP addresses. Therefore, if your Lambda function requires Internet access, for example to access AWS APIs, you can use the Amazon VPC NAT gateway. Alternatively, you can leverage a proxy server to handle HTTPS calls, such as those used by the AWS SDK or CLI.

Building an example system

When you combine the power of Route 53 private hosted zones and Lambda, you can create a system that closely mimics the behavior of a stealth DNS to provide resolution of on-premises domains via VPC DNS.

For example, it is possible to schedule a Lambda function that executes every 15 minutes to perform a zone transfer from an on-premises DNS server, using a full zone transfer query (AXFR). The function can check the retrieved zone for differences from a previous version. Changes can then be populated into a Route 53 private hosted zone, which is only resolvable from within your VPCs, effectively mirroring the on-premises master to Route 53.

This then allows your resources deployed in VPC to use just VPC DNS to resolve on-premises, VPC and Internet resources records without the need for any additional forwarding infrastructure to on-premises DNS.

The following example is based on python code running as a Lambda function, invoked using CloudWatch Events with constant text to provide customizable parameters to support the mirroring of multiple zones for both forward and reverse domains.

Prerequisites for the example

Before you get started, make sure you have all the prerequisites in place including installing the AWS CLI and creating a VPC.

  • Region

    Check that the region where your VPC is deployed has the Lambda and CloudWatch Events services available.

  • AWS Command Line Interface (AWS CLI)

    This example makes use of the AWS CLI; however, all actions can be performed via the AWS console as well. Make sure you have the latest version installed, which provides support for creating Lambda functions in a VPC and the required IAM permissions to create resources required. For more information, see Getting Set Up with the AWS Command Line Interface.

  • VPC

    For this example, create or use a VPC configured with at least two private subnets in different Availability Zones and connectivity to the source DNS server. If you are building a new VPC, see Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.

    Ensure that the VPC has the DNS resolution and DNS hostnames options set to yes, and that you have both connectivity to your source DNS server and the ability to access the AWS APIs. You can create an AWS managed NAT gateway to provide Internet access to AWS APIs or as an alternative leverage a proxy server.

    You may wish to consider creating subnets specifically for your Lambda function, allowing you to restrict the IP address ranges that need access to the source DNS server and configure network access controls accordingly.

    After the subnets are created, take note of them as you’ll need them later to set up the Lambda function: they are in the format subnet-ab12cd34. You also need a security group to assign to the Lambda function; this can be the default security group for the VPC or one you create with limited outbound access to your source DNS: the format is sg-ab12cd34.

  • DNS server

    You need to make sure that you modify DNS zone transfer settings so that your DNS server accepts AXFR queries from the Lambda function. Also, ensure that security groups or firewall policies allow connection via TCP port 53 from the VPC subnet IP ranges created above.

Setting up the example Lambda function

Before you get started, it’s important to understand how the Lambda function works and interacts with the other AWS services and your network resources:

  1. The Lambda function is invoked by CloudWatch Events and configured based on a JSON string passed to the function. This sets a number of parameters, including the DNS domain, source DNS server, and Route 53 zone ID. This allows a single Lambda function to be reused for multiple zones.
  2. A new ENI is created in your VPC subnets and attached to the Lambda function; this allows your function to access your internal network resources based on the security group that you defined.
  3. The Lambda function then transfers the source DNS zone from the IP specified in the JSON parameters. You need to ensure that your DNS server is configured to allow full zone transfers and allow AXFR queries to your DNS server, which happens over TCP port 53.
  4. The Route 53 DNS zone is retrieved via API.
  5. The two zone files are compared; the resulting differences are returned as a set of actions to be performed against Route 53.
  6. Updates to the Route 53 zone are made via API and, finally, the SOA is updated to match the source version.

You’re now ready to set up the example using the following instructions.

Step 1 – Create a Route 53 hosted zone

Before you create the Lambda function, there needs to be a target Route 53 hosted zone to mirror the DNS zone records into. This can either be a public or private zone; however, for the purposes of this example, you will create a private hosted zone that only responds to queries from the VPC you specify.

