Yesterday evening the FTC shut down ISP and data farm service to Pricewert LLC, aka 3FN (amongst other names). It is – or was – a major distribution channel for spam along with even less savory internetalia including child pr0n and they acted as a haven for botnets:

The FTC also alleges that the defendant engaged in the deployment and operation of botnets – large networks of computers that have been compromised and enslaved by the originator of the botnet, known as a “bot herder.” […] According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as “zombie drones.” Transcripts of instant-message logs filed with the district court show the defendants’ senior employees discussing the configuration of botnets with bot herders. And, in filings with the district court, the FTC alleges that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password stealing, and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.

Since they were running botnets and keyloggers it’s safe to say that a major part of their business plan was identity theft, the fucks. If this is true then we are all better off with these people off the internet for at least a little while.

Late last year there was a similar shutdown of McColo, another major haven for this type of thing, and at the company where I then worked we saw a significant drop in spam traffic that corresponded almost to the minute with the shutdown. Now I’m very curious to track what happens in my various spam folders today and over the weekend. We might be about to enjoy a very pleasant few days. Given that it looks like Pricewert were caught as red-handed as can be, maybe even a little longer.

However, even if everyone involved in running Pricewert itself were to go to jail and never have the chance to run this sort of operation again, their bot herders and the criminal clients who sought out Pricewert’s services will just go somewhere else and set up shop again. They don’t even necessarily have to wait for things to cool off first… and I don’t think there’s a solution to that. Security tools such as intrusion prevention have issues that make some fantasy of in-the-cloud security across all ISPs or all major upstream providers just that: fantasy. While the 40 and 100 Gbps standards are on the horizon, 10 Gbps security devices are still prohibitively expensive for almost all potential customers. If individual organizations can’t afford that kind of inspected speed in their own data centers then there’s no way an ISP could hope to do the same. On top of that, intrusion prevention has too much potential for a false positive taking out something important. As for firewalls, they’re for premises and individual organizations, not entire classes of customer.

There are things that can be done – basic ACLs on border routers, policies that block specific known bad traffic at the outermost edges of ISP networks – but the internet is simply always going to be, to some degree, the frontier. That’s kind of the point of the internet, actually. By the time some technology or standard or service is understood sufficiently to have vulnerabilities identified and those risks mitigated, there are ten more completely new technologies or standards or services coming down the pipe. The only way to protect a given network from malicious traffic originating outside of that network is to disconnect from the outside world.

ISPs and especially their upstream providers are in the business of providing as much bandwidth as possible as reliably as possible. Just as at the user level there is the potential for tension between convenience and risk management, there is tension between risk management and the level of availability demanded by a hosting center. Any ISP or upstream provider that started policing the traffic of its large, high-bandwidth, highly available clients would be asking to go out of business, and that’s just the legit providers. Even if tomorrow someone were to wave their magic wand so that inspection took no more resources than routing, there would still be people who see the criminal elements of the internet as little more than an under-served market, especially in times like these.