To create a Route 53 private hosted zone associated with your VPC, provide the region and VPC ID as part of the following command:

aws route53 create-hosted-zone \
--name <domainname> \
--vpc VPCRegion=<region>,VPCId=<vpc-aa11bb22> \
--caller-reference mirror-dns-lambda \
--hosted-zone-config Comment="My DNS Domain"

Save the HostedZone Id returned, since you will need it for future steps.

Step 2 – Create an IAM role for the Lambda function

In this step, you use the AWS CLI to create the Identity and Access Management (IAM) role that the Lambda function assumes when the function is invoked. You need to create an IAM policy with the required permissions and then attach this policy to the role.

Download the mirror-dns-policy.json and mirror-dns-trust.json files from the aws-lambda-ddns-function AWS Labs GitHub repo.

mirror-dns-policy.json

The policy includes EC2 permissions to create and manage ENIs required for the Lambda function to access your VPC, and Route 53 permissions to list and create resource records. The policy also allows the function to create log groups and log events as per standard Lambda functions.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }, {

        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DetachNetworkInterface",
            "ec2:DeleteNetworkInterface"
        ],
        "Resource": "*"
    }, {
        "Sid": "Manage Route 53 records",
        "Effect": "Allow",
        "Action": [
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
        ],

        "Resource": ["*"]
    }]
}

To restrict the Lambda function access, you can control the scope of changes to Route 53 by specifying the hosted zones that are being managed in the format "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V". This policy can be updated later if additional hosted zone IDs are added.

mirror-dns-trust.json

The mirror-dns-trust.json file contains the trust policy that grants the Lambda service permission to assume the role; this is standard for creating Lambda functions.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
}

Create IAM entities

The next step is to create the following IAM entities for the Lambda function:

  • IAM policy

    Create the IAM policy using the policy document in the mirror-dns-policy.json file, replacing with the local path to the file. The output of the create-policy command includes the Amazon Resource Locator (ARN). Save the ARN, as you need it for future steps.

    aws iam create-policy \
    --policy-name mirror-dns-lambda-policy \
    --policy-document file://<LOCAL PATH>/mirror-dns-policy.json

  • IAM role

    Create the IAM role using the trust policy in the mirror-dns-trust.json file, replacing with the local path to the file. The output of the create-role command includes the ARN associated with the role that you created. Save this ARN, as you need it when you create the Lambda function in the next section.

    aws iam create-role \
    --role-name mirror-dns-lambda-role \
    --assume-role-policy-document file://<LOCAL PATH>/mirror-dns-trust.json

    Attach the policy to the role. Use the ARN returned when you created the IAM policy for the
    –policy-arn input parameter.

    aws iam attach-role-policy \
    --role-name mirror-dns-lambda-role \
    --policy-arn <enter-your-policy-arn-here>

Step 3 – Create the Lambda function

The Lambda function uses modules included in the Python 2.7 Standard Library and the AWS SDK for Python module (boto3), which is preinstalled as part of the Lambda service. Additionally, the function uses the dnspython module, which provides DNS handling functions, and there is also an externalized lookup function.

The additional libraries and functions require that we create a deployment package for this example as follows:

  1. Create a new directory for the Lambda function and download the Python scripts lambdafunction.py and lookuprdtype.py from the aws-lambda-ddns-function AWS Labs GitHub repo. Alternatively, clone the repo locally.
  2. Install the additional dnspython module locally using the pip command. This creates a copy of the require module local to the function.

    pip install dnspython -t .

  3. Update the lambda_function.py to specify proxy server configuration, if required.

  4. Create a Lambda deployment package using the following command:

    zip -rq mirror-dns-lambda.zip lambda_function.py \
    lookup_rdtype.py dns*

Then, you’ll use the AWS CLI to create the Lambda function and upload the deployment package by executing the following command to create the function. Note that you need to update the commands to use the ARN of the IAM role that you created earlier, as well as the local path to the Lambda deployment file containing the Python code for the Lambda function.

aws lambda create-function --function-name mirror-dns-lambda \
--runtime python2.7 \
--role <enter-your-role-arn-here> \
--handler lambda_function.lambda_handler \
--timeout 60 \
--vpc-config SubnetIds=comma-separated-vpc-subnet-ids,SecurityGroupIds=comma-separated-security-group-ids \
--memory-size 128 \
--description "DNS Mirror Function"
--zip-file fileb://<LOCAL PATH>/mirror-dns-lambda.zip

The output of the command returns the FunctionArn of the newly-created function. Save this ARN, as you need it in the next section.

Configure a test event in order to validate that your Lambda function works; it should be in JSON format similar to the following. All keys are required as well as values for Domain, MasterDns, and ZoneId.

{
    "Domain": "mydomain.com",
    "MasterDns": "10.0.0.1",
    "ZoneId": "AA11BB22CC33DD",
    "IgnoreTTL": "False",
    "ZoneSerial": ""
}

Invoke the Lambda function to test that everything is working; after the function has been invoked, check the file named output to see if the function has worked (you should see a 200 return code). Alternatively, you can test in the AWS console, using the test event to see the log output.

aws lambda invoke \
--function-name mirror-dns-lambda \
--payload fileb://event.json output

Congratulations, you’ve now created a secondary mirrored DNS accessible to your VPC without the need for any servers!

Step 4 – Create the CloudWatch Events rule

After you’ve confirmed that the Lambda function is executing correctly, you can create the CloudWatch Events rule that triggers the Lambda function on a scheduled basis. First, create a new rule with a unique name and schedule expression. You can create rules that self-trigger on schedule in CloudWatch Events, using cron or rate expressions. The following example uses a rate expression to run every 15 minutes.

aws events put-rule \
--name mirror-dns-lambda-rule \
--schedule-expression 'rate(15 minutes)'

The output of the command returns the ARN to the newly-created CloudWatch Events rule. Save the ARN, as you need it to associate the rule with the Lambda function and to set the appropriate Lambda permissions.

Next, add the permissions required for the CloudWatch Events rule to execute the Lambda function. Note that you need to provide a unique value for the –statement-id input parameter. You also need to provide the ARN of the CloudWatch Events rule that you created.

aws lambda add-permission \
--function-name mirror-dns-lambda \
--statement-id Scheduled01 \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn <enter-your-cloudwatch-events-rule-arn-here>

Finally, set the target of the rule to be the Lambda function. Because you are going to pass parameters via a JSON string, the value for –targets also needs to be in JSON format. You need to construct a file containing a unique identifier for the target, the ARN of the Lambda function previously created, and the constant text that contains the function parameters. An example targets.json file would look similar to the following; note that every quote(") in the Input value must be escaped.

[{
        "Id": "RuleStatementId01",
        "Arn": "<arn-of-lambda-function>",
        "Input": "{\"Domain\": \"mydomain.com\",\"MasterDns\": \"10.0.0.1\",\"ZoneId\": \"AA11BB22CC33DD\",\"IgnoreTTL\": \"False\",\"ZoneSerial\": \"\"}"
}]

Activate the scheduled event by adding the following target:

aws events put-targets \
--rule mirror-dns-lambda-rule \
--targets file://targets.json

Because a single rule can have multiple targets, every domain that you want to mirror can be defined as another target with a different set of parameters; change the ID and Input values in the target JSON file.

Conclusion

Now that you’ve seen how you can combine various AWS services to automate the mirroring of DNS to Amazon Route 53 hosted zones, we hope that you are inspired to create your own solutions using Lambda in a VPC to enable hybrid integration. Lambda allows you to create highly scalable serverless infrastructures that allow you to reduce cost and operational complexity, while providing high availability. Coupled with CloudWatch Events, you can respond to events in real-time, such as when an instance changes its state or when a customer event is pushed to the CloudWatch Events service.

To learn more about Lambda and serverless infrastructures, see the AWS Lambda Developer Guide and the " Microservices without the Servers" blog post. To learn more about CloudWatch Events, see Using CloudWatch Events in the Amazon CloudWatch Developer Guide.

We’ve open-sourced the code used in this example in the aws-lambda-ddns-function AWS Labs GitHub repo and can’t wait to see your feedback and your ideas about how to improve the solution.

Reddit Refuses to Disclose Alleged Music Leaker’s IP Address

Post Syndicated from Andy original https://torrentfreak.com/reddit-refuses-to-disclose-alleged-music-leakers-ip-address-160816/

redditpBack in June, Atlantic Records were in the final stages of releasing the track ‘Heathens’ by the platinum-certified band Twenty One Pilots. Things didn’t go to plan.

The track, which was also set to appear on “Suicide Squad: The Album”, was leaked online, first appearing on an anonymous Slovakian file-hosting service called Dropfile.to.

From there it’s claimed that the alleged leaker advertised that file on Reddit, posting a link which enabled any viewer to download it for free. The posting, which was made on the ‘Twenty One Pilots’ subreddit by a user called ‘twentyoneheathens’, caught the eye of Atlantic Records.

Earlier this month in the Supreme Court of the State of New York, Atlantic described how the leak had ruined its plans for the release and promotion of the track. Underlying these complaints was the belief that the leak originated close to home.

The label said it had provided an early release copy “to an extremely limited number of individuals”, including members of 21 Pilots, their manager, Atlantic and [record label] Fueled by Ramen executives, plus members of Atlantic’s radio field staff.

According to Atlantic, all of its employees who were aware of the impending release were “contractually obligated and/or under a fiduciary obligation” not to disclose its existence until June 24.

So, in order to find out who was responsible for the pre-release, Atlantic asked the Court to force Reddit to hand over the presumed leaker’s details, including his or her IP address. Reddit, however, doesn’t want to play ball.

heathens

In a response to the Court, Reddit’s legal team at Harris Beach PLLC say that Atlantic’s claims fail to reach the standards required for discovery.

“In order to obtain pre-action discovery, Atlantic must demonstrate now that it has meritorious claims against the Reddit user. However, Atlantic has failed to show that its claims are meritorious for two, simple reasons,” Reddit begins (pdf).

“First, it has failed to establish that it has a contractual relationship with the Reddit user. Second, it has failed to establish that it has a fiduciary relationship with the Reddit user. Because Atlantic has not demonstrated that it has meritorious causes of action against the unidentified Reddit user, its petition for pre-action discovery related to such user should be denied.”

The problem lies with Atlantic’s allegation that the person responsible for the leak and the link on Reddit is under contract with the company. Reddit’s lawyers point out that while the label is clear about what action it would take in that instance, it has made no statement detailing what it would do if the person who posted the link on Reddit is disconnected from the initial leak.

“Atlantic does not describe the claims it would bring against a non-employee Reddit user who discovered the link on Dropfile.to and posted it to Reddit.com without assistance from an Atlantic employee or an employee of Fueled by Ramen, the members of Twenty One Pilots, or their manager, each of whom had access to the song at the time of the leak,” Reddit writes.

Underlining its concerns, Reddit points out that Atlantic provides no proof to back up its claims that the “individual or individuals” who uploaded the file to Dropfile.to also posted the link to Reddit.

“[T]he Reddit user may have been a member of the general public, who, after discovering the Dropfile.to link on another publicly available website, decided to resubmit it to Reddit.com. A member of the public would not likely have a contractual relationship with Atlantic that was breached and Atlantic has not alleged as much.”

Furthermore, Reddit says Atlantic has not advised the Court of any efforts made to obtain the alleged poster’s details from Dropfile.to. While that might indeed be the case, the operator of Dropfile previously informed TorrentFreak that his site is completely anonymous and carries no logs, so identifying any user would be impossible.

In closing, Reddit describes Atlantic’s effort as an “impermissible fishing expedition” and asks for its petition for pre-action discovery to be denied. However, should the Court decide otherwise, Reddit has asked for a cap to be placed on the amount of data it must hand over.

“Presently, Atlantic’s subpoena requests not only information related to the user twentyoneheathens, but also for information related to ‘all and any other Reddit accounts which accessed [Reddit’s] service from the same IP address on or about June 15, 2016’,” Reddit notes.

“While such users may share an IP address, they otherwise have no relationship among them. For this reason, any order requiring pre-action discovery should be limited to information directly related to the user twentyoneheathens and not violate the privacy interests of any Reddit users sharing the IP address.”

While Reddit is digging in its heels now, it seems likely that at some point the Court will indeed order the alleged leaker’s IP address to be handed over. However, only time will tell what action Atlantic will publicly take. Leaks are potentially embarrassing, so making their findings widely known may not be a priority.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

‘Mutable’ Torrents Proposal Makes BitTorrent More Resilient

Post Syndicated from Andy original https://torrentfreak.com/mutable-torrents-proposal-makes-bittorrent-resilient-160813/

bittorrent_logoRegardless of differing opinions on what kind of content should be shifted around using the protocol, few will contest the beauty of BitTorrent.

Thanks to the undoubted genius of creator Bram Cohen, it is still extremely robust some 15 years after its debut.

But while some may assume that BitTorrent is no longer under development, the opposite is true. Behind the scenes, groups of developers are working to further develop the protocol via BitTorrent Enhancement Proposals (BEPs).

Early BEPs, such as those covering DHT, PEX and private torrents, have long since been implemented but the process continues today.

Just one of the P2P developers involved is Luca Matteis. He lives in Rome, Italy, where he studies Computer Science at the Sapienza University and works part-time on various projects.

Passionate about P2P and decentralized systems, Luca informs TorrentFreak that his goal is to enable people to share and communicate in a censorship resistant manner. His fresh proposal, Updating Torrents Via DHT Mutable Items, was submitted last month and aims to live up to that billing.

We asked Luca to explain what his group’s proposal (it’s a team effort) is all about and he kindly obliged. It begins with the Distributed Hash Table (DHT) and a previous enhancement proposal.

“So currently the DHT in BitTorrent is used as a peer discovery mechanism for torrents, and it has really nice decentralized properties. It works just like a tracker, with the difference being that trackers are on central servers with a domain name, and therefore can be easily shut down,” Luca begins.

“[An earlier enhancement proposal] BEP44 added some interesting properties to the DHT network, namely the feature of being able to store arbitrary data. So instead of just storing IP addresses of people downloading specific torrents, we can now store any kind of data (max 1000 bytes per item).”

Luca says that so far this functionality hasn’t been used by torrent clients. uTorrent apparently has it under the hood, with some developers believing it’s there for reasons connected to BitTorrent Inc’s Bleep software. At this point, however, it only exists at the network level.

Importantly, however, Luca says that BEP44 allows one to store changing values under a key.

“We call these mutable items. So what you could do is generate a public key, which can be thought of as your address, and share this with the world. Then you use this public key to store stuff in BitTorrent’s DHT network. And, because it’s your public key, you (and only you) can change the value pointed by your public key.”

As mentioned earlier, only a 1000 bytes can be stored (less than 1kB), but Luca points out that it’s possible to store the info hash of a torrent, 79816060EA56D56F2A2148CD45705511079F9BCA, for example. Now things get interesting.

“At this point, your public key has very similar properties to an HTTP URL [a website address], with the difference that (just like trackers before) the value does not exist on a single computer/server, but is constantly shared across the DHT network,” he explains.

“Our BEP46 extension is an actual standardization of what the value, pointed by your public key, should look like. Our standard says it should be an info hash of a torrent. This allows for a multitude of use cases, but more practically it allows for torrents to automatically change what they’re downloading based on the public key value inside the DHT.”

While the technically minded out there might already know where this is going, Luca is kind enough to spell it out.

“Torrent sites (such as The Pirate Bay) could share a magnet link they control, which contains their public key. What they would store at this ‘address’ is the infohash of a torrent which contains a database of all their torrents,” he says.

“Users who trust them would bookmark the magnet link, and when they click on it, a torrent will start downloading. Specifically, they’d start downloading the database dump of the torrent site.”

While that might not yet sound like magic, the ability to change the value held in the DHT proves extremely useful.

“The cool thing is that when the torrent site decides to share more torrents (new releases, better quality stuff, more quality reviews), all they need to do is update the value in the DHT with a new torrent containing a new .rss file.

“At this point, all the users downloading from their magnet link will automatically be downloading the new torrent and will always have an up-to-date .RSS dump of torrents,” he says.

But while this would be useful to users, Luca says that sites like The Pirate Bay could also benefit.

“For torrent sites, this would be an attractive solution because they wouldn’t need to maintain a central HTTP server which implies costs and can be easily shut down. On the other hand, their mutable torrent magnet link cannot be easily shut down, does not imply maintenance costs, and cannot be easily tracked down,” he concludes.

For those interested in the progress of this enhancement proposal and others like it, all BEPs can be found here.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.